
Hello, my name is Vasilis, and I am Evangelos, and together we have built Overlord, a tool which optimizes infrastructure setup on the cloud. The tool is mainly used for red teaming engagements, but it can also be used for simple social engineering or other smaller-scale attacks.

So let's start with a very simple example of what a command and control server and a redirector are, because they are the main components of red teaming infrastructure. A command and control server, or C2, is a server which is controlled by the attacker and is used to send commands to compromised systems. The redirector is another server which is directly connected to the C2, for example via a socket, and basically it hides the presence of the C2.

So here we can see a full red teaming infrastructure example, which can include multiple command and control servers with their redirectors. We have a mail server, a phishing server which can host the phishing website, for example, and a payload server which can host our payloads to be downloaded, etc. All the servers shown here are under the control of the attacker, of course. So to make sure that only the needed services are accessible over the internet, we use firewall rules in each of the cloud providers, so AWS and DigitalOcean, which are used by Overlord. For example, as we can see here, we have a DNS C2 with only port 53 open for inbound, and port 22, which is only accessible to the public IP of the pentest team, and of course that is for management purposes of the server. The outbound rules allow the HTTP ports for downloading tools and scripts, as well as port 53 to perform domain resolution. If the C2 was an HTTP one, we would also need inbound ports 80 and 443 for the compromised systems to connect to.

So now that we have finished with the red teaming basics, let's talk about Overlord. Overlord was inspired by Red Baron, which is a Terraform implementation for red teaming infrastructure automation. The difference between the two is that Overlord abstracts the user from the Terraform implementation
and provides a user-friendly CLI to achieve that. But at the end of the day it's a Terraform code generator, which creates the Terraform files in the background; these are then executed and the infrastructure is created automatically.

So why would someone use Overlord? Why do we use it? First of all, it's because we are lazy: we like repeated processes to be automated. Also, it's easy to use and sets the infrastructure up in minutes, including all the servers and DNS records and everything that the user wants to set up. Another very important component is the project management. The tool has the functionality of saving the state of the current project for any future use; for example, you can set up exactly the same infrastructure for a client in the future by using the project folder of the specific client. The tool is customizable: we have built the tool in such a way as to be easily scalable and extensible, so a developer can extend the project with new cloud providers, for example, or new modules if they see a need. And finally, Overlord reduces the cost for a company, because you can destroy the infrastructure which you have deployed, again in a very short time and with one command. This will avoid any unintended costs of servers deployed on the cloud and left there by mistake after the engagement has been completed.

Okay, so let's now dig into the modules offered by Overlord.
Each module has a specific purpose, and we have the server side and the rest of the modules. Let's start with the servers. First of all, we have the C2 servers, which are the command and control servers we have already explained. Then we have mail servers, where we use iRedMail and Postfix to configure a secure mail server solution, so we make a lot of configuration changes in the deployment. The web server is essentially a server with ports 80 and 443 open. The redirectors must be connected to C2 servers. And finally we have GoPhish, which is a module which fully installs and starts the GoPhish service on a specified server on the cloud; the user can then use the IP provided to log in to the web interface via port 3333, which will only be accessible from the IP where the infrastructure was deployed from, essentially the public IP of the pentest team.

The rest of the modules are used to complete the infrastructure. So we have the DNS record module, which deploys DNS records on the provider where the specified servers reside. The Let's Encrypt module has three different implementations: one is for the GoPhish web server, one is for a generic web server, and one is for creating the .pem file to be used on a C2, for example. Then we have the Ansible module, which is one of our new features. Ansible is used with custom playbooks which are created by the user; the YAML playbooks can be used to perform actions on any of the deployed servers, and installations of course. And finally, GoDaddy is used to redirect the name servers to the provider where the DNS records will reside. So for example, if you have a domain registered on GoDaddy and you create a C2 server on AWS with an A record on that domain, you have to use the GoDaddy module to redirect the name servers to AWS. This is especially helpful for Route 53, because the name servers are different every time you deploy an infrastructure, so Overlord will wait until they are determined and then it will change the GoDaddy entries to the AWS-generated name servers. For DigitalOcean the change is also done automatically by Overlord, but the manual change is also easy, because the name servers are the standard ns1, ns2 and ns3.digitalocean.com, so it can easily be done manually as well. It should be noted here that if you use a DNS C2, you have to manually change the host names of the name servers to point to your own domain; this is not done by Overlord.

Okay, so now that we know how the tool works and what it can do, let's see the structure of the folders and files. First of all, the config.json file includes all the necessary information, such as default values.
For example, we have DigitalOcean as our default provider, which means that whenever we have the provider variable in Overlord, it will be populated with the DigitalOcean value. You can of course change that and amend it to your needs. The variables.json file includes all the API tokens and keys to connect to the providers. The scripts folder contains some scripts and tools which we have created to run on specified servers; for example, the GoPhish installation is located here, as well as the installation of Metasploit and dnscat. The playbooks are the YAML files created by the user to be used on specified servers; Overlord will load all the files from this directory into the playbook variable in the Ansible module, which you will see later when we demo the tool. Then we have the project directory, where we have the SSH keys folder, in which all the SSH keys of the deployed servers will be stored; from there you can log in to all the deployed servers. And then finally we have the certificates folder, which is used to store the .pem certificates in case the Let's Encrypt module is used.

