FreshRSS

๐Ÿ”’
โŒ Secure Planet Training Courses Updated For 2019 - Click Here
โ˜ท
โ–ณ ๐Ÿ”ƒ
There are new available articles, click to refresh the page.
Before yesterdayYour RSS feeds

CSAF - Cyber Security Awareness Framework

By: Zion3R

The Cyber Security Awareness Framework (CSAF) is a structured approach aimed at enhancing Cybersecurity" title="Cybersecurity">cybersecurity awareness and understanding among individuals, organizations, and communities. It provides guidance for the development of effective Cybersecurity" title="Cybersecurity">cybersecurity awareness programs, covering key areas such as assessing awareness needs, creating educational m aterials, conducting training and simulations, implementing communication campaigns, and measuring awareness levels. By adopting this framework, organizations can foster a robust security culture, enhance their ability to detect and respond to cyber threats, and mitigate the risks associated with attacks and security breaches.


Requirements

Software

  • Docker
  • Docker-compose

Hardware

Minimum

  • 4 Core CPU
  • 10GB RAM
  • 60GB Disk free

Recommendation

  • 8 Core CPU or above
  • 16GB RAM or above
  • 100GB Disk free or above

Installation

Clone the repository

git clone https://github.com/csalab-id/csaf.git

Navigate to the project directory

cd csaf

Pull the Docker images

docker-compose --profile=all pull

Generate wazuh ssl certificate

docker-compose -f generate-indexer-certs.yml run --rm generator

For security reason you should set env like this first

export ATTACK_PASS=ChangeMePlease
export DEFENSE_PASS=ChangeMePlease
export MONITOR_PASS=ChangeMePlease
export SPLUNK_PASS=ChangeMePlease
export GOPHISH_PASS=ChangeMePlease
export MAIL_PASS=ChangeMePlease
export PURPLEOPS_PASS=ChangeMePlease

Start all the containers

docker-compose --profile=all up -d

You can run specific profiles for running specific labs with the following profiles - all - attackdefenselab - phisinglab - breachlab - soclab

For example

docker-compose --profile=attackdefenselab up -d

Proof



Exposed Ports

An exposed port can be accessed using a proxy socks5 client, SSH client, or HTTP client. Choose one for the best experience.

  • Port 6080 (Access to attack network)
  • Port 7080 (Access to defense network)
  • Port 8080 (Access to monitor network)

Example usage

Access internal network with proxy socks5

  • curl --proxy socks5://ipaddress:6080 http://10.0.0.100/vnc.html
  • curl --proxy socks5://ipaddress:7080 http://10.0.1.101/vnc.html
  • curl --proxy socks5://ipaddress:8080 http://10.0.3.102/vnc.html

Remote ssh with ssh client

  • ssh kali@ipaddress -p 6080 (default password: attackpassword)
  • ssh kali@ipaddress -p 7080 (default password: defensepassword)
  • ssh kali@ipaddress -p 8080 (default password: monitorpassword)

Access kali linux desktop with curl / browser

  • curl http://ipaddress:6080/vnc.html
  • curl http://ipaddress:7080/vnc.html
  • curl http://ipaddress:8080/vnc.html

Domain Access

  • http://attack.lab/vnc.html (default password: attackpassword)
  • http://defense.lab/vnc.html (default password: defensepassword)
  • http://monitor.lab/vnc.html (default password: monitorpassword)
  • https://gophish.lab:3333/ (default username: admin, default password: gophishpassword)
  • https://server.lab/ (default username: postmaster@server.lab, default passowrd: mailpassword)
  • https://server.lab/iredadmin/ (default username: postmaster@server.lab, default passowrd: mailpassword)
  • https://mail.server.lab/ (default username: postmaster@server.lab, default passowrd: mailpassword)
  • https://mail.server.lab/iredadmin/ (default username: postmaster@server.lab, default passowrd: mailpassword)
  • http://phising.lab/
  • http://10.0.0.200:8081/
  • http://gitea.lab/ (default username: csalab, default password: giteapassword)
  • http://dvwa.lab/ (default username: admin, default passowrd: password)
  • http://dvwa-monitor.lab/ (default username: admin, default passowrd: password)
  • http://dvwa-modsecurity.lab/ (default username: admin, default passowrd: password)
  • http://wackopicko.lab/
  • http://juiceshop.lab/
  • https://wazuh-indexer.lab:9200/ (default username: admin, default passowrd: SecretPassword)
  • https://wazuh-manager.lab/
  • https://wazuh-dashboard.lab:5601/ (default username: admin, default passowrd: SecretPassword)
  • http://splunk.lab/ (default username: admin, default password: splunkpassword)
  • https://infectionmonkey.lab:5000/
  • http://purpleops.lab/ (default username: admin@purpleops.com, default password: purpleopspassword)
  • http://caldera.lab/ (default username: red/blue, default password: calderapassword)

Network / IP Address

Attack

  • 10.0.0.100 attack.lab
  • 10.0.0.200 phising.lab
  • 10.0.0.201 server.lab
  • 10.0.0.201 mail.server.lab
  • 10.0.0.202 gophish.lab
  • 10.0.0.110 infectionmonkey.lab
  • 10.0.0.111 mongodb.lab
  • 10.0.0.112 purpleops.lab
  • 10.0.0.113 caldera.lab

