Hi there! I would like to get your input on how we could implement a scripting mechanic to automate the various command line tools in the Stinger OS. Examples of tasks the script could accomplish:
- Automated osintscan or portscan over a range of IPs
- Recursive portscan over sfuzzer or osintscan results
- Recursive dig on a netscan dataset (WMI Scanner tools)

I would like to know what language / syntax you would like to use for such scripting. Keep in mind there is also a huge challenge to implement such a feature, so we need to find ways to keep this simple for the implementation. For example: we don't have the resources to create a fully functional parser, we have to code all possible commands and variables.
Don't try to replicate any language - it would be annoying to write a script that would work in real life but will not work in Nite Team. Instead, create your own language.
Here's an idea based on the way things are done in real pentesting.

Add basic file management features to NT4 (commands like "vi", "rm", "rename", "cat"):
- create file (vi ip.txt)
- edit file (vi ip.txt)
- delete file (rm ip.txt)
- rename (rename ip.txt ip_rosenews.txt)
- display (cat ip.txt)

Add file input and output management for each available command: -I input_file -O output_file (could be used to save results in a file). Example:

sfuzzer -I in_domains.txt -t 30
osintscan -I in_domains.txt -s google.com -d 500
portscan -I in_domains.txt
fingerprint -I in_services.txt
...

Each input file contains one domain/ip/data per line. If more than one parameter is needed for a command, you can use csv format. Example:

fingerprint -I in_services.txt

in_services.txt
----------------
www.rosenews.com,80,apache
www.khopesh.com,80,nginx

In the end, create a new command to automate multiple commands (like "multi"):

multi -I sequence.txt

sequence.txt
-------------
sfuzzer -I in_domains01.txt -O out_sfuzzer01 -t 30
portscan -I out_sfuzzer01 -O out_portscan01.txt
osintscan -I in_domains01.txt -O out_osintscan01 -s google.com -d 500
portscan -I out_osintscan01 -O out_portscan02.txt
fingerprint -I out_portscan01.txt
fingerprint -I out_portscan02.txt
-------------

This is how it's done in a real pentest, depending on tool availability. It's probably easier this way than creating a complete scripting language.

References for file input/output arguments:
nmap -iL ip.txt -p 80 -oN out.txt

For command automation, you can refer to the metasploit msfconsole resource file:
msfconsole -r commands.txt

S1g5
Sorry, there's an error in the example for the fingerprint file format. Example:

fingerprint -I in_services.txt

in_services.txt
----------------
www.rosenews.com,80
www.khopesh.com,80

Example:

foxacid -I in_services.txt

in_services.txt
----------------
www.rosenews.com,80,apache
www.khopesh.com,80,nginx

S1g5
Here's another idea for those who would like to obtain faster results from a one-liner without using input/output files. It would be great to have the feature to "pipe" command output into another command. Pipes "|" let you use the output of a program as the input of another one. Ref: http://tldp.org/HOWTO/Bash-Prog-Intro-HOWTO-4.html

Example:
sfuzzer rosenews.com -t 30 | portscan | fingerprint

S1g5
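The -I/-O file arguments and the "multi" sequence file from the earlier posts, and the "|" pipes from this one, can share one small dispatcher. The prototype below is an added illustration, not Nite Team 4 code: sfuzzer, portscan and fingerprint are stubs over a constructed in-memory dataset (WORLD), the in-game file system is a plain dict, and every switch other than -I/-O is assumed to take exactly one value (as -t 30 does). Input records come from -I when given, otherwise from the previous pipe stage, otherwise from the positional argument; fingerprint insists on the corrected host,port line format.

```python
import shlex

# Constructed sample data, not real hosts: host -> {open port: technology}
WORLD = {
    "www.rosenews.com": {80: "apache"},
    "www.khopesh.com": {80: "nginx", 443: "nginx"},
    "mail.rosenews.com": {25: "postfix"},
}


def sfuzzer(records, opts):
    """Stub subdomain fuzzer: each input domain expands to the known hosts under it."""
    found = []
    for (domain, *_rest) in records:
        found += [(h,) for h in sorted(WORLD) if h == domain or h.endswith("." + domain)]
    return found


def portscan(records, opts):
    """Stub port scanner: (host,) -> one (host, port) record per open port."""
    return [(h, p) for (h, *_rest) in records for p in sorted(WORLD.get(h, {}))]


def fingerprint(records, opts):
    """Stub fingerprinter: (host, port) -> (host, port, technology).
    Each input line needs both fields, as in the corrected in_services.txt format."""
    out = []
    for rec in records:
        if len(rec) < 2:
            raise ValueError(f"fingerprint needs host,port per line, got {rec!r}")
        host, port = rec[0], int(rec[1])
        if host in WORLD and port in WORLD[host]:
            out.append((host, port, WORLD[host][port]))
    return out


COMMANDS = {"sfuzzer": sfuzzer, "portscan": portscan, "fingerprint": fingerprint}


def parse_records(text):
    """One record per line; csv fields when a command needs more than one value."""
    return [tuple(line.strip().split(",")) for line in text.splitlines() if line.strip()]


def run_command(argv, files, stdin=None):
    """Run one command, e.g. ['portscan', '-I', 'in.txt', '-O', 'out.txt'].
    `files` is a dict standing in for the in-game file system."""
    name, args = argv[0], argv[1:]
    if name not in COMMANDS:
        raise ValueError(f"unknown command: {name}")
    opts, positional, in_file, out_file = {}, [], None, None
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("-"):
            if i + 1 >= len(args):
                raise ValueError(f"{arg} needs a value")
            if arg == "-I":
                in_file = args[i + 1]
            elif arg == "-O":
                out_file = args[i + 1]
            else:                       # assumed: any other switch takes one value
                opts[arg] = args[i + 1]
            i += 2
        else:
            positional.append(arg)
            i += 1
    if in_file is not None:             # -I beats the pipe beats the positional target
        if in_file not in files:
            raise FileNotFoundError(in_file)
        records = parse_records(files[in_file])
    elif stdin is not None:
        records = stdin
    else:
        records = [(p,) for p in positional]
    result = COMMANDS[name](records, opts)
    if out_file is not None:            # -O writes the same csv a later -I will read
        files[out_file] = "".join(",".join(map(str, r)) + "\n" for r in result)
    return result


def run_line(line, files):
    """Split a one-liner on '|' and feed each stage's records to the next stage."""
    records = None
    for stage in line.split("|"):
        records = run_command(shlex.split(stage), files, stdin=records)
    return records


def multi(sequence_file, files):
    """The proposed 'multi -I sequence.txt': run every line in order, return each result."""
    results = []
    for line in files[sequence_file].splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            results.append(run_line(line, files))
    return results
```

Because a pipe stage and a sequence line go through the same run_command, "sfuzzer rosenews.com -t 30 | portscan | fingerprint" and the three-line sequence file produce identical records; the only difference is whether the intermediate results are also written to -O files.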
You could use the metasploit database approach to save information from each command in an "agent's database" automatically. He could use this information in future commands by using a special switch/parameter. I will not explain this in detail, but take a look at this link for inspiration: https://www.offensive-security.com/metasploit-unleashed/using-databases/

This kind of feature is great during a pentest engagement with a large number of assets and a lot of ip/services/creds information to reuse for lateral movement and expanding control. This approach eliminates the need to manage and parse a lot of input/output files.

S1g5
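A sketch of that "agent's database", added here as an illustration and not Nite Team 4 code: every command's result rows are recorded automatically, and a later command pulls its targets from the database through a switch instead of an input file. The two-table layout (hosts, services) and the idea of a "--from-db" style switch are assumptions for the example; the rows it stores are the same (host), (host, port) and (host, port, tech) records the -O files from the earlier posts would hold.

```python
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS hosts (
    host TEXT PRIMARY KEY
);
CREATE TABLE IF NOT EXISTS services (
    host TEXT NOT NULL REFERENCES hosts(host),
    port INTEGER NOT NULL,
    tech TEXT,                      -- NULL until a fingerprint has run against it
    PRIMARY KEY (host, port)
);
"""


def open_db(path=":memory:"):
    """Open (or create) the agent's database; in-memory by default so this runs anywhere."""
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def record(db, rows):
    """Store a command's result rows: (host,), (host, port) or (host, port, tech).
    Re-recording a known host/port is harmless; a technology, once learned, is kept."""
    for row in rows:
        host = row[0]
        db.execute("INSERT OR IGNORE INTO hosts (host) VALUES (?)", (host,))
        if len(row) >= 2:
            port = int(row[1])
            db.execute("INSERT OR IGNORE INTO services (host, port) VALUES (?, ?)",
                       (host, port))
            if len(row) >= 3 and row[2]:
                db.execute("UPDATE services SET tech = ? WHERE host = ? AND port = ?",
                           (row[2], host, port))
    db.commit()


def known_hosts(db):
    """Every host any command has ever reported, e.g. for a portscan over the whole set."""
    return [h for (h,) in db.execute("SELECT host FROM hosts ORDER BY host")]


def targets_from_db(db, port=None, tech=None, unfingerprinted=False):
    """What a '--from-db' style switch would hand to the next command: (host, port)
    pairs filtered by port, by technology, or down to those not yet fingerprinted."""
    sql, params = "SELECT host, port FROM services WHERE 1 = 1", []
    if port is not None:
        sql += " AND port = ?"
        params.append(port)
    if tech is not None:
        sql += " AND tech = ?"
        params.append(tech)
    if unfingerprinted:
        sql += " AND tech IS NULL"
    return db.execute(sql + " ORDER BY host, port", params).fetchall()
```

The useful query in practice is targets_from_db(db, unfingerprinted=True): it is the exact list the next fingerprint run should work on, with no out_portscan01.txt / out_portscan02.txt bookkeeping by the player.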
This is what I had in mind when I mentioned scripting initially. I agree that it would be easier to create our own syntax than to try and emulate a known language. I don't think that we'll need too many bells and whistles for it, though. Hell, even make the 'scripting screen' one that you can drag and drop elements into (a la SpaceChem, etc.) or that you can type code into.
For ranges you could implement it like nmap:
nmap 192.168.1.1-20

For "recursive" commands, as suggested by others, do something like pipes in bash: "command1 | command2 | command3".
I really like the idea of enabling some sort of regex for some commands, and the ability to have an 'agent database' of known information that we could review/filter and pull from via command.

I would also like something akin to an 'advanced' command shell that acts as a normal command shell, instead of each command opening a different window. Getting started, each command opening with its basic manual page coming up is super useful, but once some of the basics are down, it quickly clutters a screen. One or two windows chaining commands one after the other flows better once you have a groove going.

To take things in a completely different direction, using a system of "Code Blocks" might be an idea. A visual snap-in style coding IDE that would allow bits of code/conditions to be joined together. It might limit what can be done with a 'scripting language' in the game, which could be a good thing in that you don't have to program an entire virtual environment, you just have to make something that will work depending on how the code is snapped together.

Examples:
Ardublock - https://learn.sparkfun.com/tutorials/alternative-arduino-interfaces
Snap - https://snap.berkeley.edu/
Dropdown UI embedded in the spawned window for a toolset (like DNS recon) that allows for populating lists of things that you would run the commands against. For example, a "target list" pulldown spawns a notepad-like window, where you just put in (CR delimited, space delimited, comma delimited, or something) the IP addresses you want to apply the command to. The command for the tool could then get optional switches like '--Tlist' with tab-completable whatever-lists-you've-built.

A simplified back end could create text files for each list with a filename based on context, stored in a subfolder under the installation folder (missionnumber-<context>-list.txt as a filename) that the game could draw on for what is available in that mission (or later, if you get to draw on old research in 'new' mission profiles).

Workflow:
Open DNS&VHOST Mapping
Pull down list -> create new target list (from the window itself, the DNS/vhost icon perhaps)
Enter in addresses, for example
122.125.1.1
122.125.1.2
122.125.1.3
Close the list. Game saves <mission#>-tlist.txt
Player uses Fingerprint:
fingerprint --tlist a03-tlist
Game runs the fingerprint against each address. Output is unified (so instead of screensful with the graphics for each, one table of host, port, and technology found), with a header of what addresses were tested against.

(Note: if you're adventurous, allow ranges or block definitions like 122.125.1.1-25, or 122.125.1.1-122.125.1.25)

(Note: In v.8, you can put in non-single addresses, and all it does is give you a null result back without telling you that you were doomed from when you hit enter. For example, "fingerprint 122.125.1.1-25" will actually execute, and look like it's checking, but won't find the two active addresses in the range.)
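The range syntaxes proposed in this post and in the earlier nmap-style suggestion (192.168.1.1-20, 122.125.1.1-122.125.1.25, a CIDR block) and the delimited target list can be handled by one expander. The code below is an added example, not Nite Team 4 code; the size cap and the rule that a hostname's last label cannot be all digits are assumptions chosen for it. The design point is the v.8 behaviour described in the note above: a spec the tool does not understand is rejected with a message before anything runs, instead of silently scanning nothing and reporting a null result.

```python
import ipaddress
import re

_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_IPV4 = rf"{_OCTET}(?:\.{_OCTET}){{3}}"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_HOSTNAME = rf"{_LABEL}(?:\.{_LABEL})*"
MAX_TARGETS = 65536          # assumed cap so a typo cannot queue the whole IPv4 space


class TargetSpecError(ValueError):
    """Raised for a target the tool would otherwise silently scan as nothing."""


def _span(first, last, spec):
    """Addresses first..last (as ints), checked for order and size."""
    if last < first:
        raise TargetSpecError(f"range end below start: {spec}")
    if last - first + 1 > MAX_TARGETS:
        raise TargetSpecError(f"range too large ({last - first + 1} addresses): {spec}")
    return [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]


def expand_spec(spec):
    """Turn one target token into the list of individual targets it denotes."""
    spec = spec.strip()
    if re.fullmatch(_IPV4, spec):                            # single address
        return [spec]
    m = re.fullmatch(rf"({_IPV4})-({_OCTET})", spec)         # 192.168.1.1-20 (last octet)
    if m:
        start = int(ipaddress.IPv4Address(m.group(1)))
        base = start - (start & 0xFF)                        # the .0 of that /24
        return _span(start, base + int(m.group(2)), spec)
    m = re.fullmatch(rf"({_IPV4})-({_IPV4})", spec)          # 122.125.1.1-122.125.1.25
    if m:
        return _span(int(ipaddress.IPv4Address(m.group(1))),
                     int(ipaddress.IPv4Address(m.group(2))), spec)
    if "/" in spec:                                          # 122.125.1.0/29 block
        try:
            net = ipaddress.IPv4Network(spec, strict=False)
        except ValueError as exc:
            raise TargetSpecError(f"bad block: {spec}") from exc
        if net.num_addresses > MAX_TARGETS:
            raise TargetSpecError(f"block too large: {spec}")
        return [str(h) for h in net.hosts()]
    # plain hostname; a numeric last label means a malformed address, not a name
    if re.fullmatch(_HOSTNAME, spec) and not spec.rsplit(".", 1)[-1].isdigit():
        return [spec]
    raise TargetSpecError(f"unrecognised target: {spec!r}")


def parse_target_list(text):
    """CR-, space- or comma-delimited list, expanded and de-duplicated in order."""
    seen, targets = set(), []
    for token in re.split(r"[,\s]+", text.strip()):
        if not token:
            continue
        for target in expand_spec(token):
            if target not in seen:
                seen.add(target)
                targets.append(target)
    return targets


def check_spec(spec):
    """None when the spec is usable, else the message the tool should print
    instead of running against nothing."""
    try:
        expand_spec(spec)
    except TargetSpecError as exc:
        return str(exc)
    return None
```

A tool that calls check_spec before it starts gives the player "range end below start" or "unrecognised target" at the prompt, which is the missing feedback the note describes; the --tlist files would go through parse_target_list the same way.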
You're probably already knee-deep in whatever you've chosen, but honestly following the same rules as shell scripts (ksh/bash/maybe even fish) by creating simple methods for loops, basic variables with assignment capability, alias support, and lastly basic wildcard integration would probably go a long way, be more than enough to have as a solid foundation to build on, and wouldn't break the mental bank. Also, while I would love to have vi internally, it would probably be far simpler to begin with a nano-like command-line program that simply turns the window into an editor. At least to start, it sure would be awesome to have [a basic] vi in the future.