├── .gitignore
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── ansible.cfg
├── module_docs.md
├── roles
│   ├── autossh
│   │   └── tasks
│   │       ├── autossh.yml
│   │       └── main.yml
│   ├── common
│   │   ├── defaults
│   │   │   └── main.yml
│   │   └── tasks
│   │       ├── git.yml
│   │       ├── main.yml
│   │       ├── nmap.yml
│   │       ├── pip.yml
│   │       └── screen.yml
│   ├── crackmapexec
│   │   ├── docs.json
│   │   ├── meta
│   │   │   └── main.yml
│   │   └── tasks
│   │       ├── crackmapexec.yml
│   │       └── main.yml
│   ├── empire
│   │   ├── docs.json
│   │   └── tasks
│   │       ├── empire.yml
│   │       └── main.yml
│   ├── fierce
│   │   ├── docs.json
│   │   └── tasks
│   │       ├── fierce.yml
│   │       └── main.yml
│   ├── hashid
│   │   ├── docs.json
│   │   └── tasks
│   │       ├── hashid.yml
│   │       └── main.yml
│   ├── kismet
│   │   ├── docs.json
│   │   └── tasks
│   │       ├── kismet.yml
│   │       └── main.yml
│   ├── medusa
│   │   ├── docs.json
│   │   └── tasks
│   │       ├── main.yml
│   │       └── medusa.yml
│   ├── metasploit
│   │   ├── docs.json
│   │   └── tasks
│   │       ├── main.yml
│   │       └── metasploit.yml
│   ├── onesixtyone
│   │   ├── docs.json
│   │   └── tasks
│   │       ├── main.yml
│   │       └── onesixtyone.yml
│   ├── responder
│   │   ├── docs.json
│   │   └── tasks
│   │       ├── main.yml
│   │       └── responder.yml
│   ├── sslscan
│   │   ├── docs.json
│   │   ├── meta
│   │   │   └── main.yml
│   │   └── tasks
│   │       ├── main.yml
│   │       └── sslscan.yml
│   ├── tunnel-dns-client
│   │   ├── defaults
│   │   │   └── main.yml
│   │   ├── docs.json
│   │   ├── files
│   │   │   └── tunnel-dns.service.j2
│   │   └── tasks
│   │       ├── main.yml
│   │       ├── tunnel-dns-client-service.yml
│   │       └── tunnel-dns-client.yml
│   ├── tunnel-dns-server
│   │   └── tasks
│   │       ├── main.yml
│   │       └── tunnel-dns-server.yml
│   ├── tunnel-ssh-client
│   │   ├── defaults
│   │   │   └── main.yml
│   │   ├── docs.json
│   │   ├── files
│   │   │   └── tunnel-ssh.service.j2
│   │   ├── meta
│   │   │   └── main.yml
│   │   └── tasks
│   │       ├── main.yml
│   │       ├── tunnel-ssh-keys.yml
│   │       └── tunnel-ssh-service.yml
│   └── virtualenv
│       ├── defaults
│       │   └── main.yml
│       └── tasks
│           ├── main.yml
│           └── virtualenv.yml
├── sample.yml
├── scripts
│   ├── doctor.py
│   └── roller.sh
└── templates
    ├── docs.template.json
    └── hosts.template

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Ansible
*.retry

# YAMS
*.pub
hosts

# IDE
.vscode/*

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
There's a ton of functionality in Ansible. If you're migrating from existing automation tools (e.g. shell scripts) a good rule of thumb is to assume it can all be done in Ansible with less headache and greater portability until proven otherwise.

When building roles:

* Aim for maximum compatibility. Don't use apt to install a Python module, if pip will accomplish the same.
* When adding distribution-specific commands, ensure you use conditionals to scope it.
* Make liberal use of inline documentation.
* Store any environment-specific data (local git root, ssh key location, etc.) in your-role/defaults/main.yml.
* Ensure that any dependencies are declared in your-role/meta/main.yml and that your dependency doesn't already exist under roles/common/tasks.
* Submit pull requests to the dev branch.

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017 Liam Somerville

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Project Abandoned
While working through YAMS, I discovered Ansible Galaxy. This does essentially what YAMS aimed to do, but with the full force of RedHat behind it. I've moved most of the roles [there](https://galaxy.ansible.com/list#/roles?page=1&page_size=10&users=leesoh) but will be leaving this project up for the time being.

# YAMS Framework
Welcome to Yet Another Modular Security Framework. YAMS is a collection of Ansible roles, some hacky scripts, and a large amount of standing on the shoulders of giants.

# Thanks
YAMS is very much inspired by [The Penetration Tester's Framework](https://github.com/trustedsec/ptf) but attempts to build on the great work done there by adding strong support for environment-specific targeting (OS type, architecture, etc.), leveraging Ansible's solid module support for common tasks (git, apt, yum, etc.), and adding the ability to define a build script for easy deploy/rebuild.

## More Thanks
* https://leucos.github.io/ansible-files-layout for role layouts
* @pixel8ed for opening my eyes to the glory of automation with Ansible and sanity checking

# Getting Started
Getting started with YAMS is pretty straightforward. First, you're going to need to [install Ansible](https://docs.ansible.com/ansible/intro_installation.html#installing-the-control-machine) on your control machine. This is the system you'll use to configure your targets.

YAMS doesn't require any special configuration on the target - if you can SSH to it, you can configure it.

Once you've cloned the YAMS repo, you'll need to make a couple of changes:

1. Copy `templates/hosts.template` to `hosts`.
2. Update `hosts` with the appropriate IP/port for your target.
3. Update any `CHANGEME` values in each role's `defaults/main.yml` for the modules you plan on using.

That's it! You can either tweak the sample `sample.yml` playbook to provision your first machine, or build your own.

Once you're happy with it, you can deploy your configuration using `ansible-playbook your-playbook.yml [--ask-become-pass]`.

## Keeping Things Current
Ansible makes it pretty simple to keep a role up to date. Once you've got things the way you want them, just make sure that you're making good use of `update: yes` and `state: latest` and then re-run the playbook.

```
---
- name: Clone Empire
  become: true
  git:
    repo: https://github.com/EmpireProject/Empire.git
    dest: "{{ git_location }}/empire-git"
    update: yes

---
- name: Install pip
  become: true
  when: ansible_os_family == "Debian"
  apt:
    name: python-pip
    update_cache: yes
    state: latest
```

# The Plumbing
YAMS uses Ansible [roles](https://docs.ansible.com/ansible/playbooks_roles.html#roles) to define configurations for a host. A playbook is just a grouping of these roles to define the configuration of a system. YAMS provides the roles, you provide the targets.

Playbooks contain roles, roles contain plays, plays perform actions, and all of a sudden a box gets provisioned.

You can include a role in a playbook by adding it to the `roles` section:

```
---
- hosts: that_host
  remote_user: that_guy
  roles:
    - metasploit
    - sslscan
    - ...
    - kismet
```

Roles contain all the modular goodness we use to build playbooks. A role should define everything that needs to happen for the role to be successfully provisioned on a target, including:

* Dependency on other roles
* Environment variables
* Service configurations
* Packages to install
* Files created (and contents edited!)

Roles can be simple:

```
# Installs Medusa
---
- name: Install Medusa
  become: true
  when: ansible_os_family == "Debian"
  apt:
    name: medusa
    update_cache: yes
```

Or a bit more involved:

```
---
# Installs and configures Metasploit
- name: Download Metasploit installer
  become: true
  get_url:
    url: https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb
    dest: /tmp/msfinstall
    mode: 0755

- name: Install Metasploit
  become: true
  command: /tmp/msfinstall

- name: Initialize Metasploit database
  command: msfdb init
```

Packaging tools as roles allows us to reuse them in different playbooks. That's the magic of YAMS. Build once, use all over the damn place.
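The playbook-plus-inventory layout described above, as an added example that is not part of the YAMS repo: a play that provisions one inventory group with a handful of the repo's roles, shown together with the inventory entries it expects. The group name `dropboxes`, the `deploy` user and the 203.0.113.x addresses are constructed placeholders; the role names are the ones that exist in this repo, and `tunnel-ssh-client` assumes its `CHANGEME` defaults have already been filled in.

```yaml
# Added example, not a file from the YAMS repo.
# Group, user and addresses below are constructed placeholders.

# --- hosts (the inventory; ansible.cfg already points here via `inventory = hosts`)
# [dropboxes]
# 203.0.113.10 ansible_port=2222 ansible_user=deploy
# 203.0.113.11 ansible_port=2222 ansible_user=deploy

# --- site.yml (the playbook)
---
- name: Provision assessment hosts
  hosts: dropboxes
  # Every role in this repo gates its package tasks on ansible_os_family,
  # which only exists once facts have been gathered. With gather_facts: false
  # the first `when:` fails with "'ansible_os_family' is undefined".
  gather_facts: true
  roles:
    - common                 # git, pip, nmap, screen (tags: common, git, pip, ...)
    - sslscan
    - onesixtyone
    - { role: tunnel-ssh-client, tags: [tunnel] }   # extra tag on top of the role's own

# Constructed invocations:
#   ansible-playbook site.yml --ask-become-pass --check --diff        # preview first
#   ansible-playbook site.yml --ask-become-pass --limit 203.0.113.10 \
#       --tags "common,sslscan"                                       # one host, two roles
```

`--check --diff` previews package and file changes against a host before anything is touched, but `command:` tasks such as the Metasploit installer and `msfdb init` are skipped in check mode, so a clean dry run says nothing about those steps; `--limit` narrows the play to a single inventory host when you are validating a new role.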

## Role Structure
Here's how a basic role is structured in YAMS:

```
your-role/
├── docs.json       # Contains documentation for the role
├── defaults
│   └── main.yml    # Stores role-specific variables
├── files           # Stores any required files for your role
├── handlers
│   └── main.yml
├── meta
│   └── main.yml    # Declare dependencies here
└── tasks
    ├── main.yml    # Imports and tags your role
    └── your-role.yml   # Contains all required plays for the role
```

The `main.yml` file under `tasks` is what is run when a role is added to a playbook. Rather than store all functionality in that, however, we just use it to import and tag the actual role file, `your-role.yml`.

This may seem a bit silly but doing it this way allows us to selectively run roles from the playbook using `ansible-playbook your-playbook.yml --tags "your-role,another-role"`.

## Common Plays
Here's how to do some common operations using Ansible. You can get a full list of supported modules [here](https://docs.ansible.com/ansible/list_of_all_modules.html).

### Install a Package Using apt
```
- name: Install my-package
  become: true
  when: ansible_os_family == "Debian"
  apt:
    name: my-package
    update_cache: yes
    state: latest
```

The above task is the same as running `sudo apt update && sudo apt install my-package`. Re-running the task will update the package (`state: latest`).

### Clone a Git Repository
```
- name: Clone my-repo
  become: true
  git:
    repo: https://github.com/foo/bar.git
    dest: /opt/bar-git
    update: yes
```

This is the same as running `sudo git clone https://github.com/foo/bar.git /opt/bar-git`. Re-running the task will perform a `git pull` operation (`update: yes`).

### Download Files
```
- name: Download my-file
  get_url:
    url: https://my.site/my-file.sh
    dest: /tmp/my-file.sh
    mode: 0755
```

The above task is the same as `wget https://my.site/my-file.sh -P /tmp && chmod 755 /tmp/my-file.sh`.

### Run Commands
```
- name: Initialize Metasploit database
  command: msfdb init
```
This one is pretty straightforward.

## Targeting Using Conditionals
When adding distro-specific commands (e.g. `apt`, `yum`) to a play, make use of Ansible's [conditionals](https://docs.ansible.com/ansible/playbooks_conditionals.html) to target the commands appropriately.

For example:

```
- name: Install foo
  when: ansible_os_family == "Debian"
  apt:
    name: foo
    update_cache: yes
    state: latest
```

## Dependencies
You can easily implement a role dependency by defining it in `your-role/meta/main.yml` like so:

```
---
dependencies:
  - { role: autossh }
```

# Module Documentation
All module documentation can be found in [module_docs.md](module_docs.md) until a better place is found.
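Putting the Role Structure, Common Plays, Targeting Using Conditionals and Dependencies sections together, here is an added example of one complete hypothetical role, `example-tool`, that is not part of the YAMS repo. The tool name, repository URL, tag, installer URL, checksum variable and install path are placeholders; `git_location` is the real variable from `roles/common/defaults/main.yml`. Where the repo's own roles track `master` with `update: yes` and `state: latest`, this role pins the git checkout to a tag and verifies the downloaded installer against a checksum, which is what you want when the box is going to sit on a client site and be rebuilt from the same playbook later.

```yaml
# Added example, not a role from the YAMS repo. Everything named
# example-tool / example-org / example.invalid is a placeholder.

# --- roles/example-tool/defaults/main.yml
---
example_tool_version: "v1.2.3"             # git tag to check out (CHANGEME)
example_tool_installer_sha256: "CHANGEME"  # sha256 of the installer script

# --- roles/example-tool/meta/main.yml
---
dependencies:
  - { role: common }       # provides git and pip
  - { role: virtualenv }

# --- roles/example-tool/tasks/main.yml
---
- include: example-tool.yml
  tags: example-tool

# --- roles/example-tool/tasks/example-tool.yml
---
- name: Install build dependencies (Debian family)
  become: true
  when: ansible_os_family == "Debian"
  apt:
    name: "{{ item }}"
    update_cache: yes
    state: latest
  with_items:
    - libssl-dev
    - libffi-dev

- name: Install build dependencies (RedHat family)
  become: true
  when: ansible_os_family == "RedHat"
  yum:
    name: "{{ item }}"
    state: latest
  with_items:
    - openssl-devel
    - libffi-devel

- name: Clone example-tool at a pinned tag
  become: true
  git:
    repo: https://github.com/example-org/example-tool.git   # placeholder
    dest: "{{ git_location }}/example-tool-git"
    version: "{{ example_tool_version }}"   # pin to a tag rather than tracking master
    update: yes

- name: Download the installer and verify its checksum
  become: true
  get_url:
    url: https://example.invalid/example-tool/install.sh   # placeholder
    dest: /tmp/example-tool-install
    mode: 0755
    checksum: "sha256:{{ example_tool_installer_sha256 }}"  # task fails on mismatch

- name: Run the installer
  become: true
  command: /tmp/example-tool-install
  args:
    creates: /opt/example-tool/bin/example-tool   # skip on re-runs once installed
```

`ansible-playbook your-playbook.yml --tags example-tool` runs only this role's tasks, because `tasks/main.yml` tags the include and the tag propagates to every task in `example-tool.yml`. The `creates:` argument on the installer task keeps the playbook idempotent: once the binary exists the `command` is skipped instead of re-running the install on every pass.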

# Contributing
See [CONTRIBUTING.md](CONTRIBUTING.md)

--------------------------------------------------------------------------------
/ansible.cfg:
--------------------------------------------------------------------------------
[defaults]
inventory = hosts
roles_path = ./roles

--------------------------------------------------------------------------------
/module_docs.md:
--------------------------------------------------------------------------------
# Intelligence Gathering
## Fierce
**Module Author:** liam somerville (@leesoh)

**Last Updated:** 2017-06-10

**Original URL:** https://github.com/davidpepper/fierce-domain-scanner

Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It's really meant as a precursor to nmap, unicornscan, nessus, nikto, etc., since all of those require that you already know what IP space you are looking for. This does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily you will often find misconfigured networks that leak internal address space. That's especially useful in targeted malware.

# Vulnerability Analysis
## Kismet
**Module Author:** liam somerville (@leesoh)

**Last Updated:** 2017-06-10

**Original URL:** https://www.kismetwireless.net/index.shtml

Kismet is a wireless network detector, sniffer, and intrusion detection system. Kismet works predominantly with Wi-Fi (IEEE 802.11) networks, but can be expanded via plug-ins to handle other network types.

## onesixtyone
**Module Author:** liam somerville (@leesoh)

**Last Updated:** 2017-06-10

**Original URL:** https://github.com/trailofbits/onesixtyone

The approach taken by most SNMP scanners is to send the request, wait for n seconds and assume that the community string is invalid. If only 1 of every hundred scanned IP addresses responds to the SNMP request, the scanner will spend 99*n seconds waiting for replies that will never come. This makes traditional SNMP scanners very inefficient.

onesixtyone takes a different approach to SNMP scanning. It takes advantage of the fact that SNMP is a connectionless protocol and sends all SNMP requests as fast as it can. Then the scanner waits for responses to come back and logs them, in a fashion similar to Nmap ping sweeps.

## sslscan
**Module Author:** liam somerville (@leesoh)

**Last Updated:** 2017-06-10

**Original URL:** https://github.com/rbsec/sslscan.git

sslscan tests SSL/TLS enabled services to discover supported cipher suites.

# Post Exploitation
## CrackMapExec
**Module Author:** liam somerville (@leesoh)

**Last Updated:** 2017-06-10

**Original URL:** https://github.com/byt3bl33d3r/CrackMapExec

CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of 'Living off the Land': abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.

## Empire
**Module Author:** liam somerville (@leesoh)

**Last Updated:** 2017-06-10

**Original URL:** http://www.powershellempire.com/

Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

# Exploitation
## hashID
**Module Author:** liam somerville (@leesoh)

**Last Updated:** 2017-06-10

**Original URL:** https://github.com/psypanda/hashID

hashID is a tool written in Python 3 which supports the identification of over 220 unique hash types using regular expressions.

## Medusa
**Module Author:** liam somerville (@leesoh)

**Last Updated:** 2017-06-10

**Original URL:** http://foofus.net/goons/jmk/medusa/medusa.html

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers the following items as some of the key features of this application:

* Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
* Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
* Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

## Metasploit
**Module Author:** liam somerville (@leesoh)

**Last Updated:** 2017-06-10

**Original URL:** https://metasploit.com/

You might have heard of this one before...

## Responder
**Module Author:** liam somerville (@leesoh)

**Last Updated:** 2017-06-10

**Original URL:** https://github.com/lgandx/Responder

Responder is an LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

# Reporting
# Tunnels
## SSH Tunnel
**Module Author:** liam somerville (@leesoh)

**Last Updated:** 2017-07-17

**Original URL:** N/A

Creates an AutoSSH-powered SSH service that will persistently call home to the specified IP/host.

If priv_key is uncommented, it will upload the key to the target and use that to call home. If priv_key is not set, one will be generated and the corresponding public key downloaded to the files subfolder.

Since the most likely use for this is some sort of onsite dropbox, you'll likely not want to use a private key you use for other systems.

--------------------------------------------------------------------------------
/roles/autossh/tasks/autossh.yml:
--------------------------------------------------------------------------------
---
# Author: Liam Somerville (@leesoh)
# Date: 2017-05-21
# Description: Installs AutoSSH

- name: Install AutoSSH
  become: true
  when: ansible_os_family == "Debian"
  apt:
    name: autossh
    update_cache: yes
    state: latest

--------------------------------------------------------------------------------
/roles/autossh/tasks/main.yml:
--------------------------------------------------------------------------------
---
- include: autossh.yml
  tags: autossh

--------------------------------------------------------------------------------
/roles/common/defaults/main.yml:
--------------------------------------------------------------------------------
# Where local git repos live
git_location: /opt

--------------------------------------------------------------------------------
/roles/common/tasks/git.yml:
--------------------------------------------------------------------------------
---
- name: Install git
  become: true
  when: ansible_os_family == "Debian"
  apt:
    name: git
    update_cache: yes
    state: latest

--------------------------------------------------------------------------------
/roles/common/tasks/main.yml:
--------------------------------------------------------------------------------
---
- include: nmap.yml
  tags: nmap,common
- include: git.yml
  tags: git,common
- include: pip.yml
  tags: pip,common
- include: screen.yml
  tags: screen,common

--------------------------------------------------------------------------------
/roles/common/tasks/nmap.yml:
--------------------------------------------------------------------------------
---
- name: Install Nmap
  become: true
  when: ansible_os_family == "Debian"
  apt:
    name: nmap
    update_cache: yes
    state: latest

--------------------------------------------------------------------------------
/roles/common/tasks/pip.yml:
--------------------------------------------------------------------------------
---
- name: Install pip
  become: true
  when: ansible_os_family == "Debian"
  apt:
    name: python-pip
    update_cache: yes
    state: latest

- name: Update pip
  command: pip install --upgrade pip

--------------------------------------------------------------------------------
/roles/common/tasks/screen.yml:
--------------------------------------------------------------------------------
---
- name: Install screen
  become: true
  when: ansible_os_family == "Debian"
  apt:
    name: screen
    update_cache: yes
    state: latest

--------------------------------------------------------------------------------
/roles/crackmapexec/docs.json:
--------------------------------------------------------------------------------
{
  "module_name": "CrackMapExec",
  "module author": "liam somerville (@leesoh)",
  "updated": "2017-06-10",
  "category": "post-exploitation",
  "description": "CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of 'Living off the Land': abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.",
  "instructions": "Nothing special",
  "url": "https://github.com/byt3bl33d3r/CrackMapExec"
}

--------------------------------------------------------------------------------
/roles/crackmapexec/meta/main.yml:
--------------------------------------------------------------------------------
---
dependencies:
  - { role: virtualenv }

--------------------------------------------------------------------------------
/roles/crackmapexec/tasks/crackmapexec.yml:
--------------------------------------------------------------------------------
---
- name: Install CrackMapExec dependencies
  become: true
  when: ansible_os_family == "Debian"
  apt:
    name: "{{ item }}"
    state: present
    update_cache: yes
  with_items:
    - libssl-dev
    - libffi-dev
    - python-dev
    - build-essential

- name: Install CrackMapExec
  pip:
    name: crackmapexec
    virtualenv: "{{ venv_home }}/cme"

--------------------------------------------------------------------------------
/roles/crackmapexec/tasks/main.yml:
--------------------------------------------------------------------------------
---
- include: crackmapexec.yml
  tags: crackmapexec

--------------------------------------------------------------------------------
/roles/empire/docs.json:
--------------------------------------------------------------------------------
{
  "module_name": "Empire",
  "module author": "liam somerville (@leesoh)",
  "updated": "2017-06-10",
  "category": "post-exploitation",
  "description": "Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.",
  "instructions": "Nothing special",
  "url": "http://www.powershellempire.com/"
}

--------------------------------------------------------------------------------
/roles/empire/tasks/empire.yml:
--------------------------------------------------------------------------------
---
- name: Clone Empire
  become: true
  git:
    repo: https://github.com/EmpireProject/Empire.git
    dest: "{{ git_location }}/empire-git"
    update: yes

- name: Install Empire
  become: true
  environment:
    SETUP_KEY: "RANDOM"
  command: "{{ git_location }}/empire-git/setup/install.sh"

--------------------------------------------------------------------------------
/roles/empire/tasks/main.yml:
--------------------------------------------------------------------------------
---
- include: empire.yml
  tags: empire

--------------------------------------------------------------------------------
/roles/fierce/docs.json:
--------------------------------------------------------------------------------
{
  "module_name": "Fierce",
  "module author": "liam somerville (@leesoh)",
  "updated": "2017-06-10",
  "category": "intelligence-gathering",
  "description": "Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It's really meant as a precursor to nmap, unicornscan, nessus, nikto, etc., since all of those require that you already know what IP space you are looking for. This does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily you will often find misconfigured networks that leak internal address space. That's especially useful in targeted malware.",
  "instructions": "Nothing special",
  "url": "https://github.com/davidpepper/fierce-domain-scanner"
}

--------------------------------------------------------------------------------
/roles/fierce/tasks/fierce.yml:
--------------------------------------------------------------------------------
---
- name: Install dependencies
  become: true
  when: ansible_os_family == "Debian"
  apt:
    name: "{{ item }}"
    update_cache: yes
    state: latest
  with_items:
    - libnet-dns-perl

- name: Install fierce
  become: true
  git:
    repo: https://github.com/davidpepper/fierce-domain-scanner.git
    dest: "{{ git_location }}/fierce-git"
    update: yes

--------------------------------------------------------------------------------
/roles/fierce/tasks/main.yml:
--------------------------------------------------------------------------------
---
- include: fierce.yml
  tags: fierce

--------------------------------------------------------------------------------
/roles/hashid/docs.json:
--------------------------------------------------------------------------------
{
  "module_name": "hashID",
  "module author": "liam somerville (@leesoh)",
  "updated": "2017-06-10",
  "category": "exploitation",
  "description": "hashID is a tool written in Python 3 which supports the identification of over 220 unique hash types using regular expressions.",
  "instructions": "Nothing special",
  "url": "https://github.com/psypanda/hashID"
}

--------------------------------------------------------------------------------
/roles/hashid/tasks/hashid.yml:
--------------------------------------------------------------------------------
---
- name: Install hashID
  become: true
  git:
    repo: https://github.com/psypanda/hashID.git
    dest: "{{ git_location }}/hashid-git"
    update: yes

--------------------------------------------------------------------------------
/roles/hashid/tasks/main.yml:
--------------------------------------------------------------------------------
---
- include: hashid.yml
  tags: hashid

--------------------------------------------------------------------------------
/roles/kismet/docs.json:
--------------------------------------------------------------------------------
{
  "module_name": "Kismet",
  "module author": "liam somerville (@leesoh)",
  "updated": "2017-06-10",
  "category": "vulnerability-analysis",
  "description": "Kismet is a wireless network detector, sniffer, and intrusion detection system. Kismet works predominantly with Wi-Fi (IEEE 802.11) networks, but can be expanded via plug-ins to handle other network types.",
  "instructions": "Nothing special",
  "url": "https://www.kismetwireless.net/index.shtml"
}

--------------------------------------------------------------------------------
/roles/kismet/tasks/kismet.yml:
--------------------------------------------------------------------------------
---
- name: Install Kismet
  become: true
  when: ansible_os_family == "Debian"
  apt:
    name: kismet
    update_cache: yes
    state: latest

--------------------------------------------------------------------------------
/roles/kismet/tasks/main.yml:
--------------------------------------------------------------------------------
---
- include: kismet.yml
  tags: kismet

--------------------------------------------------------------------------------
/roles/medusa/docs.json:
--------------------------------------------------------------------------------
{
  "module_name": "Medusa",
  "module author": "liam somerville (@leesoh)",
  "updated": "2017-06-10",
  "category": "exploitation",
  "description": "Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers the following items as some of the key features of this application:\n\n* Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.\n* Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.\n* Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.",
  "instructions": "N/A",
  "url": "http://foofus.net/goons/jmk/medusa/medusa.html"
}

--------------------------------------------------------------------------------
/roles/medusa/tasks/main.yml:
--------------------------------------------------------------------------------
---
- include: medusa.yml
  tags: medusa

--------------------------------------------------------------------------------
/roles/medusa/tasks/medusa.yml:
--------------------------------------------------------------------------------
---
- name: Install Medusa
  become: true
  when: ansible_os_family == "Debian"
  apt:
    name: medusa
    update_cache: yes

--------------------------------------------------------------------------------
/roles/metasploit/docs.json:
--------------------------------------------------------------------------------
{
  "module_name": "Metasploit",
  "module author": "liam somerville (@leesoh)",
  "updated": "2017-06-10",
  "category": "exploitation",
  "description": "You might have heard of this one before...",
  "instructions": "Nothing special",
  "url": "https://metasploit.com/"
}

--------------------------------------------------------------------------------
/roles/metasploit/tasks/main.yml:
--------------------------------------------------------------------------------
---
- include: metasploit.yml
  tags: metasploit

--------------------------------------------------------------------------------
/roles/metasploit/tasks/metasploit.yml:
--------------------------------------------------------------------------------
# Author: Liam Somerville
# Date: 2017-05-29
# Description: Installs Metasploit
---
- name: Download Metasploit installer
  become: true
  get_url:
    url: https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb
    dest: /tmp/msfinstall
    mode: 0755

- name: Install Metasploit
  become: true
  command: /tmp/msfinstall

--------------------------------------------------------------------------------
/roles/onesixtyone/docs.json:
--------------------------------------------------------------------------------
{
  "module_name": "onesixtyone",
  "module author": "liam somerville (@leesoh)",
  "updated": "2017-06-10",
  "category": "vulnerability-analysis",
  "description": "The approach taken by most SNMP scanners is to send the request, wait for n seconds and assume that the community string is invalid. If only 1 of every hundred scanned IP addresses responds to the SNMP request, the scanner will spend 99*n seconds waiting for replies that will never come. This makes traditional SNMP scanners very inefficient.\n\nonesixtyone takes a different approach to SNMP scanning. It takes advantage of the fact that SNMP is a connectionless protocol and sends all SNMP requests as fast as it can. Then the scanner waits for responses to come back and logs them, in a fashion similar to Nmap ping sweeps.",
  "instructions": "Nothing special",
  "url": "https://github.com/trailofbits/onesixtyone"
}

--------------------------------------------------------------------------------
/roles/onesixtyone/tasks/main.yml:
--------------------------------------------------------------------------------
---
- include: onesixtyone.yml
  tags: onesixtyone

--------------------------------------------------------------------------------
/roles/onesixtyone/tasks/onesixtyone.yml:
--------------------------------------------------------------------------------
---
- name: Install onesixtyone
  become: true
  when: ansible_os_family == "Debian"
  apt:
    name: onesixtyone
    update_cache: yes
    state: latest

--------------------------------------------------------------------------------
/roles/responder/docs.json:
--------------------------------------------------------------------------------
{
  "module_name": "Responder",
  "module author": "liam somerville (@leesoh)",
  "updated": "2017-06-10",
  "category": "exploitation",
  "description": "Responder is an LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.",
  "instructions": "Nothing special.",
  "url": "https://github.com/lgandx/Responder"
}

--------------------------------------------------------------------------------
/roles/responder/tasks/main.yml:
--------------------------------------------------------------------------------
---
- include: responder.yml
  tags: responder

--------------------------------------------------------------------------------
/roles/responder/tasks/responder.yml:
--------------------------------------------------------------------------------
---
- name: Install Responder
  become:
true 4 | git: 5 | repo: https://github.com/lgandx/Responder.git 6 | dest: "{{ git_location }}/responder-git" 7 | update: yes -------------------------------------------------------------------------------- /roles/sslscan/docs.json: -------------------------------------------------------------------------------- 1 | { 2 | "module_name": "sslscan", 3 | "module author": "liam somerville (@leesoh)", 4 | "updated": "2017-06-10", 5 | "category": "vulnerability-analysis", 6 | "description": "sslscan tests SSL/TLS enabled services to discover supported cipher suites", 7 | "instructions": "Nothing special.", 8 | "url": "https://github.com/rbsec/sslscan.git" 9 | } -------------------------------------------------------------------------------- /roles/sslscan/meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependencies: 3 | - { role: common } -------------------------------------------------------------------------------- /roles/sslscan/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - include: sslscan.yml 3 | tags: sslscan -------------------------------------------------------------------------------- /roles/sslscan/tasks/sslscan.yml: -------------------------------------------------------------------------------- 1 | - name: Installing dependencies 2 | become: true 3 | when: ansible_os_family == "Debian" 4 | apt: 5 | name: "{{ item }}" 6 | update_cache: yes 7 | state: latest 8 | 9 | with_items: 10 | - build-essential 11 | - zlib1g-dev 12 | 13 | - name: Build dependencies 14 | become: true 15 | apt: 16 | pkg: openssl 17 | state: build-dep 18 | 19 | - name: Cloning repo 20 | become: true 21 | git: 22 | repo: https://github.com/rbsec/sslscan.git 23 | dest: "{{ git_location }}/sslscan-git" 24 | update: yes 25 | 26 | - name: Building sslscan 27 | become: true 28 | command: make static 29 | args: 30 | chdir: "{{ git_location }}/sslscan-git" 
-------------------------------------------------------------------------------- /roles/tunnel-dns-client/defaults/main.yml: -------------------------------------------------------------------------------- 1 | # Tunnel service parameters 2 | dnscat2_dest_domain: CHANGEME 3 | tunnel_name: tunnel-dns 4 | -------------------------------------------------------------------------------- /roles/tunnel-dns-client/docs.json: -------------------------------------------------------------------------------- 1 | { 2 | "module_name": "DNS Tunnel", 3 | "module author": "liam somerville (@leesoh)", 4 | "updated": "2017-07-25", 5 | "category": "tunnels", 6 | "description": "Creates an dnscat2-powered service that will persistently call home to the specified host.", 7 | "instructions": "", 8 | "url": "N/A" 9 | } -------------------------------------------------------------------------------- /roles/tunnel-dns-client/files/tunnel-dns.service.j2: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Reverse tunnel to {{ dnscat2_dest_domain }} over DNS 3 | After=network.target 4 | 5 | [Service] 6 | ExecStart={{ git_location }}/dnscat2-git/client/dnscat2 {{ dnscat2_dest_domain }} 7 | Restart=always 8 | 9 | [Install] 10 | WantedBy=multi-user.target 11 | -------------------------------------------------------------------------------- /roles/tunnel-dns-client/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - include: tunnel-dns-client.yml 3 | tags: tunnel-dns-client 4 | 5 | - include: tunnel-dns-client-service.yml 6 | tags: tunnel-dns-client -------------------------------------------------------------------------------- /roles/tunnel-dns-client/tasks/tunnel-dns-client-service.yml: -------------------------------------------------------------------------------- 1 | # Author: Liam Somerville 2 | # Date: 2017-06-09 3 | # Description: Configures dnscat2 as a systemd service 4 | 
--- 5 | - name: "Configure dnscat2 tunnel to {{ dnscat2_dest_domain }}" 6 | become: true 7 | template: 8 | src: "../files/{{ tunnel_name }}.service.j2" 9 | dest: "/etc/systemd/system/{{ tunnel_name }}.service" 10 | 11 | - name: "Set dnscat2 tunnel to auto-start" 12 | become: true 13 | service: 14 | name: "{{ tunnel_name }}" 15 | enabled: yes 16 | state: restarted -------------------------------------------------------------------------------- /roles/tunnel-dns-client/tasks/tunnel-dns-client.yml: -------------------------------------------------------------------------------- 1 | # Author: Liam Somerville 2 | # Date: 2017-06-09 3 | # Description: Installs dnscat2 4 | --- 5 | - name: Clone dnscat2 6 | become: true 7 | git: 8 | repo: https://github.com/iagox86/dnscat2.git 9 | dest: "{{ git_location }}/dnscat2-git" 10 | update: yes 11 | 12 | - name: Build dnscat2 13 | become: true 14 | make: 15 | chdir: "{{ git_location }}/dnscat2-git/client" -------------------------------------------------------------------------------- /roles/tunnel-dns-server/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - include: tunnel-dns-server.yml 3 | tags: tunnel-dns-server -------------------------------------------------------------------------------- /roles/tunnel-dns-server/tasks/tunnel-dns-server.yml: -------------------------------------------------------------------------------- 1 | # Author: 2 | # Date: 3 | # Description: 4 | --- 5 | - name: Install dependencies 6 | become: true 7 | when: ansible_os_family == "Debian" 8 | apt: 9 | name: ruby-dev 10 | update_cache: yes 11 | state: latest 12 | 13 | - name: Clone dnscat2 14 | become: true 15 | git: 16 | repo: https://github.com/iagox86/dnscat2.git 17 | dest: "{{ git_location }}/dnscat2-git" 18 | update: yes 19 | 20 | - name: Install dnscat2 server 21 | become: true 22 | args: 23 | chdir: "{{ git_location }}/dnscat2-git/server" 24 | command: "{{ item }}" 25 | with_items: 26 | 
- gem install salsa20 -v ‘0.1.1' 27 | - gem install bundler 28 | - bundle install 29 | -------------------------------------------------------------------------------- /roles/tunnel-ssh-client/defaults/main.yml: -------------------------------------------------------------------------------- 1 | # AutoSSH parameters 2 | server_alive_int: 30 3 | server_alive_count: 3 4 | 5 | # Tunnel service parameters 6 | autossh_dest: CHANGEME 7 | autossh_dest_port: 2222 8 | autossh_int_port: 31337 9 | autossh_user: CHANGEME 10 | tunnel_name: tunnel-ssh 11 | ssh_keyfile: id_rsa 12 | 13 | # Uncomment if you wish to provide the local path to your own private key for uploading 14 | #priv_key: ../files/id_rsa.pub -------------------------------------------------------------------------------- /roles/tunnel-ssh-client/docs.json: -------------------------------------------------------------------------------- 1 | { 2 | "module_name": "SSH Tunnel", 3 | "module author": "liam somerville (@leesoh)", 4 | "updated": "2017-07-17", 5 | "category": "tunnels", 6 | "description": "Creates an AutoSSH-powered SSH service that will persistently call home to the specified IP/host.\n\nIf priv_key is uncommented, it will upload the key to the target and use that to call home. 
If priv_key is not set, one will be generated and the corresponding public key downloaded to the files subfolder.\n\nSince the most likely use for this is some sort of onsite dropbox, you'll likely not want to use a private key you use for other systems.", 7 | "instructions": "", 8 | "url": "N/A" 9 | } -------------------------------------------------------------------------------- /roles/tunnel-ssh-client/files/tunnel-ssh.service.j2: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Reverse tunnel to {{ autossh_dest }} over SSH 3 | After=network.target 4 | 5 | [Service] 6 | User={{ autossh_user }} 7 | Environment="AUTOSSH_GATETIME=0" 8 | ExecStart=/usr/bin/autossh -M 0 -NTq -F {{ ansible_env.HOME }}/.ssh/config {{ tunnel_name }} 9 | Restart=always 10 | 11 | [Install] 12 | WantedBy=multi-user.target 13 | -------------------------------------------------------------------------------- /roles/tunnel-ssh-client/meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependencies: 3 | - { role: autossh } -------------------------------------------------------------------------------- /roles/tunnel-ssh-client/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - include: tunnel-ssh-service.yml 3 | tags: tunnel-ssh-client 4 | 5 | - include: tunnel-ssh-keys.yml 6 | tags: tunnel-ssh-client 7 | -------------------------------------------------------------------------------- /roles/tunnel-ssh-client/tasks/tunnel-ssh-keys.yml: -------------------------------------------------------------------------------- 1 | # Author: Liam Somerville 2 | # Date: 2017-05-22 3 | # Description: Generates or uploads key material for communications 4 | --- 5 | - name: Create RSA keypair ({{ ssh_keyfile }}) 6 | when: priv_key is undefined 7 | command: "ssh-keygen -t rsa -f {{ ansible_env.HOME }}/.ssh/{{ ssh_keyfile }} -N '' -q" 8 | 
9 | - name: Copy public key from target 10 | when: priv_key is undefined 11 | fetch: 12 | src: "{{ ansible_env.HOME }}/.ssh/{{ ssh_keyfile }}.pub" 13 | dest: "roles/{{ tunnel_name }}/files/{{ ssh_keyfile }}.pub" 14 | flat: yes 15 | 16 | - name: Upload private key to target ({{ priv_key }}) 17 | when: priv_key is defined 18 | copy: 19 | src: "{{ priv_key }}" 20 | dest: "{{ ansible_env.HOME }}/.ssh/{{ ssh_keyfile }}" -------------------------------------------------------------------------------- /roles/tunnel-ssh-client/tasks/tunnel-ssh-service.yml: -------------------------------------------------------------------------------- 1 | # Author: Liam Somerville 2 | # Date: 2017-05-22 3 | # Description: Creates an AutoSSH service that tunnels back to the IP specified in the service config. Thanks to https://www.everythingcli.org/ssh-tunnelling-for-fun-and-profit-autossh/ 4 | --- 5 | - name: "Create ssh config" 6 | blockinfile: 7 | create: yes 8 | name: "{{ ansible_env.HOME }}/.ssh/config" 9 | insertafter: EOF 10 | block: | 11 | Host {{ tunnel_name }} 12 | HostName {{ autossh_dest }} 13 | User {{ autossh_user }} 14 | Port {{ autossh_dest_port }} 15 | IdentityFile {{ ansible_env.HOME }}/.ssh/{{ ssh_keyfile }} 16 | RemoteForward {{ autossh_int_port }} localhost:22 17 | ServerAliveInterval 30 18 | ServerAliveCountMax 3 19 | StrictHostKeyChecking no 20 | 21 | - name: "Configure AutoSSH tunnel (22:{{ autossh_dest_port }}:{{ autossh_dest }}:{{ autossh_int_port }})" 22 | become: true 23 | template: 24 | src: "../files/{{ tunnel_name }}.service.j2" 25 | dest: "/etc/systemd/system/{{ tunnel_name }}.service" 26 | 27 | - name: "Set AutoSSH tunnel to auto-start" 28 | become: true 29 | service: 30 | name: "{{ tunnel_name }}" 31 | enabled: yes 32 | state: restarted -------------------------------------------------------------------------------- /roles/virtualenv/defaults/main.yml: -------------------------------------------------------------------------------- 1 | # Where your 
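A hardened counterpart to the ssh config stanza the tunnel-ssh-client role writes, as an added shell example that is not part of the YAMS repository: it pins the server's host key in a dedicated known_hosts file instead of setting StrictHostKeyChecking no, and lints a stanza for that setting together with the mode of the IdentityFile it points at (the role's ssh-keygen and copy tasks leave key permissions to the umask). The function names, the 203.0.113.10 address and the host-key string are constructed placeholders, not values from the roles.

```shell
#!/bin/sh
# Added example, not part of the YAMS repository. Renders the call-home stanza
# with the server key pinned, and lints a stanza the way a reviewer would before
# shipping a dropbox. Addresses, user names and the host key are constructed.
set -eu

# render_tunnel_stanza NAME DEST USER PORT IDENTITY KNOWN_HOSTS FWD_PORT
# Same fields as the role's blockinfile block, but the server's key is checked
# against a dedicated known_hosts file rather than accepted blindly.
render_tunnel_stanza() {
    printf 'Host %s\n' "$1"
    printf '  HostName %s\n' "$2"
    printf '  User %s\n' "$3"
    printf '  Port %s\n' "$4"
    printf '  IdentityFile %s\n' "$5"
    printf '  RemoteForward %s localhost:22\n' "$7"
    printf '  ServerAliveInterval 30\n  ServerAliveCountMax 3\n'
    printf '  UserKnownHostsFile %s\n' "$6"
    printf '  StrictHostKeyChecking yes\n'
}

# pin_host_key KNOWN_HOSTS DEST PORT "KEYTYPE BASE64"
# ssh stores keys for non-default ports as "[host]:port keytype base64". The
# key line has to come from the server operator out of band, not from a scan.
pin_host_key() {
    printf '[%s]:%s %s\n' "$2" "$3" "$4" >> "$1"
    chmod 600 "$1"
}

# lint_ssh_config FILE: prints one "WEAK: ..." line per finding
lint_ssh_config() {
    if grep -Eiq '^[[:space:]]*StrictHostKeyChecking[[:space:]]+no' "$1"; then
        echo "WEAK: StrictHostKeyChecking no lets any host impersonate the call-home server"
    fi
    if ! grep -Eiq '^[[:space:]]*UserKnownHostsFile[[:space:]]' "$1"; then
        echo "WEAK: no UserKnownHostsFile, so there is no pinned server key to check against"
    fi
    # A private key readable by other users is also refused by ssh itself.
    for key in $(awk 'tolower($1)=="identityfile" {print $2}' "$1"); do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
        case "$mode" in
            600|400) ;;
            *) echo "WEAK: $key is mode $mode, private key readable by other users" ;;
        esac
    done
}

# count_weak_settings FILE: number of findings (0 means the stanza passed)
count_weak_settings() {
    lint_ssh_config "$1" | grep -c '^WEAK:' || true
}

# Demo on constructed files in a scratch directory: the stanza as the role ships
# it versus the hardened one. 203.0.113.10 is a documentation-range address.
demo_dir=$(mktemp -d)
(umask 077; : > "$demo_dir/id_ed25519")               # key created with a safe mode
: > "$demo_dir/id_rsa"; chmod 644 "$demo_dir/id_rsa"  # key left world-readable
cat > "$demo_dir/config.weak" <<EOF
Host tunnel-ssh
  HostName 203.0.113.10
  User tunnel
  Port 2222
  IdentityFile $demo_dir/id_rsa
  RemoteForward 31337 localhost:22
  StrictHostKeyChecking no
EOF
pin_host_key "$demo_dir/known_hosts" 203.0.113.10 2222 \
    "ssh-ed25519 CHANGEME-paste-the-servers-real-public-host-key"
render_tunnel_stanza tunnel-ssh 203.0.113.10 tunnel 2222 \
    "$demo_dir/id_ed25519" "$demo_dir/known_hosts" 31337 > "$demo_dir/config.hardened"
lint_ssh_config "$demo_dir/config.weak"        # three findings
lint_ssh_config "$demo_dir/config.hardened"    # prints nothing
```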
virtualenv environments live 2 | venv_home: "{{ ansible_env.HOME }}/.virtualenvs" 3 | -------------------------------------------------------------------------------- /roles/virtualenv/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - include: virtualenv.yml 3 | tags: virtualenv -------------------------------------------------------------------------------- /roles/virtualenv/tasks/virtualenv.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Install virtualenv 3 | become: true 4 | when: ansible_os_family == "Debian" 5 | apt: 6 | name: virtualenv 7 | update_cache: yes 8 | state: latest 9 | 10 | - name: Install virtualenvwrapper 11 | become: true 12 | pip: 13 | name: virtualenvwrapper 14 | 15 | - name: Add virtualenvwrapper to .bashrc 16 | when: ansible_user_shell == "/bin/bash" 17 | blockinfile: 18 | create: yes 19 | name: "{{ ansible_env.HOME }}/.bashrc" 20 | insertafter: EOF 21 | block: | 22 | export WORKON_HOME={{ venv_home }} 23 | source /usr/local/bin/virtualenvwrapper.sh 2>/dev/null -------------------------------------------------------------------------------- /sample.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # A headless hacking tool playbook for Debian-based systems. 3 | - hosts: yams_targets 4 | remote_user: liam 5 | roles: 6 | - common 7 | - crackmapexec 8 | - empire 9 | - fierce 10 | - hashid 11 | - kismet 12 | - medusa 13 | - metasploit 14 | - onesixtyone 15 | - responder 16 | - tunnel-ssh-client -------------------------------------------------------------------------------- /scripts/doctor.py: -------------------------------------------------------------------------------- 1 | """ 2 | This script parses the docs.json file from all YAMS modules and then creates a 3 | single Markdown file. Each module is categorized using PTES phases. 
4 | """ 5 | 6 | import json 7 | import os 8 | 9 | # Get the parent directory 10 | root_dir = os.path.dirname(os.getcwd()) 11 | doc_filename = 'docs.json' 12 | module_doc = os.path.join(root_dir, 'module_docs.md') 13 | doc_dic = { 14 | 'intelligence-gathering': [], 15 | 'vulnerability-analysis': [], 16 | 'post-exploitation': [], 17 | 'exploitation': [], 18 | 'reporting': [], 19 | 'tunnels': [] 20 | } 21 | 22 | 23 | def json_to_dict(json_file): 24 | """ 25 | Takes JSON file and returns a dict 26 | """ 27 | with open(json_file, 'r') as f: 28 | try: 29 | data = json.load(f) 30 | return data 31 | except Exception as err: 32 | print('[-] Failed to load JSON: {0}'.format(err)) 33 | 34 | 35 | def generate_doc(doc_dic): 36 | """ 37 | Takes in the dict containing all docs, parses it, then generates beautiful 38 | Markdowny documentation 39 | """ 40 | module_string = '' 41 | for category in doc_dic: 42 | print('[*] Now processing {0}'.format(category)) 43 | nice_title = category.replace('-', ' ').title() 44 | module_string += '# ' + nice_title + '\n' 45 | for module in doc_dic[category]: 46 | print('[*] Now processing {0}'.format(module['module_name'])) 47 | module_string += dict_to_md(module) 48 | print('[*] Writing results to {0}'.format(module_doc)) 49 | with open(module_doc, 'a') as f: 50 | f.write(module_string) 51 | f.write('\n') 52 | 53 | 54 | def dict_to_md(dict): 55 | """ 56 | Parses a dict into Markdown 57 | """ 58 | print('[*] Parsing documentation for {0}'.format(dict['module_name'])) 59 | module_md = '## ' + dict['module_name'] + '\n' 60 | module_md += '**Module Author:** ' + dict['module author'] + '\n\n' 61 | module_md += '**Last Updated:** ' + dict['updated'] + '\n\n' 62 | module_md += '**Original URL:** ' + dict['url'] + '\n\n' 63 | module_md += dict['description'] + '\n' 64 | module_md += '\n' 65 | return module_md 66 | 67 | 68 | def main(): 69 | try: 70 | os.remove(module_doc) 71 | print('[*] Overwriting old module documentation') 72 | except Exception: 73 
| print('[-] Old documentation not found') 74 | pass 75 | 76 | print('[*] Herding documentation') 77 | for root, directories, filenames in os.walk(root_dir): 78 | for filename in filenames: 79 | if filename == doc_filename: 80 | filepath = os.path.join(root, filename) 81 | print('[+] Found docs: {0}'.format(filepath)) 82 | dict = json_to_dict(filepath) 83 | if dict['category'] == 'intelligence-gathering': 84 | doc_dic['intelligence-gathering'].append(dict) 85 | elif dict['category'] == 'vulnerability-analysis': 86 | doc_dic['vulnerability-analysis'].append(dict) 87 | elif dict['category'] == 'exploitation': 88 | doc_dic['exploitation'].append(dict) 89 | elif dict['category'] == 'post-exploitation': 90 | doc_dic['post-exploitation'].append(dict) 91 | elif dict['category'] == 'reporting': 92 | doc_dic['reporting'].append(dict) 93 | elif dict['category'] == 'tunnels': 94 | doc_dic['tunnels'].append(dict) 95 | generate_doc(doc_dic) 96 | 97 | 98 | if __name__ == '__main__': 99 | main() 100 | -------------------------------------------------------------------------------- /scripts/roller.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | if [ $# -eq 0 ]; then 3 | echo "Usage: ./roller.sh " 4 | exit 1 5 | fi 6 | 7 | if [ -d ../roles/$1 ]; then 8 | echo "[-] Directory already exists!" 9 | exit 1 10 | fi 11 | 12 | echo "[*] Creating folders" 13 | mkdir -p ../roles/$1/tasks 14 | 15 | echo "[*] Creating files" 16 | 17 | cat > ../roles/$1/tasks/main.yml < ../roles/$1/tasks/$1.yml < ../roles/$1/docs.json <", 32 | "updated": "CHANGEME", 33 | "category": "[intelligence-gathering|vulnerability-analysis|exploitation|post-exploitation|reporting|tunnels]", 34 | "description": "CHANGEME", 35 | "instructions": "Nothing special.", 36 | "url": "https://CHANGEME" 37 | } 38 | EOF 39 | 40 | echo "[+] Work complete!" 
41 | -------------------------------------------------------------------------------- /templates/docs.template.json: -------------------------------------------------------------------------------- 1 | { 2 | "module_name": "Fake Maker", 3 | "module author": "your name (@wherever)", 4 | "updated": "2017-06-10", 5 | "category": "post-exploitation", 6 | "description": "This is a shortish description describing what your tool does. It could wrap over a few lines, but it's hard to say for sure.", 7 | "instructions": "1. Clone the repo\n2. Run a few things\n3. Sweat a bit\n4. Sacrifice a chicken.\nThen you should be mostly good to go.", 8 | "url": "URL to the source" 9 | } -------------------------------------------------------------------------------- /templates/hosts.template: -------------------------------------------------------------------------------- 1 | # Defines groups of targets. Modify and save as "hosts". Playbooks can target hosts or groups. 2 | [yams_targets] 3 | ansible_host= ansible_port=22 4 | --------------------------------------------------------------------------------