AR local improvements

modules/vagrant_controller.py

@@ -19,6 +19,7 @@ def __init__(self, config: dict):
         super().__init__(config)
 
     def build(self) -> None:
+
         self.logger.info("[action] > build\n")
         vagrantfile = 'Vagrant.configure("2") do |config| \n \n'
 
@@ -115,6 +116,7 @@ def show(self) -> None:
                     messages.append("\nAccess Splunk via:\n\tWeb > https://localhost:8000\n\tSSH > cd vagrant & vagrant ssh " + status.name + " \n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password'])
                 else:
                     messages.append("\nAccess Splunk via:\n\tWeb > http://localhost:8000\n\tSSH > cd vagrant & vagrant ssh " + status.name + " \n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password'])
+                messages.append("\nAccess Guacamole via:\n\tWeb > http://localhost:8080/guacamole" + "\n\tusername: Admin \n\tpassword: " + self.config['general']['attack_range_password'])
             elif status.name.startswith("ar-phantom"):
                 messages.append("\nAccess Phantom via:\n\tWeb > https://localhost:443 \n\tSSH > cd vagrant & vagrant ssh " + status.name + " \n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password'])
             elif status.name.startswith("ar-win"):

packer/ansible/roles/guacamole/tasks/main.yml

@@ -1,10 +1,6 @@
 ---
 
 - include: install_packages.yml
-  when: cloud_provider != "local"
 - include: setup_tomcat.yml
-  when: cloud_provider != "local"
 - include: guacamole_server.yml
-  when: cloud_provider != "local"
-- include: guacamole_client.yml
-  when: cloud_provider != "local"
+- include: guacamole_client.yml

packer/ansible/roles/linux_osquery/tasks/main.yml

@@ -3,6 +3,12 @@
 - include: install_osquery_linux.yml
 - include: collect_osquery_logs.yml
 
-- name: restart splunk
+- name: Restart splunk uf
   become: true
-  command: "systemctl restart SplunkForwarder"
+  command: "systemctl restart SplunkForwarder"
+  when: cloud_provider != "local"
+
+- name: Restart splunk uf
+  become: true
+  command: "/opt/splunkforwarder/bin/splunk restart"
+  when: cloud_provider == "local"

packer/ansible/roles/linux_sysmon/tasks/main.yml

@@ -3,6 +3,12 @@
 - include: install_sysmon_linux.yml
 - include: configure_inputs.yml
 
-- name: restart splunk
+- name: Restart splunk uf
   become: true
-  command: "systemctl restart SplunkForwarder"
+  command: "systemctl restart SplunkForwarder"
+  when: cloud_provider != "local"
+
+- name: Restart splunk uf
+  become: true
+  command: "/opt/splunkforwarder/bin/splunk restart"
+  when: cloud_provider == "local"

packer/ansible/roles/linux_universal_forwarder/tasks/install_universal_forwarder.yml

@@ -27,8 +27,8 @@
   when: splunk_path.stat.exists == false
 
 - name: copy outputs.conf to forward data to splunk server
-  copy:
-    src: outputs.conf
+  template:
+    src: outputs.conf.j2
     dest: /opt/splunkforwarder/etc/system/local/outputs.conf
     owner: splunk
     group: splunk
@@ -44,7 +44,13 @@
 
 - name: setup to start at boot
   become: true
-  command: "/opt/splunkforwarder/bin/splunk enable boot-start -user splunk"
+  command: "/opt/splunkforwarder/bin/splunk enable boot-start"
+  when: cloud_provider != "local"
+
+- name: setup to start at boot
+  become: true
+  command: "/opt/splunkforwarder/bin/splunk enable boot-start"
+  when: cloud_provider == "local"
 
 - name: Start splunk uf
   become: true

packer/ansible/roles/linux_universal_forwarder/templates/outputs.conf.j2

@@ -0,0 +1,9 @@
+[tcpout]
+defaultGroup=my_indexers
+
+[tcpout:my_indexers]
+{% if cloud_provider == 'local' %}
+server=192.168.56.12:9997
+{%- else -%}
+server=10.0.1.12:9997
+{%- endif %}

packer/ansible/roles/nginx_web_proxy/tasks/main.yml

@@ -7,7 +7,7 @@
 
 - name: restart splunk
   become: true
-  command: "/opt/splunkforwarder/bin/splunk restart"
+  command: "systemctl restart SplunkForwarder"
 
