I've been absent for a while; switching jobs and analyzing personal goals couldn't be postponed any longer. Now I am back to the grid! And I got a new tool too!
Why Gathering is a hell of a job…
Information about the target is what keeps the wheel spinning. More info, more attacks, more successful attacks, more shells, moar powah.
That applies perfectly for Vulnhub VMs and 3-4 hour CTFs, but the problem is obvious with assessments that require a team. The scalability isn't exactly great when Information Gathering has to be done for a network and several hosts. Actually it's a pain. If you have been there you know; if you haven't, here are several examples:
- Hey, I started a minus A nmap for the slash 24
- Shit man, I am at 56 percent on the nmap.
- Ok, I control-c'd, what switches?
- Top 100, finished, come to see the results. (Whole team leans towards a single monitor)

- OK OK, I GOT A SHELL (yelling)
- Great, what user? (yelling)
- wou wou data (www-data)
- What kernel? (yelling)
- 3.8
- Distro?
- Ubuntu 14.04
- Check SUIDs!!! (yelling)
- Hey buddy, stop yelling, I know what to do!
- I am not your buddy, pal
- I am not your pal, guy
- I am not your guy, friend
- I am not your... ...

- I uploaded the file!
- Good, what is the name?
- not *under* a *under* backdoor *dot* php (not_a_backdoor.php)
- Are you a moron? This is a Tomcat shit, why php?
- Who told me that?
- I told you before. (yelling)
- Oh, fuck you! You said that it's Apache (yelling)
- Yes, it's "Apache Tomcat" (yelling) ***Slap***
Generally, Info-gathering with a team is a mess. Been there several times, yelled like this, got slapped twice, been to jail for ten long years, because I killed a guy who misinterpreted */1 in a crontab file and then the whole team spent an hour on facebook as we failed to start our handler on time.
Tools have tried to bridge the gap. Most of them fail badly for inexperienced teams, as they need a certain amount of seriousness to work. Dradis falls flat under this category. It is great, but you have to learn to use it. Who has time for that shit? Life is short. People still use metasploit.
GatherOS: not the nasty shit you’re waiting for…
Two things are more essential than just gathering. They are sharing and storing. GatherOS handles them both neatly.
The idea is simple. You got a Reverse/Bind Shell, SSH, or physical access to a system (be it Linux or –for the love of god– Windows). There is some basic stuff you have to run on the shell to understand what kind of machine you semi-pwned.
If you like keyboard, you remember the commands (crontab -l, etc) but you will miss at least one (
If you once liked keyboard, you have a script with nice and dandy output. You serve the script with python -m SimpleHTTPServer 8080 and then go for the download from the pwned machine:
wget: command not found.
OK, cool. You netcat to your machine and start typing the HTTP Request:
GET /scroipt.sh HTTP/1.1
404 Not Found
Mistyped the script name…
You whisper something in the classic "fuck" pentester's dialect and open the script with gedit, copy-pasting all the commands to the reverse shell. Hating yourself.
After half an hour a colleague asks you: “what was the MAC for the 172.16.47.128 ?“.
You have no idea, you are still copy-pasting…
What GatherOS does…
First things first. GatherOS resides here: https://github.com/operatorequals/gatheros
and has been the subject of about 2 rewrites. It is also available with pip install gatheros, and the commands will be in your PATH (like magic)!
Now the juicy stuff!
The heart of the package!
It's a simple python module that takes a specially formatted JSON file as input, containing OS commands, and runs them against a shell (be it reverse/bind/ssh/local). Then it stores the output in a JSON file.
The reason GatherOS exists
This module consumes the JSON files created by gatheros-exec and fires up a flask web application, nicely presenting the command outputs for everyone to see and admire!
$ gatheros-exec -o /tmp/$(uname -r).json local
[waiting less than a minute...]
$ ls -lh /tmp
Total 1
-rw-r--r-- 1 unused unused 110K Feb 6 13:10 4.9.0-kali1-amd64.json
And done! GatherOS ran the default InfoGathering scenario (built-in) against the local machine. For SSH on port 1022 it would be:
$ gatheros-exec -o /tmp/$(uname -r).json ssh uname@localhost -p1022
Now that there is a GatherOS file we could present it with gatheros-show at port 8086 (default is
$ gatheros-show /tmp/4.9.0-kali1-amd64.json -p8086
Woah! A Firefox spawned with this:
Let’s see the MAC now!
As you may have recognized, the default Information Gathering Scenario is heavily based on rebootuser's Cheatsheet, which I believe is the most complete cheatsheet out there! I can't but thank this site, as well as its references, for providing such useful commands for eager privilege escalators!
A Windows Scenario will also be ready in a later release!
Storing the Info!
Just zip the JSON files for later use!
gatheros-show will always serve you whichever JSONs you feed it.
Why “Information Gathering scenarios” ?
Well, those JSONs aren't just lists of grouped commands. They contain the whole logic of which commands should run in case some others fail to run, based on a dependency oriented model.
This aspect of GatherOS can be used to automatically launch local-root exploits and other goodies as well, and it will be explained in a later post, when some more development has taken place!
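To make the two ideas above concrete (a JSON scenario of OS commands run against a shell with the outputs stored as JSON, and fallback commands that only run when the command they cover fails), here is an added example. It is not GatherOS's own code, and the scenario layout (a "commands" list where an entry may carry a "fallback_for" key naming the command it covers) is an assumption made for this illustration, not the project's real file format. It only runs against a local shell, and the enumeration commands in the sample scenario are the constructed input.

```python
"""Minimal GatherOS-style scenario runner (added example, not project code).

A scenario is a JSON document with a "commands" list. Each entry has a
"name" and a shell "cmd". An entry may also carry "fallback_for": the name
of another command; the fallback only runs if that command failed.
This layout is an assumption for the example, not GatherOS's format.
"""
import json
import subprocess

# Constructed sample scenario. Fallbacks must be listed after the command
# they cover, so a single pass in list order resolves them.
SAMPLE_SCENARIO_JSON = r'''
{
  "commands": [
    {"name": "kernel",   "cmd": "uname -r"},
    {"name": "ip_addr",  "cmd": "ip addr"},
    {"name": "ifconfig", "cmd": "ifconfig -a", "fallback_for": "ip_addr"},
    {"name": "cron",     "cmd": "crontab -l"}
  ]
}
'''


def load_scenario(text):
    """Parse scenario JSON and validate the minimal structure we rely on."""
    scenario = json.loads(text)
    names = set()
    for entry in scenario["commands"]:
        if "name" not in entry or "cmd" not in entry:
            raise ValueError("every command needs 'name' and 'cmd'")
        if entry["name"] in names:
            raise ValueError("duplicate command name: %s" % entry["name"])
        names.add(entry["name"])
    return scenario


def run_shell(cmd, timeout=30):
    """Run one command line in /bin/sh; return (returncode, stdout, stderr).
    A timeout is reported as exit status 124 (the convention of timeout(1))."""
    try:
        proc = subprocess.run(cmd, shell=True, capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return 124, "", "timed out after %ss" % timeout
    return proc.returncode, proc.stdout, proc.stderr


def run_scenario(scenario, runner=run_shell):
    """Execute the scenario; return {name: result} in scenario order.

    A non-zero exit status counts as failure (sh returns 127 for a missing
    binary, which is the "wget: command not found" case from the post).
    A fallback whose covered command succeeded is recorded as skipped."""
    results = {}
    for entry in scenario["commands"]:
        covers = entry.get("fallback_for")
        if covers is not None:
            covered = results.get(covers)
            if covered is None:
                raise ValueError("fallback for unknown/unordered command: %s" % covers)
            if covered.get("rc") == 0:
                results[entry["name"]] = {"cmd": entry["cmd"], "skipped": True,
                                          "reason": "%s succeeded" % covers}
                continue
        rc, out, err = runner(entry["cmd"])
        results[entry["name"]] = {"cmd": entry["cmd"], "rc": rc, "stdout": out,
                                  "stderr": err, "skipped": False,
                                  "ran_as": "fallback for %s" % covers if covers else "primary"}
    return results


def save_results(results, path):
    """Store the gathered outputs as a JSON file for later sharing/viewing."""
    with open(path, "w") as fh:
        json.dump(results, fh, indent=2)


if __name__ == "__main__":
    gathered = run_scenario(load_scenario(SAMPLE_SCENARIO_JSON))
    for name, res in gathered.items():
        status = "skipped" if res["skipped"] else "rc=%s" % res["rc"]
        print("%-10s %s" % (name, status))
    save_results(gathered, "gathered.json")
```

Run it as a script and it writes gathered.json next to it; the "ifconfig" entry only executes on a box where "ip addr" returned non-zero, which is exactly the fallback behaviour the scenario model describes.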
Stay tuned, it's gonna be huge!