alphasoc / flightsim Goto Github PK

Please take a look and let's fix this up:

AlphaSOC Network Flight Simulator™ v1.0.4 (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 172.20.10.2
The current time is 28-May-19 00:20:31

Time      Module   Description
--------------------------------------------------------------------------------
00:20:31  hijack   Starting
00:20:31  hijack   Resolving alphasoc.com via ns1.sandbox.alphasoc.xyz
00:20:31  hijack   Test failed (queries to arbitrary DNS servers are blocked)
00:20:32  hijack   Finished

All done! Check your SIEM for alerts using the timestamps and details above.

Reports as failed, but alphasoc.com resolves just fine using that name server, as below.

$ dig @ns1.sandbox.alphasoc.xyz alphasoc.com +short
216.239.32.21
216.239.34.21
216.239.36.21
216.239.38.21

Minor issue in the readme.
The install command on the current version of go will be
"go install github.com/alphasoc/flightsim@latest"

As pointed out by @chrisforce1 users being on old releases may experience various problems due to open-wisdom api changes and so on.

Let's check github's releases every time user executes flightsim (or daily, it doesn't matter) and if there's a new release let's print an information in CLI about it with a link to the release.

There was a request for configurable delay between modules, so it's easier to identify results in the SIEM.

Sounds as simple as adding a sleep in the loop.

is there a list of IOCs I can use to make a rule for Elastic detection?

Currently users can simulate different malware families (e.g. c2:trickbot) but there's no way for a user to list the available families within the tool, so they would have to guess or know ahead of time. If we can't display this within the tool itself, we should update the documentation so that the supported malware families are clear.

As per https://github.com/krmaxwell/dns-exfiltration we should synthesize Base64 encoding and exfiltration of data to hostnames under base64.alphasoc.xyz, as below:

1. Generate a long random binary value from /dev/random or similar
2. Chop the value into pieces and encode each with Base64
3. Ship each piece out over DNS (e.g. AAAAAAAAAAAxMjM0NTY3OA==.base64.alphasoc.xyz)

Module description for the table in the documentation as below.

We should probably rename sandbox.alphasoc.xyz to tunnel.alphasoc.xyz too. Thoughts?

For sure you mistyped with a counter in scan.go
There should be 'j' instead of 'i'

This bug cause flightsim to connect to the same port 10 times in a row

We should synthesize Gcat / Gdog traffic if possible. Let's knock around some ideas.

Actions are locked at the fixed goreleaser version due to errors with the latest one.

ignore

We should synthesize a large outbound FTP transfer to a valid service endpoint that we control (e.g. ftp.sandbox.alphasoc.xyz) by using /dev/random or similar, establishing a connection, and uploading the content. Thinking of 100MB as the default, but it should be configurable.

Currently this module just performs DNS tunneling emulation, but we should extend it to synthesize similar tunnels over ICMP, as per https://www.hackingarticles.in/command-and-control-tunnelling-via-icmp/. We could either split the module out into dns-tunnel and icmp-tunnel or add an argument to describe DNS or ICMP. When running flightsim run and executing all the modules, we'd obviously want to generate both traffic patterns.

It would be really useful to test for these particular malware families. The abuse.ch tracker shows the active C2s that we can use, and the CSV we can use is available from https://feodotracker.abuse.ch/downloads/ipblocklist.csv.

We'd pull C2 IP:port material from the CSV and connect out to the 5 latest pairs for each family with a vanilla TCP connection to the IP:port. The Emotet C2s are listed in the CSV as Heodo.

We should generate SSH traffic to a legitimate service that we operate using a common non-SSH port number, selected randomly from this list, and send a significant amount of data from /dev/random or similar to synthesize data exfiltration.

25
80
110
143
443
445
465
587
993
995

This would help ensure we don't kick off a release from something like flightsim@[email protected].

Can dump context as below:

foo.yml:
...
  jobs:
  ...
      steps:
        - name: Dump GitHub context
          env:
            GITHUB_CONTEXT: ${{ toJSON(github) }}
          run: echo "$GITHUB_CONTEXT"
        - name: Dump job context
          env:
            JOB_CONTEXT: ${{ toJSON(job) }}
          run: echo "$JOB_CONTEXT"
        - name: Dump steps context
          env:
            STEPS_CONTEXT: ${{ toJSON(steps) }}
          run: echo "$STEPS_CONTEXT"
        - name: Dump runner context
          env:
            RUNNER_CONTEXT: ${{ toJSON(runner) }}
          run: echo "$RUNNER_CONTEXT"
        - name: Dump strategy context
          env:
            STRATEGY_CONTEXT: ${{ toJSON(strategy) }}
          run: echo "$STRATEGY_CONTEXT"
        - name: Dump matrix context
          env:
            MATRIX_CONTEXT: ${{ toJSON(matrix) }}
          run: echo "$MATRIX_CONTEXT"

We need to pull a list of sinkholed domains and IPs and connect out to them.