 - name: restart nginx again
   become: true

packer/ansible/roles/osquery_linux/tasks/main.yml

@@ -6,6 +6,12 @@
 - include: collect_osquery_logs.yml
 
 
-- name: restart splunk
+- name: Restart splunk uf
   become: true
-  command: "/opt/splunkforwarder/bin/splunk restart"
+  command: "systemctl restart SplunkForwarder"
+  when: cloud_provider != "local"
+
+- name: Restart splunk uf
+  become: true
+  command: "/opt/splunkforwarder/bin/splunk restart"
+  when: cloud_provider == "local"

packer/ansible/roles/sysmon_linux/tasks/main.yml

@@ -7,4 +7,4 @@
 
 - name: restart splunk
   become: true
-  command: "/opt/splunkforwarder/bin/splunk restart"
+  command: "systemctl restart SplunkForwarder"

packer/ansible/roles/windows_common/tasks/install_choco.yml

@@ -0,0 +1,7 @@
+---
+
+- name: install Chocolatey CLI v1.4.0
+  win_chocolatey:
+    name: 'chocolatey'
+    state: present
+    version: '1.4.0'

packer/ansible/roles/windows_common/tasks/main.yml

@@ -3,6 +3,8 @@
 - include: windows-disable-defender.yml
 - include: windows-enable-ps-logging.yml
 - include: windows-enable-4688-cmd-line-audit.yml
+- include: install_choco.yml
+  when: cloud_provider == "local"
 - include: install_app_chocolatey.yml
   with_items:
     - "firefox"

packer/ansible/roles/windows_universal_forwarder/tasks/configure_outputs.yml

@@ -6,7 +6,7 @@
   with_items:
     - 'C:\Program Files\SplunkUniversalForwarder\etc\apps\win_outputs_app\local'
 
-- name: Copy an outputs.conf using templating
-  win_copy:
-    src: outputs.conf
+- name: Copy an outputs.conf
+  win_template:
+    src: outputs.conf.j2
     dest: C:\Program Files\SplunkUniversalForwarder\etc\apps\win_outputs_app\local\outputs.conf

packer/ansible/roles/windows_universal_forwarder/templates/outputs.conf.j2

@@ -0,0 +1,9 @@
+[tcpout]
+defaultGroup=my_indexers
+
+[tcpout:my_indexers]
+{% if cloud_provider == 'local' %}
+server=192.168.56.12:9997
+{%- else -%}
+server=10.0.1.12:9997
+{%- endif %}

packer/ansible/roles/zeek_sensor/tasks/splunkuf.yml

@@ -10,4 +10,4 @@
 
 - name: restart splunkuf
   become: true
-  command: "/opt/splunkforwarder/bin/splunk restart"
+  command: "systemctl restart SplunkForwarder"

terraform/ansible/roles/guacamole/tasks/guacamole_server_post.yml

@@ -26,6 +26,13 @@
   template:
     src: user-mapping.xml
     dest: /etc/guacamole/user-mapping.xml
+  when: cloud_provider != "local"
+
+- name: Copy user-mapping-local.xml
+  template:
+    src: user-mapping-local.xml
+    dest: /etc/guacamole/user-mapping.xml
+  when: cloud_provider == "local"
 
 - name: Restart guacd and tomcat
   shell:

terraform/ansible/roles/guacamole/tasks/main.yml

@@ -1,4 +1,3 @@
 ---
 
-- include: guacamole_server_post.yml
-  when: cloud_provider != "local"
+- include: guacamole_server_post.yml

terraform/ansible/roles/guacamole/templates/user-mapping-local.xml

@@ -0,0 +1,62 @@
+<user-mapping>
+    <authorize 
+            username="Admin"
+            password="{{attack_range_password|hash('md5')}}"
+            encoding="md5">
+
+        <connection name="ar-splunk">
+            <protocol>ssh</protocol>
+            <param name="hostname">localhost</param>
+            <param name="port">22</param>
+            <param name="username">vagrant</param>
+            <param name="password">vagrant</param>
+        </connection>        
+
+        {% if phantom_server == '1' %}
+        <connection name="ar-phantom">
+            <protocol>ssh</protocol>
+            <param name="hostname">192.168.56.13</param>
+            <param name="port">22</param>
+            <param name="username">vagrant</param>
+            <param name="password">vagrant</param>
+        </connection>    
+        {% endif %}
+
+        {% for server in range(windows_servers_count) %}
+        <connection name="ar-win-{{ loop.index-1 }}">
+            <protocol>rdp</protocol>
+            <param name="hostname">192.168.56.{{loop.index-1+14}}</param>
+            <param name="port">3389</param>
+             {% if cloud_provider == 'azure' %}
+            <param name="username">AzureAdmin</param>
+            {% else %}
+            <param name="username">Administrator</param>
+            {% endif %}
+            <param name="password">{{attack_range_password}}</param>
+            <param name="ignore-cert">true</param>
+        </connection>
+        {% endfor %}
+
+        {% for server in range(linux_servers_count) %}
+        <connection name="ar-linux-{{ loop.index-1 }}">
+            <protocol>ssh</protocol>
+            <param name="hostname">192.168.56.{{loop.index-1+21}}</param>
+            <param name="port">22</param>
+            <param name="username">vagrant</param>
+            <param name="password">vagrant</param>
+        </connection>
+        {% endfor %}
+
+        {% if kali_server == '1' %}
+        <connection name="ar-kali">
+            <protocol>ssh</protocol>
+            <param name="hostname">192.168.56.30</param>
+            <param name="port">22</param>
+            <param name="username">vagrant</param>
+            <param name="password">vagrant</param>
+        </connection>    
+        {% endif %}
+
+    </authorize>
+
+</user-mapping>

