Ansible and Testbed Deployment

Here we come to the most interesting use of ansible for pentesting: creating vulnerable stands (test labs) that can be brought up simply by describing the settings in config files. Let's find out whether it is really that simple and what can be done through ansible.

Problem statement and stand description

Let's decide on the systems that will be used to build the stand. This article describes the configuration of a vulnerable stand for relay attacks, so we start from what such an attack needs.

A relay attack has the particular feature that it requires 3 participants on the network (rarely 2):

  • a system hosting the vulnerable authentication method

  • a user who can legitimately authenticate to the affected system

  • the attacker

Sometimes the last 2 can be on the same machine on the network. We assume that the experiment of this article will be reproduced locally, so we will need:

  • 8 GB RAM

  • 40-50 GB of hard disk space (taken with a margin, since this is Windows)

In total, at least 2 virtual machines. Now let's decide on the type of relay. To test configurations through ansible we will implement the simplest option first; the experience can then be extended to more complex configurations. Let's get started.

ansible

From the previous articles we already know that Windows is managed through PowerShell scripts rather than through python. This gives us native control of the system out of the box. The only remaining setup task is to configure WinRM; everything else is ordinary system configuration in PowerShell.

We create the ansible project with the same steps as in the previous articles. First, the inventory file:

[win] 
192.168.56.6

[win:vars]

ansible_user=administrator
ansible_password=Qwerty!@#
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore

Testing the connection to the system:

ansible -i hosts all -m win_ping

Two tasks remain for the stand:

  1. Set up Windows AD Services

  2. Configure User for Relay Attack

To perform the first task, we create a separate ad role. To manage operating-system features we use the win_feature module: it installs the required set of tools, after which win_domain sets the parameters for the new Windows Active Directory tree. The main.yaml file:

---
  # domain_password is not defined in the inventory: supply it at run time,
  # e.g. ansible-playbook -i hosts main.yaml -e domain_password=<DSRM password>
  - name: Test
    hosts: all
    gather_facts: false
    tasks:
      - name: set dc name
        ansible.windows.win_hostname:
          name: DC1
        register: res
        tags: set_name

      - name: Reboot
        ansible.windows.win_reboot:
        when: res.reboot_required
        tags: set_name

      # register belongs at task level, not inside the module arguments
      - name: Install windows features - AD Domain Services
        ansible.windows.win_feature:
          name: AD-Domain-Services
          state: present
          include_management_tools: yes
        register: features
        tags: install_feature_ad

      - name: Creating lab.local domain...
        ansible.windows.win_domain:
          dns_domain_name: lab.local
          safe_mode_password: "{{ domain_password }}"
        register: domain_output
        tags: set_domain

      - name: Reboot
        ansible.windows.win_reboot:
        when: domain_output.reboot_required
        tags: set_domain

In fact, this file could be split into handlers and roles, but we deliberately do not do so, so that the operations needed to get a working domain on the server stay visible.

We start the setup and wait for the operating system to become available again. The end result should be a Windows Server with all the components needed to set up AD installed.

For the test, one user added to the local administrators is enough. For simplicity, this will be the Administrator account itself.

Now we can configure the vulnerability itself. Everyone knows that old protocol versions are no longer usable, and the best and easiest way is to relay to the SMB protocol. Let's configure it.
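Whether a host can be relayed to over SMB is decided by one setting: does its SMB server require signing. As an added check that is not part of the original article, the play below reads that value with the same ansible tooling, reports it per host, and optionally enforces the hardened value; the hosts group, the enforce_signing variable and the handler name are my own choices. Note that a domain controller has server-side signing required by default, while member servers do not.

```yaml
---
# Added example (not from the original article): audit and, optionally, enforce
# SMB server signing on the Windows hosts of the stand. A relay to SMB only
# succeeds against a server where RequireSecuritySignature is 0 (not required).
- name: SMB signing audit
  hosts: win
  gather_facts: false
  vars:
    enforce_signing: false   # set to true to harden instead of only report
  tasks:
    - name: Read the current SMB server signing requirement
      ansible.windows.win_reg_stat:
        path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
        name: RequireSecuritySignature
      register: smb_sig
      tags: audit_signing

    - name: Report whether the host is a viable relay target
      ansible.builtin.debug:
        msg: >-
          {{ inventory_hostname }}: SMB signing
          {{ 'required' if (smb_sig.exists and (smb_sig.value | int) == 1)
             else 'NOT required (relayable)' }}
      tags: audit_signing

    - name: Require SMB server signing (mitigation)
      ansible.windows.win_regedit:
        path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
        name: RequireSecuritySignature
        data: 1
        type: dword
      when: enforce_signing
      notify: restart lanmanserver
      tags: harden_signing

  handlers:
    # the new value applies to sessions opened after the Server service restarts
    - name: restart lanmanserver
      ansible.windows.win_service:
        name: LanmanServer
        state: restarted
        force_dependent_services: true
```

Run it with -t audit_signing to only inventory the stand, and with -e enforce_signing=true to close the relay path on hosts that are not meant to stay vulnerable.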

For configuration, we will use the following script:

# Command run by the task: connect to the share as the current user,
# which triggers an NTLM authentication to the "share" host every run
$task = '/c powershell New-PSDrive -Name "Public" -PSProvider "FileSystem" -Root "\\share\Private"'
$repeat = (New-TimeSpan -Minutes 5)
$taskName = "ntlm_bot"
$user = "lab.local\Administrator"
# password of the account the task runs as; keep it consistent with the inventory
$password = "Qwerty123"

$action = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "$task"
# start now and repeat every 5 minutes
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval $repeat
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable -RunOnlyIfNetworkAvailable -DontStopOnIdleEnd

# re-register cleanly if the task already exists
$taskExists = Get-ScheduledTask | Where-Object {$_.TaskName -like $taskName }
if($taskExists) {
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
}
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -User $user -Password $password -Settings $settings
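The same bot task can be kept inside the ansible project instead of a loose PowerShell script, so it is tagged, idempotent and removable like every other step of the stand. This is an added example rather than the article's own playbook; the hosts group, the bot_password extra variable and the task_state switch are my assumptions, and the UNC path is the one from the script above.

```yaml
---
# Added example (not from the original article): the "ntlm_bot" scheduled task
# from the PowerShell script, expressed with community.windows.win_scheduled_task.
# bot_password is supplied at run time: -e bot_password=<account password>
- name: Configure the relay bot user
  hosts: win
  gather_facts: false
  vars:
    bot_user: lab.local\Administrator
    share_path: '\\share\Private'   # UNC path the bot connects to, as in the script
    task_state: present             # set to absent to remove the bot again
  tasks:
    - name: Register the periodic share-mount task
      community.windows.win_scheduled_task:
        name: ntlm_bot
        description: Lab bot that re-authenticates to a share every 5 minutes
        actions:
          - path: cmd.exe
            arguments: '/c powershell New-PSDrive -Name "Public" -PSProvider "FileSystem" -Root "{{ share_path }}"'
        triggers:
          # fire as soon as the task is registered, then every 5 minutes (ISO 8601 duration)
          - type: registration
            repetition:
              interval: PT5M
        username: "{{ bot_user }}"
        password: "{{ bot_password }}"
        logon_type: password
        run_only_if_network_available: true
        start_when_available: true
        disallow_start_if_on_batteries: false
        stop_if_going_on_batteries: false
        state: "{{ task_state }}"
      tags: relay_bot
```

Running the play again with -e task_state=absent unregisters the task, which is the quickest way to stop the bot once the exercise is over.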

The script registers a scheduled task that makes the user automatically connect to the server share every 5 minutes, so you do not have to trigger the authentication by hand. Let's test how well the attack works. To do so, run the share-discovery command on Kali Linux via crackmapexec:

The tool collects the data needed for the subsequent relay attack and compiles a list of machines.

Now run ntlmrelayx from impacket and wait for the bot to open its connection to the share. The end result should look something like this:

With such a simple ansible project you can deploy test benches and practise with tools for collecting data and conducting a pentest. This saves a lot of time: no manual data entry and no supervising of task execution. If an error occurs, tags let you resume the installation from any task. Deploying and running all the commands for this article took only 12 minutes.

Automating host discovery and launching various scanners is a constant routine task. I invite everyone to a free lesson where we will try to automate these processes through ansible.
