alphasoc / flightsim
A utility to safely generate malicious network traffic patterns and evaluate controls.
Home Page: https://alphasoc.com
License: Other
Please take a look and let's fix this up:
AlphaSOC Network Flight Simulator™ v1.0.4 (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 172.20.10.2
The current time is 28-May-19 00:20:31
Time Module Description
--------------------------------------------------------------------------------
00:20:31 hijack Starting
00:20:31 hijack Resolving alphasoc.com via ns1.sandbox.alphasoc.xyz
00:20:31 hijack Test failed (queries to arbitrary DNS servers are blocked)
00:20:32 hijack Finished
All done! Check your SIEM for alerts using the timestamps and details above.
Reports as failed, but alphasoc.com resolves just fine using that name server, as below.
$ dig @ns1.sandbox.alphasoc.xyz alphasoc.com +short
216.239.32.21
216.239.34.21
216.239.36.21
216.239.38.21
Minor issue in the readme.
The install command on the current version of go will be
"go install github.com/alphasoc/flightsim@latest"
As pointed out by @chrisforce1, users on old releases may experience various problems due to open-wisdom API changes and so on.
Let's check GitHub's releases every time the user executes flightsim (or daily, it doesn't matter) and, if there's a new release, print information about it in the CLI with a link to the release.
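One way to implement the release check described above (added example, not flightsim's own code): the GitHub REST endpoint for the latest release of alphasoc/flightsim is real, but the version-comparison rules, the notice wording and the 5-second timeout are assumptions. The comparison is kept separate from the network call so it can be tested offline, and any failure to reach GitHub is deliberately non-fatal so the simulator still runs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// latestReleaseURL is GitHub's "latest non-prerelease" endpoint for this repository.
const latestReleaseURL = "https://api.github.com/repos/alphasoc/flightsim/releases/latest"

// Release holds the two fields of the GitHub release object we need.
type Release struct {
	TagName string `json:"tag_name"`
	HTMLURL string `json:"html_url"`
}

// parseVersion turns "v1.0.4" or "1.0.4" into [1 0 4]. A pre-release or build
// suffix ("-rc1", "+meta") is dropped; anything else malformed invalidates the tag.
func parseVersion(tag string) ([3]int, bool) {
	var v [3]int
	s := strings.TrimPrefix(strings.TrimSpace(tag), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, false
		}
		v[i] = n
	}
	return v, true
}

// NewerAvailable reports whether latestTag is strictly newer than currentTag.
// Unparseable tags count as "no update" so a bad API response never nags.
func NewerAvailable(currentTag, latestTag string) bool {
	cur, ok1 := parseVersion(currentTag)
	lat, ok2 := parseVersion(latestTag)
	if !ok1 || !ok2 {
		return false
	}
	for i := 0; i < 3; i++ {
		if lat[i] != cur[i] {
			return lat[i] > cur[i]
		}
	}
	return false
}

// UpdateNotice is the one-line CLI hint; it is empty when already up to date.
func UpdateNotice(currentTag string, r Release) string {
	if !NewerAvailable(currentTag, r.TagName) {
		return ""
	}
	return fmt.Sprintf("A newer flightsim release (%s) is available: %s", r.TagName, r.HTMLURL)
}

// FetchLatestRelease queries GitHub with a short timeout (assumed: 5s).
func FetchLatestRelease() (Release, error) {
	var r Release
	client := &http.Client{Timeout: 5 * time.Second}
	req, err := http.NewRequest(http.MethodGet, latestReleaseURL, nil)
	if err != nil {
		return r, err
	}
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := client.Do(req)
	if err != nil {
		return r, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return r, fmt.Errorf("github api: unexpected status %s", resp.Status)
	}
	err = json.NewDecoder(resp.Body).Decode(&r)
	return r, err
}

func main() {
	const current = "v1.0.4" // the version string printed in the banner above
	r, err := FetchLatestRelease()
	if err != nil {
		fmt.Println("update check skipped:", err) // never block a simulation on GitHub
		return
	}
	if msg := UpdateNotice(current, r); msg != "" {
		fmt.Println(msg)
	}
}
```

If the check is run daily rather than on every invocation, cache the last tag on disk and compare against it instead of calling the API each time; the comparison function stays the same.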
There was a request for configurable delay between modules, so it's easier to identify results in the SIEM.
Sounds as simple as adding a sleep in the loop.
Is there a list of IOCs I can use to make a rule for Elastic detection?
Currently users can simulate different malware families (e.g. c2:trickbot) but there's no way for a user to list the available families within the tool, so they would have to guess or know ahead of time. If we can't display this within the tool itself, we should update the documentation so that the supported malware families are clear.
As per https://github.com/krmaxwell/dns-exfiltration we should synthesize Base64 encoding and exfiltration of data (from /dev/random or similar) to hostnames under base64.alphasoc.xyz, as below:
AAAAAAAAAAAxMjM0NTY3OA==.base64.alphasoc.xyz
Module description for the table in the documentation as below.
Module | Description
---|---
base64-dns | Exfiltrates Base64-encoded data over DNS to *.base64.alphasoc.xyz
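The IOC question above and the base64-dns proposal both come down to what a detection rule should key on in DNS logs. The following is an added example of that detection logic, not code from flightsim or AlphaSOC: it flags queries beneath the two sandbox zones named on this page (a low-noise indicator that the simulator ran), queries sent to a resolver outside an assumed allow-list (the condition the hijack module exercises), and long first labels that look like Base64 with high entropy. The log format, the resolver allow-list, the thresholds and the sample lines are all constructed.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// simulatorZones are the flightsim sandbox zones mentioned on this page.
var simulatorZones = []string{"sandbox.alphasoc.xyz", "base64.alphasoc.xyz"}

// approvedResolvers is a constructed allow-list of the resolvers clients should use.
var approvedResolvers = map[string]bool{"10.0.0.2": true}

// base64Label matches a label made only of the standard Base64 alphabet.
// '=' is not legal in a hostname and real tunnels usually strip it, but the
// proposal's sample keeps the padding, so it is accepted here.
var base64Label = regexp.MustCompile(`^[A-Za-z0-9+/]+={0,2}$`)

// shannonEntropy in bits per character: words sit near 3-3.5, random Base64 near 6.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	freq := map[rune]int{}
	for _, r := range s {
		freq[r]++
	}
	n := float64(len([]rune(s)))
	h := 0.0
	for _, c := range freq {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Finding is one alert produced for a queried name.
type Finding struct {
	Query  string
	Reason string
}

// Inspect classifies one query. Length and entropy thresholds are assumptions
// to tune against your own baseline.
func Inspect(resolver, qname string) (Finding, bool) {
	lower := strings.TrimSuffix(strings.ToLower(qname), ".")
	for _, z := range simulatorZones {
		if lower == z || strings.HasSuffix(lower, "."+z) {
			return Finding{qname, "query beneath flightsim zone " + z}, true
		}
	}
	if !approvedResolvers[resolver] {
		return Finding{qname, "query sent to unapproved resolver " + resolver}, true
	}
	// The leftmost label carries the payload in the exfiltration pattern;
	// inspect it case-preserved, since lowercasing would depress the entropy.
	labels := strings.Split(strings.TrimSuffix(qname, "."), ".")
	first := labels[0]
	if len(labels) >= 3 && len(first) >= 20 && base64Label.MatchString(first) {
		if h := shannonEntropy(first); h >= 4.0 {
			return Finding{qname, fmt.Sprintf("base64-like label (len %d, entropy %.2f bits/char)", len(first), h)}, true
		}
	}
	return Finding{}, false
}

// ScanQueryLog reads lines of the constructed form
// "<time> <client> <resolver> <qname>" and returns findings in order.
func ScanQueryLog(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) < 4 {
			continue
		}
		if x, hit := Inspect(f[2], f[3]); hit {
			out = append(out, x)
		}
	}
	return out
}

// SampleLog is constructed: lines 2, 3 and 4 should alert, the others are benign.
var SampleLog = []string{
	"00:20:31 172.20.10.2 10.0.0.2 alphasoc.com",
	"00:20:31 172.20.10.2 198.51.100.53 alphasoc.com",
	"00:20:32 172.20.10.2 10.0.0.2 AAAAAAAAAAAxMjM0NTY3OA==.base64.alphasoc.xyz",
	"00:20:33 172.20.10.7 10.0.0.2 dGhpcyBpcyBhIHRlc3Qgb2YgZXhmaWw.example.net",
	"00:20:34 172.20.10.9 10.0.0.2 www.google.com",
}

func main() {
	for _, f := range ScanQueryLog(SampleLog) {
		fmt.Printf("%-50s %s\n", f.Query, f.Reason)
	}
}
```

The zone match is deliberately checked before the entropy heuristic: the padded sample hostname from the proposal is mostly "A" characters and scores well under 4 bits per character, so an entropy-only rule would miss it, while the zone match catches it regardless of payload.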
We should probably rename sandbox.alphasoc.xyz to tunnel.alphasoc.xyz too. Thoughts?
For sure you mistyped a counter in scan.go.
There should be 'j' instead of 'i'.
This bug causes flightsim to connect to the same port 10 times in a row.
Actions are locked at the fixed goreleaser version due to errors with the latest one.
ignore
We should synthesize a large outbound FTP transfer to a valid service endpoint that we control (e.g. ftp.sandbox.alphasoc.xyz) by using /dev/random or similar, establishing a connection, and uploading the content. Thinking of 100MB as the default, but it should be configurable.
Currently this module just performs DNS tunneling emulation, but we should extend it to synthesize similar tunnels over ICMP, as per https://www.hackingarticles.in/command-and-control-tunnelling-via-icmp/. We could either split the module out into dns-tunnel and icmp-tunnel or add an argument to describe DNS or ICMP. When running flightsim run and executing all the modules, we'd obviously want to generate both traffic patterns.
It would be really useful to test for these particular malware families. The abuse.ch tracker shows the active C2s that we can use, and the CSV we can use is available from https://feodotracker.abuse.ch/downloads/ipblocklist.csv.
We'd pull C2 IP:port material from the CSV and connect out to the 5 latest pairs for each family with a vanilla TCP connection to the IP:port. The Emotet C2s are listed in the CSV as Heodo.
We should generate SSH traffic to a legitimate service that we operate using a common non-SSH port number, selected randomly from this list, and send a significant amount of data from /dev/random or similar to synthesize data exfiltration.
25
80
110
143
443
445
465
587
993
995
This would help ensure we don't kick off a release from something like flightsim@[email protected].
Can dump context as below:
foo.yml:
...
jobs:
  ...
    steps:
      - name: Dump GitHub context
        env:
          GITHUB_CONTEXT: ${{ toJSON(github) }}
        run: echo "$GITHUB_CONTEXT"
      - name: Dump job context
        env:
          JOB_CONTEXT: ${{ toJSON(job) }}
        run: echo "$JOB_CONTEXT"
      - name: Dump steps context
        env:
          STEPS_CONTEXT: ${{ toJSON(steps) }}
        run: echo "$STEPS_CONTEXT"
      - name: Dump runner context
        env:
          RUNNER_CONTEXT: ${{ toJSON(runner) }}
        run: echo "$RUNNER_CONTEXT"
      - name: Dump strategy context
        env:
          STRATEGY_CONTEXT: ${{ toJSON(strategy) }}
        run: echo "$STRATEGY_CONTEXT"
      - name: Dump matrix context
        env:
          MATRIX_CONTEXT: ${{ toJSON(matrix) }}
        run: echo "$MATRIX_CONTEXT"
We need to pull a list of sinkholed domains and IPs and connect out to them.
Whenever we use any module, e.g. c2-dns, it generates 10 C2 domains. The number of domains to be generated should be configurable using some parameter.
Sample, e.g.: flightsim run c2-dns -n 20
Let's bring this one back. Contact me on Slack for details around the IP:port feed.
We'd connect to 10 C2 destinations and output would look something like this:
Time Module Description
--------------------------------------------------------------------------------
11:26:01 c2-ip Starting
11:26:02 c2-ip Preparing random sample of current C2 IP:port pairs
11:26:03 c2-ip Connecting to 1.2.3.4:1192
11:26:04 c2-ip Connecting to 2.3.4.5:443
11:26:05 c2-ip Connecting to 3.4.5.6:71
...
11:26:09 c2-ip Finished
Add some concept of pre-checks. If interfaces are invalid, etc., die before running any simulations. Allow an override for this though (i.e. --nochecks) or something along those lines.
This - #23 - but via SSH/SFTP.
Please let's take a look at this and see what we can do to generate ransomware patterns.
We should somehow document each module so users know what they're for and why they're important. I had intended to describe new modules in the release notes, but these messages are not consumed by many people and are not long lasting – instead, with every new module we should link to documentation.
This could be either a single .md file, a series of files for each mode, or a wiki. I guess ideally these should be also available directly via CLI.
I downloaded flightsim from the GitHub release, and found that flightsim.exe is not available.
Would be useful to have an imposter module, so one can generate traffic to domains impersonating well known brands, e.g. offiec365.com, console.amazonaws-ec2.net etc.
We should combine them by taking 5 random FQDNs and 5 random IP:port pairs, then:
c2-dns)
c2-ip)
We should generate OAST traffic patterns to random 33-character hostnames beneath these domains:
oast.pro
oast.live
oast.site
oast.online
oast.fun
oast.me
oastify.com
Here's an example of the FQDN format:
cfm1m19rm8es8h8k0ti0nk95987ojzy1s.oast.me
ccrq5f1br19caa000010rj578k1rxyofb.oast.pro
cflkmv5bf3v166000010mg9bup789oa3t.oast.online
cfmbem6d7l6ktb000010ayruwetaon435.oast.site
flightsim tries to be smart and picks up external interface default for the internet traffic – this works fine for IP traffic simulators, but not necessarily for DNS. We had a situation lately (on AWS VM) where the default interface was in 10.0.0.0/8, but the DNS server was running under 127.0.0.53. As we were binding to 10.x.x.x, the whole DNS traffic was going into oblivion and was not registered by Route53.
We need to solve the problem above plus add some sort of reporting to detect such problems and let user know if DNS queries are not reaching any server.
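The pre-check idea raised earlier (die before simulating if the setup is invalid, with an override) and the loopback-resolver problem just described fit together: a static check can explain up front why DNS bound to 10.x.x.x can never reach 127.0.0.53, and a live probe can report whether a query actually gets answered. The block below is an added example, not flightsim's code; the resolv.conf sample reproduces the AWS case above and is constructed, the warning texts are assumptions, and BuildQuery encodes a minimal A query by hand so the probe needs no DNS library.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"strings"
	"time"
)

// ParseResolvConf returns the nameserver addresses from resolv.conf text.
func ParseResolvConf(text string) []string {
	var ns []string
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == "nameserver" {
			ns = append(ns, f[1])
		}
	}
	return ns
}

// PreCheckDNS explains, without sending anything, why queries bound to bindIP
// could never reach each resolver. A loopback stub (127.0.0.53 in the case
// above) is only reachable from a loopback or unspecified source address.
func PreCheckDNS(bindIP string, nameservers []string) []string {
	var warnings []string
	src := net.ParseIP(bindIP)
	if src == nil {
		return []string{fmt.Sprintf("bind address %q is not a valid IP", bindIP)}
	}
	if len(nameservers) == 0 {
		return []string{"no nameserver configured; DNS simulations will go nowhere"}
	}
	for _, n := range nameservers {
		dst := net.ParseIP(n)
		if dst == nil {
			warnings = append(warnings, fmt.Sprintf("nameserver %q is not an IP", n))
			continue
		}
		if dst.IsLoopback() && !src.IsLoopback() && !src.IsUnspecified() {
			warnings = append(warnings, fmt.Sprintf("nameserver %s is on loopback but DNS traffic is bound to %s; queries will never reach it", n, bindIP))
		}
		if (dst.To4() == nil) != (src.To4() == nil) {
			warnings = append(warnings, fmt.Sprintf("nameserver %s and bind address %s are different IP families", n, bindIP))
		}
	}
	return warnings
}

// BuildQuery encodes a minimal DNS A/IN query with the RD flag set.
func BuildQuery(name string, id uint16) []byte {
	q := make([]byte, 12, 12+len(name)+6)
	binary.BigEndian.PutUint16(q[0:], id)
	q[2] = 0x01                            // RD
	binary.BigEndian.PutUint16(q[4:], 1)   // QDCOUNT
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		q = append(q, byte(len(label)))
		q = append(q, label...)
	}
	q = append(q, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
	return q
}

// ProbeResolver sends one query from bindIP to nameserver:53 and reports whether
// a reply with the matching ID arrives. A timeout is the silent-failure case.
func ProbeResolver(bindIP, nameserver, name string, timeout time.Duration) error {
	src := net.ParseIP(bindIP)
	if src == nil {
		return fmt.Errorf("bad bind address %q", bindIP)
	}
	d := net.Dialer{LocalAddr: &net.UDPAddr{IP: src}, Timeout: timeout}
	conn, err := d.Dial("udp", net.JoinHostPort(nameserver, "53"))
	if err != nil {
		return fmt.Errorf("dial: %w", err)
	}
	defer conn.Close()
	const id = 0x4242 // fixed for the example; use a random ID in real code
	if _, err := conn.Write(BuildQuery(name, id)); err != nil {
		return fmt.Errorf("send: %w", err)
	}
	conn.SetReadDeadline(time.Now().Add(timeout))
	buf := make([]byte, 512)
	n, err := conn.Read(buf)
	if err != nil {
		return fmt.Errorf("no reply from %s within %s: %w", nameserver, timeout, err)
	}
	if n < 12 || binary.BigEndian.Uint16(buf[0:]) != id {
		return fmt.Errorf("unexpected reply from %s", nameserver)
	}
	return nil
}

// SampleResolvConf is constructed to reproduce the AWS case from the issue.
const SampleResolvConf = "options edns0\nsearch ec2.internal\nnameserver 127.0.0.53\n"

func main() {
	ns := ParseResolvConf(SampleResolvConf)
	for _, w := range PreCheckDNS("10.0.0.12", ns) {
		fmt.Println("WARN:", w) // the case that silently failed above
	}
	for _, w := range PreCheckDNS("0.0.0.0", ns) {
		fmt.Println("WARN:", w) // none: an unspecified bind reaches loopback fine
	}
}
```

The static check runs before anything is sent and is the part an --nochecks style flag would skip; the probe is what turns "queries going into oblivion" into a visible "no reply" line in the module output.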
Is there a way I can direct the traffic to a specific interface like you can with tcpreplay? I want to send the traffic to an interface I have a sensor attached directly to in order to sniff the traffic.
It seems we can spoof JARM server fingerprints, i.e. https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b
The idea would be to set up a TLS server and have flightsim interact with it to generate the bad JARM fingerprint.
SCTP can be used to bypass monitoring and filtering, along the lines of http://0x27.me/ssh/sctp/privacy/security/evasion/2015/07/27/SSH-Over-SCTP/. It's a different protocol than TCP or UDP, and I'd like to do some marketing around this at some point to raise awareness.
In this case, we'd do the following:
We'd want the module to report on success or failure, so that users can see whether SCTP is being blocked within their environment (similar to what we do with Tor, DNS tunneling, etc.)
This will require some research and integration. We'll need to have flightsim set up a Tor circuit.
Output would look something like this:
Time Module Description
--------------------------------------------------------------------------------
11:26:01 tor Starting
11:26:01 tor Establishing Tor circuit
11:26:04 tor Success! Tor use is permitted in this environment
11:26:05 tor Finished
And if the test fails:
Time Module Description
--------------------------------------------------------------------------------
11:26:01 tor Starting
11:26:01 tor Establishing Tor circuit
11:26:04 tor Test failed (unable to establish Tor circuit)
11:26:05 tor Finished
Hi
Can you provide a Dockerfile to run this tool on different OSes with a docker image?
Thanks
What is the problem when I run this command?
flightsim run
returns
dial tcp 34.96.64.1:443: i/o timeout
Initial discussions moving toward key/value pairs.
./flightsim run ssh-transfer:sz=1MB:tgt=foo.bar.com:9999
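The key/value syntax above has one subtlety worth settling before it is implemented: the separator is ':', but a target value such as foo.bar.com:9999 contains one too. The following is an added example of a parser for that form, not flightsim's own implementation; it resolves the ambiguity by gluing any segment without '=' onto the previous value. The binary size units (1MB = 1048576 bytes, consistent with the 6442450944B printed for 6GB in the run further down) and the default target and size are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ModuleSpec is the parsed form of "<module>[:key=value]*".
type ModuleSpec struct {
	Module string
	Params map[string]string
}

// ParseModuleSpec splits on ':' and re-joins any segment lacking '=' onto the
// previous value, so "tgt=foo.bar.com:9999" survives as a single parameter.
func ParseModuleSpec(spec string) (ModuleSpec, error) {
	segs := strings.Split(spec, ":")
	if segs[0] == "" {
		return ModuleSpec{}, fmt.Errorf("empty module name in %q", spec)
	}
	ms := ModuleSpec{Module: segs[0], Params: map[string]string{}}
	lastKey := ""
	for _, s := range segs[1:] {
		k, v, ok := strings.Cut(s, "=")
		switch {
		case ok:
			if k == "" {
				return ms, fmt.Errorf("empty key in %q", spec)
			}
			if _, dup := ms.Params[k]; dup {
				return ms, fmt.Errorf("duplicate key %q in %q", k, spec)
			}
			ms.Params[k] = v
			lastKey = k
		case lastKey != "": // continuation of a value that contained ':'
			ms.Params[lastKey] += ":" + s
		default:
			return ms, fmt.Errorf("unexpected segment %q in %q", s, spec)
		}
	}
	return ms, nil
}

// ParseSize converts "6GB", "1MB", "512KB", "100B" or a bare count into bytes (binary units).
func ParseSize(s string) (int64, error) {
	units := []struct {
		suffix string
		mult   int64
	}{{"GB", 1 << 30}, {"MB", 1 << 20}, {"KB", 1 << 10}, {"B", 1}}
	u := strings.ToUpper(strings.TrimSpace(s))
	for _, unit := range units {
		if strings.HasSuffix(u, unit.suffix) {
			n, err := strconv.ParseInt(strings.TrimSuffix(u, unit.suffix), 10, 64)
			if err != nil || n < 0 {
				return 0, fmt.Errorf("bad size %q", s)
			}
			return n * unit.mult, nil
		}
	}
	n, err := strconv.ParseInt(u, 10, 64)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("bad size %q", s)
	}
	return n, nil
}

// TransferTarget applies assumed ssh-transfer defaults (the
// ssh.sandbox-services.alphasoc.xyz:22 endpoint seen on this page, 1MB) and
// validates the tgt and sz parameters.
func TransferTarget(ms ModuleSpec) (host string, port int, size int64, err error) {
	host, port, size = "ssh.sandbox-services.alphasoc.xyz", 22, 1<<20
	if tgt, ok := ms.Params["tgt"]; ok {
		host = tgt
		if i := strings.LastIndex(tgt, ":"); i >= 0 {
			host = tgt[:i]
			if port, err = strconv.Atoi(tgt[i+1:]); err != nil || port < 1 || port > 65535 {
				return "", 0, 0, fmt.Errorf("bad port in tgt=%q", tgt)
			}
		}
	}
	if host == "" {
		return "", 0, 0, fmt.Errorf("empty target host")
	}
	if sz, ok := ms.Params["sz"]; ok {
		if size, err = ParseSize(sz); err != nil {
			return "", 0, 0, err
		}
	}
	return host, port, size, nil
}

func main() {
	ms, err := ParseModuleSpec("ssh-transfer:sz=1MB:tgt=foo.bar.com:9999")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	host, port, size, err := TransferTarget(ms)
	fmt.Println(ms.Module, host, port, size, err)
}
```

A positional segment with no preceding key (for example ssh-transfer:9999) is rejected rather than guessed at, so a typo in a key name fails loudly instead of silently sending the default size to the default host.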
Has anyone tried to compile and run the software for arm?
BR,
Kolja
We should connect to known IRC servers and generate traffic.
When attempting to run the ssh-transfer test, the SSH service is not active
The current time is 16-Feb-24 21:11:52
21:11:52 [ssh-transfer:6GB] Preparing to send randomly generated data to a standard SSH port
21:11:52 [ssh-transfer:6GB] Simulating an SSH/SFTP file transfer of 6442450944B (6.00GB) to ssh.sandbox-services.alphasoc.xyz:22
21:11:55 [ssh-transfer:6GB] ERROR: ssh.sandbox-services.alphasoc.xyz:22: [0B (0.00B) successfully transferred] Errors encountered:
client alphasoc-1: unable to connect: dial tcp >35.211.33.16:22: connect: no route to host
client alphasoc-0: unable to connect: dial tcp >35.211.33.16:22: connect: no route to host
21:11:55 [ssh-transfer:6GB] Done (0/1)
Let's create a module to check into random cryptomining pools using the Stratum protocol. We can use the CryptoIOC API to pull a live list of mining pool FQDNs and ports to use. Selecting 5 random servers should be sufficient for testing purposes. As below:
We need to pick 10 random domains from this list and then, for each domain:
dig mx <domain>
Suggested output is as follows:
Time Module Description
--------------------------------------------------------------------------------
11:26:01 spambot Starting
11:26:01 spambot Preparing random sample of Internet mail servers
11:26:02 spambot Resolving mx1.domain.com
11:26:03 spambot Connecting to 1.2.3.4:25
11:26:04 spambot Resolving mx2.domain.com
11:26:05 spambot Connecting to 2.4.5.6:25
...
11:26:09 spambot Resolving smtp.blah.com
11:26:10 spambot Connecting to 3.4.5.6:25
11:26:11 spambot Finished
We can improve this later to record successes and failures (like we do with the Tor module), but for now it'll be fine to resolve each of these domains to a mail exchanger, then connect to it on TCP port 25.
The readme says flightsim can be installed using the following command:
go install github.com/alphasoc/flightsim@latest
However, it installs the latest v1 version (v1.1.1), not v2.
-format cols 5
-format json
More than just a PR, the version/version.go file shows v0.0.0. See about changing this to match the version releases and have master show the latest release.
DNS tunneling over DNS-over-HTTPS (DoH) to *.sandbox.alphasoc.xyz via a random public server picked from the list below.
https://dns.google/dns-query
https://cloudflare-dns.com/dns-query
https://dns.quad9.net/dns-query
https://doh.opendns.com/dns-query
https://doh.powerdns.org -- shutdown planned for 15.09.2021 according to https://powerdns.org/doh/privacy.html
Attempt to perform the equivalent of this operation:
dig www.google.com @ns1.sandbox.alphasoc.xyz
We'll then set up a simple resolver (e.g. TinyDNS) on the server that only ever resolves www.google.com, and we can test to see whether it's possible in customer environments for arbitrary name servers to be used by workstations (which can be used to facilitate DNS hijacking).
Here's what it would look like in terms of terminal output:
Time Module Description
--------------------------------------------------------------------------------
09:30:28 hijack Starting
09:30:28 hijack Resolving www.google.com via ns1.sandbox.alphasoc.xyz
09:30:29 hijack Success! DNS hijacking is possible in this environment
09:30:30 hijack Finished
If the test fails, we'd serve this instead:
Time Module Description
--------------------------------------------------------------------------------
09:30:28 hijack Starting
09:30:28 hijack Resolving www.google.com via ns1.sandbox.alphasoc.xyz
09:30:29 hijack Test failed (queries to arbitrary DNS servers are blocked)
09:30:30 hijack Finished
An increasing amount of malware is using non-ICANN domains (e.g. .bazar as used by Team9) for C2, which are resolved via OpenNIC servers that we mark within Wisdom as alt_dns. We should register alphasoc.bazar via EmerDNS and update the hijack module so that it:
alt_dns list
alphasoc.bazar
We should connect to api.telegram.org and synthesize API bot traffic, i.e. https://gbhackers.com/telerat-malware-abused-telegram-bot-api/
Worth adding simulator for malicious TLS traffic, i.e. having known bad JA3 or certificate hashes.