Red team operations call on a wide mix of skills, last several months and are politically sensitive; they require a lot of monitoring, consolidation and caution. Wavestone's red team operations management software, Abaddon, has been designed to make red team operations faster, more repeatable and stealthier, while including value-added tools and bringing numerous reporting capabilities.
Because:
What did we want with Abaddon?
Abaddon aims at facilitating red team operations by:
The slides presenting Abaddon at RSAC2020 can be found here: (Abaddon, the red team angel)
What you can deploy
Other features
Installing and launching Abaddon
Abaddon has been tested on Debian, Lubuntu and, of course, Kali Linux (the latest tests were performed on the 5.4.0 amd64 version). You also need Internet access, and a public IP address if you want to deploy your C&C server locally.
Note that the easiest way to configure your AWS environment is probably to install the aws-cli as described here: <https://docs.aws.amazon.com/fr_fr/cli/latest/userguide/install-cliv2-linux.html>
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
git clone git@github.com:wavestone-cdt/abaddon.git
cd abaddon
aws configure
mv abaddon/settings.py.sample abaddon/settings.py
sed -i 's/yourPasswordHere/<databasepassword>/g' abaddon/settings.py
bash setup/install.sh
This script will:
Start the Red Team Angel!
bash abaddon.sh
Open a browser and go to http://127.0.0.1:8000 (log in with the Django superuser credentials created during the installation).
Deployment of a C&C infrastructure inside Abaddon
If no EC2 instance has been deployed from Abaddon yet (it is important that you deploy the EC2 from Abaddon, so that you have access to the SSH key, located in the aws folder), go to the Delivery/Let's phish! page and click on Deploy EC2!. Wait for the end of the deployment (all the deployment steps appear in the terminal used to start Abaddon, so you can check there whether the EC2 is ready to be used).
Open the misc/apache/default-ssl.conf file and UPDATE the domain name of the EC2 inside the second VirtualHost. To avoid detection of your infrastructure, buy a new domain name and configure it to point to your EC2. Use this domain name in the Apache configuration file and UPDATE misc/apache/topsecret.key and misc/apache/topsecret.crt accordingly, i.e. replace them with the private key and the certificate of your new domain.
Then go to the Monitor current Scenarios page and click on Configure a RedELK infrastructure. Give this scenario a name; Abaddon currently supports only one scenario at a time. Choose an EC2 instance deployed from your Abaddon and choose Local Deployment (because you deploy your Apache docker locally). Then choose the ports used by the deployed EC2 to receive the HTTP and SSL connections, and the port and IP address the Apache reverse proxy will forward the traffic to (for instance, the IP and port your SILENTTRINITY server listens on). A common configuration would be the following:
HTTP port = 80
SSL port = 443
Listening port = 9999
C2 IP address = 172.16.0.1
Wait for the end of the deployment and go back to the Monitor current Scenarios page.
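As an added illustration (this is not the project's shipped misc/apache/default-ssl.conf, whose exact contents are not reproduced here), the following is what the second VirtualHost looks like once the redirector domain, the certificate files and the forwarding target from the common configuration above are filled in. The domain name redirector.example.com and the in-container paths under /etc/apache2/ are assumptions; the ports and the C2 address (443 in front, 172.16.0.1:9999 behind, plain HTTP between the proxy and the C2) are the values given above.

```apache
# Added example: TLS-terminating reverse proxy in front of the C2.
# Assumed: ServerName redirector.example.com and the /etc/apache2/ paths
# (the project keeps the key/cert as misc/apache/topsecret.key and .crt).
# Requires mod_ssl, mod_proxy and mod_proxy_http (a2enmod ssl proxy proxy_http).
<VirtualHost *:443>
    ServerName redirector.example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/topsecret.crt
    SSLCertificateKeyFile /etc/apache2/topsecret.key

    # Forward everything to the C2 listener on the internal address.
    # ProxyPreserveHost keeps the redirector domain in the Host header so the
    # C2 sees the same hostname the implant was given.
    ProxyPreserveHost On
    ProxyRequests     Off
    ProxyPass         / http://172.16.0.1:9999/
    ProxyPassReverse  / http://172.16.0.1:9999/

    ErrorLog  ${APACHE_LOG_DIR}/redirector-error.log
    CustomLog ${APACHE_LOG_DIR}/redirector-access.log combined
</VirtualHost>
```

Before (re)building the Apache docker, run `apachectl -t` (or `apache2ctl configtest`) against the edited file to catch a typo in ServerName or a mismatched key/certificate pair; a wrong pair makes Apache refuse to start and the scenario deployment stall.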
Getting Involved
Please do not hesitate to send us Pull Requests, or send me questions (@Ibrahimous).
Call for Contributions
We really would like to see pentesters and other offensive security lovers come out of their secret zone, share ideas and contribute to establishing a comprehensive framework for red team operations.
So, if you want to enhance the tool, please do. If you want to reshape it radically, please submit your ideas.
Documentation, Setup & Basic Usage
The documentation is a work in progress, and will very soon be available in the Wiki.
Author
Charles IBRAHIM (@Ibrahimous)
Acknowledgments, Contributors & Involuntary Contributors
(In no particular order)