Adding Timestamps to the Kali Prompt

# zsh prompt: append a yellow "[mm/dd/yy h:MM:SS]" timestamp to whatever PROMPT already holds.
PROMPT+='%F{yellow}[%D{%m/%d/%y} %D{%L:%M:%S}]%f '

Terminal Logging Script

# smart_script will continuously log the input and output of the terminal into a logfile located in ~/Terminal_typescripts/raw/

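smart_script() {
    # Only the outermost shell starts a recording. The shell that `script`
    # spawns inherits the exported SCRIPT_LOG_FILE and falls straight through,
    # so no nested recording is started.
    if [ -z "$SCRIPT_LOG_FILE" ]; then
        # Log layout: ~/Terminal_typescripts/raw/<YYYY-MM-DD>/<date_time>.<pid>.rawlog
        # Declaration and command substitution are kept separate so a failing
        # `date` is not masked by `local`.
        local logdirparent=$HOME/Terminal_typescripts
        local today stamp logdirraw logdir logfile txtfile
        today=$(date +%F)
        stamp=$(date +%F_%T)
        logdirraw=raw/$today
        logdir=$logdirparent/$logdirraw
        logfile=$logdir/$stamp.$$.rawlog
        txtfile=$logfile.txt

        # Create the per-day directory if needed. This function runs on every
        # shell start, so a failure here must not `exit` (that would close the
        # terminal); report on stderr and return instead.
        # NOTE: the raw log captures everything typed in the session, including
        # any secret passed on a command line. Keeping this tree private (e.g.
        # mode 700) is advisable — TODO confirm the desired permission policy.
        if [ ! -d "$logdir" ]; then
            mkdir -p "$logdir" || {
                printf 'Failed to create log directory\n' >&2
                return 1
            }
        fi
        export SCRIPT_LOG_FILE=$logfile
        export SCRIPT_LOG_PARENT_FOLDER=$logdirparent
        export TXTFILE=$txtfile

        # Record the session. Any argument (startnewlog passes -v) selects the
        # non-quiet invocation so `script` announces the log file; otherwise -q.
        if [ -n "$1" ]; then
            script -f "$logfile"
        else
            script -f -q "$logfile"
        fi

        # The recorded shell has ended: strip terminal escape sequences and
        # backspace artefacts into a readable .txt, then close this outer shell.
        perl -pe 's/\e([^\\[\\]]|\\[.*?[a-zA-Z]|\\].*?\\a)//g' < "$logfile" | col -b > "$txtfile"
        exit
    fi
}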

# Start logging into new file: drop the inherited session marker so the next
# smart_script call begins a fresh recording. The -v argument is only tested
# for non-emptiness by smart_script and selects its non-quiet `script` call.
alias startnewlog='unset SCRIPT_LOG_FILE && smart_script -v'

# savelog manually saves the current terminal in/out into a logfile:
# Example: $ savelog logname
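savelog() {
    # Without an active recording there is nothing to save. Without this guard
    # the paths below would degenerate to "/manual" and "cat ''" would fail.
    if [ -z "$SCRIPT_LOG_FILE" ] || [ ! -r "$SCRIPT_LOG_FILE" ]; then
        printf 'No active terminal log (SCRIPT_LOG_FILE unset or unreadable)\n' >&2
        return 1
    fi

    # Manual copies live next to the raw tree; fall back to the same parent
    # smart_script uses if the exported folder variable is missing.
    local manualdir=${SCRIPT_LOG_PARENT_FOLDER:-$HOME/Terminal_typescripts}/manual

    # if no folder exists - make one
    if [ ! -d "$manualdir" ]; then
        mkdir -p "$manualdir" || {
            printf 'Failed to create manual log directory\n' >&2
            return 1
        }
    fi

    # Log name = basename of the raw log without its extension.
    local logname=${SCRIPT_LOG_FILE##*/}
    logname=${logname%.*}

    # Append the caller-supplied label. Slashes are replaced so the label
    # cannot steer the output path outside manualdir.
    if [ -n "$1" ]; then
        logname=${logname}_${1//\//_}
    fi

    # Output paths for the readable and the raw copy.
    local txtfile=$manualdir/$logname.txt
    local rawfile=$manualdir/$logname.rawlog

    # Strip terminal escape sequences and backspace artefacts into the .txt,
    # and keep an untouched copy of the raw log alongside it.
    perl -pe 's/\e([^\\[\\]]|\\[.*?[a-zA-Z]|\\].*?\\a)//g' < "$SCRIPT_LOG_FILE" | col -b > "$txtfile"
    cp "$SCRIPT_LOG_FILE" "$rawfile" || return 1

    printf '[+] Saved logs\n'
    printf '  \\\\-> %s\n' "$txtfile"
    printf '  \\\\-> %s\n' "$rawfile"
}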

# Run Smart Script at terminal initialization. Called without an argument, so
# the quiet (-q) `script` form is used; the shell spawned by `script` re-runs
# this file, sees SCRIPT_LOG_FILE already exported, and does not record again.
smart_script

Elastic, Fleet, & Terminal Logging

# Bring the system current before installing Docker.
sudo apt update && sudo apt -y upgrade 
# -f forces an immediate reboot without the normal shutdown sequence.
sudo reboot -f
# Install Docker's repository signing key into the keyrings directory and
# pin the apt source to it (signed-by). The source line below uses the Ubuntu
# "focal" suite; confirm this matches the host before relying on it.
sudo mkdir -p /etc/apt/keyrings && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu focal stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin -y
sudo systemctl enable docker.service
# Membership of the docker group grants control of the Docker daemon, which is
# effectively root-equivalent on the host; only add accounts that need it.
sudo gpasswd -a kali docker
# Group membership takes effect on next login; the reboot makes that happen.
sudo reboot
# Elastic/Fleet stack packaged as containers; the .env file it ships with holds
# the credentials (see the notes that follow).
git clone https://github.com/peasead/elastic-container.git
  • Change the Password in the .env file.
  • Don’t Change the username
# Start the stack with the credentials from the edited .env file; Kibana is
# then reached on https://localhost:5601 (self-signed certificate).
./elastic-container.sh start
  • Now browse to https://localhost:5601 and accept the certificate security warning to access the Kibana dashboard.

Enrolling an Agent

Now that Elastic is installed, we can use the Fleet server to set up an agent to pull and ingest logs.

In the side menu (the hamburger icon in the upper-left corner), click on Management ⇒ Fleet.

In the upper right corner, click Add Agent.

In the new menu, leave the name as “Agent policy 1” and click “Create policy”

Scroll to 3. Install Elastic Agent

Copy this command into the Kali terminal, but do not run it yet. Add -i to the end of the last command in this command block, like this:

Return to the main section. In the Settings tab, under the Outputs section, create a new output with the “Add output” button:

Name the new output elastic

In the hosts field, enter: https://localhost:9200

In the Advanced YAML configuration block, enter the following:

ssl.verification_mode: none

Set Make this output the default for agent integrations and Make this output the default for agent monitoring to on by clicking on both options.

The new Output should look like this:

Customizing the Collected Data

We have enrolled the Kali teamserver in the Fleet collection pipeline. The agent for our Kali host is now shipping log data to the Fleet server. However, it currently has a default configuration and we want to specify the exact data to ship. Right now, our Fleet agent does not know about the terminal logging files.

In the left-side menu, click on Fleet ⇒ Agent Policies

Click on Agent policy 1

Click on Add Integration

Search for the term custom

Select Custom Logs

Click Add custom logs

In the Configure Integration section, change the integration name to terminal_typescripts

In the Custom log field path, add

/home/kali/Terminal_typescripts/*/*.rawlog
/home/kali/Terminal_typescripts/*/*/*.rawlog
/home/kali/Terminal_typescripts/manual/*.txt

  In the bottom right corner, click “Save and continue”, then click “Save and deploy changes”

Ghostwriter

[+] Ghostwriter is ready to go!
[+] You can login as `admin` with this password: F3l3dFywCQePZnlYrMqe436B3Byqr2ce
[+] You can get your admin password by running: ghostwriter-cli config get admin_password