Okay, so I haven't mentioned it previously, but Overlord was presented for the first time last October at BSides Cyprus. When we submitted to Black Hat, we promised a major upgrade with new features, so the new version now includes the Ansible module, which is used to load the YAML playbooks and install anything the user wants on servers. Based on that, we have created a playbook for user management: this playbook creates different users with different SSH keys on servers, and also enables logging, so in case a client has a question about specific actions that we have performed, we can go back and find out what happened. Another request that we had from users was the implementation of an internal redirector, so this redirector is basically pointing to an internal C2 server instead of one on the cloud. This is done by autossh, and it supports HTTP and DNS. We also upgraded all the modules from Terraform 0.11 to 0.12, and finally we now support new Linux distributions: we previously only supported Debian on both AWS and DigitalOcean; now we support Kali, Ubuntu and Debian on AWS, and Ubuntu and Debian on DigitalOcean.

Okay, so finally it's demo time. Vasilis will show you the tool, but before that I will show you what the infrastructure is that we are going to set up. So we are going to set up the following infrastructure: we have one HTTP C2 with its redirector on AWS and a certificate on this domain. Then we have one internal redirector on AWS which points to an internal C2 in the attacker's internal network. We have a GoPhish server with its redirector and again with a
certificate for this domain, and on the GoPhish web server we have one mail server, and only the client of GoPhish is allowed to send mails via the mail server. We have another HTTPS redirector for the same C2, but it's on DigitalOcean, so we have one on DigitalOcean and one on AWS, redirecting both to the same C2. And on our command and control server we use the user management Ansible module to create two different users on the same machine.

Okay, so let's start with the demo, and Vasilis will show you how the tool works.

Thank you very much. By typing help you can quickly find out more information about each command. With a few commands you can see your keys, domains and created modules. So let's add our Kali machine on AWS with Metasploit and one redirector. Overlord has auto-complete functionality, so you can double tap to see the available options. To add an additional redirector on the same C2 we can use the redirector module; this comes in handy when you want to spin up a redirector on a different provider than the C2 server. One of our new features is the ability to create a redirector that points to an internal IP; this can be done by using the localhost value on the redirector id parameter.

Next we set up a GoPhish instance and its redirector on DigitalOcean. After the GoPhish module is added, we can set up our mail server. Due to the customized configuration that we created for the mail server, at least one allowed IP has to be added with the set allowed ips command; this will change the mynetworks value in Postfix and the access control list in the configuration automatically. We have added short descriptions next to each of the module IDs to make it easier to identify the current instance. The info command can also be used to check the configuration for each module, as we can see on our screens now. As mentioned before, to make the tool more scalable we have implemented the Ansible module. Using the set playbook command, we are going to use the user management script, which generates and adds our own public keys to the C2 server. The script also enables PAM and tmux logging. Now it's time for the hard part: we need to create all the DNS records for our project. We are going to add an A record for our C2 server on AWS; to set up the record we have to use the set record command, specifying the module and domain name. We will fast forward the remaining DNS records, because it's the same process for the rest of them. We support three types of records: A, TXT and MX. We encourage you to check our wiki for more details. Another tip is to take some time to visualize your setup before adding your DNS records with Overlord.
As we can see, the DMARC and SPF records are pre-defined as templates, making the process a bit easier. If your DNS provider is GoDaddy, you can redirect your domain names to DigitalOcean and Route 53 respectively; Overlord will automatically add them to the correct provider based on their records. Now with everything set up, let's deploy our infrastructure.

As we can see, when the deployment is finished we are greeted with all the IPs and commands we need to know about our infrastructure. Using the rename command we can change the name of the project. We suggest deploying the certificates after creating your infrastructure, otherwise you might get a SERVFAIL error from your name server. Creating and deploying the project again will add the additional modules to our campaign.

And now we are finished with the installation. Our project folder contains all the SSH keys and certificates Overlord generated. Authenticating to the GoPhish server as root, we can download the password which was automatically generated for the web interface. As we can see on our screen, Overlord has generated all the necessary commands for us.

Now let's test whether the playbook ran correctly on our C2. We should be able to use my personal private key to log in with my username on the Kali machine. One note to have in mind is that the mail server needs a reboot to work properly, so let's log in and reboot the machine.

And finally, let's use our internal redirector. I'm going to add a string to my index.html file and spin up an HTTP server for our demo. As we can see, all the DNS records have been set up correctly for the overlord.red domain, our internal redirector worked as intended, and the GoPhish instances were successfully installed. Finally, a certificate for the web.overlord domain was successfully uploaded to the web server.

Thank you for joining us, and we hope you enjoyed the presentation and the demonstration of our tool.