Create a Kali virtual dropbox (ISO) for use during remote Vulnerability Assessments and Penetration tests that auto installs without any user interaction, and calls home to your C2 server using unique shared secrets

Home Page: https://www.tuvopensky.com/services/advanced-cyber-defenses/network-security/

License: MIT License

Shell 100.00%
iso penetration-testing pentesting kali


KaliVirtualDropbox

autossh & stunnel + Kali C2 Server = KaliVirtualDropbox

Create a Kali virtual dropbox appliance (ISO) for use during remote Vulnerability Assessments and Penetration tests that auto installs without any user interaction, and calls home to your C2 server using unique shared secrets.

Notes

The most common use case is to run this script on an engagement-specific Kali instance (the C2 host). However, the script can also be run on another host. In that case, it creates a second bash script (c2_setup.sh) that you need to transfer to and execute on your C2 host.

Usage

  1. Stand up an engagement-specific Kali instance/VM (C2 host)

  2. Open up 443/tcp to your C2 host from the outside

  3. Clone and execute the script on the C2 host

    cd /opt
    sudo git clone https://github.com/TUVOpenSky-THREATS/KaliVirtualDropbox
    cd KaliVirtualDropbox
    sudo ./create_ISO_configure_C2.sh
    

    This script will pull the public IP for the server and use that. If you want to manually specify the C2 IP, provide the IP as the first parameter:

    sudo ./create_ISO_configure_C2.sh C2_IP_ADDRESS
    
  4. Transfer the ISO to your remote contact

    1. The ISO will be in /opt/build/images
    2. You can use simple-https-server or whatever you want to serve the file. If using simple-https-server, make sure to host the private keys outside your temporary web root ;)
  5. Your remote contact installs the ISO in a VM, bootable USB, or on hardware

  6. On the C2 host, SSH to your dropbox with the randomly generated password provided by the script OR the ssh key located in /root/.ssh/dropbox.key

    ssh root@localhost -p9999    # then enter the password, or:
    sudo ssh root@localhost -p9999 -i /root/.ssh/dropbox.key
    
  7. Configure Nessus or anything else you want on the box

What the script does to your Kali C2 host

  • Stunnel Configuration

    1. Creates a new ssl key for stunnel (/etc/stunnel/stunnel.pem)
    2. Creates a config file for stunnel (/etc/stunnel/stunnel.conf)
    3. Starts stunnel (listens 443/tcp and redirects to 22/tcp locally)
  • SSH/User Configuration

    1. Creates a user (autossh)
    2. Creates ssh keypair for the autossh user
    3. Adds public key to authorized_keys for autossh
    4. Private key is copied to ISO and is used by the Dropbox to connect to the C2
    5. While the dropbox can establish a tunnel with the C2, it cannot execute commands on the C2
  • Dropbox Custom ISO Creation

    1. Grabs public IP of C2 host
    2. Creates a random password for Dropbox
    3. Installs ISO creation toolkit (live-build, etc.)
    4. Downloads live-build config from kali.org
    5. Copies unique, newly created ssh keypair to ISO
    6. Creates remote callback script on ISO that calls back to public IP of C2
    7. Adds script to cron on ISO
    8. Configures ISO to auto install
    9. Configures sshd config on ISO
    10. Enables services on ISO
    11. Asks you if you want to copy a Nessus binary to ISO (optional)
    12. Builds ISO
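
The SSH/User Configuration items above mean the autossh private key travels on the ISO, so the matching authorized_keys entry on the C2 is what keeps that key tunnel-only. As an added example (not the project's own code), this shell function audits one entry for that property; the OpenSSH options it expects, the function name and the placeholder key are assumptions, and port 9999 is taken from the usage steps.

```shell
#!/bin/sh
# Added example: audit one authorized_keys entry for a tunnel-only account.
# Usage: audit_tunnel_key "<entry>" <port>; returns 0 if locked down, else 1.
audit_tunnel_key() {
    entry=$1; port=$2; rc=0
    # Options, when present, are the first field, before the key type.
    opts=$(printf '%s\n' "$entry" | sed -E \
        's/(^|[[:space:]]+)(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+)[[:space:]].*$//')
    case ",$opts," in
        *,restrict,*) ;;
        *) echo "FAIL: no 'restrict' (pty, agent and X11 forwarding allowed)"; rc=1 ;;
    esac
    # 'restrict' alone still allows command execution; a forced command is needed.
    case ",$opts," in
        *,command=\"*) ;;
        *) echo "FAIL: no forced command, key holder can run commands"; rc=1 ;;
    esac
    # Remote forwards must be pinned to the one expected loopback port.
    case ",$opts," in
        *,permitlisten=\"localhost:$port\",*|*,permitlisten=\"127.0.0.1:$port\",*) ;;
        *) echo "FAIL: remote forwards not limited to loopback port $port"; rc=1 ;;
    esac
    # Options listed after 'restrict' can switch features back on.
    case ",$opts," in
        *,pty,*|*,agent-forwarding,*|*,X11-forwarding,*)
            echo "FAIL: entry re-enables pty, agent or X11 forwarding"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample entries; the key blob is a placeholder, not a real key.
KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER autossh@c2'
WEAK="$KEY"
HARDENED="restrict,port-forwarding,permitlisten=\"localhost:9999\",command=\"/bin/false\" $KEY"

audit_tunnel_key "$WEAK" 9999 || echo "weak entry rejected"
audit_tunnel_key "$HARDENED" 9999 && echo "hardened entry accepted"
```

Run it against the autossh line in the C2's authorized_keys after the setup script finishes; any FAIL line means a copy of the ISO's key grants more than the reverse tunnel.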

Acknowledgements

Contributors

decidedlygray, joeminicucci, sethsec
