Subject: [Hangout-NYLXS] what is TAP?
Introducing TAP – An Open-Source Attack Platform
As security assessors, we don’t always have the luxury of being onsite
working with our customers all of the time. For that reason, I created
the TrustedSec Attack Platform (TAP) device. The basic concept is that
you can deploy a box to the customer and have it automatically establish
itself back to you in order to perform pentests. While this may seem
like a simple concept, reliability, continual updates, and egress
filtering are always a challenge. TAP solves that by only requiring one
outbound port, using proxychains-ng for all outbound communications, and
completely setting up the device for you in an automated fashion. It
supports SSH keys, passwords (stored via AES encryption), and more.
Additionally, TAP will automatically repair itself if it detects that
the SSH port is down as well as if there are other issues with the device.
Additionally, there are scripts that the team over here at TrustedSec
has created that allow you to establish a full SSH tunnel into the
machine with whatever box you want. The concept is to quickly create
and deploy boxes you can send to locations in order to ensure you can
maintain access during an assessment. TAP will ensure that the system is
always up-to-date with your latest patches, and uses the PenTesters
Framework (github.com/trustedsec/ptf) to automatically install all of
your tools and keep them up-to-date.
TAP is recommended to be installed on a more long-term and stable Linux
platform such as LTS with Ubuntu for stability and updates.
For hardware, we use the Intel NUC series with a solid-state drive, 16
gigs of ram, wireless alfa attached for wireless assessments, and a
Verizon LTE card so you don’t have to worry about egress filtering if it
isn’t available. Recommend IPTables off EVERYTHING except for the IP
addresses that you want the remote connection coming to, and block all
Installing or UnInstalling TAP
python setup.py - This will install TAP.
In order to uninstall TAP:
python setup.py - This will uninstall TAP.
Setup will walk you through all of the steps you need in order to be
successful in deploying the box.
Setting up TAP
When setting up TAP, the first question you may have is about the REMOTE
SSH server. This would be an external box you have with SSH exposed. It
is the box you want the TAP machine to connect back to, the machine you
have on the Internet waiting for connections. It is not recommended to
use root as this is a security oversight. Use a normal user to establish
the SSH tunnel. Right now it's password only, although later on we will
be adding support for SSH keys. The password is stored using AES;
however, the cipher key storage is insecure at the moment. Someone with
maintained access to the box could grab the cipher key and decrypt the
password in the config with enough time and persistence. This will be
fixed in a later release.
The second is the LOCAL port that will be on the REMOTE box. When TAP
connects back via reverse SSH, it connects to the REMOTE box and
establishes a local port on the machine. When you SSH to the remote box
on the Internet, you will want to ssh user@localhost -p . This will be
the port TAP binds to on the REMOTE system so you can access it.
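
Because the tunnel account's password can be recovered from the TAP
device, that account should be able to do nothing on REMOTE except open
the one reverse-forwarded port. The Python check below is an added
example, not part of TAP or the original post; the account name tapuser,
port 10003, and the policy itself (PermitTTY no assumes the tunnel client
needs no terminal on REMOTE) are assumptions.

```python
# Added example: audit REMOTE's sshd_config; "tapuser"/10003 are assumed, not TAP's.
# directive: (value wanted for the tunnel account, OpenSSH default when unset)
POLICY = {
    "allowtcpforwarding": ("remote", "yes"),   # reverse forwards only
    "gatewayports": ("no", "no"),              # forwarded port stays on loopback
    "permittty": ("no", "yes"),                # no interactive terminal
}

def parse_sshd_config(text):
    """Return (global settings, {user: settings from 'Match User' blocks})."""
    glob, users = {}, {}
    current = glob
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit = value.split()
            is_user = len(crit) == 2 and crit[0].lower() == "user"
            current = users.setdefault(crit[1], {}) if is_user else {}
        else:
            current.setdefault(key, value)     # sshd keeps the first value seen
    return glob, users

def audit_tunnel_account(text, user, port):
    """List deviations from least privilege for the reverse-tunnel account."""
    glob, users = parse_sshd_config(text)
    block = users.get(user, {})                # Match block overrides globals
    findings = ["tunnel account is root"] if user == "root" else []
    if glob.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    for key, (want, default) in POLICY.items():
        got = block.get(key, glob.get(key, default)).lower()
        if got != want:
            findings.append(f"{key} is '{got}', want '{want}'")
    ok = {str(port), f"localhost:{port}", f"127.0.0.1:{port}"}
    listen = block.get("permitlisten", glob.get("permitlisten", "any"))
    if not set(listen.lower().split()) <= ok:
        findings.append(f"PermitListen is not limited to localhost:{port}")
    return findings

WEAK = "PermitRootLogin yes\nAllowTcpForwarding yes\nGatewayPorts yes\n"  # constructed
HARDENED = """PermitRootLogin no
Match User tapuser
    AllowTcpForwarding remote
    PermitListen localhost:10003
    GatewayPorts no
    PermitTTY no
"""  # constructed sample
```

audit_tunnel_account(WEAK, "tapuser", 10003) returns five findings, and
the HARDENED sample returns none for the same account and port.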
Once you configure that, TAP has a default path it pulls updates from;
you can change this to your own update path. I intentionally kept this
off GitHub so you can specify what you want for approved updates.
Next, you can send commands to the TAP; it checks every two minutes for
new instructions. You need to specify a path, for example:
TAP will check that path every two minutes looking for new commands.
Note that this next part is IMPORTANT: the first line of the text file
MUST contain “EXECUTE COMMAND” (without the double quotes). Once TAP
identifies this, it will check to see if the command was executed before
and if not it will execute the commands line by line. This is useful
when you lose connection with TAP and need to call execute commands to
Once you run setup, it will install the files in /usr/share/tap. It will
automatically start if you specify, and will automatically check for
updates such as Debian updates, TAP updates, etc.
You should also whitelist the update servers if you are using Debian as
well as your REMOTE box you connect back to.
In the event that you decide not to use SSH keys and use passwords, the
config stores it in an AES format. If you need to update the password,
go to the scripts directory which has an update-password script to
update the encrypted password and create a new dynamic cipher key.
Also a neat trick once you are there is a small tool we wrote for
basically an SSH VPN. This works out great if you aren’t doing large
traffic volumes such as port scans, vulnerability scans, etc. The below
is a simple tool that wraps sshuttle to create the VPN. Just save the
below file into a Python file, run it, and use the commands. It’ll VPN
you in to the remote network where TAP is deployed. You can do anything
as long as it isn’t extremely large volume traffic (pretty stable).
There are two ways to handle a VPN. The first is through the method below
with SSHuttle. You can also use a transparent VPN that was created by
Geoff Walton at TrustedSec and is located under the scripts folder.
This will create a TAP interface and VPN you into the system through
SSH. With SSHuttle, things like port scans do not work properly, so we
would highly recommend the ssh-tunnel script.
Automatic Proxy Chains
TAP uses proxychains4 (proxychains-ng) to tunnel all of your http/https
traffic through SSH to your remote box. This helps with content/egress
filtering so you can ensure you always have everything up-to-date. In
order to use proxychains, just type proxychains4 – TAP updates
automatically use this.
During the setup process, TAP will prompt you to see if you want to log
all commands executed on the system. If you do, all commands that are
entered on the system will be logged so that you can provide them to the
customer or keep records of what happened on the devices. All logs are
saved under /var/log/messages.
The TrustedSec Attack Platform (TAP) can be downloaded from here:
TAP and this blog post were written by David Kennedy – founder of TrustedSec.
By davek | October 28th, 2015