Passive internal reconnaissance tool

Primary language: Python. License: Apache-2.0.

prebellico

100% Passive Network Reconnaissance Tool

Challenge your assumptions

When attacking, auditing, or defending modern internal networks, intelligence is everything. Understanding the environment to the best possible degree can be the difference between successfully penetrating, or defending, the target environment.

Over the years, internal audit and testing engagements have been operating on various assumptions within switched networks, often driving engagement execution methods.

But what if these assumptions were wrong?

What if programs and network gear didn't always do what they're supposed to do?

What if we could utilize the idle time (the off-hour pauses, and the days, sometimes weeks, that exist between deployment and engagement execution) to understand the network and reclaim wasted time?

As attackers, what if we could leverage the realities of modern networks and the things customers do to ‘prepare’ for an engagement (backups, security scans, etc.) through 100% passive methods?

What if you could gain a foothold into an organization prior to engagement by simply listening?

Obtaining information about the network in a stealthy manner can be difficult within a mature environment. Even during overt engagements, obtaining the information you need within a limited time window can be difficult. There are engagement delays, there are poor descriptions, there are poor assumptions, there are simulated or test environments.

These things can easily lead to unrealistic scope reductions and assumptions (intentional or unintentional) a real-world attacker would not be subject to. What you believe, what you expect, invariably affect what you do and where you look.

Who this is for

Prebellico is great for red teams, blue teams, penetration testers, auditors, defenders and hunters alike; anyone who wants to know more about the network they're in. It is a 100% passive network reconnaissance tool designed to challenge assumptions made about the target environment that may have arisen around the intent of the engagement.

Prebellico fingerprints the environment without touching it: it gathers information about the target environment prior to, and during, an engagement without transmitting anything, including what is called reverse port scanning.

Operation

Active

Deployment and execution are simple. Launch Prebellico as the root user, select the listening interface, and the information it gathers will be:

  • dumped to the screen
  • logged to a file
  • recorded to a database file (SQLite)

Prebellico has built-in query options to explore the acquired db information, and the log file matches the screen output verbatim.

By design Prebellico operates in a 100% passive state, ignores traffic generated by the localhost, and uses very few resources. Consequently, there is no need to be concerned about it impacting an environment or overusing resources, regardless of the engagement timeline or objective.

Pre-engagement / post-mortem

Want to further understand an environment you don’t yet have access to?

Want to know how to better scope your engagement prior to execution?

Want to understand the environment you're tending?

Prebellico has the ability to process PCAP files (with a maximum SNAPLEN of 262144 bytes) prior to, during, or after an engagement.

This can be used for processing historical data obtained elsewhere or for scope validation purposes prior to engagement kickoff. You can also merge this data during the engagement by copying the database over and specifying the database and log file at launch time, if so desired.
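The following is an added illustration, not Prebellico's own code, of the passive pipeline described above: walk a PCAP, apply the same packet-level exclusions as the default filter shown under Usage ("not host 0.0.0.0 and not host <interface_IP>", unless subsumed), record the hosts seen into SQLite, and collapse them into /24 networks. The interface address and the sample frames are constructed for the example.

```python
import ipaddress
import sqlite3
import struct

# Constructed sample capture: classic pcap global header (linktype 1 = Ethernet,
# snaplen 262144 as Prebellico expects) followed by empty-payload IPv4 frames.
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
IFACE_IP = "10.0.0.50"  # assumed address of the listening interface


def ipv4_frame(src, dst):
    """Build one Ethernet/IPv4 record (no payload) with its 16-byte pcap record header."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    frame = eth + ip
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


SAMPLE_PCAP = PCAP_HDR + b"".join(ipv4_frame(s, d) for s, d in [
    ("10.0.0.5", "10.0.0.9"),        # two internal hosts talking to each other
    ("10.0.0.50", "10.0.0.9"),       # our own interface: dropped unless --subsume
    ("0.0.0.0", "255.255.255.255"),  # unconfigured sender: dropped by "not host 0.0.0.0"
    ("172.16.4.20", "10.0.0.5"),     # a host from a second network
])


def passive_hosts(pcap, iface_ip, subsume=False):
    """Return the IPv4 addresses seen in the capture. Like a BPF 'not host X' clause,
    a frame is skipped entirely when either its source or destination is excluded."""
    excluded = {"0.0.0.0"} if subsume else {"0.0.0.0", iface_ip}
    hosts, off = set(), 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # only IPv4 handled here; ARP would need its own parser
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        if src in excluded or dst in excluded:
            continue
        hosts.update((src, dst))
    return hosts


def record_hosts(conn, hosts):
    """Persist hosts to the SQLite db; repeated runs merge rather than duplicate."""
    conn.execute("CREATE TABLE IF NOT EXISTS hosts (ip TEXT PRIMARY KEY)")
    conn.executemany("INSERT OR IGNORE INTO hosts VALUES (?)", [(h,) for h in sorted(hosts)])
    return conn.execute("SELECT COUNT(*) FROM hosts").fetchone()[0]


def list_networks(conn):
    """Mirror --listnetworks: collapse known hosts into /24 networks."""
    rows = conn.execute("SELECT ip FROM hosts").fetchall()
    return sorted({str(ipaddress.ip_network(f"{ip}/24", strict=False)) for (ip,) in rows})
```

Running `record_hosts(sqlite3.connect(":memory:"), passive_hosts(SAMPLE_PCAP, IFACE_IP))` records three hosts; passing `subsume=True` adds the interface's own address, which is exactly the "tainting" the default exclusion is meant to avoid.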

Usage

./prebellico.py --help
usage: prebellico.py [-h] [-i INF | -r READ] [-l LOG] [-d DB] [-e EXTRA]
                     [-w WAIT] [-s] [-q]
                     [--report | --credentials | --listhosts | --listnetworks | --ip IP]

optional arguments:
  -h, --help            show this help message and exit
  -i INF, --inf INF     Specify the interface you want Prebellico to listen
                        on. By default Prebellico will hunt for interfaces and
                        ask the user to specify an interface if one is not
                        provided here.
  -r READ, --read READ  Specify a PCAP file to read from instead of a network
                        interface. By default Prebellico assumes that traffic
                        is to be read from a network interface.
  -l LOG, --log LOG     Specify an output file. By default Prebellico will log
                        to "prebellico.log" if a logfile is not specified.
  -d DB, --db DB        Specify an SQLite db file you want to write to. By
                        default this will create, if need be, and write to
                        "prebellico.db" if not specified by the user, as long
                        as the file is an actual Prebellico DB that the user
                        can read from.
  -e EXTRA, --extra EXTRA
                        Specify extra filtering using PCAP based syntax. By
                        default, "ip or arp or aarp and not host 0.0.0.0 and
                        not host <interface_IP>" is used as a filter.
  -w WAIT, --wait WAIT  *Pending implementation. Specify a period of time in
                        hours to wait for new intelligence before shifting to
                        a new form of intelligence gathering.
  -s, --subsume         Include traffic from the target interface from
                        Prebellico output. By default this traffic is excluded
                        to ensure data generated by the interface while
                        interacting with the environment does not taint the
                        "fingerprint" of the target environment.
  -q, --quiet           Remove the Prebellico banner at the start of the
                        script.

Options to query intel obtained by Prebellico. You may only specify one query at a time, along with an optional db with '-d' or '-db':
  --report              Provide a high level SITREP on all observed network
                        activity.
  --credentials         *Pending implementation. Provide a brief summary about
                        credentials obtained by Prebellico.
  --listhosts           Provide a list of known internal hosts.
  --listnetworks        Provide a list of known networks, assuming a /24
                        netmask.
  --ip IP               Provide specific details about what Prebellico already
                        knows about a host.

TL;DR

IT truths:

  • There are always bugs
  • Things don't always work as they should
  • Designs aren't always executed to perfection

The fact is, sometimes packets get to places they shouldn't.

With prebellico you'll be prepared to catch them.

Roadmap

  • semi-passive mode: further enumeration leveraging acquired intel
  • remote probe: no local DB, exfil to remote master
  • improved hash recognition and recording
  • db merging / importing
  • network graph

Prebellico - Because there is no patch for 100% passive reconnaissance.