Merge pull request #29 from /issues/28

simulator: add ssh-transfer and ssh-exfil modules

Author: kmroz

cmd/run/run.go

@@ -140,6 +140,9 @@ type Module struct {
 	Timeout      time.Duration
 	// FailMsg    string
 	SuccessMsg string
+	// False by default.  If true, don't wait until Timeout between simulation
+	// runs of this module.
+	Fast bool
 }
 
 func (m *Module) FormatHost(host string) string {
@@ -149,7 +152,10 @@ func (m *Module) FormatHost(host string) string {
 			host = h
 		}
 	}
-
+	// Check if the simulator module implements the HostMsgFormatter interface.
+	if hostMsgFormatter, ok := m.Module.(simulator.HostMsgFormatter); ok {
+		return hostMsgFormatter.HostMsg(host)
+	}
 	f := m.HostMsg
 	if f == "" {
 		switch m.Pipeline {
@@ -194,7 +200,7 @@ var allModules = []Module{
 	// 	Pipeline:   PipelineDNS,
 	// 	NumOfHosts: 1,
 	// 	HeaderMsg:  "",
-	// 	HostMsg:    "Resolving %s via ns1.sandbox.alphasoc.xyz",
+	// 	HostMsg:    "Resolving %s via dns.sandbox-services.alphasoc.xyz",
 	// 	Timeout:    1 * time.Second,
 	// 	// FailMsg:    "Test failed (queries to arbitrary DNS servers are blocked)",
 	// 	SuccessMsg: "Success! DNS hijacking is possible in this environment",
@@ -277,6 +283,24 @@ var allModules = []Module{
 		HeaderMsg:  "Resolving random imposter domains",
 		Timeout:    1 * time.Second,
 	},
+	Module{
+		Module:     simulator.NewSSHTransfer(),
+		Name:       "ssh-transfer",
+		Pipeline:   PipelineIP,
+		NumOfHosts: 1,
+		HeaderMsg:  "Preparing to send randomly generated data to a standard SSH port",
+		Timeout:    5 * time.Minute,
+		Fast:       true,
+	},
+	Module{
+		Module:     simulator.NewSSHExfil(),
+		Name:       "ssh-exfil",
+		Pipeline:   PipelineIP,
+		NumOfHosts: 1,
+		HeaderMsg:  "Preparing to send randomly generated data to a non-standard SSH port",
+		Timeout:    5 * time.Minute,
+		Fast:       true,
+	},
 }
 
 type Simulation struct {
@@ -344,8 +368,9 @@ func run(sims []*Simulation, extIP net.IP, size int) error {
 							okHosts++
 						}
 
-						// wait until context expires (unless fast mode or very last iteration)
-						if !fast && ((simN < len(sims)-1) || (hostN < len(hosts)-1)) {
+						// Wait until context expires, unless fast global mode,
+						// fast module (default false) or very last iteration.
+						if !(fast || sim.Fast) && ((simN < len(sims)-1) || (hostN < len(hosts)-1)) {
 							<-ctx.Done()
 						}
 

go.mod

@@ -3,10 +3,9 @@ module github.com/alphasoc/flightsim
 go 1.13
 
 require (
-	github.com/cretz/bine v0.1.1-0.20191105223159-1c71414a61dc
-	github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7
-	github.com/stretchr/testify v1.4.0 // indirect
-	golang.org/x/crypto v0.0.0-20191122220453-ac88ee75c92c // indirect
-	golang.org/x/net v0.0.0-20191126235420-ef20fe5d7933
-	golang.org/x/sys v0.0.0-20191128015809-6d18c012aee9 // indirect
+	github.com/cretz/bine v0.2.0
+	github.com/inhies/go-bytesize v0.0.0-20201103132853-d0aed0d254f8 // indirect
+	github.com/pkg/errors v0.8.1
+	golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e // indirect
+	golang.org/x/net v0.0.0-20210525063256-abc453219eb5
 )

go.sum

@@ -24,9 +24,10 @@ Available commands:
     version     Prints the version number
 
