Merge pull request mandiant#90 from fireeye/commando-2.0

commando 2.0

README.md

@@ -7,12 +7,12 @@
                \/             \/      \/     \/     \/      \/       
                         C O M P L E T E  M A N D I A N T                    
                              O F F E N S I V E   V M                        
-                                   Version 1.3                                 
+                                   Version 2.0                                 
                _____________________________________________________          
 
                                    Developed by                                
                                    Jake Barteaux                               
-                                 Proactive Services  
+                                 Mandiant Red Team  
                                   Blaine Stancill                           
                                     Nhan Huynh   
                      FireEye Labs Advanced Reverse Engineering                            
@@ -22,9 +22,9 @@ ______________________________________________________________________________
   <img width="300" src="https://github.com/fireeye/commando-vm/blob/master/Commando.png?raw=true" alt="Commando VM"/>
 </p>  
 
-Welcome to CommandoVM - a fully customized, Windows-based security distribution for penetration testing and red teaming.
-
+Welcome to CommandoVM - a fully customizable, Windows-based security distribution for penetration testing and red teaming.
 
+For detailed install instructions or more information please see our [blog]()
 
 Installation (Install Script)
 =============================
@@ -42,9 +42,12 @@ Recommended
 * 4+ GB RAM
 * 2 network adapters
 * Enable Virtualization support for VM
+  * REQUIRED FOR KALI OR DOCKER
 
 Instructions
-------------
+============
+Standard install
+----------------
 1. Create and configure a new Windows Virtual Machine
   * Ensure VM is updated completely. You may have to check for updates, reboot, and check again until no more remain 
 * Take a snapshot of your machine!
@@ -58,6 +61,18 @@ Instructions
 
 The script will set up the Boxstarter environment and proceed to download and install the Commando VM environment. You will be prompted for the administrator password in order to automate host restarts during installation. If you do not have a password set, hitting enter when prompted will also work.
 
+Custom install
+--------------
+1.	Download the zip from https://github.com/fireeye/commando-vm into your Downloads folder.
+2.	Decompress the zip and edit the `${Env:UserProfile}\Downloads\commando-vm-master\commando-vm-master\profile.json` file by removing tools or adding tools in the “packages” section. Tools are available from our [package list](https://github.com/fireeye/commando-vm/blob/master/packages.csv) or from the chocolatey repository.
+3.	Open an administrative PowerShell window and enable script execution.
+`Set-ExecutionPolicy Unrestricted -f`
+4.	Change to the unzipped project directory.
+`cd ${Env:UserProfile}\Downloads\commando-vm-master\commando-vm-master\`
+5.	Execute the install with the -profile_file argument.
+`.\install.ps1 -profile_file .\profile.json`
+
+For more detailed instructions about custom installations, see our [blog]()
 
 Installing a new package
 ========================
@@ -101,6 +116,10 @@ Installed Tools
 - Visual Studio 2017 Build Tools (Windows 10)
 - Visual Studio Code
 
+### Docker
+- Amass
+- SpiderFoot
+
 ### Evasion
 - CheckPlease
 - Demiguise
@@ -191,6 +210,11 @@ Installed Tools
 - SpoolerScanner
 - Watson
 
+## Kali Linux
+- kali-linux-default
+- kali-linux-xfce
+- VcXsrv
+
 ### Networking Tools
 - Citrix Receiver
 - OpenVPN
@@ -282,59 +306,13 @@ Installed Tools
 - Probable-Wordlists
 - RobotsDisallowed
 