Whenever we use any module for eg. c2-dns. It generates 10 c2 domains. The no. of domains to be generated should be configurable by using some parameters

Sample Eg:- flightsim run c2-dns -n 20

Let's bring this one back. Contact me on Slack for details around the IP:port feed.

We'd connect to 10 C2 destinations and output would look something like this:

Time      Module   Description
--------------------------------------------------------------------------------
11:26:01  c2-ip    Starting
11:26:02  c2-ip    Preparing random sample of current C2 IP:port pairs
11:26:03  c2-ip    Connecting to 1.2.3.4:1192
11:26:04  c2-ip    Connecting to 2.3.4.5:443
11:26:05  c2-ip    Connecting to 3.4.5.6:71
...
11:26:09  c2-ip    Finished

Add some concept of pre-checks. If interfaces are invalid, etc, die before running any simulations. Allow an override for this though (ie. --nochecks) or something along those lines.

This - #23 - but via SSH/SFTP.

Please let's take a look at this and see what we can do to generate ransomware patterns.

We should somehow document each module so users know what they're for and why they're important. I had a will of describing new modules during the release notes, but these messages are not consumed by many people and are not long lasting – instead with every new module we should link to a documentation.

This could be either a single .md file, a series of files for each mode, or a wiki. I guess ideally these should be also available directly via CLI.

I downloaded flightsim in github release, and found that flightsim.exe is not available.

Would be useful to have an imposter module, so one can generate traffic to domains impersonating well known brands, e.g. offiec365.com, console.amazonaws-ec2.net etc.

We should combine them by taking 5 random FQDNs and 5 random IP:port pairs, then:

• Resolving the FQDNs (as per c2-dns)
• Connecting to the resolved IPs on TCP port 80 (new code)
• Connecting to the 5 IP:port pairs (as per c2-ip)

We should generate OAST traffic patterns to random 33-character hostnames beneath these domains:

oast.pro
oast.live
oast.site
oast.online
oast.fun
oast.me
oastify.com

Here's an example of the FQDN format:

cfm1m19rm8es8h8k0ti0nk95987ojzy1s.oast.me
ccrq5f1br19caa000010rj578k1rxyofb.oast.pro
cflkmv5bf3v166000010mg9bup789oa3t.oast.online
cfmbem6d7l6ktb000010ayruwetaon435.oast.site

flightsim tries to be smart and picks up external interface default for the internet traffic – this works fine for IP traffic simulators, but not necessarily for DNS. We had a situation lately (on AWS VM) where the default interface was in 10.0.0.0/8, but the DNS server was running under 127.0.0.53. As we were binding to 10.x.x.x, the whole DNS traffic was going into oblivion and was not registered by Route53.

We need to solve the problem above plus add some sort of reporting to detect such problems and let user know if DNS queries are not reaching any server.

Is there a way I can direct the traffic to a specific interface like you can with tcpreplay? I want to send the traffic to an interface I have a sensor attached directly to in order to sniff the traffic.

It seems we can spoof JARM server fingerprints, i.e.

https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b

The idea would be to set up a TLS server and have flightsim interact with it to generate the bad JARM fingerprint.

SCTP can be used to bypass monitoring and filtering, along the lines of http://0x27.me/ssh/sctp/privacy/security/evasion/2015/07/27/SSH-Over-SCTP/. It's a different protocol than TCP or UDP, and I'd like to do some marketing around this at some point to raise awareness.

In this case, we'd do the following:

• Set up the FTP service from #23 over SCTP
• Configure the client to use SCTP, establish a session, and send data to the service

We'd want the module to report on success or failure, so that users can see whether SCTP is being blocked within their environment (similar to what we do with Tor, DNS tunneling, etc.)

This will require some research and integration. We'll need to have flightsim set up a Tor circuit.

Output would look something like this:

Time      Module   Description
--------------------------------------------------------------------------------
11:26:01  tor      Starting
11:26:01  tor      Establishing Tor circuit
11:26:04  tor      Success! Tor use is permitted in this environment
11:26:05  tor      Finished

And if the test fails:

Time      Module   Description
--------------------------------------------------------------------------------
11:26:01  tor      Starting
11:26:01  tor      Establishing Tor circuit
11:26:04  tor      Test failed (unable to establish Tor circuit)
11:26:05  tor      Finished

Hi
Can you provide Dockerfile to run this tool on diffrent OS with docker image..

Thnaks

what is the problem when I run this commend.

flightsim run

return

dial tcp 34.96.64.1:443: i/o timeout

Initial discussions moving toward key/value pairs.

