quietKali

This past week a coworker and I were on a Red Team engagement.

To explain, a Red Team engagement is different from a standard penetration test. In a Red Team engagement, the Red Team (attackers) is pitted against the Blue Team (defenders). The idea is that the Red Team shows what real-world attacks look like: they are meant to be quiet and avoid detection, and afterwards they walk the Blue Team through what they did so the Blue Team can get better at detection and response. (Remember, it is not IF you get compromised, it is WHEN.) In turn, if the Blue Team is good at detecting the Red Team's activities and stops them, the Blue Team can show the Red Team where it was caught, improving the tactics the Red Team uses. This becomes a cycle in which each team improves the other, driving security forward.



So on this engagement, I changed my hostname to match the customer's environment and changed my MAC address, but for some reason something happened which reverted my hostname (my fault: I didn't change it persistently and did not verify). Strike 1!



The next day my coworker's computer tried to connect to Kali's servers for an update or to install a package. Strike 2!!



Uh oh, we had better not mess this up! So I created quietKali, learning from our mistakes. quietKali lets you change the hostname, change the MAC address, and block access to Kali's servers. It will even revert the changes when you are done.

This is great during a Red Team exercise when you need to avoid detection. Just run "python quietKali.py --on -m eth0 -n manual" and quietKali will block access to Kali's servers, change the MAC address on eth0 to a random value, and prompt you for the hostname. You can also select from printer, server, workstation, router, etc. and the hostname will be generated for you.

There is also the --revert option, which returns your machine to the state it was in before access to Kali's servers was blocked and the hostname and MAC address were changed.
# Usage
- --on: Enable quietKali. This modifies your machine so it cannot connect to Kali's servers.
- --off: Disable quietKali. This removes the settings applied when quietKali was turned on and lets you connect to Kali's servers again. quietKali must be off to run apt-get update and apt-get install.
- --mac (-m): Change the MAC address. Specify the interface whose MAC address should be changed; it is set to a random value. (Matching the MAC address to the host type chosen with --hostname is listed below as a planned addition.)
- --hostname (-n): Set the hostname. Valid options are random, router, printer, workstation, server, or manual. Manual prompts for a string to use as the hostname, which lets you match the customer environment more closely.
- --revert: Revert changes. Turns off quietKali and restores the original MAC address and hostname.

** Values for the hostname are stored in the names folder. The current format is "line from name file"-"random number". As I gather more hostname formats I will add to or change this formatting; in the meantime, manual is probably the best way to match your environment.
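To make the on/revert flow and the hostname format above concrete, here is an added example of the same three changes done by hand, with a state file so they can be reverted. This is not quietKali's code; it assumes a Kali box with systemd (hostnamectl) and iproute2, the mirror hostnames http.kali.org and kali.download as the ones to sink (check /etc/apt/sources.list on your own machine), a state file path of /var/tmp/quiet-state, and constructed name lists in place of the files in the names folder. Applying and reverting need root; the generators and the /etc/hosts helpers do not.

```shell
#!/bin/sh
# Added example, not quietKali's own code: block Kali's servers, set the
# hostname persistently (the Strike 1 lesson), set a random MAC, and revert.
# Assumptions: systemd (hostnamectl), iproute2, mirror hostnames below.
set -eu

STATE="${QUIET_STATE:-/var/tmp/quiet-state}"   # assumed path for revert data
KALI_HOSTS="http.kali.org kali.download"       # assumed; check sources.list
BEGIN_MARK="# quiet-begin"
END_MARK="# quiet-end"

rand_byte() { od -An -N1 -tu1 /dev/urandom | tr -d ' '; }

# Random MAC with the locally-administered bit set and the multicast bit
# clear, so it is valid unicast and cannot collide with a vendor OUI.
random_mac() {
  printf '%02x' $(( ($(rand_byte) & 0xfc) | 0x02 ))
  i=0
  while [ "$i" -lt 5 ]; do printf ':%02x' "$(rand_byte)"; i=$((i + 1)); done
  printf '\n'
}

# Hostname in quietKali's "line from name file"-"random number" format.
# The name lists are constructed here in place of the names folder.
gen_hostname() {
  case "$1" in
    printer)     names="HP-LJ-M605 CANON-MF" ;;
    workstation) names="WS DESKTOP" ;;
    server)      names="SRV APP" ;;
    router)      names="RTR CORE-GW" ;;
    *) echo "unknown host type: $1" >&2; return 1 ;;
  esac
  set -- $names
  base=$(printf '%s\n' "$@" | sed -n "$(( $(rand_byte) % $# + 1 ))p")
  printf '%s-%03d\n' "$base" "$(( ($(rand_byte) * 256 + $(rand_byte)) % 1000 ))"
}

# /etc/hosts lines that sink the mirrors: apt (or a stray package install)
# fails to connect instead of reaching out. Markers let revert delete
# exactly what was added.
hosts_block() {
  echo "$BEGIN_MARK"
  for h in $KALI_HOSTS; do echo "0.0.0.0 $h"; done
  echo "$END_MARK"
}
strip_hosts_block() { sed -i "/^$BEGIN_MARK\$/,/^$END_MARK\$/d" "${1:-/etc/hosts}"; }

quiet_on() {  # quiet_on IFACE NEWHOSTNAME   (root)
  iface=$1; newname=$2
  [ ! -e "$STATE" ] || { echo "already on, revert first" >&2; return 1; }
  printf 'iface=%s\nmac=%s\nhost=%s\n' "$iface" \
    "$(cat "/sys/class/net/$iface/address")" "$(hostname)" > "$STATE"
  hosts_block >> /etc/hosts
  # Debian/Kali also map the hostname to 127.0.1.1; keep that in step.
  sed -i "s/^127\.0\.1\.1[[:space:]].*/127.0.1.1 $newname/" /etc/hosts
  hostnamectl set-hostname "$newname"   # writes /etc/hostname, survives reboot
  ip link set dev "$iface" down
  ip link set dev "$iface" address "$(random_mac)"
  ip link set dev "$iface" up           # DHCP now sees the new name and MAC
}

quiet_revert() {  # (root)
  . "$STATE"
  strip_hosts_block /etc/hosts
  sed -i "s/^127\.0\.1\.1[[:space:]].*/127.0.1.1 $host/" /etc/hosts
  hostnamectl set-hostname "$host"
  ip link set dev "$iface" down
  ip link set dev "$iface" address "$mac"
  ip link set dev "$iface" up
  rm -f "$STATE"
}

# Verify before plugging into the customer network: Strike 1 was a hostname
# that silently reverted, so check rather than assume.
quiet_check() {  # quiet_check IFACE
  echo "hostname: $(hostname)  /etc/hostname: $(cat /etc/hostname)"
  echo "mac:      $(cat "/sys/class/net/$1/address")"
  for h in $KALI_HOSTS; do
    case "$(getent hosts "$h" || true)" in
      0.0.0.0*) echo "$h: sunk" ;;
      *)        echo "$h: RESOLVES, not blocked" ;;
    esac
  done
}
```

Source the file and run `quiet_on eth0 "$(gen_hostname printer)"` (or a manual name), then `quiet_check eth0` before connecting; `quiet_revert` undoes everything from the state file. The hostname is set with hostnamectl rather than the bare hostname command precisely because the latter does not survive a reboot or a network restart, and the interface is brought down before the MAC and hostname change so the first DHCP request the customer's network sees carries the new values.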
I am looking for ideas on how to add to this. Some ideas are:

- Set MAC address to match the hostname type. (i.e., selecting a printer hostname will set MAC address to a printer MAC address)

- Add more hostname types and formats

Check it out at https://github.com/l0gan/quietKali and let me know what you think!

Comments

  1. Red Team exercise is an interesting way to play the bad guys. Sometimes, however, the red team seems to be too good at what they do.