-## Changelog:
-1.3 - June 28 2019
-- Added RottenPotatoNG https://github.com/breenmachine/RottenPotatoNG #63
-- Added Juicy Potato https://github.com/ohpe/juicy-potato #63, #64
-- Added Watson https://github.com/rasta-mouse/Watson #64
-- Added PwndPasswordsNTLM https://github.com/JacksonVD/PwnedPasswordsNTLM #67
-- Added FOCA https://github.com/JacksonVD/PwnedPasswordsNTLM #71 
-- Added Vulcan https://github.com/praetorian-code/vulcan
-- Added SharpClipHistory https://github.com/mwrlabs/SharpClipHistory
-- Added NetRipper https://github.com/NytroRST/NetRipper
-- Added RobotsDisallowed https://github.com/danielmiessler/RobotsDisallowed
-- Added Probable-Wordlists https://github.com/berzerk0/Probable-Wordlists
-- Added SharpSploit https://github.com/cobbr/SharpSploit
-- Changed WinRM configuration #65
-- Un-hardened UNC file paths #68
-- Fixed install issues with Covenant #61, #76
-
-1.2 - May 31 2019
-- Added recommended hardware settings #20, #17
-- Added DomainPasswordSpray https://github.com/dafthack/DomainPasswordSpray #2
-- Added GoBuster https://github.com/OJ/gobuster #39
-- Added Wfuzz https://github.com/xmendez/wfuzz #40
-- Added Notepad++ #30
-- Added TextFX plugin for Notepad++
-- Added Explorer Suite (CFF Explorer)
-
-1.1 - April 30 2019
-- Added AD-Control-Paths https://github.com/ANSSI-FR/AD-control-paths/releases
-- Added DefenderCheck https://github.com/matterpreter/DefenderCheck
-- Added dnsrecon https://github.com/darkoperator/dnsrecon
-- Added EvilClippy https://github.com/outflanknl/EvilClippy
-- Added NtdsAudit https://github.com/Dionach/NtdsAudit
-- Added SharpExec https://github.com/anthemtotheego/SharpExec
-- Added Subdomain-Bruteforce https://github.com/visualbasic6/subdomain-bruteforce
-- Fixed issue #18 with PATH 
-- Added Commando Logos with transparent backgrounds to $Home\Pictures
-- Pinned Firefox to Taskbar
-- Fixed misspellings in Readme #42/#43
-- Added Ruby and Ruby Devkit #1
-- Updated Rubeus package to current version (1.4.2) #31
-
-1.0.2 - April 10 2019
-- Added missing 'seclists.fireeye' package to packages.json #38
-
-1.0.1 - March 31 2019
-- Used https instead of http to install boxstarter #10
-
 Legal Notice
 ============
 <pre>This download configuration script is provided to assist penetration testers
-in creating handy and versatile toolboxes for offensive engagements. It
-provides a convenient interface for them to obtain a useful set of pentesting Tools directly from their original sources. Installation and use of this script
-is subject to the Apache 2.0 License.
+in creating handy and versatile toolboxes for offensive engagements. It provides 
+a convenient interface for them to obtain a useful set of pentesting Tools directly 
+from their original sources. Installation and use of this script is subject to the 
+Apache 2.0 License.
 
 You as a user of this script must review, accept and comply with the license
 terms of each downloaded/installed package listed below. By proceeding with the