./flightsim run ssh-transfer:sz=1MB:tgt=foo.bar.com:9999

Has anyone tried to compile and run the software for arm?

BR,
Kolja

We should connect to known IRC servers and generate traffic.

When attempting to run the ssh-transfer test, the SSH service is not active

The current time is 16-Feb-24 21:11:52

21:11:52 [ssh-transfer:6GB] Preparing to send randomly generated data to a standard SSH port
21:11:52 [ssh-transfer:6GB] Simulating an SSH/SFTP file transfer of 6442450944B (6.00GB) to ssh.sandbox-services.alphasoc.xyz:22
21:11:55 [ssh-transfer:6GB] ERROR: ssh.sandbox-services.alphasoc.xyz:22: [0B (0.00B) successfully transferred] Errors encountered:
        client alphasoc-1: unable to connect: dial tcp >35.211.33.16:22: connect: no route to host
        client alphasoc-0: unable to connect: dial tcp >35.211.33.16:22: connect: no route to host
21:11:55 [ssh-transfer:6GB] Done (0/1)

Let's create a module to check into random cryptomining pools using the Stratum protocol. We can use the CryptoIOC API to pull a live list of mining pool FQDNs and ports to use. Selecting 5 random servers should be sufficient for testing purposes. As below:

• Pull 5 random FQDN:port pairs from the CryptoIOC API
• Connect to them using the Stratum protocol and simply ping / check-in to each

We need to pick 10 random domains from this list and then, for each domain:

1. perform the equivalent of dig mx <domain>
2. take the first MX entry and resolve it to an IP
3. attempt to connect to the IP on TCP port 25

Suggested output is as follows:

Time      Module   Description
--------------------------------------------------------------------------------
11:26:01  spambot  Starting
11:26:01  spambot  Preparing random sample of Internet mail servers
11:26:02  spambot  Resolving mx1.domain.com
11:26:03  spambot  Connecting to 1.2.3.4:25
11:26:04  spambot  Resolving mx2.domain.com
11:26:05  spambot  Connecting to 2.4.5.6:25
...
11:26:09  spambot  Resolving smtp.blah.com
11:26:10  spambot  Connecting to 3.4.5.6:25
11:26:11  spambot  Finished

We can improve this later to record successes and failures (like with do with the Tor module), but for now it'll be fine to resolve each of these domains to a mail exchanger, then connect to it on TCP port 25.

The readme says flightsim can be installed using the following command:

go install github.com/alphasoc/flightsim@latest

However, it installs the latest v1 version (v1.1.1), not v2.

-format cols 5
-format json

More than just a PR, the version/version.go file shows v0.0.0. See about changing this to match the version releases and have master show latest release.

DNS tunneling over DNS-over-HTTPS (DoH) to *.sandbox.alphasoc.xyz via a random public server picked from the list below.

https://dns.google/dns-query
https://cloudflare-dns.com/dns-query
https://dns.quad9.net/dns-query
https://doh.opendns.com/dns-query
https://doh.powerdns.org -- shutdown planned for 15.09.2021 according to https://powerdns.org/doh/privacy.html

Attempt to perform the equivalent of this operation:

• dig www.google.com @ns1.sandbox.alphasoc.xyz

We'll then set up a simple resolver (e.g. TinyDNS) on the server that only ever resolves www.google.com and we can test to see whether it's possible in customer environments for arbitrary name servers to be used by workstations (which can be used to facilitate DNS hijacking..)

Here's what it would look like in terms of terminal output:

Time      Module   Description
--------------------------------------------------------------------------------
09:30:28  hijack   Starting
09:30:28  hijack   Resolving www.google.com via ns1.sandbox.alphasoc.xyz
09:30:29  hijack   Success! DNS hijacking is possible in this environment
09:30:30  hijack   Finished

If the test fails, we'd serve this instead:

Time      Module   Description
--------------------------------------------------------------------------------
09:30:28  hijack   Starting
09:30:28  hijack   Resolving www.google.com via ns1.sandbox.alphasoc.xyz
09:30:29  hijack   Test failed (queries to arbitrary DNS servers are blocked)
09:30:30  hijack   Finished

An increasing amount of malware is using non-ICANN domains (e.g. .bazar as used by Team9) for C2, which are resolved via OpenNIC servers that we mark within Wisdom as alt_dns. We should register alphasoc.bazar via EmerDNS and update the hijack module so that it:

• selects 3 random OpenNIC servers from the alt_dns list
• hits each on UDP port 53 with a request for alphasoc.bazar

We should connect to api.telegram.org and synthesize API bot traffic, i.e.

https://gbhackers.com/telerat-malware-abused-telegram-bot-api/

Worth adding simulator for malicious TLS traffic, i.e. having known bad JA3 or certificate hashes.