Home
- Hacker launches MQ: As previously stated, MandaloreQuest is an auto-exploitation platform written in Python. The program receives targets via command-line input.
- MQ scans target(s): The program uses specifically crafted nmap syntax to collect data about the target(s).
- MQ collects results: It then processes each targeted host and collects the OS, open ports, and the associated applications and versions, if found.
- MQ normalizes scan results: The application then normalizes the results for each host and temporarily stores the host data for exploitation.
- MQ requests exploits linked to the paired results from Metasploit: MQ then uses its MSFDB connector to pull linked potential exploits from Metasploit.
- Metasploit returns linked exploits: The MSFDB returns the potential exploits to MQ.
- MQ opens a remotely accessible MSFCONSOLE shell: The program then uses the MSFRPC module to remotely open and access an MSFCONSOLE shell.
- MQ, through Metasploit, launches exploits through MSFCONSOLE: MQ then pushes commands to the MSFCONSOLE, launching exploits at the target.
- Metasploit receives callbacks and runs the survey script: If the exploits are successful, callbacks are received either by the listener on the remote MSFCONSOLE shell or by a preconfigured remote shell.
- Survey script collects commands to run from JM: A survey script for an interactive operation is a script that automatically runs commands and collects their results to obtain situational awareness on the target machine and in the target network.

  This is often an important, but overlooked, step in the offensive security lifecycle. Our survey script for Metasploit has additional capabilities, but is built on top of the Custom Scripting overview written by Offensive Security. You can find existing Metasploit scripts here.

  This survey script pulls the commands to run by connecting to a remote DB that is part of another program we wrote called JediMammoth (JM). This is a modular C2 implant control platform. It stores attributes of targets (machines and networks) by case name. It also stores associated passwords and connects to a remote ELK platform that displays callback/active operational statistics categorized by case name.
- Metasploit sends commands via the survey script to the target: This process uses a series of Ruby scripting techniques and Metasploit API calls to send the commands to the target.
- Metasploit receives the results of the commands via the survey script: The survey script receives the output of each command and stores it in a local file. The data is stored in folders named after each hostname, with individual files named after each command run.
- Survey script stores the results of the commands in JM: A separate .py script runs on a cron job timer to collect the results of each command found under the folder named after the hostname and store them in the JM-DB. Since conflicts can exist with this logic, hosts are created in the JediMammoth DB by hostname and MAC address. If these two attributes change, a new host is created.
- Operator/Analyst accesses the UI to view results, passwords, loot, etc.: Notice the change in terminology. The idea here is that the hacker gaining access and the analyst reviewing the operation notes might be different people or different teams. JediMammoth allows analysts to view the output of active interactive operations without having to be present during the operation or understanding how to navigate complex hacking tools.
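The scan-normalization step described above (MQ normalizes scan results), as an added example rather than MQ's own code: it parses nmap XML output (`nmap -oX`) into one record per live host carrying the IP, MAC, hostname, best OS match, and the open ports with the service product and version nmap reported, which is the same per-host shape an asset inventory needs. The sample XML is constructed for this example and is not real scan data.

```python
import xml.etree.ElementTree as ET  # for scan files from untrusted sources, parse with defusedxml instead

# Constructed sample in nmap -oX format (one host, one closed port); not real scan data.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/>
        <service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
</nmaprun>"""


def normalize_nmap_xml(xml_text):
    """Return one dict per host that was up: ip, mac, hostname, os, and open services."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not respond carry no usable data
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        name = h.find("hostnames/hostname")
        osmatch = h.find("os/osmatch")  # first (highest-accuracy) match, if OS detection ran
        services = []
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue  # only open ports are relevant to the inventory
            svc = p.find("service")
            svc = svc.attrib if svc is not None else {}  # service element is optional
            services.append({"port": int(p.get("portid")), "proto": p.get("protocol"),
                             "name": svc.get("name"), "product": svc.get("product"),
                             "version": svc.get("version")})
        hosts.append({
            "ip": addrs.get("ipv4") or addrs.get("ipv6"),
            "mac": addrs.get("mac"),
            "hostname": name.get("name") if name is not None else None,
            "os": osmatch.get("name") if osmatch is not None else None,
            "services": sorted(services, key=lambda s: (s["proto"], s["port"])),
        })
    return hosts
```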