changelog.md

@@ -0,0 +1,52 @@
+## 2.0 - August 5 2019
+- Added Kali Linux https://www.kali.org
+- Added Docker https://www.docker.com #88
+- Added SpiderFoot https://github.com/smicallef/spiderfoot #84
+- Added Amass https://github.com/OWASP/Amass
+- Added customization support #42, #25 
+
+## 1.3 - June 28 2019
+- Added RottenPotatoNG https://github.com/breenmachine/RottenPotatoNG #63
+- Added Juicy Potato https://github.com/ohpe/juicy-potato #63, #64
+- Added Watson https://github.com/rasta-mouse/Watson #64
+- Added PwndPasswordsNTLM https://github.com/JacksonVD/PwnedPasswordsNTLM #67
+- Added FOCA https://github.com/JacksonVD/PwnedPasswordsNTLM #71 
+- Added Vulcan https://github.com/praetorian-code/vulcan
+- Added SharpClipHistory https://github.com/mwrlabs/SharpClipHistory
+- Added NetRipper https://github.com/NytroRST/NetRipper
+- Added RobotsDisallowed https://github.com/danielmiessler/RobotsDisallowed
+- Added Probable-Wordlists https://github.com/berzerk0/Probable-Wordlists
+- Added SharpSploit https://github.com/cobbr/SharpSploit
+- Changed WinRM configuration #65
+- Un-hardened UNC file paths #68
+- Fixed install issues with Covenant #61, #76
+
+## 1.2 - May 31 2019
+- Added recommended hardware settings #20, #17
+- Added DomainPasswordSpray https://github.com/dafthack/DomainPasswordSpray #2
+- Added GoBuster https://github.com/OJ/gobuster #39
+- Added Wfuzz https://github.com/xmendez/wfuzz #40
+- Added Notepad++ #30
+- Added TextFX plugin for Notepad++
+- Added Explorer Suite (CFF Explorer)
+
+## 1.1 - April 30 2019
+- Added AD-Control-Paths https://github.com/ANSSI-FR/AD-control-paths/releases
+- Added DefenderCheck https://github.com/matterpreter/DefenderCheck
+- Added dnsrecon https://github.com/darkoperator/dnsrecon
+- Added EvilClippy https://github.com/outflanknl/EvilClippy
+- Added NtdsAudit https://github.com/Dionach/NtdsAudit
+- Added SharpExec https://github.com/anthemtotheego/SharpExec
+- Added Subdomain-Bruteforce https://github.com/visualbasic6/subdomain-bruteforce
+- Fixed issue #18 with PATH 
+- Added Commando Logos with transparent backgrounds to $Home\Pictures
+- Pinned Firefox to Taskbar
+- Fixed misspellings in Readme #42/#43
+- Added Ruby and Ruby Devkit #1
+- Updated Rubeus package to current version (1.4.2) #31
+
+1.0.2 - April 10 2019
+- Added missing 'seclists.fireeye' package to packages.json #38
+
+1.0.1 - March 31 2019
+- Used https instead of http to install boxstarter #10

commandovm.win10.config.fireeye/commandovm.win10.config.fireeye.nuspec

@@ -2,9 +2,12 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>commandovm.win10.config.fireeye</id>
-    <version>1.2.0.0</version>
+    <version>2.0.0.0</version>
     <title>CommandoVM</title>
     <authors>Jake Barteaux</authors>
-    <description>CommandoVM - Penetration Testing Distribution</description>
+    <description>CommandoVM - Penetration Testing Distribution</description>    
+    <dependencies>
+      <dependency id="autohotkey.portable" />
+    </dependencies>
   </metadata>
 </package>

commandovm.win10.config.fireeye/tools/EnableWinRM.ahk

@@ -0,0 +1,59 @@
+#NoEnv  ; Recommended for performance and compatibility with future AutoHotkey releases.
+#Warn  ; Enable warnings to assist with detecting common errors.
+#WinActivateForce
+
+
+SendMode Input  ; Recommended for new scripts due to its superior speed and reliability.
+SetWorkingDir %A_ScriptDir%  ; Ensures a consistent starting directory.
+SetKeyDelay, 50
+
+psScript =
+(
+    winrm quickconfig -q
+    Enable-PSRemoting -SkipNetworkProfileCheck -Force
+	Set-Service -Name WinRM -StartupType Automatic
+	Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP" -RemoteAddress Any
+    Set-Item wsman:localhost\client\trustedhosts -Value "*" -Force
+    Enable-WSManCredSSP -Role "Client" -DelegateComputer "*" -Force
+)
+
+RunWait PowerShell.exe -Command &{%psScript%}
+
+title = Local Group Policy Editor
+Run, C:\Windows\System32\gpedit.msc
+WinWait, %title%, , 5000
+IfWinExist %title%
+{
+	WinActivate %title%
+	WinMaximize, %title%
+	Sleep, 500
+	BlockInput On
+	SendInput, {down}{down}{down}{down}{right}					; Expand "Administrative Template"	
+	Sleep, 500
+	SendInput, {down}{down}{down}{down}{down}{down}{right}		; Expand "System"
+	Sleep, 500
+	SendInput, c												; Delegate credentials
+	Sleep, 500
+	SendInput, {tab}											; Switch Pane
+	Sleep, 500
+	SendInput, {down}{down}{down}{down}							; Delegate fresh creds with NTML-Only server Auth
+	Sleep, 500
+	SendInput, {enter}
+	Sleep, 500
+	SendInput, !E
+	Sleep, 500
+	SendInput, {tab}{tab}{tab}									; Show
+	Sleep, 500
+	SendInput, {enter}
+	Sleep, 500
+	SendInput, {tab}{tab}
+	Sleep, 500
+	SendInput, WSMAN/*
+	Sleep, 500
+	SendInput, !O       										; OK
+	Sleep, 500
+	SendInput, {tab}{enter}										; Done
+	SendInput, !fx												; Quit
+	BlockInput Off
+}
+Exit

