bytes-of-swiss's Introduction

Bytes of Swiss


Master
Build

Bytes of Swiss is a library of no frills Ansible roles that can be combined to make a vulnerable virtual machine. This can be used for cybersecurity King of the Hill competitions, penetration testing practice, or to test both offensive and defense tools.

Vulnerabities are located in roles/vuln and pull in services like an FTP server or database from roles/service as needed. The roles/misc directory contains helper roles like adding a new user.

All roles are tested with Molecule and Vagrant.

Example

This makes an existing machine vulnerable by making a new bind shell every minute, creating a PHP shell, and running telnet.

---
- hosts: vulnerable
  roles:
    - vuln/bind-shell
    - vuln/web-shell
    - service/telnet

Try It Out

Download the repository.

git clone https://github.com/becksteadn/Bytes-Of-Swiss.git

Start the example VM with Vagrant

vagrant up

Run the example playbook.

ansible-playbook -i vagrant.ini example.yml

Exploit the machine.

Web shell
- curl localhost:8080/cmd.php?cmd=cat%20/etc/passwd
Telnet
- telnet localhost 2323
- Log in with vagrant:vagrant
Bind shell
- vagrant ssh
- sudo netstat -tunlp
- Observe the processes listening on high ports. Connect to one with nc and run some bash commands.

Contributing

Any help or suggestions are greatly appreciated! Check out CONTRIBUTING.md for details.

bytes-of-swiss's People

Contributors

Stargazers

Watchers

bytes-of-swiss's Issues

Test with Vagrant on Appveyor

Appveyor comes with VirtualBox preinstalled

Create scenario for docker containers

Create a new Molecule scenario for testing with Docker containers.

Create post provisioning scripts to generate user behavior

This will give users an idea of what normal logs look like

Tag vulnerabilities and tasks with easy/med/hard

Categorize vulnerabilities for future work. Eventually may be able to design random VMs with a difficulty level.

Use fileglob filter instead of ls command

The fake database data injection tasks use ls which causes linting errors and is not good practice. Use the fileglob filter instead.

https://github.com/becksteadn/Bytes-Of-Swiss/blob/10e7a6f6b315549a7b1675ee88f8bfb9ac1a443d/roles/service/database/tasks/fake-data.yml#L9

https://docs.ansible.com/ansible/latest/plugins/lookup/fileglob.html

Create SQL injection app

Make a web app that is vulnerable to SQL injection

Create sql-injection role
Create tables in database
Create web app
Test

[VULN] Overprivileged users

Description
Create a user that has extra privileges.

What does the vulnerability require?
Creating a system user with access special files or applications.

What weaknesses does this create in a machine?
A compromised user that might be able to create additional vulnerabilities or persistence.

TODO

Update add_user role
Write tests
Update README.md

Create vulnerabilities at random

Let user pick what vulns to include
- Y/N choice on complete list
- Easy/Med/Hard
- Category (web, insecure config, scenarios)
Include roles randomly
- 50/50 pick

[Provisioning] Create restricted security group when making vulnerable EC2 instance

[VULN] 🔓 SQL Injection Web App

Description
A web app that has SQL injection.

What does the vulnerability require?
A web server, PHP, and database.

What weaknesses does this create in a machine?
User information can be disclosed. Plaintext passwords?

Additional context
https://www.w3schools.com/sql/sql_injection.asp

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

TODO

SMB/FTP support defining multiple shares

Create a YAML list with FTP/SMB shares then loop over them and add them to the config file.

vars:
    sambashares:
      - name: public
        comment: Public resources
        path: /samba/public
        read_only: yes
        browsable: yes
      - name: private
        comment: Private resources
        path: /samba/private
        read_only: no
        browsable: no

http://scriptingis.life/cool-ansible-3/

Set database root password

Default installation has some mysterious root password. Need to reset it or figure out what it is.

Create web app vulnerablities with PHP, Node, Flask...

Make DVWA-like vulnerabilities with different web languages.

Create a way to build scenarios

Keep scenario specific files somewhere. PCAPs, credential files, etc.

Add Windows to CircleCI testing

CircleCI will soon support Windows. Complete issue #29 then add it to CI testing.

Support Windows instances

https://dev.to/jeikabu/reusable-windows-vms-with-vagrant-2h5c

Need to find CI solution that supports VMs or create instances in cloud.
Molecule support for Windows connections?
Update existing roles with Windows support if possible

[VULN] 🔓 OSINT from web app

Description
A social media-esque web app where users give away personal information.

What does the vulnerability require?
Requires a web server and maybe PHP if posts aren't hard coded.

What weaknesses does this create in a machine?
Users create weak passwords based on things they like. fidoMarlins1965

Additional context
None.

TODO

Create scenario
Create web page
Test

[SERV] 🧰 SMB Server

Description
Create a Sambda server to host file shares.

What kind of vulnerabilities can use this service?
Shares can be made to have anonymous or write access.

What other services are needed?
None.

Additional context
https://tutorials.ubuntu.com/tutorial/install-and-configure-samba

https://www.howtoforge.com/samba-server-installation-and-configuration-on-centos-7

TODO

Add roles for troll vulns

[VULN] 🔓 Drupalgeddon2

Description
A vulnerable Drupal site that allows RCE.

What does the vulnerability require?
A specially crafted request.
Web server.
PHP.

What weaknesses does this create in a machine?
RCE as an anonymous visitor.

Additional context
https://www.rapid7.com/db/modules/exploit/unix/webapp/drupal_drupalgeddon2

TODO

Create AWS scenario for molecule testing

Test roles on AWS to mimic installing on a real system.

Create AWS scenario in cookiecutter template
Add AWS scenario to existing roles
Configure API keys
Integrate with CI testing

Create a way to provision infrastructure

Create a role or playbook to provision a server. Maybe make a roles/management directory to contain infrastructure and check roles.

[VULN] 🔓 Add SSH and other exploit methods to Shellshock

Add scenario with credentials or sensitive info in log files

Test roles with other supported variables

For example, test the database role with MySQL and MariaDB rather than just the default.

Make create.yml play nice locally and with circleci

Seems like the 'Populate instance config dict' user variable location is different depending on where it is run. Needs more debugging.

Update README for all working roles

Add variables in standard format
Add dependencies

Test with Travis CI

Test roles in parallel

Use CircleCI to test roles in parallel

Update main README.md

Needs new example playbook and description.

[VULN] 🔓 Shellshock

Description
Shellshock takes advantage of a vulnerability in older version of the Bash shell to execute commands remotely.

What does the vulnerability require?
Shellshock is most often found in cgi-bin capabilities of web servers but can also be used in mail servers.

What weaknesses does this create in a machine?
Allows remote command execution.

Additional context

https://blog.cloudflare.com/inside-shellshock/

https://www.surevine.com/shellshocked-a-quick-demo-of-how-easy-it-is-to-exploit/

https://code-maven.com/set-up-cgi-with-apache

TODO

scriptingislife / bytes-of-swiss Goto Github PK

bytes-of-swiss's Introduction

Bytes of Swiss

Example

Try It Out

Contributing

bytes-of-swiss's People

Contributors

Stargazers

Watchers

Forkers

bytes-of-swiss's Issues

Recommend Projects

Recommend Topics

Recommend Org