terraform/ansible/roles/join_domain/tasks/create_local.yml

@@ -0,0 +1,27 @@
+---
+
+- name: Change dns server to domain controller
+  win_dns_client:
+    adapter_names: "{{ ansible_interfaces.0.connection_name }}"
+    ipv4_addresses: "192.168.56.14"
+
+- name: reboot | Rebooting Server
+  win_reboot:
+
+- name: Copy join domain script to host
+  win_copy:
+    src: "join_domain.ps1"
+    dest: 'C:\join_domain.ps1'
+
+- name: Run join domain
+  win_shell: "C:\\join_domain.ps1 attackrange.local {{ ansible_user }}@attackrange.local {{ attack_range_password }}"
+  register: win_shell_output
+  retries: 20
+  delay: 60
+  until: win_shell_output.stderr == ""
+
+- debug:
+    var: win_shell_output
+
+- name: reboot | Rebooting Server
+  win_reboot:

terraform/ansible/roles/join_domain/tasks/main.yaml

@@ -1,6 +1,9 @@
 
 - include: create.yml
-  when: join_domain == "1"
+  when: join_domain == "1" and cloud_provider != "local"
+
+- include: create_local.yml
+  when: join_domain == "1" and cloud_provider == "local"
 
 - include: windows-disable-firewall.yml
   when: join_domain == "1"

packer/ansible/roles/linux_prelude_agent/tasks/install.yml → terraform/ansible/roles/linux_agent_prelude/tasks/install_local.yml

@@ -3,19 +3,18 @@
 - name: Wait for redirector to be ready
   wait_for:
     port: 2323
-    host: "{{ splunk_indexer_ip }}"
+    host: "192.168.56.12"
     connect_timeout: 30
     delay: 60
     timeout: 900
 
 - name: Download Prelude Pneuma from headless Operator
   get_url:
-    url: http://{{ splunk_indexer_ip }}:3391/payloads/pneuma/v1.5/pneuma-linux
+    url: http://192.168.56.12:3391/payloads/pneuma/v1.6/pneuma-linux
     dest: /opt/prelude-pneuma
     mode: 755
 
 - name: Start Prelude Pneuma and Connect to headless Operator
-  shell: /opt/prelude-pneuma -name "$(hostname)" -address {{ splunk_indexer_ip }}:2323 &
+  shell: /opt/prelude-pneuma -name "$(hostname)" -address 192.168.56.12:2323 &
   async: 10
-  poll: 0
-
+  poll: 0

terraform/ansible/roles/linux_agent_prelude/tasks/main.yml

@@ -1,4 +1,7 @@
 ---
 
 - include: install.yml
-  when: prelude == "1"
+  when: prelude == "1" and cloud_provider!='local'
+
+- include: install_local.yml
+  when: prelude == "1" and cloud_provider=='local'

terraform/ansible/roles/linux_server_post/tasks/change_splunk_password.yml

@@ -12,6 +12,12 @@
   shell: '/opt/splunkforwarder/bin/splunk set servername {{ hostname }} -auth admin:{{ attack_range_password }}'
   become: yes
 
-- name: restart splunk
+- name: Restart splunk uf
   become: true
-  command: "systemctl restart SplunkForwarder"
+  command: "systemctl restart SplunkForwarder"
+  when: cloud_provider != "local"
+
+- name: Restart splunk uf
+  become: true
+  command: "/opt/splunkforwarder/bin/splunk restart"
+  when: cloud_provider == "local"

terraform/ansible/roles/splunk_byo_linux/tasks/config.yml

@@ -10,4 +10,4 @@
 
 - name: restart splunk
   become: true
-  command: "/opt/splunkforwarder/bin/splunk restart"
+  command: "systemctl restart SplunkForwarder"