commandovm.win10.config.fireeye/tools/UNCPathSoftening.ahk

@@ -0,0 +1,58 @@
+#NoEnv  ; Recommended for performance and compatibility with future AutoHotkey releases.
+#Warn   ; Enable warnings to assist with detecting common errors.
+#WinActivateForce
+
+SendMode Input
+SetWorkingDir %A_ScriptDir%
+SetKeyDelay, 50
+
+; Handle installation
+title = Local Group Policy Editor
+Run, C:\Windows\system32\gpedit.msc
+WinWait, %title%,,5000
+IfWinExist %title%
+{
+  WinActivate, %title%  
+  WinMaximize, %title%
+
+  Sleep, 500
+  BlockInput On
+
+  Sleep, 500
+  SendInput, {down}{down}{down}{down}{right}        ; Administrative Template
+
+  Sleep, 500
+  SendInput, {down}{down}{right}                    ; Network
+
+  Sleep, 500
+  SendInput, N{down}{down}{down}{right}             ; Network Provider
+
+  Sleep, 500
+  SendInput, {tab}
+
+  Sleep, 500
+  SendInput, {Enter}
+
+  Sleep, 500
+  SendInput, !E
+
+  Sleep, 500
+  SendInput, {tab}{tab}{tab}{enter}
+
+  Sleep, 500
+  SendInput, {tab}{tab}
+
+  SendInput, \\*
+  SendInput, {tab}
+  SendInput, RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0
+
+  Sleep, 500
+  SendInput, !O
+  SendInput, {tab}{tab}{Enter}
+
+  Sleep, 500
+  WinClose
+  BlockInput Off
+}
+
+Exit,

commandovm.win10.config.fireeye/tools/chocolateyinstall.ps1

@@ -1,4 +1,4 @@
-$ErrorActionPreference = 'Continue'
+$ErrorActionPreference = 'Stop'
 
 $packageName = 'commandovm.win10.config.fireeye'
 $toolsDir    = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
@@ -199,6 +199,16 @@ if ($env_path -ne $old_path) {
 Get-ChildItem -Path (Join-Path ${Env:UserProfile} "Desktop") -Hidden -Filter "desktop.ini" -Force | foreach {$_.Delete()}
 Get-ChildItem -Path (Join-Path ${Env:Public} "Desktop") -Hidden -Filter "desktop.ini" -Force | foreach {$_.Delete()}
 
+# Use AutoHotKey to modify various settings
+$scripts = @(
+  "UNCPathSoftening.ahk",           # "Softening" MS UNC Path Hardning stuffs....
+  "EnableWinRM.ahk"                 # Enable WinRM
+)
+ForEach ($name in $scripts) {
+  $script = Join-Path $toolsDir $name
+  Write-Host "[+] Executing $script" -ForegroundColor Green
+  AutoHotKey $script
+}
 
 # Should be PS >5.1 now, enable transcription and script block logging
 # More info: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

commandovm.win10.installer.fireeye/commandovm.win10.installer.fireeye.nuspec

@@ -2,9 +2,12 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>commandovm.win10.installer.fireeye</id>
-    <version>1.2.0.0</version>
+    <version>2.0.0.0</version>
     <title>CommandoVM</title>
     <authors>Jake Barteaux</authors>
     <description>CommandoVM - Penetration Testing Distribution</description>
+    <dependencies>
+      <dependency id="common.fireeye" />
+    </dependencies>    
   </metadata>
 </package>