
Route Configuration

Max Harley edited this page Sep 13, 2021 · 11 revisions

Serving Files

In the server_root directory chosen during the server configuration section, place any files you want to serve as a payload.

Along with those files, optionally create a <payload_name>.info file. For example, if you want to host a payload called index.html, make index.html.info. .info files are YAML files containing the filtering information for the payload you are hosting.

Instead of .info files, you can also use a single file in the server root called pathList.yml. It uses the same format as .info files except as a list instead of a single object. Make sure to add the path and hosted_file parameters since those are automatically populated only when using .info files.

Example pathList.yml

- path: /test.html
  hosted_file: folder1/test.html

- path: /cond.html
  hosted_file: cond.html
  authorized_useragents:
    - .*Mozilla.*

Filtering Options

Below is a list of filtering options which can be used in .info files and the global conditional configuration directory.

serve

Number of times to serve file

Example

This serves the file once; after that, requests for it are denied.

serve: 1

authorized_useragents

List of User Agent strings to allow. This is a regex search.

Example

All user agents with the string Linux will be allowed as well as the iPhone user agent.

authorized_useragents:
  - Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
  - ".*Linux.*"
  - "^Moz*ll*$"

blacklist_useragents

List of User Agent strings to block. This is a regex search, so the entire user agent does not need to be specified.

Example

blacklist_useragents:
  - Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1

authorized_useragents_glob

List of User Agent strings to allow. This is a glob search.

Example

All user agents with the string Linux will be allowed as well as the iPhone user agent.

authorized_useragents_glob:
  - Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
  - "*Linux*"
  - "Moz*ll*"

blacklist_useragents_glob

List of User Agent strings to block. This is a glob search.

Example

blacklist_useragents_glob:
  - Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
  - "*Mozilla*"

authorized_iprange

List of IPs or IP ranges (CIDR notation) allowed to view a file.

Example

authorized_iprange:
  - 192.168.0.1
  - 192.168.10.1/24

authorized_methods

Authorized HTTP methods

Example

authorized_methods:
  - GET
  - PUT

authorized_headers

Dictionary of headers which must be present, with the values they must carry.

Example

authorized_headers:
  Hacked: yes

The request with a header of Hacked and a value of yes, like below, would be allowed to access the payload.

GET / HTTP/1.1
Host: google.com
Hacked: yes
...

authorized_ja3

Authorized JA3 hashes to access the file. More information about JA3 can be found here.

Example

authorized_ja3:
  - e7d705a3286e19ea42f587b344ee6865
  - 6734f37431670b3ab4292b8f60f29984

blacklist_iprange

IPs blocked from accessing a payload.

Example

blacklist_iprange:
  - 94.130.90.152
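The authorized_iprange example above lists `192.168.10.1/24`, a host address with a network mask, alongside a bare address. The added example below (not part of satellite) shows how both forms are resolved and how authorized_iprange and blacklist_iprange combine. It assumes that a prefix with host bits set is normalised to its network (192.168.10.1/24 becomes 192.168.10.0/24 rather than an error), that a blacklist match denies even inside an authorized range, and that an empty authorized list allows any address; the client addresses are constructed sample input.

```python
import ipaddress


def parse_range(entry):
    """Accept a single IP ('192.168.0.1') or a CIDR range ('192.168.10.1/24').
    strict=False normalises a host address carrying a mask to its network
    instead of raising ValueError; a bare address becomes a /32 (or /128)."""
    return ipaddress.ip_network(entry, strict=False)


def in_ranges(client_ip, entries):
    """True if client_ip falls inside any listed address or range.
    Membership across IPv4/IPv6 families is simply False, not an error."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in parse_range(e) for e in entries)


def ip_allowed(client_ip, authorized=(), blacklist=()):
    """Assumptions: blacklist_iprange wins over authorized_iprange, and an
    empty authorized_iprange means every address is acceptable."""
    if blacklist and in_ranges(client_ip, blacklist):
        return False
    if authorized and not in_ranges(client_ip, authorized):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample configuration mirroring the page's examples.
    authorized = ["192.168.0.1", "192.168.10.1/24"]
    blacklist = ["94.130.90.152"]
    for ip in ("192.168.10.200", "192.168.0.1", "192.168.11.5", "94.130.90.152"):
        print(ip.ljust(16), ip_allowed(ip, authorized, blacklist))
```

The first two addresses are served, 192.168.11.5 is outside both ranges and refused, and 94.130.90.152 is refused by the blacklist regardless of the allow-list.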

prereq

Prerequisite paths which must be hit, in order, before the payload will be served.

Example

In this case, /first has no prerequisites, so it is served on the first request. If /second is requested before /first, the user is served a 404 page; once /first has been accessed, a following request for /second is served. Only after /first and then /second have both been accessed can /payload be retrieved.

first.info (no prereq key)

second.info

prereq:
  - /first

payload.info

prereq:
  - /first
  - /second
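The prereq chain described above depends on the server remembering which paths each client has already fetched. The added example below (not satellite's own code) is a small tracker that reproduces the documented behaviour for /first, /second and /payload. It assumes that state is kept per client address, that only successfully served requests are recorded, and that the prereq list must appear in the client's history in the given order; the route table is constructed to mirror the three .info files shown.

```python
from collections import defaultdict

# Constructed route table mirroring first.info / second.info / payload.info above.
ROUTES = {
    "/first":   {"prereq": []},
    "/second":  {"prereq": ["/first"]},
    "/payload": {"prereq": ["/first", "/second"]},
}


class PrereqTracker:
    """Tracks served paths per client and enforces ordered prerequisites.
    Assumption: clients are identified by address; the page does not say
    how satellite keys this state."""

    def __init__(self, routes):
        self.routes = routes
        self.history = defaultdict(list)   # client -> paths served, in order

    def _satisfied(self, client, prereq):
        # prereq must occur as an ordered subsequence of what was served;
        # the shared iterator only moves forward, so order is enforced.
        seen = iter(self.history[client])
        return all(any(p == s for s in seen) for p in prereq)

    def request(self, client, path):
        """Return the HTTP status the client would get for this path."""
        route = self.routes.get(path)
        if route is None or not self._satisfied(client, route.get("prereq", [])):
            return 404
        self.history[client].append(path)   # only served requests count
        return 200


if __name__ == "__main__":
    tracker = PrereqTracker(ROUTES)
    for path in ("/second", "/payload", "/first", "/second", "/payload"):
        print(path.ljust(9), tracker.request("198.51.100.10", path))
```

The first two requests get 404 because nothing has been fetched yet; the next three get 200 in sequence. A different client address starts with an empty history and is refused /payload until it has walked the same chain.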

authorized_countries

Uses the MaxMind GeoIP2 country database to only allow access from specific countries. The ISO 3166 country codes which can be used are listed here.

Example

geoip:
  authorized_countries:
    - US
    - CA

blacklist_countries

Uses the MaxMind GeoIP2 country database to deny access from specific countries. The ISO 3166 country codes which can be used are listed here.

Example

geoip:
  blacklist_countries:
    - CA

content_type

Sets the Content-Type for the payload being served. More information about the Content-Type header can be found here.

Example

content_type: application/msword

disposition

Sets the Content-Disposition header for the payload. There are two sub-keys: type and file_name. type can be either inline or attachment. file_name is the file name for the attachment if the attachment option is chosen.

Example

disposition:
  type: attachment
  file_name: file.docx

exec

Executes a program, passes the HTTP request to it on stdin, and compares its stdout against the output value.

Example

exec:
  script: /home/user/test.py
  output: success
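Both authorized_methods/authorized_headers and the exec hook operate on the raw request: the former as built-in checks, the latter by handing the request text to an external program on stdin. The added example below (not satellite's own code) parses a raw HTTP/1.x request like the one shown under authorized_headers and applies a method list and a required-header dictionary to it; when run as a script it reads the request from stdin and prints success or denied, which is the shape the exec contract above calls for. The sample request and the chosen required values are constructed; the exact stdin framing satellite uses is an assumption.

```python
import sys

# Constructed raw request in the shape the page shows for authorized_headers.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Hacked: yes\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers).
    Header names are lower-cased because HTTP compares them case-insensitively;
    the body (after the blank line) is ignored."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    lines = head.splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def request_allowed(raw, authorized_methods=(), authorized_headers=None):
    """authorized_methods: method must be listed (empty list = any method).
    authorized_headers: every listed header must be present with exactly that value.
    Values are compared as strings, so a YAML-loaded boolean would not match."""
    method, _path, headers = parse_request(raw)
    if authorized_methods and method not in authorized_methods:
        return False
    for name, value in (authorized_headers or {}).items():
        if headers.get(name.lower()) != str(value):
            return False
    return True


if __name__ == "__main__":
    # exec contract: request on stdin, decision on stdout (values are assumptions).
    ok = request_allowed(sys.stdin.read(),
                         authorized_methods=["GET", "PUT"],
                         authorized_headers={"Hacked": "yes"})
    print("success" if ok else "denied")
```

One caveat the header example exposes: in YAML 1.1 an unquoted `yes` may be loaded as a boolean rather than the string "yes", depending on the parser. Quoting the value in the .info file (`Hacked: "yes"`) removes the ambiguity.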

add_headers

Adds the given headers to all HTTP responses.

Example

add_headers:
  Accept-Encoding: gzip

add_headers_success

Adds the given headers to the HTTP response if the page was successfully reached.

add_headers_failure

Adds the given headers to the HTTP response if the request was denied.

times_served

Number of times a payload has been accessed. This variable is for satellite to do record-keeping.

not_serving

Boolean that determines whether the file should be served. It is mostly used by the satellite server for record-keeping, but it can be set manually to stop a payload from being hosted.

Example

not_serving: true

on_failure

Specifies what happens when the request does not match the prerequisites. There are two options: redirection, available through on_failure.redirect, and rendering a web page, available through on_failure.render.

Example: Redirection

on_failure:
  redirect: https://google.com

Example: Rendering

The rendered page's own conditions still apply. In this example, the same request must satisfy all of the conditions for /index.html, or else the response will be the default failure message.

on_failure:
  render: /index.html

proxy

Proxies the route to a different address.

Example

proxy: http://localhost:2222

credential_capture

Pulls credentials from POST or PUT requests and writes them to the file named in credential_capture.file_output.

Example

credential_capture:
  file_output: /tmp/creds

Global Conditionals

You can apply these conditional configurations for all routes using the global conditionals directory. By default, the directory is <server_root>/conditions. If your server root is set to /etc/satellite, your global conditionals directory would be /etc/satellite/conditions.

Example

If you have a list of user agents known to be associated with a target CIRT as well as a list of IPs associated with ProofPoint, you could create two files: example_cirt_ua.yml and proofpoint_ip.yml. You could then share proofpoint_ip.yml on Twitter, and others could download and use it with ease.

# /etc/satellite/conditions/proofpoint_ip.yml
blacklist_iprange:
  - 127.0.0.1
  - 127.0.0.2

# /etc/satellite/conditions/example_cirt_ua.yml
blacklist_useragents:
  - ExampleBot-CIRT