nVis Custom Red Teaming Platform for CPTC

October 07, 2020

by Silas

_______________

Abstract

This blog post discusses the development process for the tool, the technical details of how the application works, and how competitors can incorporate nVis into their toolset. The tool can be found here: https://github.com/Menn1s/nVis

Initial Development

What:

nVis is an open source tool developed primarily for the National Collegiate Penetration Testing Competition (CPTC). CPTC is a cybersecurity competition in which teams of six students gain real-life experience in penetration testing, communication, and report writing. At a technical level, students perform an internal penetration test on a fictional company's environment, which is intentionally built with several vulnerable Unix and Windows systems.

Why:

During our CPTC regional, one task that ate up a lot of our time was scanning the environment, transferring the information to a whiteboard, and assigning hosts for testing. Often, we found ourselves asking one another whether we had already finished testing a particular box. Dennis and I decided there should be a tool that fulfills all of those needs while addressing the problems we encountered. After a few months and several late-night work calls, we had a collaborative red teaming platform capable of running simultaneous scans, populating a web server, and more.

How:

The architecture of this tool is fairly simple to understand. However, as we were novices at programming and web development, we ran into several challenges along the way.

nVis Screenshot

This diagram lays out how nVis works at a high level. The tool uses a client-server design and prioritizes speed and ease of use. Each team member clones the nVis repository and runs it as a client. The client's main job is to repeatedly run nmap scans against its assigned subnet and push the resulting scan files to the nVis server, where they are loaded into MongoDB. One team member also clones the repository and runs it as the server. The server is responsible for parsing the nmap output and displaying it on the web server. Every team member can open that web server and watch the scans populate the application in real time.

nVis Screenshot

This screenshot, taken at National CPTC, shows what a team member sees on the nVis web server. The tool lists each host's hostname, IP address, number of open ports, and state. Clicking "Toggle expand" reveals each open port and its associated service name. Users can also click a hostname to cycle through three colors that indicate the host's current status:

Orange - In Progress
Green - Completed
Blue - Found Something + Investigate Later

This feature was extremely useful for us: it removed any confusion about which hosts were being attacked and gave us a more efficient way of tackling an environment with many hosts.

Building It All Out

Backend Server

There were a few moving parts to the backend server. The first task was a script that runs an initial ping scan on a user-defined subnet and stores the responding hosts in a text file. A second scan catches hosts that may not have responded to the ping but have common ports open. The script then takes the unique IPs from both scans and runs an intense service scan against them. Because every minute is critical in this competition, the script was designed this way to let the team start identifying and attacking systems as quickly and efficiently as possible. One caveat worth knowing before you rely on it: the second pass only probes the eleven ports listed below (note that 80 is not among them), so a host that drops ping and listens only on a port outside that list will not appear until the list is extended.

import os
import sys
subnet = sys.argv[1]   # user-defined target range, e.g. 10.0.0.0/24
nmapdb = sys.argv[2]   # base name for the -oA output files; nmapdb.xml is what gets uploaded

while True:
	# Ping sweep in grepable output; keep the IP ($2) of every host whose line ends in "Up"
	first = "nmap -n -sn " + subnet + " -oG - | awk '/Up$/{print $2}' > first.txt"
	# Catch hosts that drop ping but expose common ports; $6 of "Discovered open port X on IP" is the IP
	second = "nmap -v -T5 " + subnet + " -p21,22,23,25,110,139,443,445,3000,3389,8080 | grep Discovered | awk '{print $6}' > second.txt"
	os.system(first)
	os.system(second)
	os.system("sort first.txt second.txt | uniq > initial.txt")   # union of both host lists
	os.system("nmap -sV -T5 -iL initial.txt -oA " + nmapdb)       # writes nmapdb.{nmap,gnmap,xml}
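Because the subnet above is concatenated straight into a shell string, the client will happily execute whatever follows a semicolon in that argument. The following is an added example, not code from the nVis repository, showing the same three-stage discovery loop written so that the subnet is validated, nmap is invoked without a shell, and the grepable and "Discovered" output is parsed in Python instead of awk. The function names, the initial.txt file name and the two constructed nmap output samples are my own; only the port list and the nmap flags come from the original loop.

```python
import ipaddress
import subprocess
import sys

# Ports the nVis client probes to catch hosts that drop ping (same list as the original loop).
COMMON_PORTS = "21,22,23,25,110,139,443,445,3000,3389,8080"

# Constructed nmap output, trimmed to the lines the parsers care about (not real scan data).
SAMPLE_GREPABLE = """# Nmap 7.80 scan initiated
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.6 ()\tStatus: Down
Host: 10.0.0.9 ()\tStatus: Up
# Nmap done"""

SAMPLE_DISCOVERED = """Initiating SYN Stealth Scan
Discovered open port 22/tcp on 10.0.0.7
Discovered open port 445/tcp on 10.0.0.7
Discovered open port 445/tcp on 10.0.0.5
Completed SYN Stealth Scan"""


def validate_subnet(subnet):
    """Return the normalised CIDR string, or None if the input is not a network.

    The original client concatenates the user-supplied subnet into a shell
    command, so '10.0.0.0/24; rm -rf ~' would be executed.  Validating here and
    passing an argv list to subprocess removes the shell entirely.
    """
    try:
        return str(ipaddress.ip_network(subnet, strict=False))
    except ValueError:
        return None


def up_hosts_from_grepable(text):
    """IPs from 'nmap -sn -oG -' lines of the form 'Host: <ip> ()\tStatus: Up'
    (the awk '/Up$/{print $2}' step)."""
    hosts = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "Host:" and fields[-1] == "Up":
            hosts.add(fields[1])
    return hosts


def hosts_from_discovered(text):
    """IPs from 'Discovered open port <port>/<proto> on <ip>' lines of nmap -v
    (the grep Discovered | awk '{print $6}' step)."""
    hosts = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0] == "Discovered" and fields[1] == "open":
            hosts.add(fields[5])
    return hosts


def merge_targets(first, second):
    """Union of both discovery passes, sorted numerically (the sort | uniq step)."""
    return sorted(first | second, key=ipaddress.ip_address)


def run(argv):
    """Run a command without a shell and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def discover(subnet, nmapdb):
    """One pass of the client loop: ping sweep, port sweep, then -sV on the union."""
    net = validate_subnet(subnet)
    if net is None:
        raise ValueError("not a CIDR network: %r" % subnet)
    first = up_hosts_from_grepable(run(["nmap", "-n", "-sn", net, "-oG", "-"]))
    second = hosts_from_discovered(run(["nmap", "-v", "-T5", net, "-p", COMMON_PORTS]))
    targets = merge_targets(first, second)
    with open("initial.txt", "w") as fh:
        fh.write("\n".join(targets) + "\n")
    # -oA writes nmapdb.xml, which the client then uploads to the nVis server.
    subprocess.run(["nmap", "-sV", "-T5", "-iL", "initial.txt", "-oA", nmapdb], check=True)
    return targets


if __name__ == "__main__":
    # usage: python discover.py 10.0.0.0/24 scan   (loops forever, like the original client)
    while True:
        discover(sys.argv[1], sys.argv[2])
```

Parsing in Python also makes the two pre-scans testable without nmap installed: the two sample strings are the only inputs the parsers need, and `merge_targets` sorts numerically rather than lexically, so 10.0.0.9 lands after 10.0.0.10 in the target file.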

The second task was to get these nmap scans onto a central server with as little work as possible. What easier way than an anonymous FTP server! (Just kidding, there are probably easier and better ways; this is just what we came up with at the time.) On the server side, we wrote a bash script that installs vsftpd, points it at a pre-configured config file, and lets any anonymous user upload a file to a specified directory. Keep in mind what that means on a shared network: anyone who can reach the server can upload or overwrite scan results in that directory, and the transfers are in cleartext, so the nVis server belongs on the team's own segment and the upload directory should be treated as untrusted input.

import ftplib

def upload_scan(server, username, remote_path, nmapdb):
	# username is "anonymous" for the vsftpd setup described above (no password needed)
	ftp_connection = ftplib.FTP(server, username)
	ftp_connection.cwd(remote_path)      # directory the config allows anonymous uploads to
	ftp_connection.set_pasv(False)       # active mode, as in the original client
	# Upload the XML that the -oA scan wrote as nmapdb.xml
	with open(nmapdb + ".xml", "rb") as fh:
		ftp_connection.storbinary("STOR %s.xml" % nmapdb, fh)
	ftp_connection.quit()

By now we have collected all of the nmap scans in a single location. The final task was to parse the scans and populate a database with the relevant information so the web server could serve everything we needed. Luckily for us, we found a Python script on GitHub that did exactly that; credit to https://github.com/erforschr/nmap-to-mongo. The script imports all the nmap XML files from the FTP directory, parses them, and populates our Mongo database.
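To make concrete what that parsing step has to produce for the page shown in the screenshot (hostname, IP, host state, open-port count, and the open ports with their service names), here is an added example of an nmap XML to MongoDB loader. It is my own code, not nmap-to-mongo and not part of nVis; the document layout, the `triage` field standing in for the three-colour toggle, and the constructed sample XML are assumptions. `replace_one(..., upsert=True)` and `find_one` are the real pymongo calls, but the collection is passed in so the parser itself runs with no database.

```python
import xml.etree.ElementTree as ET

# Constructed nmap XML (not a real scan), shaped like the -oA output the clients upload.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -T5 -iL initial.txt -oA scan">
<host>
  <status state="up" reason="echo-reply"/>
  <address addr="10.0.0.5" addrtype="ipv4"/>
  <hostnames><hostname name="dc01.corp.local" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="88"><state state="open" reason="syn-ack"/><service name="kerberos-sec" method="probed"/></port>
    <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds" method="probed"/></port>
    <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/><service name="ms-wbt-server" method="table"/></port>
  </ports>
</host>
<host>
  <status state="up" reason="syn-ack"/>
  <address addr="10.0.0.7" addrtype="ipv4"/>
  <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
  <hostnames/>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
  </ports>
</host>
</nmaprun>"""

# Triage states behind the colour toggle in the nVis UI (the field name and values are my assumption).
TRIAGE_STATES = ("new", "in_progress", "completed", "investigate_later")


def parse_nmap_xml(xml_text):
    """Turn one nmap XML document into one dict per host, carrying what the
    nVis page shows: hostname, IP, host state, open-port count and the open
    ports with their service names."""
    root = ET.fromstring(xml_text)
    docs = []
    for host in root.iter("host"):
        ip = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")   # skip the MAC address entry
        if ip is None:                   # nothing to key the document on
            continue
        status = host.find("status")
        name = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                 # filtered/closed ports would inflate the count in the UI
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
        ports.sort(key=lambda p: (p["protocol"], p["port"]))
        docs.append({
            "ip": ip,
            "hostname": name.get("name", "") if name is not None else "",
            "state": status.get("state", "unknown") if status is not None else "unknown",
            "open_ports": len(ports),
            "ports": ports,
            "triage": TRIAGE_STATES[0],
        })
    return docs


def upsert_hosts(docs, collection):
    """Write host documents keyed on IP so a rescan updates rather than duplicates.

    `collection` is a pymongo Collection, e.g. MongoClient()["nvis"]["hosts"].
    The stored triage value is carried over so the clients' endless rescans do
    not reset the colour a teammate set on the host."""
    for doc in docs:
        existing = collection.find_one({"ip": doc["ip"]})
        if existing is not None:
            doc["triage"] = existing.get("triage", doc["triage"])
        collection.replace_one({"ip": doc["ip"]}, doc, upsert=True)
    return len(docs)


if __name__ == "__main__":
    for d in parse_nmap_xml(SAMPLE_XML):
        print(d["ip"], d["hostname"] or "-", d["state"], d["open_ports"], [p["service"] for p in d["ports"]])
```

Two design points matter here. First, the clients rescan in a loop, so the loader must upsert on IP and carry the triage state across, otherwise every rescan would silently flip completed hosts back to untouched. Second, the XML arrives through an anonymous-writable FTP directory, which makes it attacker-controllable input; for anything beyond a closed competition network, parse it with defusedxml rather than the stdlib parser, since the call is a drop-in replacement for `ET.fromstring`.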

Frontend Server