 Cheatsheet:
-    flightsim run                Run all the modules
-    flightsim run c2             Simulate C2 traffic
-    flightsim run c2:trickbot    Simulate C2 traffic for the TrickBot family
+    flightsim run                   Run all the modules
+    flightsim run c2                Simulate C2 traffic
+    flightsim run c2:trickbot       Simulate C2 traffic for the TrickBot family
+    flightsim run ssh-transfer:1MB  Simulate a 1MB SSH/SFTP file transfer
 `
 
 func main() {

main.go

@@ -23,7 +23,7 @@ func (*Hijack) Simulate(ctx context.Context, extIP net.IP, host string) error {
 	r := &net.Resolver{
 		PreferGo: true,
 		Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
-			return d.DialContext(ctx, "udp", "ns1.sandbox.alphasoc.xyz:53")
+			return d.DialContext(ctx, "udp", "dns.sandbox-services.alphasoc.xyz:53")
 		},
 	}
 

simulator/hijack.go

@@ -9,6 +9,12 @@ import (
 	"github.com/alphasoc/flightsim/utils"
 )
 
+// HostMsgFormatter allows a simulator to implement a custom HostMsg method to be called in
+// place of parsing the Module.HostMsg field.
+type HostMsgFormatter interface {
+	HostMsg(host string) string
+}
+
 type Simulator interface {
 	Init(bind net.IP) error
 	Simulate(ctx context.Context, host string) error

simulator/simulator.go

@@ -0,0 +1,44 @@
+package simulator
+
+import (
+	"fmt"
+	"math/rand"
+
+	simssh "github.com/alphasoc/flightsim/simulator/ssh"
+	bytesize "github.com/inhies/go-bytesize"
+)
+
+// SSHExfil defines this simulation.  It's little more than a wrapper around SSHTransfer.
+type SSHExfil struct {
+	SSHTransfer
+}
+
+// NewSSHExfil creates a new SSH Exfiltration simulator.
+func NewSSHExfil() *SSHExfil {
+	return &SSHExfil{}
+}
+
+// defualtTargetHosts returns a default string slice of targets in the {HOST:IP} form.
+// Random selection of a non-standard SSH port is performed.
+func (s *SSHExfil) defaultTargetHosts() []string {
+	// Ports to be used for ssh exfil detectability.
+	ports := []string{"443", "465", "993", "995"}
+	pos := rand.Intn(len(ports))
+	return []string{fmt.Sprintf("ssh.sandbox-services.alphasoc.xyz:%v", ports[pos])}
+}
+
+// defaultSendSize returns a 100 bytesize.MB default.
+func (s *SSHExfil) defaultSendSize() bytesize.ByteSize {
+	return 100 * bytesize.MB
+}
+
+// Hosts sets the simulation send size, and extracts the destination hosts.  A slice of
+// strings representing the destination hosts (IP:port) is returned along with an error.
+func (s *SSHExfil) Hosts(scope string, size int) ([]string, error) {
+	dstHosts, sendSize, err := simssh.ParseScope(scope, s.defaultTargetHosts(), s.defaultSendSize())
+	if err != nil {
+		return dstHosts, err
+	}
+	s.sendSize = sendSize
+	return dstHosts, nil
+}

