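├── targets.txt
├── pubs
    └── example.pub
├── .gitignore
├── README.md
├── files
    ├── chruby.sh
    └── dotfile_screenrc.txt
├── templates
    ├── database.yml.j2
    ├── mount.sh.j2
    └── msfconfig.yml.j2
├── ec2prep.playbook
├── roles
    └── swap
    │   └── tasks
    │       └── main.yml
├── LICENSE
└── attackbox.playbook


/targets.txt:
--------------------------------------------------------------------------------
[attack]
192.168.1.100

--------------------------------------------------------------------------------
/pubs/example.pub:
--------------------------------------------------------------------------------
This is where crypto goes...
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Ansible
*.retry
# credentials/ receives the per-host passwords written in cleartext by the
# `password` lookups in attackbox.playbook; it must never be committed.
credentials/*
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# attackbox
Ansible scripts to build an attack box

--------------------------------------------------------------------------------
/files/chruby.sh:
--------------------------------------------------------------------------------
source /usr/local/share/chruby/chruby.sh
chruby ruby
--------------------------------------------------------------------------------
/templates/database.yml.j2:
--------------------------------------------------------------------------------
production:
  adapter: postgresql
  database: msf
  username: msf
  password: {{ msfdbpass }}
  host: 127.0.0.1
  port: 5432
  pool: 75
  timeout: 5
--------------------------------------------------------------------------------
/templates/mount.sh.j2:
--------------------------------------------------------------------------------
#!/bin/bash

# Rendered with the eCryptFS passphrase in cleartext; keep this script readable by root only.
mount -t ecryptfs -o key=passphrase:passphrase_passwd={{ ecryptpass }},user,noauto,exec,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs,ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig={{ password_hash.stdout }},verbosity=0 /opt/ /opt/
--------------------------------------------------------------------------------
/files/dotfile_screenrc.txt:
--------------------------------------------------------------------------------
defshell -bash
startup_message off
multiuser on
defscrollback 10000
logfile /opt/logs/$USER-screenlog.%H.%n.%Y%m%d-%0c:%s.%t.log
logfile flush 5
logtstamp on
deflog on
defmonitor on
caption always "%{= gk}%-Lw%{= bW}%50> %n%f* %t %{-}%+Lw%< %= %{= rk} %H %l %{= gk} %0c:%s %{-}"
defutf8 on
activity "Activity in %t(%n)"
screen -t msf 0
screen -t empire 1
screen -t impacket 2
--------------------------------------------------------------------------------
/ec2prep.playbook:
--------------------------------------------------------------------------------
---
# Prepares a host in the `ec2prep` group (connecting as `ubuntu` with sudo) for
# key-based root SSH: turns off password authentication, enables root login,
# restarts sshd and installs the public key(s) listed under with_file.
- name: AnisblePrep-EC2
  hosts: ec2prep
  remote_user: ubuntu
  sudo: yes

  tasks:

    - name: Disallow Password Login
      lineinfile: dest=/etc/ssh/sshd_config regexp="^PasswordAuthentication" line="PasswordAuthentication no" state=present

    # With PasswordAuthentication set to "no" above, root can only log in with a key
    # once sshd restarts. NOTE(review): presumably needed because attackbox.playbook
    # writes under /root and sets no remote_user or sudo - confirm; a key-only
    # PermitRootLogin value would state that intent directly in sshd_config.
    - name: Allow root SSH access
      lineinfile: dest=/etc/ssh/sshd_config regexp="^PermitRootLogin" line="PermitRootLogin yes" state=present

    - name: Restart sshd
      service:
        name: 'ssh'
        state: 'restarted'

    # pubs/example.pub ships as a placeholder line of text, not a key; replace it
    # with the operator's real public key before running this play.
    - name: Set up authorized_keys for the root user
      authorized_key: user=root key="{{ item }}"
      with_file:
        - pubs/example.pub



--------------------------------------------------------------------------------
/roles/swap/tasks/main.yml:
--------------------------------------------------------------------------------
# Creates, formats and enables a swap file of size `swap_space` at
# /mnt/<swap_space>.swap, registers it in /etc/fstab and sets vm.swappiness to 1.
# NOTE(review): the swap file is not encrypted, while attackbox.playbook puts
# /opt behind eCryptFS; data from processes working in /opt can still be paged
# out in cleartext. swappiness=1 makes that less likely, it does not prevent it.
- name: set swap_file variable
  set_fact:
    swap_file: /mnt/{{ swap_space }}.swap

- name: check if swap file exists
  stat:
    path: "{{ swap_file }}"
  register: swap_file_check

- name: create swap file
  command: fallocate -l {{ swap_space }} {{ swap_file }}
  when: not swap_file_check.stat.exists

- name: set permissions on swap file
  file:
    path: "{{ swap_file }}"
    mode: 0600

- name: format swap file
  command: mkswap {{ swap_file }}
  when: not swap_file_check.stat.exists

- name: add to fstab
  lineinfile:
    dest: /etc/fstab
    regexp: "{{ swap_file }}"
    line: "{{ swap_file }} none swap sw 0 0"

- name: turn on swap
  command: swapon -a

- name: set swapiness
  sysctl:
    name: vm.swappiness
    value: "1"
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2016 R5 Industries LLC

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/templates/msfconfig.yml.j2:
--------------------------------------------------------------------------------
[framework/core]
Prompt=%whi%T %blu%H %red%L %grnS:%S %yelJ:%J%whi
ConsoleLogging=true
LogLevel=3
SessionLogging=true
TimestampOutput=true


[framework/ui/console]
ActiveModule=exploit/multi/script/web_delivery

[multi/script/web_delivery]
Payload=windows/meterpreter/reverse_https
VERBOSE=false
EnableContextEncoding=false
DisablePayloadHandler=false
Powershell::persist=false
Powershell::strip_comments=true
Powershell::strip_whitespace=false
Powershell::sub_vars=false
Powershell::sub_funcs=false
Powershell::method=reflection
SSL=true
SRVHOST=0.0.0.0
SRVPORT=443
SSLCompression=false
TCP::max_send_size=0
TCP::send_delay=0
HTTP::chunked=false
HTTP::header_folding=false
HTTP::junk_headers=false
HTTP::compression=none
HTTP::server_name=Apache
LPORT=443
LHOST={{ inventory_hostname }}
TARGET=2
EnableStageEncoding=true
URIPATH=/register

[multi/handler]
Payload=windows/meterpreter/reverse_https
LPORT=443
LHOST={{ inventory_hostname }}
EnableStageEncoding=true
ExitOnSession=false

[server/socks4a]
SRVHOST=127.0.0.1
SRVPORT=9050
--------------------------------------------------------------------------------
/attackbox.playbook:
--------------------------------------------------------------------------------
---
# Provisions the hosts in the `attack` inventory group: adds a swap file,
# installs build dependencies and tools through apt and pip, layers eCryptFS
# over /opt, sets up PostgreSQL and the Metasploit configuration, and clones a
# set of tool repositories into /opt.
- name: Setup Attack Box
  hosts: attack

  roles:
    - { role: swap, swap_space: '4g'}

  vars:
    # Per-host secrets. The password lookup generates each value on first use and
    # stores it in cleartext under credentials/<inventory_hostname>/ on the control
    # machine (git-ignored); protect that directory like any other key material.
    # Letters only - presumably so the values need no quoting where they are
    # interpolated into shell commands and mount options below.
    ecryptpass: "{{ lookup('password', 'credentials/' + inventory_hostname + '/ecryptfs.txt length=30 chars=ascii_letters') }}"
    msfdbpass: "{{ lookup('password', 'credentials/' + inventory_hostname + '/msfdbpass.txt length=30 chars=ascii_letters') }}"

  tasks:

    # pubs/example.pub ships as a placeholder; replace it with a real public key.
    - name: Set up authorized_keys for the root user
      authorized_key: user=root key="{{ item }}"
      with_file:
        - pubs/example.pub

    - name: Warn on old version of Kali
      when: ansible_distribution_release == "moto"
      fail: msg="Unsupported version of Kali Linux - please upgrade to Sana (2.0)"

    - name: Add non-free Debian repos
      when: ansible_distribution == "Debian"
      apt_repository: repo='deb http://http.debian.net/debian {{ ansible_distribution_release }} non-free' state=present
      register: nonfree

    - name: Install Multiverse in AWS-Ubuntu
      apt_repository: repo="{{item}}"
      register: multiverse_installed
      when: ansible_distribution == 'Ubuntu'
      with_items:
        - 'deb http://archive.ubuntu.com/ubuntu {{ansible_distribution_release}} multiverse'
        - 'deb-src http://archive.ubuntu.com/ubuntu {{ansible_distribution_release}} multiverse'
        - 'deb http://archive.ubuntu.com/ubuntu {{ansible_distribution_release}}-updates multiverse'
        - 'deb-src http://archive.ubuntu.com/ubuntu {{ansible_distribution_release}}-updates multiverse'


    - name: Update apt cache
      apt: update_cache=yes

    - name: Install non-free APT-available Tools
      apt: name={{item}} state=present
      when: nonfree|success
      with_items:
        - rar

    - name: Install Libraries and Deps
      apt: name={{item}} state=present
      with_items:
        - build-essential
        - autoconf
        - curl
        - ntpdate
        - ecryptfs-utils #ecryptfs
        - libffi-dev #chruby
        - libgdbm-dev #chruby
        - libncurses5-dev #chruby
        - libreadline-dev # chruby
        - libssl-dev #chruby
        - libyaml-dev #chruby
        - zlib1g-dev #chruby
        - libpq-dev # Metasploit
        - libpcap-dev # Metasploit
        - libsqlite3-dev # Metasploit
        - sudo # Metasploit database setup
        - python-psycopg2 # For Metasploit database setup
        - mingw32 # For Nanomet building and win bins
        - mingw-w64 # For Nanomet 64bit
        - python-colorama #Empire
        - python-distlib #Empire
        - python-html5lib #Empire
        - python-wheel #Empire
        - libexpat1-dev #Empire
        - libpython-dev #Empire
        - libpython2.7 #Empire
        - python-dev #Empire
        - python-chardet
        - python-enum34 #Empire
        - python-openssl #Empire
        - python-pip #Empire
        - python-pkg-resources #Empire
        - python-ply #Empire
        - python-pycparser #Empire
        - python-requests #Empire
        - python-setuptools #Empire
        - python-support #Empire
        - python-urllib3 #Empire
        - swig #Empire
        - python-m2crypto #Empire
        - python-crypto #Impacket
        - python-pyasn1 #Impacket
        - libcrypt-ssleay-perl # padBuster
        - libjpeg-dev # mitmproxy
        - python-imaging # mitmproxy
        - libxml2 # mitmproxy
        - libxslt1-dev # mitmproxy

    - name: PIP Install Libraries
      pip: name={{item}} state=present
      with_items:
        - trufflehog # truffleHog
        - ldapdomaindump # ldapdomaindump
        - cffi # Empire
        - pycrypto # Empire and Impacket
        - iptools # Empire
        - pydispatcher # Empire
        - ndg-httpsclient # Empire
        - cryptography # Empire
        - passlib # mitmproxy
        - pyasn1 # mitmproxy
        - pyOpenSSL # mitmproxy
        # - mitmproxy # "pip install --upgrade cffi" will fix things if this breaks

    - name: Install APT-available Tools
      apt: name={{item}} state=present
      with_items:
        - cadaver
        - smbclient
        - cifs-utils
        - nfs-common
        - git
        - subversion
        - libnet-ssleay-perl
        - mysql-client
        - lsof
        - iptstate
        - upx-ucl
        - ldap-utils
        - screen
        - tmux
        - tcpdump
        - htop
        - sqlite3
        - dnsutils
        - polipo
        - proxychains
        - whois

    - name: Copy over .screenrc
      copy: src=files/dotfile_screenrc.txt dest=/root/.screenrc

    # Disable listening services that we don't need

    - name: Stop RPCBind
      when: ansible_distribution == "Debian"
      service: name=rpcbind state=stopped enabled=no

    # Renamed from "Start NFS-Common": the task stops and disables the service.
    - name: Stop NFS-Common
      when: ansible_distribution == "Debian"
      service: name=nfs-common state=stopped enabled=no

    ##### eCryptFS Setup

    - name: Check for already created but unmount drive
      shell: ls /opt/
      register: ecryptunmounted

    # The df output is searched below to decide whether /opt is already mounted.
    - name: Check for already created but mounted drive
      shell: df -h
      register: ecryptmounted

    - name: Create /opt/ directory
      file: path=/opt/ owner=root group=root mode=0755 state=directory

    # Registers the key signature printed by ecryptfs-add-passphrase (the text
    # between the square brackets) for use as ecryptfs_fnek_sig.
    # no_log keeps the rendered command, which embeds the passphrase, out of
    # Ansible's output and the module log on the target.
    - name: Add encryption password to keyring
      shell: 'printf "%s" "{{ ecryptpass }}" | ecryptfs-add-passphrase | grep -o "\[.*\]" | sed "s/\[//g;s/\]//g"'
      register: password_hash
      when: (ecryptmounted.stdout.find('ECRYPTFS') == -1 and ecryptmounted.stdout.find('/opt') == -1)
      no_log: true

    # NOTE(review): the passphrase is passed as a mount option, so it is part of the
    # command line while mount runs. mount.ecryptfs also accepts
    # passphrase_passwd_file=, which would keep it out of the argument list -
    # confirm against the installed ecryptfs-utils before switching.
    - name: Mount eCryptFS drive
      shell: "mount -t ecryptfs -o key=passphrase:passphrase_passwd={{ ecryptpass }},user,noauto,exec,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs,ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig={{ password_hash.stdout }},verbosity=0 /opt/ /opt/"
      when: (ecryptmounted.stdout.find('ECRYPTFS') == -1 and ecryptmounted.stdout.find('/opt') == -1)
      no_log: true

    - stat: path=/root/mountecrypt.sh
      register: eCryptFSmountscript

    # The rendered script holds the passphrase in cleartext, so it is installed
    # owner-only (was 0770) and kept out of --diff and log output. A script that
    # already exists is left as it is, including its old mode.
    - name: Create eCryptFS mount script
      when: eCryptFSmountscript.stat.exists == False
      template: src=./templates/mount.sh.j2 dest=/root/mountecrypt.sh mode=0700
      no_log: true

    ##### Create Logs Directory

    - name: Create logs directory
      file: path=/opt/logs/ state=directory

    ##### Metasploit
    - name: Install PostgreSQL for Metasploit
      apt: name=postgresql state=present
      register: postgres_install

    - name: Start PostgreSQL
      service: name=postgresql state=started enabled=yes

    # NOTE(review): every `git:` task in this play checks out whatever the remote's
    # default branch points to at run time, and several checkouts are then built or
    # installed on the box. Pinning each one with the module's `version=` parameter
    # to a reviewed tag or commit would make the build reproducible and auditable.
    - name: Clone Metasploit
      git: repo=https://github.com/rapid7/metasploit-framework.git dest=/opt/metasploit-framework
      register: msf

    # slurp returns the file base64-encoded; later tasks decode and trim it.
    - name: Pull MSF Ruby Version
      slurp: src=/opt/metasploit-framework/.ruby-version
      register: rubyversion

    ##### ruby-install
    - name: Clone ruby-install
      git: repo=https://github.com/postmodern/ruby-install.git dest=/opt/ruby-install
      register: rubyinstall

    - name: Install Ruby-Install
      #when: rubyinstall.changed
      shell: "make install"
      args:
        chdir: /opt/ruby-install
        executable: "/bin/bash"
        creates: "/usr/local/bin/ruby-install"

    - name: Install MSF version of Ruby
      when: rubyinstall.changed
      shell: "ruby-install ruby {{ rubyversion.content | b64decode | trim }}"
      args:
        chdir: /opt/ruby-install
        executable: "/bin/bash"
        creates: "/usr/local/src/ruby-{{ rubyversion.content | b64decode | trim }}/bin/rake"

    ##### chruby
    - name: Clone chruby
      git: repo=https://github.com/postmodern/chruby.git dest=/opt/chruby
      register: chruby

    - name: Install Chruby
      #when: chruby.changed
      shell: "{{ item }}"
      args:
        chdir: /opt/chruby
        executable: "/bin/bash"
        creates: "/usr/local/share/chruby/chruby.sh"
      with_items:
        - make install
        - source /usr/local/share/chruby/chruby.sh

    - name: Put chruby loader in Profile.d
      copy: src=files/chruby.sh dest=/etc/profile.d/chruby.sh mode=644

    - name: Setup Metasploit Gems
      #when: msf.changed
      shell: "{{ item }}"
      args:
        chdir: /opt/metasploit-framework/
        executable: "/bin/bash"
      with_items:
        - /usr/local/bin/chruby-exec ruby-{{ rubyversion.content | b64decode | trim }} -- gem install bundler --no-ri --no-rdoc
        - /usr/local/bin/chruby-exec ruby-{{ rubyversion.content | b64decode | trim }} -- bundle install

    # Despite its name, this task creates the `msf` database (postgresql_db).
    - name: Setup Metasploit Database User
      sudo: True
      sudo_user: postgres
      postgresql_db: name=msf

    # Despite its name, this task creates the `msf` role and sets its password.
    - name: Setup Metasploit Database # Uses msfdbpass, the 30-letter password produced by the password lookup in vars
      sudo: True
      sudo_user: postgres
      postgresql_user: db=msf name=msf priv=ALL role_attr_flags=CREATEDB,NOSUPERUSER password="{{ msfdbpass }}"
      no_log: true

    - name: Create Metasploit Home Directory for root
      file: path=/root/.msf4/ state=directory

    # database.yml carries the database password in cleartext: owner-only, and
    # kept out of --diff and log output.
    - name: Create Metasploit database.yml file
      template: src=./templates/database.yml.j2 dest=/root/.msf4/database.yml mode=0600
      no_log: true

    - name: Create Metasploit config file
      template: src=./templates/msfconfig.yml.j2 dest=/root/.msf4/config

    ##### NMAP
    - name: Clone Nmap
      git: repo=https://github.com/nmap/nmap.git dest=/opt/nmap
      register: nmap

    - name: Build and install Nmap
      when: nmap.changed
      register: nmap_build
      shell: "{{ item }}"
      failed_when: "'Stop' in nmap_build.stderr"
      args:
        chdir: /opt/nmap/
        executable: "/bin/bash"
      with_items:
        - ./configure
        - make
        - make -C ncat/
        - make install
        - git clean -df

    ##### POWERSHELL EMPIRE
    - name: Clone Powershell Empire
      git: repo=https://github.com/PowerShellEmpire/Empire.git dest=/opt/empire

    - stat: path=/opt/empire/data/empire.db
      register: empire_db

    - name: Setup Empire Database if not setup
      when: empire_db.stat.exists == False
      shell: "{{ item }}"
      environment:
        STAGING_KEY: RANDOM
      args:
        chdir: /opt/empire/setup/
        executable: "/bin/bash"
      with_items:
        - ./install.sh


    ##### LetsEncrypt
    - name: Clone LetsEncrypt SSL
      git: repo=https://github.com/letsencrypt/letsencrypt.git dest=/opt/letsencrypt

    ##### Nanomet
    ## TODO - Compile Nanomet x86 and x64
    - name: Clone Nanomet
      git: repo=https://github.com/kost/nanomet.git dest=/opt/nanomet
      register: nanomet

    - name: Build Nanomet
      when: nanomet.changed
      shell: "{{ item }}"
      args:
        chdir: /opt/nanomet/
        executable: "/bin/bash"
        creates: /opt/nanomet/nm32.exe
      with_items:
        - make CC=i586-mingw32msvc-gcc
        - mv nanomet.exe nm32.exe

    ##### Nikto
    - name: Clone Nikto
      git: repo=https://github.com/sullo/nikto.git dest=/opt/nikto

    ##### IMPACKET
    - name: Clone Impacket
      git: repo=https://github.com/CoreSecurity/impacket.git dest=/opt/impacket
      register: impacket

    - name: Install Impacket library only if repository changed
      when: impacket.changed
      command: python setup.py install chdir=/opt/impacket/

    ##### SECLISTS
    - name: Clone SecLists
      git: repo=https://github.com/danielmiessler/SecLists.git dest=/opt/seclists

    ##### PADBUSTER
    - name: Clone Automated Padbuster
      git: repo=https://github.com/gw0/PadBuster.git dest=/opt/padbuster

    ##### SQLMAP
    - name: Clone SQLMap
      git: repo=https://github.com/sqlmapproject/sqlmap.git dest=/opt/sqlmap

    ##### POST EXPLOITATION BINS
    - name: Clone Post Exploitation bins
      git: repo=https://github.com/mubix/post-exploitation.git dest=/opt/post-exploitation

    ##### KERBEROAST
    - name: Clone Kerberoast
      git: repo=https://github.com/nidem/kerberoast.git dest=/opt/kerberoast

    ##### RESPONDER
    - name: Clone Responder
      git: repo=https://github.com/SpiderLabs/Responder.git dest=/opt/responder

    ##### SUBBRUTE
    - name: Clone SubBrute
      git: repo=https://github.com/TheRook/subbrute.git dest=/opt/subbrute

--------------------------------------------------------------------------------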