Defense

  • 10.0.1.101 defense.lab
  • 10.0.1.10 dvwa.lab
  • 10.0.1.13 wackopicko.lab
  • 10.0.1.14 juiceshop.lab
  • 10.0.1.20 gitea.lab
  • 10.0.1.110 infectionmonkey.lab
  • 10.0.1.112 purpleops.lab
  • 10.0.1.113 caldera.lab

Monitor

  • 10.0.3.201 server.lab
  • 10.0.3.201 mail.server.lab
  • 10.0.3.9 mariadb.lab
  • 10.0.3.10 dvwa.lab
  • 10.0.3.11 dvwa-monitor.lab
  • 10.0.3.12 dvwa-modsecurity.lab
  • 10.0.3.102 monitor.lab
  • 10.0.3.30 wazuh-manager.lab
  • 10.0.3.31 wazuh-indexer.lab
  • 10.0.3.32 wazuh-dashboard.lab
  • 10.0.3.40 splunk.lab

Public

  • 10.0.2.101 defense.lab
  • 10.0.2.13 wackopicko.lab

Internet

  • 10.0.4.102 monitor.lab
  • 10.0.4.30 wazuh-manager.lab
  • 10.0.4.32 wazuh-dashboard.lab
  • 10.0.4.40 splunk.lab

Internal

  • 10.0.5.100 attack.lab
  • 10.0.5.12 dvwa-modsecurity.lab
  • 10.0.5.13 wackopicko.lab

License

This Docker Compose application is released under the MIT License. See the LICENSE file for details.



SystemBC Malware's C2 Server Analysis Exposes Payload Delivery Tricks

By: Newsroom
Cybersecurity researchers have shed light on the command-and-control (C2) server workings of a known malware family called SystemBC. "SystemBC can be purchased on underground marketplaces and is supplied in an archive containing the implant, a command-and-control (C2) server, and a web administration portal written in PHP," Kroll said in an analysis published last week. The risk

Chisel-Strike - A .NET XOR Encrypted Cobalt Strike Aggressor Implementation For Chisel To Utilize Faster Proxy And Advanced Socks5 Capabilities

By: noreply@blogger.com (Unknown)


A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.


Why write this?

In my experience I found socks4/socks4a proxies quite slow in comparison to its socks5 counterparts and a lack of implementation of socks5 in most C2 frameworks. There is a C# wrapper around the go version of chisel called SharpChisel. This wrapper has a few issues and isn't maintained to the latest version of chisel. It didnโ€™t allow using shellcode with donut, reflectio n methods or execute-assembly. I found a fix for this using the SharpChisel-NG project.

Since the SharpChisel assembly is around 16.7 MB, execute-assembly(has a hidden size limitation of 1 MB) and similar in memory methods wouldnโ€™t work. To maintain most of the execution in memory I incorporated the NetLoader project by Flangvik which is executed via execute-assembly to reflectively host and load a XOR encrypted version of SharpChisel with base64 arguments in memory.

As an alternative, it is also possible to implement similar C# proxies like SharpSocks by replacing the appropriate chisel binaries in the project.

Setup

Note: If using a Windows teamserver skip steps 2 and 3.

  1. Clone/download the repository: git clone https://github.com/m3rcer/Chisel-Strike.git

  2. Make all binaries executable:

  • cd Chisel-Strike

  • chmod +x -R chisel-modules

  • chmod +x -R tools

  1. Install Mingw-w64 and mono:

  • sudo apt-get install mingw-w64

  • sudo apt install mono-complete

  1. Import ChiselStrike.cna in cobalt strike using the Script Manager

Recompile binaries from the src folder if needed.

Usage

chisel can be executed on both the teamserver (windows/linux) and the beacon. With either acting as the server/client. A normal execution flow would be to setup a chisel server on the teamserver and create a client on the beacon connecting back to the teamserver.

Commands

  1. chisel <client/server> <command>: Run Chisel on a beacon

  2. chisel-tms <client/server> <command>: Run Chisel on your teamserver

  3. chisel-enc: XOR Encrypt SharpChisel.exe with a password of choice

  4. chisel-jobs: List active chisel jobs on the teamserver and beacon

  5. chisel-kill: Kill active chisel jobs on a beacon

  6. chisel-tms-kill: Kill active chisel jobs on teamserver

Example

OPSEC

NetLoader can easily be obfuscated and used to bypass defender using projects like NimCrypt2 and the like.

Yet SharpChisel.exe drops a dll on disk due to the use of Costura/Fody packages at a location similar to: C:\Users\m3rcer\AppData\Local\Temp\Costura\CB9433C24E75EC539BF34CD1AA12B236\64\main.dll which is detected by defender. It is advised to obfuscate chisel dll's using projects like gobfuscate in the SharpChisel-NG project and re-build new SharpChisel-NG binaries as shown here.

TODO

  • Figure a way to avoid SharpChisel dropping main.dll on disk / Create a new C# wrapper for chisel.

  • Create a method to parse command output for the chisel-tms command.

Credits



โŒ