Redherd Framework : A Collaborative And Serverless Framework For Orchestrating A Geographically Distributed Group Of Assets
RedHerd Framework is a collaborative and serverless framework for orchestrating a geographically distributed group of assets capable of conducting and simulating complex offensive cyberspace operations.
The framework takes advantage of the “as a Service” paradigm to deploy a ready-to-use infrastructure that can also be adopted for training purposes, reliably reproducing a real-world cyberspace scenario in which red and blue teams can challenge each other. RedHerd fits the Open Systems Architecture design pattern, thanks to the adoption of both open standards and widespread open source software components.
Terminology
asset: The multi-platform devices (Windows, Debian-like, RHEL-like, MacOS and Android) that can be orchestrated.
client: The device used by an operator to interact with RedHerd components.
module: The code implementation of a task that can be executed by an asset.
process: The dynamic (running) instance of a module.
task: The abstract representation of an operator intent.
topic: A group of modules that share a common intent (e.g. port scanning, Wi-Fi, …).
Architecture
RedHerd uses a set of specialized Docker containers to integrate several community-acclaimed open-source products with a custom application layer implemented for interoperability. These containers compartmentalise features and allow horizontal scaling when needed. The architecture offers a high level of automation, requiring minimal user interaction during the asset setup process, and is bounded by a Virtual Private Network (VPN) that provides Operations Security (OPSEC) by design.
The main elements of the RedHerd framework are listed hereafter:
Assets: multi-platform devices (Windows, Debian-like, RHEL-like, MacOS and Android) that can be orchestrated to perform cyber operations;
Herd-Server: the Node.js core of the framework which is responsible for interacting with the assets. It receives and multiplexes all the inputs from the operators thanks to an extended set of Application Programming Interfaces (API) and dispatches the output received from the assets via a Socket.IO channel;
File-Server: an FTPS-based server, which allows secure file transfer among operators and assets;
OVPN-Server: the OpenVPN gateway for all entities interacting with the framework;
Distribution-Server: the only component publicly accessible outside the VPN edge, which represents an Nginx web server that distributes, after authentication, all the configuration files needed by an entity attempting to join the framework;
Herd-View: a Progressive Web Application (PWA) written in Angular that provides a user-friendly interface to monitor and task all the assets in real-time;
Client: the device used by an operator to interact with the framework components.
Last but not least, Herd-CLI represents the administrative application for managing the entire framework.
Features
RedHerd has several features that give it strong orchestration capabilities:
Intuitive Interface: it provides, through Herd-View, an intuitive web application to easily interact with the assets;
Multi-Platform: it is able to orchestrate a wide range of devices, offering joining and tasking procedures for different operating systems (Windows, Debian-like, RHEL-like, MacOS and Android);
Multi-User: it supports multi-user collaboration. Teamwork has become crucial for effective operations; once joined to RedHerd, many users can task the same asset or operate independently;
Agentless: it removes the need for a local agent waiting on the asset for a task. During task warm-up, Herd-Server receives a job for an asset and opens an SSH connection to it; it then specializes and executes the set of commands needed to reach the expected result, keeping the computational effort asset-side lightweight;
Easily Deployable: it is cross platform and can be deployed both on premise and in a Cloud-based environment. To support this, a bash script automates the framework deployment process on a Debian-based distro. Given the design choice of Docker-based containerization, an equivalent script could easily be developed to host RedHerd on a different operating system;
Easily Expandable: it provides developer-ready JavaScript specifications, offering an easy way to extend the product by writing custom modules for any number of tasks;
Module Hot-Update: modules can be added, removed and updated on the fly; no framework reboot or redeployment is needed;
API Driven: it is driven by an extensive set of REST APIs, which enable third-party applications to easily interact with and make use of the framework features.
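The Terminology and Features sections describe how an operator intent (a task) is matched to a module inside a topic, specialized into the commands Herd-Server runs over SSH on a specific platform, and how modules can be hot-updated. The following Node.js snippet is an added illustration of that flow and is not RedHerd's module API: the registry, the `registerModule`/`specialize` names and the `tcp-connect` module are hypothetical. It also makes explicit the check an agentless design needs and the page does not spell out: operator-supplied arguments end up inside a remote shell command, so they have to be quoted for the target shell and validated before they are rendered.

```javascript
"use strict";

// Quote a value for POSIX sh: wrap in single quotes and escape embedded
// single quotes, so operator input cannot end the command or start another.
function shQuote(value) {
  return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

// Quote a value for PowerShell: inside single quotes only '' is special.
function psQuote(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Reject anything that is not a valid TCP/UDP port before it reaches a shell.
function checkPort(value) {
  const port = Number(value);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`invalid port: ${value}`);
  }
  return port;
}

// topic -> Map(module name -> module definition). Hypothetical structure.
const registry = new Map();

// Registering a module whose name already exists replaces it: this is the
// "hot-update" the Features list describes, with no restart involved.
function registerModule(mod) {
  if (!registry.has(mod.topic)) registry.set(mod.topic, new Map());
  registry.get(mod.topic).set(mod.name, mod);
}

function removeModule(topic, name) {
  const modules = registry.get(topic);
  return modules ? modules.delete(name) : false;
}

function listModules(topic) {
  const modules = registry.get(topic);
  return modules ? [...modules.keys()].sort() : [];
}

// A task is an operator intent (topic, module, args); specializing it for an
// asset yields the concrete command that would be executed over SSH.
function specialize(task, asset) {
  const mod = (registry.get(task.topic) || new Map()).get(task.module);
  if (!mod) throw new Error(`unknown module ${task.topic}/${task.module}`);
  const render = mod.platforms[asset.platform];
  if (!render) throw new Error(`${task.module} does not support ${asset.platform}`);
  return { asset: asset.name, platform: asset.platform, command: render(task.args) };
}

// Hypothetical module: a single TCP connect check, rendered per platform.
registerModule({
  topic: "port-scanning",
  name: "tcp-connect",
  platforms: {
    linux: (a) => `nc -zv ${shQuote(a.target)} ${checkPort(a.port)}`,
    macos: (a) => `nc -zv ${shQuote(a.target)} ${checkPort(a.port)}`,
    windows: (a) =>
      `Test-NetConnection -ComputerName ${psQuote(a.target)} -Port ${checkPort(a.port)}`,
  },
});

// Demo on constructed input: a hostile target string stays a single argument.
const hostile = { topic: "port-scanning", module: "tcp-connect",
  args: { target: "10.10.0.9; rm -rf /", port: 22 } };
console.log(specialize(hostile, { name: "kali-01", platform: "linux" }).command);
console.log(specialize(hostile, { name: "win-01", platform: "windows" }).command);

// Hot-update: add a module to a new topic and remove it again, no restart.
registerModule({ topic: "wifi", name: "scan", platforms: { linux: () => "iw dev wlan0 scan" } });
console.log(listModules("wifi"));
removeModule("wifi", "scan");
console.log(listModules("wifi"));
```

Run with `node` and the hostile target is emitted as `nc -zv '10.10.0.9; rm -rf /' 22`, i.e. one quoted argument rather than two commands; the same task rendered for a Windows asset uses PowerShell quoting instead, which is why the module, not the caller, owns the rendering per platform.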
Setup :: Intro
The entire solution is cross platform and can be deployed both on premise and in a Cloud-based environment. The released implementation focuses on a Debian host machine tested both locally and remotely.
System requirements
Following are some recommended and tested specifications for the host machine:
Ubuntu >= 18.04
8+ GB RAM
50+ GB HDD
2+ CPUs
Obtain
The first step is to obtain the latest release of the framework by cloning it from the official GitHub repository:
The second step is to deploy RedHerd on the host machine by running the purpose-built deploy.sh bash script, which implements a manually triggered but fully automated procedure on a Debian-based device.
Select the public interface
Select the external IP address to which all assets/clients will connect:
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:01:84:00 brd ff:ff:ff:ff:ff:ff
    inet 172.23.163.163/20 brd 172.23.175.255 scope global dynamic noprefixroute eth0
       valid_lft 82990sec preferred_lft 82990sec
    inet6 fe80::ab6c:c19c:6d33:aff1/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
Install Docker
Before going further, Docker must be installed in order to deploy and launch the RedHerd framework (the helper script lives under utils/ in the cloned repository):
$ cd redherd-framework
$ sudo ./utils/install_docker.sh
Launch the deploy script
Using the command line below, the deploy script initializes the database (-db), generates the Certification Authority (CA) (-ca), the SSH keys (-k), the Distribution-Server credentials (-u) and the OpenVPN configurations for 10 (-a 10) endpoints (assets/clients); -s takes the public IP address selected above. Up to 256 endpoints can join the framework.
$ cd redherd-framework
$ sudo ./deploy.sh -s 172.23.163.163 -db -ca -k -u -a 10
Once the deploy procedure has completed, check that all containers are up and running:
$ sudo docker ps
CONTAINER ID   IMAGE             COMMAND                  CREATED              STATUS              PORTS                                             NAMES
07839fcaec7e   dstrsrv:latest    "/docker-entrypoint.…"   About a minute ago   Up About a minute   80/tcp, 0.0.0.0:8443->443/tcp, :::8443->443/tcp   dstrsrv
48beb5cb7eb8   herdview:latest   "/docker-entrypoint.…"   About a minute ago   Up About a minute   80/tcp                                            herdview
f3fec616f317   ftpsrv:latest     "/bin/sh -c '/run.sh…"   4 minutes ago        Up 4 minutes        21/tcp, 30000-30009/tcp                           ftpsrv
e12362fa5dca   herdsrv:latest    "docker-entrypoint.s…"   4 minutes ago        Up 4 minutes        3000-3001/tcp                                     herdsrv
4b5fe465f217   ovpnsrv:latest    "ovpn_run"               7 minutes ago        Up 7 minutes        0.0.0.0:1194->1194/udp, :::1194->1194/udp         ovpnsrv
Initialize
Finally, the first user, aka the System User, has to be created in order to initialize the framework:
$ sudo herd-cli user -a firstuser
New User Password:
[-] Attempting to create the new user
[!] Operation successfully completed
Framework Management :: Intro
This section provides a deeper insight on how to fully manage the framework deployment process and all its features.
Destroy
The deploy script can also be used to take the framework down:
As for assets, the client join procedure is designed for high flexibility and minimal interaction. Again, a one-line script interacts with Distribution-Server, downloads the user-related OpenVPN configuration file and initiates the encrypted VPN channel.
Docker
The dockerized client is the simplest case. The one-liner provided locally by Herd-CLI creates an Ubuntu container that joins the infrastructure and allows the host machine to act as a client:
After successfully joining the framework VPN, connect to Herd-View by visiting https://10.10.0.5 in a browser, then download the RedHerd Certification Authority certificate by clicking the upper-left button and install it in your system trust store. Alternatively, the certificate can be obtained directly from https://10.10.0.3:3000/ca.crt.
Once the certificate has been trusted, fill in the login page with your user credentials.
Asset Management :: Intro
One particularly relevant aspect is the asset setup and join procedure. Its implementation is driven by two design goals: high flexibility and low user interaction. The former provides a high level of compatibility with different operating systems, while the latter minimizes failures and reduces the skills required to add a new asset to RedHerd. The result is a manually triggered yet fully automated procedure consisting of a single one-line script, different for each supported platform: Bash for Android and Linux, PowerShell for Windows and Zsh for MacOS.
This one-liner interacts with Distribution-Server and acts as a dropper, downloading the full setup script and the related OpenVPN configuration file. The second stage fully configures the device to meet the framework requirements: dependency management, certificate trust, firewall and SSH daemon set-up. The VPN connection is then initiated and the API is used to interact with Herd-Server and insert the new asset into the framework database. At this point the asset is part of the framework and fully accessible to the operators.
During the RedHerd Framework lifecycle, some assets may have to be excluded from the operational network because they have been captured (kidnapped) or simply for administrative reasons. Two actions cover this scenario: Full Asset Ban and Single Asset Ban.
Full Asset Ban
In this situation the quickest method is to regenerate the RedHerd Certification Authority; this cuts off all assets simultaneously, so every legitimate asset and client then has to re-join with configuration files issued under the new CA.
Single Asset Ban
In this case Herd-CLI offers an administrative command that revokes the VPN certificate assigned to a specific asset. This command belongs to the asset realm and requires the asset name.