
Redherd Framework : A Collaborative And Serverless Framework For Orchestrating A Geographically Distributed Group Of Assets

Redherd Framework is a collaborative and serverless framework for orchestrating a geographically distributed group of assets capable of conducting or simulating complex offensive cyberspace operations.

The framework takes advantage of the “as a Service” paradigm in order to deploy a ready-to-use infrastructure that can also be adopted for effective training purposes, by reliably reproducing a real-world cyberspace scenario in which red and blue teams can challenge each other. RedHerd perfectly fits the Open Systems Architecture design pattern, thanks to the adoption of both open standards and wide-spread open source software components.

Terminology

Name        Description
asset       The multi-platform devices (Windows, Debian-like, RHEL-like, MacOS and Android) that can be orchestrated.
client      The device used by an operator to interact with RedHerd components.
module      The code implementation of a task that can be executed by an asset.
process     The dynamic instance of a module.
task        The abstract representation of an operator intent.
topic       A group of modules that share a common intent (e.g. port scanning, Wi-Fi, …).

Architecture

RedHerd uses some specialized Docker containers in order to integrate many community acclaimed open-source products with a custom application layer, implemented for interoperability purposes. These containers have been designed to compartmentalise features and to allow horizontal scaling if needed. The described architecture offers a high level of automation by allowing minimized user interaction during the asset setup process and is bounded by a Virtual Private Network (VPN) granting Operations Security (OPSEC) by design.

The main elements of the RedHerd framework are listed hereafter:

  • Assets: multi-platform devices (Windows, Debian-like, RHEL-like, MacOS and Android) that can be orchestrated to perform cyber operations;
  • Herd-Server: the Node.js core of the framework which is responsible for interacting with the assets. It receives and multiplexes all the inputs from the operators thanks to an extended set of Application Programming Interfaces (API) and dispatches the output received from the assets via a Socket.IO channel;
  • File-Server: an FTPS-based server, which allows secure file transfer among operators and assets;
  • OVPN-Server: the OpenVPN gateway for all entities interacting with the framework;
  • Distribution-Server: the only component publicly accessible outside the VPN edge, which represents an Nginx web server that distributes, after authentication, all the configuration files needed by an entity attempting to join the framework;
  • Herd-View: a Progressive Web Application (PWA) written in Angular that provides a user-friendly interface to monitor and task all the assets in real-time;
  • Client: the device used by an operator to interact with the framework components.

Last but not least, Herd-CLI represents the administrative application for managing the entire framework.

Features

RedHerd has several features that give it strong orchestration capabilities:

  • Intuitive Interface: it provides, through Herd-View, an intuitive web application to easily interact with the assets;
  • Multi-Platform: it is able to orchestrate a wide range of devices, offering joining and tasking procedures for different operating systems (Windows, Debian-like, RHEL-like, MacOS and Android);
  • Multi-User: it supports multi-user collaboration. Teamwork has become crucial for effective operations; once joined to RedHerd, many users can task the same asset or operate independently;
  • Agentless: it overcomes the requirement of a local agent waiting for a task to accomplish. Specifically, during the task warmup Herd-Server receives a job for an asset and initiates an SSH connection with it. Subsequently, it specializes and executes the set of commands needed to reach the expected result, allowing a lightweight computational effort asset-side;
  • Easily Deployable: it is cross platform and can be deployed both on premise and in a Cloud-based environment. To this end, a bash script is provided that automates the framework deployment process on a Debian-based distro. Given the design choice to use Docker containerization, an equivalent script could easily be developed to host RedHerd on a different operating system;
  • Easily Expandable: it provides developer-ready JavaScript specifications, offering an easy way to expand the product features by writing custom modules that accomplish an arbitrary number of tasks;
  • Module Hot-Update: modules can be added, removed and updated on the fly; no framework restart or redeployment is needed;
  • API Driven: it is driven by an extensive set of REST APIs which enable third-party applications to easily interact with and make use of the framework features.

Setup :: Intro

The entire solution is cross platform and can be deployed both on premise and in a Cloud-based environment. The released implementation focuses on a Debian host machine tested both locally and remotely.

System requirements

Following are some recommended and tested specifications for the host machine:

  • Ubuntu >= 18.04
  • 8+ GB RAM
  • 50+ GB HDD
  • 2+ CPUs

Obtain

The first step is to obtain the latest release of the framework by cloning it from the official GitHub repository:

$ git clone https://github.com/redherd-project/redherd-framework.git

Deploy

The second step is to deploy RedHerd on the host machine. This can be done by running the purpose-built deploy.sh bash script, which implements a manually triggered but fully automated procedure on a Debian-based device.

Select the public interface

Select the external IP address which all assets/clients will connect to:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:01:84:00 brd ff:ff:ff:ff:ff:ff
    inet 172.23.163.163/20 brd 172.23.175.255 scope global dynamic noprefixroute eth0
       valid_lft 82990sec preferred_lft 82990sec
    inet6 fe80::ab6c:c19c:6d33:aff1/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

Install Docker

Before going further, Docker installation is necessary to deploy and launch the RedHerd framework:

$ cd redherd-framework
$ sudo ./redherd-framework/utils/install_docker.sh

Launch the deploy script

Using the command line below, the deploy script will initialize the database (-db), generate the Certification Authority (CA) (-ca), the SSH keys (-k), the Distribution-Server credentials (-u) and the OpenVPN configurations for 10 (-a 10) endpoints (assets/clients). Up to 256 endpoints can join the framework.

$ cd redherd-framework
$ sudo ./deploy.sh -s 172.23.163.163 -db -ca -k -u -a 10

    [*] DETECTED PARAMETERS:
    [!] INIT DB: TRUE
    [!] GENERATE CA: TRUE
    [!] GENERATE CERTS: TRUE
    [!] GENERATE KEYS: TRUE
    [!] GENERATE USERS: TRUE
    [!] PUBLIC HOSTNAME: 172.23.163.163
    [!] ASSETS COUNT: 10
    [!] VPN NET CIDR: 10.11.0.0/16
    [!] DOCKER OVPNSRV NAME: ovpnsrv
    [!] DOCKER OVPNSRV ADDRESS: 10.10.0.2
    [!] DOCKER HERDSRV NAME: herdsrv
    [!] DOCKER HERDSRV ADDRESS: 10.10.0.3
    [!] DOCKER HERDVIEW NAME: herdview
    [!] DOCKER HERDVIEW ADDRESS: 10.10.0.5
    [!] DOCKER FTPSRV NAME: ftpsrv
    [!] DOCKER FTPSRV ADDRESS: 10.10.0.4
    [!] DOCKER DSTRSRV NAME: dstrsrv
    Continue? [y/N]: y

Check framework status

Once the deploy procedure has completed, check that all containers are up and running:

$ sudo docker ps
CONTAINER ID   IMAGE             COMMAND                  CREATED              STATUS              PORTS                                             NAMES
07839fcaec7e   dstrsrv:latest    "/docker-entrypoint.…"   About a minute ago   Up About a minute   80/tcp, 0.0.0.0:8443->443/tcp, :::8443->443/tcp   dstrsrv
48beb5cb7eb8   herdview:latest   "/docker-entrypoint.…"   About a minute ago   Up About a minute   80/tcp                                            herdview
f3fec616f317   ftpsrv:latest     "/bin/sh -c '/run.sh…"   4 minutes ago        Up 4 minutes        21/tcp, 30000-30009/tcp                           ftpsrv
e12362fa5dca   herdsrv:latest    "docker-entrypoint.s…"   4 minutes ago        Up 4 minutes        3000-3001/tcp                                     herdsrv
4b5fe465f217   ovpnsrv:latest    "ovpn_run"               7 minutes ago        Up 7 minutes        0.0.0.0:1194->1194/udp, :::1194->1194/udp         ovpnsrv
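The listing above is also the place to verify the exposure model described under Architecture: the Distribution-Server (container port 443 published as 8443) and the OpenVPN gateway (1194/udp) are the only services that should be bound on the host, while Herd-Server, Herd-View and File-Server must stay reachable only inside the VPN. The following Python script is an added example, not part of the RedHerd project; it reads the tab-separated output of `sudo docker ps --format '{{.Names}}\t{{.Status}}\t{{.Ports}}'` and reports missing containers, containers that are not Up, and any host-published port outside that allow-list. The embedded samples are constructed from the listing above.

```python
"""Check a RedHerd deployment against its published exposure model.

Added example (not RedHerd code). Only the Distribution-Server (host port 8443)
and the OpenVPN gateway (host port 1194/udp) are meant to be reachable from the
host network; Herd-Server, Herd-View and File-Server must not publish any port.
Usage:
    sudo docker ps --format '{{.Names}}\t{{.Status}}\t{{.Ports}}' | python3 check_redherd.py
"""
import re
import sys
from typing import List, NamedTuple, Tuple

EXPECTED_CONTAINERS = {"ovpnsrv", "herdsrv", "ftpsrv", "herdview", "dstrsrv"}

# (container, host port, protocol) bindings that are supposed to be published.
ALLOWED_PUBLISHED = {
    ("dstrsrv", "8443", "tcp"),   # Nginx distribution server, 443 inside -> 8443 on the host
    ("ovpnsrv", "1194", "udp"),   # OpenVPN gateway
}

# Matches "0.0.0.0:8443->443/tcp" or ":::1194->1194/udp"; a bare "80/tcp" is container-internal.
_PUBLISHED_RE = re.compile(r"^(?P<host>.*):(?P<hport>\d+)->(?P<cport>\d+)/(?P<proto>tcp|udp)$")


class Container(NamedTuple):
    name: str
    status: str
    ports: List[str]


def parse_docker_ps(text: str) -> List[Container]:
    """Parse tab-separated NAMES, STATUS, PORTS lines (the --format shown above)."""
    rows: List[Container] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, status, ports = (line.split("\t") + ["", ""])[:3]
        rows.append(Container(name.strip(), status.strip(),
                              [p.strip() for p in ports.split(",") if p.strip()]))
    return rows


def published_ports(c: Container) -> List[Tuple[str, str, str]]:
    """(host address, host port, protocol) for every mapping bound on the host."""
    out: List[Tuple[str, str, str]] = []
    for p in c.ports:
        m = _PUBLISHED_RE.match(p)
        if m:
            out.append((m["host"], m["hport"], m["proto"]))
    return out


def check_deployment(text: str) -> List[str]:
    """Return findings; an empty list means every expected container is Up and
    nothing outside ALLOWED_PUBLISHED is reachable from the host network."""
    containers = {c.name: c for c in parse_docker_ps(text)}
    findings = [f"{name}: container not running"
                for name in sorted(EXPECTED_CONTAINERS - set(containers))]
    for c in containers.values():
        if not c.status.startswith("Up"):
            findings.append(f"{c.name}: status is '{c.status}', expected 'Up ...'")
        for host, hport, proto in published_ports(c):
            if (c.name, hport, proto) not in ALLOWED_PUBLISHED:
                findings.append(f"{c.name}: {hport}/{proto} published on {host or '*'}; "
                                "this component should only be reachable inside the VPN")
    return findings


# Constructed sample, modelled on the `docker ps` listing of a healthy deployment.
SAMPLE_OK = "\n".join([
    "dstrsrv\tUp About a minute\t80/tcp, 0.0.0.0:8443->443/tcp, :::8443->443/tcp",
    "herdview\tUp About a minute\t80/tcp",
    "ftpsrv\tUp 4 minutes\t21/tcp, 30000-30009/tcp",
    "herdsrv\tUp 4 minutes\t3000-3001/tcp",
    "ovpnsrv\tUp 7 minutes\t0.0.0.0:1194->1194/udp, :::1194->1194/udp",
])

# Constructed failure case: File-Server is gone and Herd-Server's API port leaked onto the host.
SAMPLE_BAD = "\n".join([
    "dstrsrv\tUp About a minute\t80/tcp, 0.0.0.0:8443->443/tcp, :::8443->443/tcp",
    "herdview\tUp About a minute\t80/tcp",
    "herdsrv\tUp 4 minutes\t0.0.0.0:3000->3000/tcp, 3001/tcp",
    "ovpnsrv\tUp 7 minutes\t0.0.0.0:1194->1194/udp, :::1194->1194/udp",
])

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BAD
    problems = check_deployment(data)
    print("\n".join(problems) if problems else "OK: deployment matches the RedHerd exposure model")
    sys.exit(1 if problems else 0)
```

A non-zero exit code makes the check usable as a post-deploy gate; if Herd-Server's 3000-3001 or the File-Server ports ever show up with a `0.0.0.0:` prefix, the VPN boundary the framework relies on has been bypassed on the host.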

Initialize

Finally, the first user, aka the System User, has to be generated in order to initialize the framework:

$ sudo herd-cli user -a firstuser
New User Password:
[-] Attempting to create the new user
[!] Operation successfully completed

Framework Management :: Intro

This section provides a deeper insight on how to fully manage the framework deployment process and all its features.

Destroy

The deploy script can also be used to take the framework down:

$ sudo ./deploy.sh -d

    [*] Docker environment cleanup
    ovpnsrv
    Untagged: ovpnsrv:latest
    Deleted: sha256:91e78a2d4ce5fb45970d261909f113d0062109702f8ec0ec757b2a7858ff5d23
    Deleted: sha256:5693be9dc0dc0f0ecf136f37475a4b9adf31c0a72894b687822690db7e1f1e8c
    Deleted: sha256:852d8501542f54dbe5754f7fd73d807c4203f66d62ff54d99c119419a02bca2b
    Deleted: sha256:869c88433db452ed79c7162582047dcfbaf47b209317ec1fa6b71a9c40b96ecd
    Deleted: sha256:6b07e4131caa0156ed54f2b2ce27f0c03a3d50e03cc3cc6767d1b69cf4a7205e
    Deleted: sha256:0e459de7b327a61e34e29b6a07c06ea38797c5202e5e3819eee5f8a23553ca08
    Deleted: sha256:b7404afcdd25a8b70ad5873c4094d13f1975a58acf81885e7d88de7288365c11
    Deleted: sha256:b43b3ed5d13e7f800a5ec9e6d3072d32ece187eb182be07245910f95787f5093
    Deleted: sha256:be6ba2aa03790eb8336b8464eb14cdcb34270e6cdb22d83a0e11b20919181214
    Deleted: sha256:07fc7232db98106e694a0234a0ab7ba19286133832192a299a70ecec4dce5682
    Deleted: sha256:e1c5528f18db384fa8373d701f3e61af0e2c1656733af27959ae587a83b457d4
    Deleted: sha256:8f1cece9330a25a1cf795ba78562059f326138fbea5e2749d64dd5a3d70f4050
    Deleted: sha256:9bfcecbeeb774e41e9561e686a4afb7f5012316ef7e271ab017082692b182298
    Deleted: sha256:bfa09c8289fbcc8791c8a174d545cea0fa5f4617c26aa30f1b07ff494b010ad0
    Deleted: sha256:45ba11e8699b99fec50b655797907112cc6246280f146774f42a33cca8cc8408
    Deleted: sha256:36fcb8e0144e44d9c85aadb569122350252c74320b619dbf4cc458da3173cae4
    Deleted: sha256:6ce35068dce464cfd49e7bfa8f0cb9ac384e687732d7d26074873ba63388b915
    herdsrv
    Untagged: herdsrv:latest
    Deleted: sha256:58d8b77f4eaa2252921cd77d5cfd496f29cd6fe6d23463b28ae8233d65e2731a
    Deleted: sha256:116de39c14160d43d2a3fb24aed18b9c9b2228ae0d8e5cec533990c01548cf95
    Deleted: sha256:b042ec9beedfd8aaa9b070900a080385ea705003a97633b2a3710b3a25c90740
    Deleted: sha256:e68cb0e1bd2b8346e2de7dde87ae5d2b7dba3b1497cb30b954bebd6fe86edb52
    Deleted: sha256:e17cca51ca5993a778056672511ae01f4b5231a14add9ea7dd7145a8cf24c9a9
    Deleted: sha256:ecf85fbbcde4f995c90ad19b7da82314fd0bcacf8bc085c296e7dba33edf7551
    Deleted: sha256:96797af7230236fe1eae96e3bea3ad38453c277f36c8a298d4ecc27cb1892eee
    Deleted: sha256:693d0d723aced0e2121968489f25c1e8a206c7c170893777c251af498cedff6e
    Deleted: sha256:4ea4c8116ce073d39f6b95fe774ad873ea072c171d2c78dd9e5e130bc6b2ff7a
    Deleted: sha256:8bbf0fdc143fdc22558d4c2f120e59a655146f3f285775e071cc2e1f79b92339
    Deleted: sha256:308cccf6a89553f19e45a79c043ac83025181ca1b3c00268ae765ec228626b2f
    Deleted: sha256:4ca64ce92227b399e4749a970027b149b7e0ba167186f3822fae0c9c9e1391dc
    Deleted: sha256:17d8b36dd94c4ddfbfe4784bdd20d9b6b5769f4eca6e4efdb43d01d5d6f0cfd4
    Deleted: sha256:2e9271591c173b6ab793635240a224e830a8cc36cad9b21d7f1e772d95e8143d
    Deleted: sha256:5c62079596e97e4221a3b510558e8853fa6fc1dae3549e8785b6777215984a46
    Deleted: sha256:34631d73d29e214ffda5cda7e1660769a7dd3ca5736582bcc63a232f4d42cc7f
    Deleted: sha256:5bf2516c48fa1fee5522ad761de3f8a4329b50fd8178b252e39cab3bc7db9b77
    Deleted: sha256:81f6727d260bf8f8ba3c26e316c88e20673f294bc06e60ff28861f43d976493e
    Deleted: sha256:1119f1e7303603bc416e90ae0c6b4124b23bfa9b2aafec1af4273782449c5914
    ftpsrv
    Untagged: ftpsrv:latest
    Deleted: sha256:42f92a4ddd6dc98221542a9e28982ce9674bac081636edfcf8e86a5e04cc3af1
    Deleted: sha256:d159c5cb39cc834e02e833c3ddb6bb6a9c80a4a6a9b653251c56d0284342cb1d
    herdview
    Untagged: herdview:latest
    Deleted: sha256:8b351a7109b26167045ace8118ebd63fabb35db531973c664c9a103cc673a4db
    Deleted: sha256:2c67a03feece34a56f65a77b37d345f3abfece9b97cf1f2631c4ea571148d5ce
    dstrsrv
    Untagged: dstrsrv:latest
    Total reclaimed space: 0B
    internal
    ovpn-data-server

Once the script has completed, you can verify that no RedHerd dockers are up:

$ sudo docker ps
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES

Quick-deploy

Select the external IP address to which all assets/clients will connect:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:01:84:00 brd ff:ff:ff:ff:ff:ff
inet 172.23.163.163/20 brd 172.23.175.255 scope global dynamic noprefixroute eth0
valid_lft 82990sec preferred_lft 82990sec
inet6 fe80::ab6c:c19c:6d33:aff1/64 scope link noprefixroute
valid_lft forever preferred_lft forever

Deploy the framework for the desired number of assets/clients (e.g. -a 10):

$ cd redherd-framework
$ sudo ./deploy.sh -s 172.23.163.163 -a 10

    [*] DETECTED PARAMETERS:
    [!] INIT DB: FALSE
    [!] GENERATE CA: FALSE
    [!] GENERATE CERTS: FALSE
    [!] GENERATE KEYS: FALSE
    [!] GENERATE USERS: FALSE
    [!] PUBLIC HOSTNAME: 172.23.163.163
    [!] ASSETS COUNT: 10
    [!] VPN NET CIDR: 10.11.0.0/16
    [!] DOCKER OVPNSRV NAME: ovpnsrv
    [!] DOCKER OVPNSRV ADDRESS: 10.10.0.2
    [!] DOCKER HERDSRV NAME: herdsrv
    [!] DOCKER HERDSRV ADDRESS: 10.10.0.3
    [!] DOCKER HERDVIEW NAME: herdview
    [!] DOCKER HERDVIEW ADDRESS: 10.10.0.5
    [!] DOCKER FTPSRV NAME: ftpsrv
    [!] DOCKER FTPSRV ADDRESS: 10.10.0.4
    [!] DOCKER DSTRSRV NAME: dstrsrv
    Continue? [y/N]: y

Database re-initialization

Deploy the framework and re-initialize the local database:

$ cd redherd-framework
$ sudo ./deploy.sh -s 172.23.163.163 -a 10 -db

    [*] DETECTED PARAMETERS:
    [!] INIT DB: TRUE
    [!] GENERATE CA: FALSE
    [!] GENERATE CERTS: FALSE
    [!] GENERATE KEYS: FALSE
    [!] GENERATE USERS: FALSE
    [!] PUBLIC HOSTNAME: 172.23.163.163
    [!] ASSETS COUNT: 10
    [!] VPN NET CIDR: 10.11.0.0/16
    [!] DOCKER OVPNSRV NAME: ovpnsrv
    [!] DOCKER OVPNSRV ADDRESS: 10.10.0.2
    [!] DOCKER HERDSRV NAME: herdsrv
    [!] DOCKER HERDSRV ADDRESS: 10.10.0.3
    [!] DOCKER HERDVIEW NAME: herdview
    [!] DOCKER HERDVIEW ADDRESS: 10.10.0.5
    [!] DOCKER FTPSRV NAME: ftpsrv
    [!] DOCKER FTPSRV ADDRESS: 10.10.0.4
    [!] DOCKER DSTRSRV NAME: dstrsrv
    Continue? [y/N]: y

Certification Authority regeneration

Deploy the framework and regenerate the Certification Authority:

$ cd redherd-framework
$ sudo ./deploy.sh -s 172.23.163.163 -a 10 -ca

    [*] DETECTED PARAMETERS:
    [!] INIT DB: FALSE
    [!] GENERATE CA: TRUE
    [!] GENERATE CERTS: TRUE
    [!] GENERATE KEYS: FALSE
    [!] GENERATE USERS: FALSE
    [!] PUBLIC HOSTNAME: 172.23.163.163
    [!] ASSETS COUNT: 10
    [!] VPN NET CIDR: 10.11.0.0/16
    [!] DOCKER OVPNSRV NAME: ovpnsrv
    [!] DOCKER OVPNSRV ADDRESS: 10.10.0.2
    [!] DOCKER HERDSRV NAME: herdsrv
    [!] DOCKER HERDSRV ADDRESS: 10.10.0.3
    [!] DOCKER HERDVIEW NAME: herdview
    [!] DOCKER HERDVIEW ADDRESS: 10.10.0.5
    [!] DOCKER FTPSRV NAME: ftpsrv
    [!] DOCKER FTPSRV ADDRESS: 10.10.0.4
    [!] DOCKER DSTRSRV NAME: dstrsrv
    Continue? [y/N]: y

Distribution-Server credentials regeneration

Deploy the framework and regenerate all credentials relative to Distribution-Server:

$ cd redherd-framework
$ sudo ./deploy.sh -s 172.23.163.163 -a 10 -u

    [*] DETECTED PARAMETERS:
    [!] INIT DB: FALSE
    [!] GENERATE CA: FALSE
    [!] GENERATE CERTS: FALSE
    [!] GENERATE KEYS: FALSE
    [!] GENERATE USERS: TRUE
    [!] PUBLIC HOSTNAME: 172.23.163.163
    [!] ASSETS COUNT: 10
    [!] VPN NET CIDR: 10.11.0.0/16
    [!] DOCKER OVPNSRV NAME: ovpnsrv
    [!] DOCKER OVPNSRV ADDRESS: 10.10.0.2
    [!] DOCKER HERDSRV NAME: herdsrv
    [!] DOCKER HERDSRV ADDRESS: 10.10.0.3
    [!] DOCKER HERDVIEW NAME: herdview
    [!] DOCKER HERDVIEW ADDRESS: 10.10.0.5
    [!] DOCKER FTPSRV NAME: ftpsrv
    [!] DOCKER FTPSRV ADDRESS: 10.10.0.4
    [!] DOCKER DSTRSRV NAME: dstrsrv
    Continue? [y/N]: y

Client Management :: Intro

As with assets, the client join procedure is designed for high flexibility and minimal interaction. Again, a one-line script interacts with Distribution-Server, downloads the user-related OpenVPN configuration file and initiates the encrypted VPN channel.

Docker

The dockerized client is the simplest case. The one-liner produced locally by Herd-CLI starts an Ubuntu container that joins the infrastructure and lets the host machine act as a client:

$ herd-cli endpoint -s 172.23.16.16 -o docker -m client -i 1

    sudo docker run -d --rm --cap-add=NET_ADMIN --device /dev/net/tun -e DSTRSRV_PUBLIC_ADDRESS="172.23.16.16" -e USERNAME="HyXqpOOx41" -e PASSWORD="l9tcuv6GKUDBYtcyt2fyEcktDE578cs1" --network host -v $(pwd)/redherd-certificates:/usr/local/share/ca-certificates --name redherd-client redherd/client

Debian

Run the Herd-CLI one-liner on the Debian host:

$ herd-cli endpoint -s 172.23.16.16 -o debian -m client -i 1

    sudo bash -c "apt update && apt install openvpn -y && curl -k -u HyXqpOOx41:l9tcuv6GKUDBYtcyt2fyEcktDE578cs1 https://172.23.16.16:8443/f6865d8c51bb7a1ba155bdfbeb3f686e/config.ovpn > ./redherd.ovpn && /usr/sbin/openvpn ./redherd.ovpn"

Windows

Download and install the OpenVPN-Client, then use the PowerShell one-liner to download the OpenVPN configuration.

$ herd-cli endpoint -s 172.23.16.16 -o windows -m client -i 1

    $block = {
    [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $webclient = New-Object System.Net.WebClient; $basic = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("HyXqpOOx41" + ":" + "l9tcuv6GKUDBYtcyt2fyEcktDE578cs1")); $webclient.Headers["Authorization"] = "Basic " + $basic;
    $webclient.DownloadFile("https://172.23.16.16:8443/f6865d8c51bb7a1ba155bdfbeb3f686e/config.ovpn", "redherd.ovpn")
    }; powershell -ep bypass -nop -c $block
    [!] Manually run OpenVPN with downloaded redherd.ovpn config file

Android

Download and install the OpenVPN-Client, then download the OpenVPN configuration from the provided link

$ herd-cli endpoint -s 172.23.16.16 -o android -m client -i 1

    [!] Manually download the OpenVPN config file:
    [!] Url: https://172.23.16.16:8443/f6865d8c51bb7a1ba155bdfbeb3f686e/config.ovpn
    [!] Username: HyXqpOOx41
    [!] Password: l9tcuv6GKUDBYtcyt2fyEcktDE578cs1

MacOS

Download and install the OpenVPN-Client, then use the Zsh one-liner to download the OpenVPN configuration.

$ herd-cli endpoint -s 172.23.16.16 -o macos -m client -i 1

    curl -k -u HyXqpOOx41:l9tcuv6GKUDBYtcyt2fyEcktDE578cs1 https://172.23.16.16:8443/f6865d8c51bb7a1ba155bdfbeb3f686e/config.ovpn > ./redherd.ovpn
    [!] Manually run OpenVPN with the downloaded redherd.ovpn config file

Herd-View Access

After successfully joining the framework VPN, connect to Herd-View with a browser at https://10.10.0.5, then download the RedHerd Certification Authority certificate by clicking the upper-left button and install it in your system. Alternatively, the certificate can be obtained directly from https://10.10.0.3:3000/ca.crt.

Once the certificate has been trusted, fill in the login page with your user credentials.

Asset Management :: Intro

One of the aspects which is particularly relevant is the asset setup and join procedure. The implementation of this feature has been ruled by two design drivers: high flexibility and low user interaction. The former characteristic is needed in order to grant a remarkable level of compatibility with different operating systems, while the latter is fundamental to minimize failures and reduce the skills required to add a new asset to RedHerd. The result is a manually triggered yet fully automated procedure that involves only the execution of a one-line script which is different for each compatible platform: Bash for Android and Linux, PowerShell for Windows and Zsh for MacOS.

This one-liner interacts with Distribution-Server and acts as a dropper, downloading the full setup script and the related OpenVPN configuration file. The second stage fully configures the device to meet the framework requirements, i.e. dependency management, certificate trusting, firewall and SSH daemon set-up. Then the VPN connection is initiated and the API is used to interact with Herd-Server and insert the new asset into the framework database. At this point the asset is effectively part of the framework and fully accessible to the operators. Note that the generated one-liners fetch this material with TLS certificate verification disabled (curl -k, or a PowerShell ServerCertificateValidationCallback that always returns true), since the RedHerd CA is not yet trusted on a device joining for the first time; until the VPN is up, the per-endpoint Basic-Auth credentials and path token embedded in the one-liner are the only protection against a spoofed Distribution-Server, so treat the Herd-CLI output as a secret and deliver it to the device over a trusted channel.
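For deployments where the trust-on-first-use bootstrap above is not acceptable, the download step can be hardened without changing anything on the RedHerd side. The Python script below is an added example, not RedHerd code, and it also covers the CA-installation step under Herd-View Access: it (1) fingerprints the RedHerd CA file so it can be compared with a value announced by whoever ran deploy.sh, (2) pins that CA for the HTTPS connection to the Distribution-Server instead of disabling verification, (3) sends the same Basic-Auth header the one-liners embed, and (4) refuses to hand back the setup script or OpenVPN profile unless its SHA-256 matches a digest published out of band. It assumes the CA file has been obtained out of band (the https://10.10.0.3:3000/ca.crt endpoint is only reachable inside the VPN), that the deployer publishes a digest, and that the Distribution-Server certificate names the address being connected to; URLs, credentials, paths and digests in the code are placeholders.

```python
"""Verified bootstrap fetch for a RedHerd endpoint (added example, not RedHerd code).

The herd-cli one-liners download the setup script / OpenVPN profile with TLS
verification turned off (curl -k, a PowerShell callback returning $true) and run
the result. This module shows the hardened shape of that step: CA pinning,
the same Basic-Auth credentials, and an out-of-band SHA-256 check before use.
Hostnames, credentials, CA paths and digests here are placeholders.
"""
import base64
import hashlib
import hmac
import ssl
import urllib.request
from typing import Callable, Optional

Getter = Callable[[str, str], bytes]   # (url, Authorization header value) -> response body


def basic_auth_header(username: str, password: str) -> str:
    """The Authorization value curl -u user:pass sends to the Distribution-Server."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return f"Basic {token}"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the payload digest with the published one."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER form of a PEM certificate (lowercase hex, no colons).
    Compare it with the fingerprint the deployer announced before trusting the
    RedHerd CA, whether it came from /ca.crt or from the Herd-View download button."""
    return sha256_hex(ssl.PEM_cert_to_DER_cert(pem))


def pinned_context(cafile: str) -> ssl.SSLContext:
    """TLS context that trusts only the RedHerd CA, not the system store.
    create_default_context(cafile=...) loads that file alone and keeps
    hostname/IP checking on, so the server certificate must name the address used."""
    return ssl.create_default_context(cafile=cafile)


def https_get(url: str, auth_header: str, ctx: ssl.SSLContext, timeout: float = 30.0) -> bytes:
    req = urllib.request.Request(url, headers={"Authorization": auth_header})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


def pinned_getter(cafile: str) -> Getter:
    ctx = pinned_context(cafile)
    return lambda url, auth: https_get(url, auth, ctx)


def fetch_verified(url: str, username: str, password: str, expected_sha256: str,
                   cafile: Optional[str] = None, getter: Optional[Getter] = None) -> bytes:
    """Download `url` with Basic auth and return the body only if its SHA-256
    matches `expected_sha256`. A `getter` can be injected (offline tests); by
    default a CA-pinned HTTPS getter is built from `cafile`."""
    if getter is None:
        if cafile is None:
            raise ValueError("cafile is required when no getter is injected")
        getter = pinned_getter(cafile)
    body = getter(url, basic_auth_header(username, password))
    if not digest_matches(body, expected_sha256):
        raise ValueError(f"SHA-256 mismatch for {url}; refusing to use the download")
    return body


if __name__ == "__main__":
    # Placeholders: take the real values from the herd-cli output and from the deployer.
    with open("/path/to/redherd-ca.crt") as fh:
        print("CA fingerprint (verify out of band):", cert_fingerprint(fh.read()))
    script = fetch_verified(
        "https://172.23.16.16:8443/<endpoint-token>/debian_asset_setup.sh",
        "<username>", "<password>",
        expected_sha256="<sha256 published by the deployer>",
        cafile="/path/to/redherd-ca.crt",
    )
    with open("/tmp/script.sh", "wb") as out:   # then chmod 700 and run `install`, as the one-liner does
        out.write(script)
```

The digest check is what turns the Distribution-Server from a trusted code source into a mere transport: even with the CA pinned, a compromised Nginx container could still serve a modified setup script, and only a digest agreed with the deployer over another channel catches that.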

Docker

Add

$ herd-cli endpoint -s 172.23.16.16 -o docker -m install -i 2

    sudo docker run -d --rm --cap-add=NET_ADMIN --device /dev/net/tun -e DSTRSRV_PUBLIC_ADDRESS="172.23.16.16" -e USERNAME="78l8zUBjpm" -e PASSWORD="2GHDUWvZxtbn18LeiVoEv4UmhGv0rUrY" --privileged=true --network host --name redherd-asset redherd/asset

Remove

$ herd-cli endpoint -s 172.23.16.16 -o docker -m remove -i 2

    sudo docker stop redherd-asset

Debian

Add

$ herd-cli endpoint -s 172.23.16.16 -o debian -m install -i 2

    sudo bash -c "curl -k -u 78l8zUBjpm:2GHDUWvZxtbn18LeiVoEv4UmhGv0rUrY https://172.23.16.16:8443/50f3331a80894d85bcda8c4b404a919c/debian_asset_setup.sh > /tmp/script.sh && chmod +x /tmp/script.sh && /tmp/script.sh install && rm -rf /tmp/script.sh"

Remove

$ herd-cli endpoint -s 172.23.16.16 -o debian -m remove -i 2

    sudo bash -c "curl -k -u 78l8zUBjpm:2GHDUWvZxtbn18LeiVoEv4UmhGv0rUrY https://172.23.16.16:8443/50f3331a80894d85bcda8c4b404a919c/debian_asset_setup.sh > /tmp/script.sh && chmod +x /tmp/script.sh && /tmp/script.sh remove && rm -rf /tmp/script.sh"

CentOS

Add

$ herd-cli endpoint -s 172.23.16.16 -o centos -m install -i 2

    sudo bash -c "curl -k -u 78l8zUBjpm:2GHDUWvZxtbn18LeiVoEv4UmhGv0rUrY https://172.23.16.16:8443/50f3331a80894d85bcda8c4b404a919c/debian_asset_setup.sh > /tmp/script.sh && chmod +x /tmp/script.sh && /tmp/script.sh install && rm -rf /tmp/script.sh"

Remove

$ herd-cli endpoint -s 172.23.16.16 -o centos -m remove -i 2

    sudo bash -c "curl -k -u 78l8zUBjpm:2GHDUWvZxtbn18LeiVoEv4UmhGv0rUrY https://172.23.16.16:8443/50f3331a80894d85bcda8c4b404a919c/debian_asset_setup.sh > /tmp/script.sh && chmod +x /tmp/script.sh && /tmp/script.sh remove && rm -rf /tmp/script.sh"

Windows

Add

$ herd-cli endpoint -s 172.23.16.16 -o windows -m install -i 2

    $block = {
    [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $webclient = New-Object System.Net.WebClient; $basic = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("78l8zUBjpm" + ":" + "2GHDUWvZxtbn18LeiVoEv4UmhGv0rUrY")); $webclient.Headers["Authorization"] = "Basic " + $basic;
    $webclient.DownloadFile("https://172.23.16.16:8443/50f3331a80894d85bcda8c4b404a919c/windows_asset_setup.psm1", "script.psm1")
    Import-Module .\script.psm1; Add-Asset; Remove-Item .\script.psm1;
    }; powershell -ep bypass -nop -c $block

Remove

$ herd-cli endpoint -s 172.23.16.16 -o windows -m remove -i 2

    $block = {
    [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $webclient = New-Object System.Net.WebClient; $basic = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("78l8zUBjpm" + ":" + "2GHDUWvZxtbn18LeiVoEv4UmhGv0rUrY")); $webclient.Headers["Authorization"] = "Basic " + $basic;
    $webclient.DownloadFile("https://172.23.16.16:8443/50f3331a80894d85bcda8c4b404a919c/windows_asset_setup.psm1", "script.psm1")
    Import-Module .\script.psm1; Remove-Asset; Remove-Item .\script.psm1;
    }; powershell -ep bypass -nop -c $block

Asset Ban

During the RedHerd Framework lifecycle, some assets may have to be excluded from the operative network, for instance because a device has been captured or simply for administrative reasons. Two actions cover this scenario: Full Asset Ban and Single Asset Ban.

Full Asset Ban

In this situation the quickest method is to regenerate the RedHerd Certification Authority (deploy.sh -ca, which also regenerates the server certificates): every existing VPN certificate stops chaining to a trusted CA, so all assets are cut off at once and have to re-join with newly distributed configurations.

Single Asset Ban

In this case Herd-CLI offers an administrative command that revokes the VPN certificate assigned to a specific asset. This command belongs to the asset realm and requires the asset name:

$ sudo herd-cli asset -b vVDNDUUGjb
[-] Attempting to revoke client certificate
[!] Certificate successfully revoked

R K