simulator/ssh-exfil.go

@@ -0,0 +1,179 @@
+package simulator
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"strings"
+
+	simssh "github.com/alphasoc/flightsim/simulator/ssh"
+	"github.com/alphasoc/flightsim/utils"
+	"golang.org/x/crypto/ssh"
+
+	bytesize "github.com/inhies/go-bytesize"
+)
+
+// SSHTransfer defines this simulation.
+type SSHTransfer struct {
+	src      net.IP // Connect from this IP.
+	sendSize bytesize.ByteSize
+}
+
+// Client connection results struct.
+type clientConnRes struct {
+	c   *simssh.Client
+	err error
+}
+
+// NewSSHTransfer creates a new SSH/SFTP simulator.
+func NewSSHTransfer() *SSHTransfer {
+	return &SSHTransfer{}
+}
+
+// defaultSendSize returns a 100 bytesize.MB default.
+func (s *SSHTransfer) defaultSendSize() bytesize.ByteSize {
+	return 100 * bytesize.MB
+}
+
+// defualtTargetHosts returns a default string slice of targets in the {HOST:IP} form.
+func (s *SSHTransfer) defaultTargetHosts() []string {
+	return []string{"ssh.sandbox-services.alphasoc.xyz:22"}
+}
+
+// HostMsg implements the HostMsgFormatter interface, returning a custom host message
+// string to be output by the run command.
+func (s *SSHTransfer) HostMsg(host string) string {
+	return fmt.Sprintf(
+		"Simulating an SSH/SFTP file transfer of %v (%v) to %v",
+		s.sendSize.Format("%.0f", "B", false),
+		s.sendSize.Format("%.2f", "", false),
+		host)
+}
+
+// Init sets the source IP for this simulation.
+func (s *SSHTransfer) Init(src net.IP) error {
+	s.src = src
+	return nil
+}
+
+// newClient initializes and returns SSH/SFTP Client along with an error.
+func newClient(
+	ctx context.Context,
+	clientName string,
+	src net.IP,
+	dst string,
+	signer ssh.Signer) (*simssh.Client, error) {
+	// Create a Client that's ready to use for SSH/SFTP transfers.
+	c, err := simssh.NewClient(ctx, clientName, src, dst, signer)
+	if err != nil {
+		// No need to invoke client Teardown(), as underlying connections would have been
+		// closed by NewClient().
+		return nil, err
+	}
+	// Init/Version.
+	initResp, err := c.SendInit()
+	if err != nil {
+		c.Teardown()
+		return c, err
+	}
+	// TODO: Do we really care about version mismatches?  From the sftp spec, a 3 can be
+	// followed by some form of version negotiaion.
+	if initResp.Version != simssh.ClientVer {
+		c.Teardown()
+		return c, fmt.Errorf("server version mismatch, expecting %v, received %v",
+			simssh.ClientVer, initResp.Version)
+	}
+	return c, nil
+}
+
+type simulationContext struct {
+	Ctx        context.Context
+	Dst        string
+	ClientName string
+	Handle     string
+	SendSize   bytesize.ByteSize
+	Signer     ssh.Signer
+	Ch         chan<- simssh.WriteResponse
+}
+
+// simulate performs the actual client connect and write on behalf of Simulate().
+func (s *SSHTransfer) simulate(simCtx *simulationContext) {
+	c, err := newClient(simCtx.Ctx, simCtx.ClientName, s.src, simCtx.Dst, simCtx.Signer)
+	if err != nil {
+		// Piggy back client connect errors on WriteResponse chan.
+		res := simssh.WriteResponse{}
+		res.ClientName = simCtx.ClientName
+		res.Err = err
+		simCtx.Ch <- res
+		return
+	}
+	simCtx.Ch <- c.WriteRandom(simCtx.Handle, simCtx.SendSize)
+	c.Teardown()
+}
+
+// Simulate an ssh/sftp file transfer.
+func (s *SSHTransfer) Simulate(ctx context.Context, dst string) error {
+	// Auth.
+	signer, err := simssh.NewSignerFromKey()
+	if err != nil {
+		return err
+	}
+	// Compute number of clients and a send size for each, such that we don't exceed
+	// maxClients.
+	const maxClients = 2
+	const minSendSize = 1 * bytesize.MB
+	if s.sendSize <= 0 {
+		return fmt.Errorf("invalid send size: %v", s.sendSize)
+	}
+	senderSizes := utils.ComputeSenderSizes(maxClients, s.sendSize, minSendSize)
+	numClients := len(senderSizes)
+	// Create a WriteResponse channel, used by clients to return connection errors and
+	// write responses.
+	writeCh := make(chan simssh.WriteResponse, numClients)
+	for i := 0; i < numClients; i++ {
+		go s.simulate(&simulationContext{
+			Ctx:        ctx,
+			Dst:        dst,
+			ClientName: fmt.Sprintf("alphasoc-%v", i),
+			Handle:     fmt.Sprintf("flightsim-ssh-transfer-%v", i),
+			SendSize:   senderSizes[i],
+			Signer:     signer,
+			Ch:         writeCh})
+
+	}
+	var errsEncountered []string
+	var totalBytesSent bytesize.ByteSize
+	for i := 0; i < numClients; i++ {
+		res := <-writeCh
+		// Append all client connect and write errors, but continue.
+		if res.Err != nil {
+			errsEncountered = append(errsEncountered, fmt.Sprintf("client %v: %v", res.ClientName, res.Err.Error()))
+		}
+		totalBytesSent += bytesize.ByteSize(res.BytesSent)
+	}
+	if len(errsEncountered) != 0 {
+		// Don't append ':" to leading '%v' as composed err already has trailing ':'.
+		return fmt.Errorf(
+			"[%v (%v) successfully transferred] Errors encountered:\n\t%v",
+			totalBytesSent.Format("%.0f", "B", false),
+			totalBytesSent.Format("%.2f", "", false),
+			strings.Join(errsEncountered, "\n\t"),
+		)
+	}
+	// Success.
+	return nil
+}
+
+// Cleanup is a no-op.
+func (s *SSHTransfer) Cleanup() {}
+
+// Hosts sets the simulation send size, and extracts the destination hosts.  A slice of
+// strings representing the destination hosts (IP:port) is returned along with an error.
+func (s *SSHTransfer) Hosts(scope string, size int) ([]string, error) {
+	dstHosts, sendSize, err := simssh.ParseScope(scope, s.defaultTargetHosts(), s.defaultSendSize())
+	if err != nil {
+		return dstHosts, err
+	}
+	s.sendSize = sendSize
+	return dstHosts, nil
+}

