Marsform is a RedTeam infrastructure deployment tool based on Terraform. The goal is to deploy a secure infrastructure as fast as possible.

A simplified tutorial is available in `infra-examples`.

Digital Ocean and Azure (mostly) are used in this setup, but any provider could be used.
- The only exposed ssh port is the jumpbox; every other machine uses an "ssh jump" through this jumpbox.
- The firewalls are managed with ferm.
- Teamservers are accessible through ssh port forward.
- The `global.tf` in the root folder contains all the global variables that might be needed in any module.
Add this to your `.bashrc`:

```bash
export DIGITALOCEAN_TOKEN="CHANGEME"
export ARM_SUBSCRIPTION_ID="CHANGEME"
export FASTLY_API_KEY="CHANGEME"
```

Install azure-cli. Make sure you run `az login` before deploying in Azure.
- Set the `jumpbox_ip` variable (a jumpbox where you can ssh with a private key).
- Set the `do_ssh_keys` variable (a comma separated list of ssh key fingerprints):

  ```bash
  curl -s -X GET -H "Content-Type: application/json" -H "Authorization: Bearer ${DIGITALOCEAN_TOKEN}" "https://api.digitalocean.com/v2/account/keys" | grep -o '"id":[0-9]*'
  ```
Initial jumpbox config: the generated `ssh_config` will use `jumpbox` as `ProxyJump`. Make sure you have a `jumpbox` entry in your `~/.ssh/config`:

```
Host jumpbox
    User root
    Hostname 159.263.323.317
```
Cobalt Strike archive IS NOT provided; if you plan to deploy a Cobalt Strike teamserver, download it with your license and copy it there: `./files/cobaltstrike-dist.tgz`
In the root directory of this project, adjust the content of `infra.tf` to reflect the infrastructure you wish to deploy. You will then be able to `init` then `apply`:

```bash
terraform init
terraform apply
```
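As an added example (this is not Marsform's own code and not its `infra.tf`), here is a minimal DigitalOcean-only layout that enforces the rules listed at the top of this README: a teamserver that accepts SSH only from the jumpbox, C2 traffic only from the redirectors, and an `ssh_config` rendered at apply time that reaches the teamserver with `ProxyJump jumpbox` plus a `LocalForward` instead of an exposed port. `jumpbox_ip` and `do_ssh_keys` are the README's own variables; the `teamserver` resource name, region, image, size, the `redirector_ips` variable, the `50050` teamserver port and the rendered file path are assumptions made for the example.

```hcl
# Added example, not Marsform code. Assumed names: "teamserver", region/image/size,
# variable "redirector_ips", port 50050, and the rendered ssh_config path.
terraform {
  required_providers {
    digitalocean = { source = "digitalocean/digitalocean" }
    local        = { source = "hashicorp/local" }
  }
}

# Reads DIGITALOCEAN_TOKEN from the environment, as exported in .bashrc above.
provider "digitalocean" {}

variable "jumpbox_ip" {
  description = "Public IP of the permanent jumpbox (README variable)"
  type        = string
}

variable "do_ssh_keys" {
  description = "Comma separated DigitalOcean ssh key ids or fingerprints (README variable)"
  type        = string
}

variable "redirector_ips" {
  description = "Public IPs of the HTTPS redirectors allowed to talk to the C2 listener (assumed)"
  type        = list(string)
  default     = []
}

locals {
  # The README keeps do_ssh_keys as one comma separated string; the provider wants a list.
  ssh_keys = split(",", var.do_ssh_keys)
}

resource "digitalocean_droplet" "teamserver" {
  name     = "teamserver-1"
  region   = "ams3"
  size     = "s-1vcpu-1gb"
  image    = "ubuntu-22-04-x64"
  ssh_keys = local.ssh_keys
}

# Cloud firewall as a second layer next to the on-host ferm rules:
# DigitalOcean firewalls deny inbound by default, so only the listed rules pass.
resource "digitalocean_firewall" "teamserver" {
  name        = "teamserver-ssh-from-jumpbox-only"
  droplet_ids = [digitalocean_droplet.teamserver.id]

  # SSH only from the jumpbox; the attacker never reaches 22 here directly.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = ["${var.jumpbox_ip}/32"]
  }

  # C2 listener only from the redirectors; the rule is emitted only when some exist,
  # because an inbound rule with an empty source list is not meaningful.
  dynamic "inbound_rule" {
    for_each = length(var.redirector_ips) > 0 ? [1] : []
    content {
      protocol         = "tcp"
      port_range       = "443"
      source_addresses = [for ip in var.redirector_ips : "${ip}/32"]
    }
  }

  # Outbound left open so package installs and updates work.
  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
  outbound_rule {
    protocol              = "udp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}

# Rendered ssh_config: the host is reached through the jumpbox entry from ~/.ssh/config,
# and the teamserver port is brought to localhost so it is never exposed publicly.
resource "local_file" "ssh_config" {
  filename        = "${path.module}/ssh_config"
  file_permission = "0600"
  content         = <<-EOT
    Host teamserver-1
        HostName ${digitalocean_droplet.teamserver.ipv4_address}
        User root
        ProxyJump jumpbox
        LocalForward 50050 127.0.0.1:50050
  EOT
}

output "ssh_hint" {
  value = "ssh -F ${local_file.ssh_config.filename} teamserver-1"
}
```

Run it with `terraform init` and `terraform apply` exactly as above, then use the printed `ssh -F ./ssh_config teamserver-1` line: the connection goes through the `jumpbox` entry already in `~/.ssh/config`, and the teamserver client connects to `127.0.0.1:50050` locally. The ferm rules the README describes remain the first layer on each host; the cloud firewall in this example is a provider-side layer added on top, so a mistake in the on-host rules does not silently expose port 22.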
- Users will require port forward knowledge.
- Most stuff runs as root :(
- When deploying a FiercePhish server, you must copy/paste the value from the FiercePhish installation output (saved in `/tmp/fiercephish-install.out`), then re-run `terraform apply` (since the `mail._domainkey` key is generated during the installation).
Architecture diagram (ASCII art, summarized as the flows it showed; the left side is the Private network, the right side the Internet):

- Attacker --ssh--> Jumpbox (port 22 open, permanent infra)
- Jumpbox --ssh port forward--> TeamServer, TeamServer, Web Delivery Server, Phishing Server (to access teamserver, ssh, etc.)
- Victim --> Azure CDN --> HTTPS Redir --> TeamServer
- Victim --> DNS Redir --> TeamServer
- Victim --> Azure CDN --> Web Delivery Server
- Victim --> Phishing Server
Author: S2V2
Inspired by:
- @byt3bl33d3r's Red Baron project
- @_RastaMouse's Automated Red Team Infrastructure Deployment with Terraform (and part 2) blog posts.
- @bluscreenofjeff's Red Team Infrastructure Wiki
- @rsmudge's Malleable-C2-Profiles repository
  - specifically @harmj0y's Amazon browsing traffic profile used in this project
- @ramen0x3f's AggressorScripts repository
- @raikiasec's FiercePhish project
- @mrgretzky's pwndrop hosting file service