
Automate penetration testing with apt2



On September 20, another release of the popular penetration-testing distribution, Kali Linux 2017.2, took place. Among the new features is the ability to install several new tools from the repository. In this article we will look at apt2, the Automated Penetration Testing Toolkit framework.

Installation and Setup


After updating the distribution to version 2017.2, you can install the framework.
Recall that Kali Linux can be upgraded to the latest version with the following commands:

 apt-get update
 apt-get upgrade
 apt-get dist-upgrade

Installation is done in the standard way:

 apt-get install apt2

Next, I recommend some basic configuration.

A look at the project's official GitHub page shows that it integrates with the Metasploit Framework.

To integrate with Metasploit, you need to start its RPC service.
This is done by starting msfconsole and loading the msgrpc plugin from its console:

 msfconsole
 load msgrpc

It will print a randomly generated password; make a note of it.



You can look at the structure of the configuration file in the /usr/share/apt2 directory.



We are interested in the file default.cfg

In the [metasploit] block we enter that password:

 [metasploit]
 msfhost=127.0.0.1
 msfport=55552
 msfuser=msf
 msfpass=kqVbTlmr
 msfexploitdelay=20

Then you can add extra nmap options or change the subnet. The default is a SYN scan (-sS) with the -A flag, which tells nmap to detect service versions and the OS type and version, to run the safe NSE scripts and to perform a traceroute. In some cases it is useful to add the -Pn option, if you are not importing an nmap scan result into apt2.

 [nmap]
 scan_target=192.168.1.0/24
 scan_type=S
 scan_port_range=1-1024
 scan_flags=-A

The default is 20 threads. There is no need to change this value unless required.

 [threading]
 max_modulethreads=20

There is a setting for Responder. If you use a non-standard configuration, you need to edit the [responder] and [default_tool_paths] blocks. I'll set responder_timeout = 30, because I don't want to waste time on this module.

Next is the [searching] block:

 [searching]
 file_search_patterns=*.bat,*.sh,*passwd*,*password*,*Pass*,*.conf,*.cnf,*.cfg,*.config

Here you can set masks for the files that interest us if we gain access to, for example, an NFS share. You can add your own patterns or leave it unchanged.

The framework can also use the Shodan API. The keys are set in a separate block and are commented out by default. I will not use them, since my target machine is on the local network. Recall that the process of obtaining an API key is different for each service and is not always free. A Shodan API key can be obtained free of charge after registering on the site.

 [apikeys]
 #apt2_shodan_apikey=CHANGEME
 #apt2_linkedin_apikey=CHANGEME
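Before a run it is worth checking that default.cfg actually contains what the sections above require, because a placeholder Metasploit password or a commented-out API key does not stop apt2 from starting; it only makes the affected modules fail or be skipped later. The following script is an added example for this article, not part of apt2: it reads the INI-style file with Python's standard configparser and lists the settings that need attention. The section and key names are the ones shown above; SAMPLE_CFG is a constructed copy of that configuration with the msfpass still at its placeholder value.

```python
"""Sanity-check an apt2 default.cfg before a run (added example, not apt2 code)."""
import configparser
import ipaddress

# Constructed sample: the sections from the article, with msfpass not yet filled in.
SAMPLE_CFG = """\
[metasploit]
msfhost=127.0.0.1
msfport=55552
msfuser=msf
msfpass=CHANGEME
msfexploitdelay=20

[nmap]
scan_target=192.168.1.0/24
scan_type=S
scan_port_range=1-1024
scan_flags=-A

[threading]
max_modulethreads=20

[responder]
responder_timeout=30

[apikeys]
#apt2_shodan_apikey=CHANGEME
#apt2_linkedin_apikey=CHANGEME
"""

PLACEHOLDERS = {"", "CHANGEME"}


def _getint(cfg, section, key):
    """Integer value of a key, or 0 when missing or not a number."""
    try:
        return cfg.getint(section, key, fallback=0)
    except ValueError:
        return 0


def check_cfg(text):
    """Return a list of warnings (section: problem) for the given config text."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    warnings = []

    # [metasploit]: apt2 cannot talk to msgrpc with the placeholder password.
    if cfg.get("metasploit", "msfpass", fallback="") in PLACEHOLDERS:
        warnings.append("metasploit: msfpass is a placeholder; use the password printed by 'load msgrpc'")
    if not 1 <= _getint(cfg, "metasploit", "msfport") <= 65535:
        warnings.append("metasploit: msfport is not a valid TCP port")

    # [nmap]: the target must be a host or CIDR network, the port range lo-hi.
    target = cfg.get("nmap", "scan_target", fallback="")
    try:
        ipaddress.ip_network(target, strict=False)
    except ValueError:
        warnings.append(f"nmap: scan_target {target!r} is not a valid host or network")
    prange = cfg.get("nmap", "scan_port_range", fallback="")
    lo, _, hi = prange.partition("-")
    if not (lo.isdigit() and hi.isdigit() and 1 <= int(lo) <= int(hi) <= 65535):
        warnings.append(f"nmap: scan_port_range {prange!r} is not of the form lo-hi")

    # [threading]
    if _getint(cfg, "threading", "max_modulethreads") < 1:
        warnings.append("threading: max_modulethreads must be a positive integer")

    # [apikeys]: commented-out keys are invisible to configparser, so a missing
    # key means the modules that need it will be skipped at run time.
    for key in ("apt2_shodan_apikey", "apt2_linkedin_apikey"):
        if cfg.get("apikeys", key, fallback="") in PLACEHOLDERS:
            warnings.append(f"apikeys: {key} not set; modules needing it will be skipped")
    return warnings


if __name__ == "__main__":
    for warning in check_cfg(SAMPLE_CFG):
        print(warning)
```

To check the real file, replace SAMPLE_CFG with the contents of /usr/share/apt2/default.cfg. For the sample above the script reports the placeholder password and the two unset API keys; once msfpass is filled in, only the API-key notes remain, which is exactly the state the article runs in.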

Launch


Running with the -h option prints the list of available options.



Let's look at some of them.

SAFE_LEVEL takes a value from 1 to 5 and tells apt2 how safe a module must be in order to run. The safest mode is 5. The default is 4.

EXCLUDE_TYPES allows you to exclude certain types of modules from the list.

--target sets the targets; alternatively, the -f option loads an nmap scan XML file into apt2. Recall that nmap can save its results as XML with the -oX option.

The --listmodules option shows the available modules. Let's look at this list.

 apt2 --listmodules 

We get a list showing each module's name, its type (used for EXCLUDE_TYPES), its Safety Level and a description. Modules with a Safety Level lower than the one given by the -s switch will not be executed, as apt2 also reports in its output at startup.



Let's run apt2 at the highest risk level against the machine 192.168.1.4, which runs Ubuntu.

 apt2 -v -v -s 1 -b --target 192.168.1.4 

We are warned that modules requiring API keys will not be executed, and scanning begins.



Next, the modules start running.



You can see what apt2 was able to collect in the /root/.apt2/proofs directory.



Here you can view the result of each module. In my case, the framework did not find anything worthwhile.

Let's launch another scan against a Windows host, 192.168.1.7, this time not running nmap via apt2 but loading an XML file:

 nmap -n -Pn -A -oX scan1 192.168.1.7
 apt2 -s 1 -b -v -v -f scan1
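Since apt2's modules key off the service names and versions that nmap records, an XML file saved without service detection (-A or -sV) gives them little to work with. The following script is an added example for this article, not apt2 code: it parses an nmap -oX file with the standard library, lists the open ports and detected services per live host, and flags open ports for which nmap recorded no service at all. SAMPLE_XML is a constructed, trimmed nmap-style document built for the demo, not real scan output.

```python
"""Inspect an nmap -oX file before handing it to apt2 -f (added example, not apt2 code)."""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML layout: one host up, one down, one port
# without service detection. Not real scan output.
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -n -Pn -A -oX scan1 192.168.1.7">
  <host>
    <status state="up"/>
    <address addr="192.168.1.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.8" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return {ipv4: [open port records]} for every host nmap saw as up."""
    root = ET.fromstring(text)
    hosts = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts[addr] = ports
    return hosts


def undetected_ports(hosts):
    """(host, port) pairs that are open but carry no service name: nothing for apt2 to match on."""
    return [(h, p["port"]) for h, ps in hosts.items() for p in ps if p["service"] is None]


def service_detection_enabled(text):
    """True if the scan's command line (nmaprun 'args') included -A or -sV."""
    args = ET.fromstring(text).get("args", "").split()
    return "-A" in args or "-sV" in args


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for addr, ports in hosts.items():
        for p in ports:
            print(addr, p["port"], p["proto"], p["service"], p["product"], p["version"])
    print("service detection:", service_detection_enabled(SAMPLE_XML))
    print("open ports without a service:", undetected_ports(hosts))
```

To use it on the scan from the article, read the scan1 file into a string and pass it in place of SAMPLE_XML. The filtered port and the host that is down are dropped, so what remains is the set of services apt2 will actually reason about.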

Here other modules are launched, for example a module that tests for the ms08-067 vulnerability.



If the host is vulnerable, this is reported in the log:

 [!] VULN [ms08-067] Found on [192.168.1.7]

and the vulnerability is exploited automatically through the Metasploit RPC service, giving us a session.
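For reporting, it helps to pull the confirmed findings out of a saved apt2 log and group them per host, so the affected machines can be handed straight to patching. The script below is an added example for this article, not part of apt2: it matches lines of the "[!] VULN [<id>] Found on [<host>]" form shown above, deduplicates repeats and returns a per-host list. Only that line format is taken from the article; the other lines in SAMPLE_LOG and the second vulnerability id are constructed filler.

```python
"""Collect '[!] VULN' findings from apt2 console output (added example, not apt2 code)."""
import re
from collections import defaultdict

# The finding line format from the article: [!] VULN [<id>] Found on [<host>]
VULN_RE = re.compile(r"^\[!\] VULN \[(?P<vuln>[^\]]+)\] Found on \[(?P<host>[^\]]+)\]$")

# Constructed sample log: filler lines plus a duplicated finding and a made-up id.
SAMPLE_LOG = """\
[*] constructed filler line from some other module
[!] VULN [ms08-067] Found on [192.168.1.7]
[*] another constructed filler line
[!] VULN [ms08-067] Found on [192.168.1.7]
[!] VULN [constructed-test-id] Found on [192.168.1.9]
"""


def parse_findings(log_text):
    """Return {host: sorted list of unique vulnerability ids}, hosts in sorted order."""
    by_host = defaultdict(set)
    for line in log_text.splitlines():
        match = VULN_RE.match(line.strip())
        if match:
            by_host[match["host"]].add(match["vuln"])
    return {host: sorted(ids) for host, ids in sorted(by_host.items())}


def affected_hosts(log_text, vuln_id):
    """Hosts on which a given finding id was reported, e.g. for a patch ticket."""
    return [host for host, ids in parse_findings(log_text).items() if vuln_id in ids]


if __name__ == "__main__":
    for host, ids in parse_findings(SAMPLE_LOG).items():
        print(host, ", ".join(ids))
```

Run apt2 with its output redirected to a file (or copied from the terminal) and pass that text instead of SAMPLE_LOG; the per-host summary is the list that goes into the remediation report alongside the proofs directory.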



Other modules are then run through that session.



At the end of the run, a report is generated.



 firefox /root/.apt2/reports/reportGenHTML_flcgfsqhji.html 



If you want to write your own modules for apt2, you can study the existing ones in the /usr/share/apt2/modules directory and write your own by analogy. The framework itself is written in Python, and so are its modules.

Source: https://habr.com/ru/post/338460/