simulator/ssh-transfer.go

@@ -0,0 +1,41 @@
+package ssh
+
+import (
+	"fmt"
+
+	"golang.org/x/crypto/ssh"
+)
+
+// The private key here is solely used to authenticate with the server-side application
+// accpeting the SSH/SFTP data transfer.  This is being done on purpose.
+const privKey = `-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACA6El6xrgg3fzl6dbygysFLXmVN3ysbLnbnkD8jpgOAxQAAAJiL5q0ti+at
+LQAAAAtzc2gtZWQyNTUxOQAAACA6El6xrgg3fzl6dbygysFLXmVN3ysbLnbnkD8jpgOAxQ
+AAAED/EajTMrrGDzvT2VVeQhF/pf+mE9zINK7Kv3tHRynbpDoSXrGuCDd/OXp1vKDKwUte
+ZU3fKxsudueQPyOmA4DFAAAAEGthcm9sQGVhc3kubG9jYWwBAgMEBQ==
+-----END OPENSSH PRIVATE KEY-----`
+
+// gSigner is the ssh signer used to authenticate.  It's global to this package to avoid
+// computing it multiple times during a simulation
+var gSigner ssh.Signer = nil
+
+// NewSignerFromKey returns the global signer, if set, otherwise it generates an ssh signer
+// from a static private key, sets the global signer varialbe, and returns the signer.  An
+// error code is also returned.
+func NewSignerFromKey() (ssh.Signer, error) {
+	if gSigner != nil {
+		return gSigner, nil
+	}
+	key := []byte(privKey)
+	parsedKey, err := ssh.ParseRawPrivateKey(key)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse private key: %w", err)
+	}
+	signer, err := ssh.NewSignerFromKey(parsedKey)
+	if err != nil {
+		return nil, fmt.Errorf("unable to generate signer from private key: %w", err)
+	}
+	gSigner = signer
+	return gSigner, nil
+}