Install_Implant
D.Snezhkov edited this page Apr 11, 2019 · 2 revisions
Installing implant support on the backend infrastructure means transferring and configuring the cryptographic payload on the capturing Red host (or a Yellow hop), and creating system users according to the ImplantID configuration directives.
These are the manual steps the implant build process prints during its run:
### PHASE II: Red Infra Prep Deployment Guidance ###
----------------------------------------------------
A. If you have chosen to fetch armored SSH key from external Yellow/Red hosting, please host ./out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.bpk on your HTTP server. The key is encrypted, passworded and B64 protected. You can leave it on clear storage and use plaintext transmission. The implant will take care of the rest.
B. You will need to create user 4fa48c653682c3b04add14f434a3114 on the SSH server where you want the Implant to terminate the reverse tunnel on the Red network. Refer to scripts in the infra directory. SSH keys for the would-be user are pregenerated: ./out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.pk and ./out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.pub. You need to place them in the .ssh directory as per the usual SSH access setup (mind the permissions on the keys and the .ssh directory).
C. You will need to stand up a WSS unwrap service on the Yellow/Red side. Refer to scripts in the infra directory or the documentation.
Some Red hosts can benefit from an automated way of installing and configuring implant support. Here is how deployment automation frameworks (or the RTO) can initiate such an install. Essentially, the install script and the ImplantID cryptographic package are transferred to the destination and installed as follows:
./install_implant.sh /tmp/4fa48c653682c3b04add14f434a3114.tar.gz
[+] Checking if 4fa48c653682c3b04add14f434a3114 OS account is available
[+] Creating 4fa48c653682c3b04add14f434a3114 OS account
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
[+] Setting up 4fa48c653682c3b04add14f434a3114 HOME
[+] Unpacking SSH Keys from 4fa48c653682c3b04add14f434a3114.tar.gz
./4fa48c653682c3b04add14f434a3114.pk
./4fa48c653682c3b04add14f434a3114.bpk
./4fa48c653682c3b04add14f434a3114.pub
[+] Setting 4fa48c653682c3b04add14f434a3114 SSH keys
[+] Adding PUBLIC Key /tmp//4fa48c653682c3b04add14f434a3114/.ssh/4fa48c653682c3b04add14f434a3114 to Agent's Authorized keys file
[+] Currently, content of 4fa48c653682c3b04add14f434a3114 's HOME:
drwx------ 3 4fa48c653682c3b04add14f434a3114 users 4096 Apr 5 05:52 /tmp//4fa48c653682c3b04add14f434a3114
drwx------ 2 4fa48c653682c3b04add14f434a3114 root 4096 Apr 5 05:52 /tmp//4fa48c653682c3b04add14f434a3114/.ssh
-rw------- 1 4fa48c653682c3b04add14f434a3114 staff 4364 Apr 5 04:42 /tmp//4fa48c653682c3b04add14f434a3114/.ssh/4fa48c653682c3b04add14f434a3114.bpk
-rw------- 1 4fa48c653682c3b04add14f434a3114 staff 3243 Apr 5 04:42 /tmp//4fa48c653682c3b04add14f434a3114/.ssh/4fa48c653682c3b04add14f434a3114.pk
-rw------- 1 4fa48c653682c3b04add14f434a3114 staff 725 Apr 5 04:42 /tmp//4fa48c653682c3b04add14f434a3114/.ssh/4fa48c653682c3b04add14f434a3114.pub
-rw-r--r-- 1 root root 725 Apr 5 05:52 /tmp//4fa48c653682c3b04add14f434a3114/.ssh/authorized_keys
/opt/sshorty/tools
[!!!] If not embedding PK into implant, host armored PK: /tmp//4fa48c653682c3b04add14f434a3114/.ssh/4fa48c653682c3b04add14f434a3114.bpk
Built with ❤️ @XforceRed