MITRE CALDERA on Raspberry Pi
How to start
cd caldera
python3 -m venv venv
source venv/bin/activate
python3 server.py --insecure --build
How to access
http://localhost:8888/
Username: red Password: admin
How to tear down
deactivate
rm -rf caldera/
Usage
An introduction to the cybersecurity framework MITRE CALDERA: feature overview and environment setup #Python - Qiita
Installing CALDERA itself
MITRE CALDERA v5.0.0 installation steps #Security - Qiita
# 1) Install git, python, pip, npm
sudo apt update && sudo apt upgrade -y && sudo apt install python3-venv npm git -y
# 2) Update Node & NPM (note: the steps differ on Kali; see below)
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
source ~/.bashrc
nvm install stable
# 3) Download Caldera
git clone https://github.com/mitre/caldera.git --recursive
# 4) Create environment & activate
cd caldera
python3 -m venv venv
source venv/bin/activate
# 5) Install requirements
pip install -r requirements.txt
# 6) Install Go & add to path (note: on the Raspberry Pi use the arm64 build)
wget https://go.dev/dl/go1.22.0.linux-amd64.tar.gz && sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.22.0.linux-amd64.tar.gz && export PATH=$PATH:/usr/local/go/bin
go version
# 7) Run caldera
python3 server.py --insecure --build
On the Raspberry Pi
wget https://go.dev/dl/go1.22.0.linux-amd64.tar.gz && sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.22.0.linux-amd64.tar.gz && export PATH=$PATH:/usr/local/go/bin
↓
wget https://go.dev/dl/go1.23.5.linux-arm64.tar.gz && sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.23.5.linux-arm64.tar.gz && export PATH=$PATH:/usr/local/go/bin
Notes on installing nvm (Kali Linux)
Kali's default shell is zsh, so the nvm loader lines go into ~/.zshrc rather than ~/.bashrc:
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/master/install.sh | bash
echo 'export NVM_DIR="$HOME/.nvm"
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"  # This loads nvm
[ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion"  # This loads nvm bash_completion' >> ~/.zshrc
source ~/.zshrc
Installing the emu plugin
Add it to the conf file
┌──(kali㉿kali-raspberrypi)-[~]
└─$ cd ~/caldera/conf
┌──(kali㉿kali-raspberrypi)-[~/caldera/conf]
└─$ sudo vi default.yml
# (omitted)
plugins:
- access
- atomic
- compass
- debrief
- emu  # added
- fieldmanual
- manx
- response
- sandcat
- stockpile
- training
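The same edit can be made without opening the file in vi. The script below is an added example, not part of the original note or of CALDERA itself: it assumes the layout shown above (a top-level `plugins:` key followed by one `- name` item per line) and enables a plugin only if it is not already listed, keeping a backup of the config.

```shell
#!/bin/sh
# Added example (not from the original note): enable a CALDERA plugin in conf/default.yml
# without hand-editing the list. It assumes the layout shown above: a top-level
# "plugins:" key followed by one "- name" item per line.

plugin_enabled() {
    # $1 = path to default.yml, $2 = plugin name. Exit 0 only if the name is an item
    # of the plugins list (a "- name" under a different key does not count).
    awk -v p="$2" '
        /^plugins:/ { inlist = 1; next }
        inlist && /^[^ -]/ { inlist = 0 }            # next top-level key ends the list
        inlist && $0 ~ ("^ *- " p " *$") { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

enable_plugin() {
    # Insert "- $2" right after the "plugins:" line unless it is already listed.
    # A .bak copy is kept so the edit can be reverted.
    if plugin_enabled "$1" "$2"; then
        echo "$2 is already enabled in $1"
        return 0
    fi
    cp "$1" "$1.bak"
    awk -v p="$2" '
        { print }
        /^plugins:/ { print "- " p }
    ' "$1.bak" > "$1"
    echo "enabled $2 in $1 (backup in $1.bak)"
}

# Usage (assumed path): enable_plugin ~/caldera/conf/default.yml emu
```

`plugin_enabled` stops scanning at the next top-level key, so a `- red` under `users:` is not mistaken for an enabled plugin; running `enable_plugin` twice leaves a single `- emu` entry.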
Additional setup
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera/plugins/emu]
└─$ sudo apt-get install zlib1g
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera/plugins/emu]
└─$ pip3 install -r requirements.txt
Start Caldera once, stop it again, then download the additional payloads
At this point, start Caldera once and confirm that emu is loaded and that a WARNING about missing payloads appears. Then stop Caldera again and run the following steps.
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera/plugins/emu]
└─$ cd ~/caldera/plugins/emu
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera/plugins/emu]
└─$ ./download_payloads.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  856k  100  856k    0     0   3560      0  0:04:06  0:04:06 --:--:--  5441
Downloading
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera/plugins/emu]
└─$ ./download_payloads.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  856k  100  856k    0     0   3560      0  0:04:06  0:04:06 --:--:--  5441
Archive:  payloads/AdFind.zip
  inflating: payloads/adcsv.pl
[payloads/AdFind.zip] AdFind.exe password:   # Some articles say to press Enter without entering a password [*1], but I entered NotMalware.
 skipping: AdFind.exe              incorrect password
 extracting: payloads/password.txt
cp: cannot stat 'payloads/AdFind.exe': No such file or directory
Archive:  payloads/NetSess.zip
  inflating: payloads/NetSess.exe
Archive:  payloads/wce_v1_41beta_universal.zip
  inflating: payloads/Changelog
  inflating: payloads/LICENSE.txt
  inflating: payloads/README
  inflating: payloads/wce.exe
Archive:  payloads/PSTools.zip
  inflating: payloads/PSTools/psfile.exe
  inflating: payloads/PSTools/psfile64.exe
  inflating: payloads/PSTools/pskill.exe
  inflating: payloads/PSTools/pskill64.exe
  inflating: payloads/PSTools/pslist.exe
  inflating: payloads/PSTools/pslist64.exe
  inflating: payloads/PSTools/PsLoggedon.exe
  inflating: payloads/PSTools/PsLoggedon64.exe
  inflating: payloads/PSTools/PsService.exe
  inflating: payloads/PSTools/PsService64.exe
  inflating: payloads/PSTools/pssuspend.exe
  inflating: payloads/PSTools/pssuspend64.exe
  inflating: payloads/PSTools/psping.exe
  inflating: payloads/PSTools/psping64.exe
  inflating: payloads/PSTools/PsInfo.exe
  inflating: payloads/PSTools/PsInfo64.exe
  inflating: payloads/PSTools/pspasswd.exe
  inflating: payloads/PSTools/pspasswd64.exe
  inflating: payloads/PSTools/PsGetsid.exe
  inflating: payloads/PSTools/PsGetsid64.exe
  inflating: payloads/PSTools/psloglist.exe
  inflating: payloads/PSTools/psloglist64.exe
  inflating: payloads/PSTools/psshutdown.exe
  inflating: payloads/PSTools/psshutdown64.exe
  inflating: payloads/PSTools/PsExec.exe
  inflating: payloads/PSTools/PsExec64.exe
  inflating: payloads/PSTools/psversion.txt
  inflating: payloads/PSTools/Pstools.chm
  inflating: payloads/PSTools/Eula.txt
PsExec64.exe v2.4 copied to Turla payloads directory
Pscp.exe copied to Turla payloads directory
Plink.exe copied to Turla payloads directory
*1: AdFind.zip from payloads requires a password · Issue #41 · mitre/emu · GitHub
After restarting...
2025-01-22 15:12:35 INFO VueJS front-end build complete. server.py:276
ERROR go does not meet the minimum version of 1.19 app_svc.py:188
2025-01-22 15:14:05 ERROR [-] Error - Unable to import 'pyminizip'. emu_svc.py:96
ERROR [-] Verify you have installed dependencies: emu_svc.py:96
ERROR [-] See URL for more info: https://github.com/smihica/pyminizip emu_svc.py:96
ERROR None emu_svc.py:101
ERROR Error enabling plugin=emu, Command '['/home/kali/caldera/venv/bin/python3', 'plugins/emu/data/adversary-emulation-plans/oilrig/Resources/utilities/crypt_executables.py', '-i', 'plugins/emu/data/adversary-emulation-plans/oilrig/Resources', '-p', 'malware', '--decrypt']' returned non-zero exit status 255. c_plugin.py:70
ERROR Error importing plugin=builder, No module named 'docker' c_plugin.py:91
ERROR Error loading plugin=builder, 'NoneType' object has no attribute 'description' c_plugin.py:59
What I did to resolve the errors
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera]
└─$ wget https://go.dev/dl/go1.23.5.linux-arm64.tar.gz && sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.23.5.linux-arm64.tar.gz && export PATH=$PATH:/usr/local/go/bin
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera]
└─$ go version
go version go1.23.5 linux/arm64
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera]
└─$ sudo apt-get install build-essential python3-dev
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera]
└─$ pip install pyminizip
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera]
└─$ pip install docker
What I did to resolve the donut-related WARNING
WARNING Unable to properly load .donut for payload plugins.stockpile.app.donut.donut_handler due to failed import
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera]
└─$ pip install donut-shellcode  # this failed
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera]
└─$ sudo apt-get update
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera]
└─$ sudo apt-get install build-essential python3-dev
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera]
└─$ git clone https://github.com/TheWover/donut.git
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera/donut]
└─$ pip install setuptools
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera]
└─$ cd donut
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera/donut]
└─$ python3 setup.py install  # this failed too; it apparently does not support the ARM64 architecture
┌──(venv)─(kali㉿kali-raspberrypi)-[~/caldera/donut]
└─$ pip install pycryptodome  # for some reason this made the WARNING go away
Filling in the other payloads
cd ~/caldera/plugins/emu/payloads
wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/***.exe
cp /home/kali/caldera/plugins/emu/payloads/***.exe /home/kali/caldera/plugins/emu/data/adversary-emulation-plans/
mv /home/kali/caldera/plugins/emu/data/adversary-emulation-plans/***.exe /home/kali/caldera/plugins/emu/data/adversary-emulation-plans/***.exe
# The last command renames the file from an uppercase R to a lowercase r.
# For everything other than Rubeus I gave up and created empty files...
touch dumpWebBrowserCreds.exe
touch m64.exe
touch ryuk.exe
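Three things went wrong in this walkthrough before the server came up cleanly: Go older than the 1.19 minimum reported by app_svc.py, Python modules the plugins import (pyminizip, docker) missing from the venv, and zero-byte placeholder payloads created with touch, which will make any ability that depends on them fail on the agent. The script below is an added example, not part of the original note or of CALDERA: a preflight check to run inside the venv before `python3 server.py`. The minimum Go version is taken from the error message above, and the payload directory path is an assumption based on the note's layout.

```shell
#!/bin/sh
# Added example, not part of the original note: preflight checks for a CALDERA
# install, run from inside the venv before "python3 server.py". GO_MIN comes from
# the app_svc.py error in the note; EMU_PAYLOADS is an assumed path from its layout.

GO_MIN="1.19"
EMU_PAYLOADS="${EMU_PAYLOADS:-$HOME/caldera/plugins/emu/payloads}"

go_version_ok() {
    # $1 = output of "go version" (e.g. "go version go1.23.5 linux/arm64"),
    # $2 = minimum as MAJOR.MINOR. Exit 0 when $1 is at least the minimum.
    printf '%s\n' "$1" | awk -v min="$2" '
        {
            v = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^go[0-9]/) v = substr($i, 3)
            n = split(v, have, ".")
            split(min, need, ".")
            if (n < 2) exit 1                       # nothing parsable: treat as too old
            ok = (have[1] + 0 > need[1] + 0) ||
                 (have[1] + 0 == need[1] + 0 && have[2] + 0 >= need[2] + 0)
            exit (ok ? 0 : 1)
        }'
}

empty_payloads() {
    # List zero-byte regular files directly under $1. An ability that runs one of
    # these on an agent will fail, so they should be known before an operation starts.
    find "$1" -maxdepth 1 -type f -size 0 | sort
}

python_modules_ok() {
    # Every module named in $@ must import with the venv's python3.
    rc=0
    for m in "$@"; do
        if ! python3 -c "import $m" 2>/dev/null; then
            echo "missing python module: $m"
            rc=1
        fi
    done
    return $rc
}

preflight() {
    status=0
    if ! go_version_ok "$(go version 2>/dev/null)" "$GO_MIN"; then
        echo "go >= $GO_MIN required; found: $(go version 2>/dev/null || echo none)"
        status=1
    fi
    python_modules_ok pyminizip docker || status=1
    empties=$(empty_payloads "$EMU_PAYLOADS" 2>/dev/null)
    if [ -n "$empties" ]; then
        echo "zero-byte placeholder payloads in $EMU_PAYLOADS:"
        echo "$empties"
    fi
    return $status
}

# Run the checks only when invoked as "sh preflight.sh run", so the functions
# can also be sourced from another script.
case "${1:-}" in
    run) preflight ;;
esac
```

The placeholder check is informational rather than fatal: the note's author deliberately left those empty files in place, and the point is to know which abilities will not work rather than to block the server from starting.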
Final state for now
WARNINGs still remain, but I decided to try using it in this state for now.
emu plugin
APT29, menu_pass, and others were added.
cd /home/kali/caldera/plugins/emu/data/adversary-emulation-plans
ls -la
total 556
drwxrwxr-x 18 kali kali   4096 Jan 22 16:51 .
drwxrwxr-x  7 kali kali   4096 Jan 22 16:55 ..
drwxrwxr-x  6 kali kali   4096 Jan 22 15:13 apt29
drwxrwxr-x  6 kali kali   4096 Jan 22 15:13 blind_eagle
drwxrwxr-x  7 kali kali   4096 Jan 22 15:13 carbanak
-rw-rw-r--  1 kali kali   1845 Jan 22 15:13 CONTRIBUTING.md
drwxrwxr-x  4 kali kali   4096 Jan 22 15:13 fin6
drwxrwxr-x  7 kali kali   4096 Jan 22 15:13 fin7
drwxrwxr-x  8 kali kali   4096 Jan 22 15:14 .git
drwxrwxr-x  4 kali kali   4096 Jan 22 15:13 .github
-rw-rw-r--  1 kali kali    432 Jan 22 15:13 .gitignore
-rw-rw-r--  1 kali kali  11357 Jan 22 15:13 LICENSE
drwxrwxr-x  4 kali kali   4096 Jan 22 15:13 menu_pass
drwxrwxr-x  4 kali kali   4096 Jan 22 15:13 micro_emulation_plans
drwxrwxr-x  8 kali kali   4096 Jan 22 15:13 ocean_lotus
drwxrwxr-x  9 kali kali   4096 Jan 22 15:13 oilrig
-rw-rw-r--  1 kali kali  22719 Jan 22 15:13 README.md
drwxrwxr-x  2 kali kali   4096 Jan 22 15:13 resources
-rw-rw-r--  1 kali kali 446976 Jan 22 16:46 rubeus.exe
drwxrwxr-x  8 kali kali   4096 Jan 22 15:13 sandworm
drwxrwxr-x  2 kali kali   4096 Jan 22 15:13 structure
drwxrwxr-x  8 kali kali   4096 Jan 22 15:13 turla
drwxrwxr-x  8 kali kali   4096 Jan 22 15:14 wizard_spider