EricZimmerman / KapeFiles

This repository serves as a place for community created Targets and Modules for use with KAPE.
MIT License

Omit having the sync module enabled for default RECmd compound #406

Closed Karneades closed 3 years ago

Karneades commented 3 years ago

I saw recent changes to the compound for RECmd to update the .reb files every time (having a sync module in the first place in the compound, see https://github.com/EricZimmerman/KapeFiles/commit/d99b7ca67bd2439a6e848b949d7fc73719bad968). I would omit having this sync command enabled by default in the main RECmd compound in the repo but rather have this as own module and leave it up to the user to initiate a sync. I use that compound but would like to be able to sync the tools manually and not every time I use it (sooo many changes ain't gonna happen).

Proposal

Thoughts?

EricZimmerman commented 3 years ago

in my experience, people do not sync enough, due to the fact they do not even know it's there.

this was the reason for the change, to ensure that most people had the best course of action in place when they (blindly?) run the tool.

for more discerning people who do not want this (you mention not syncing every time you use it. more on this later) removing this line, deleting the sync file, or other tweaks are much easier than for the other group of people who want to just run stuff.

since you do not seem to be one of the people syncing tools every time you run them (be it kape, evtxecmd, etc) it seems reversing this change would adversely affect more people (the ones that sync kape, but nothing else).

with that said, i am open to a single module, !!ToolSync or something, that has all the other sync commands in it. this can then be optionally run by itself or in a larger chain. Starting the name with !! pushes it up in the list and the order it is run (assuming it's selected first).

pros and cons both ways.

randomaccess3 commented 3 years ago

I'd tend to want to remove the sync module and just have the sync button pull the latest kape mods/targets, update the ez tools, and sync evtx, re plugins, sql maps and whatever else.

Would be a one stop shop and would be aligned with what the sync button could be doing which is "give me the latest and greatest that's on offer".

The other thing could be some quick checks that say "hey it's been X days since you last synced (sunk? :P) you really should click that big ole sync button!"

Is that a possibility?

EricZimmerman commented 3 years ago

it CAN, but kape already tells you you have an old version and people ignore that, so

randomaccess3 commented 3 years ago

Sure do! For me, having sync keep everything aligned in the targets/modules/binary folder for your tools (update + sync) would be an amazing time saver.

EricZimmerman commented 3 years ago

this would be a better use of a powershell script than me including it.

i won't ever auto update Modules\bin stuff programmatically. too much liability

Karneades commented 3 years ago

I made a PR for adding a new module called "!!ToolSync" as proposed by Eric to include the current EZ tool sync modules, with the possibility to further add modules to update KAPE itself and the KAPE files as well.

If this would allow to omit the sync every time we run e.g. the RECmd compound then it would be cool. I'm happy to rename the file and extend as needed. And if it would impact all others negatively as Eric mentioned above, then I understand leaving it as it is and I will need to adapt our local KAPE repo as such (having an own compound without the sync).

@rathbuna I'm unable to use the RECmd sync command/module, because the current RECmd 1.6.0 version doesn't have a sync option yet (maybe I'm missing something) https://github.com/EricZimmerman/KapeFiles/blob/f3ea8466d90095b6ebeeb203d97c90531e6a102d/Modules/Registry/RECmd_Sync.mkape#L1

Karneades commented 3 years ago

I would then also add a section to the bottom of https://ericzimmerman.github.io/KapeDocs/#!Pages\2.-Getting-started.md regarding the module tools sync.

AndrewRathbun commented 3 years ago

If sync doesn't work for your current RECmd binary, it's outdated. Version might be the same but current binary has that feature now.

Karneades commented 3 years ago

Yeah, I just looked at the version. Thanks, with fresh download (same version) sync works now.

Karneades commented 3 years ago

@rathbuna Using the sync modules we don't see the changes anymore. Is there a way to print the output of the tools despite running them as modules?

AndrewRathbun commented 3 years ago

So you mean add --debug and --trace to each sync Module and then rely on the KAPE console log for that output?

AndrewRathbun commented 3 years ago

Also, it just dawned on me that kape.exe --sync Module that I was using internally actually had not been working, which totally makes sense since kape.exe doesn't reside in the Modules\bin folder. My mistake on that one!

I'm sure there's a workaround but I don't have it quite at this second. Let me know if you have any thoughts.

Karneades commented 3 years ago

yeah, ran into that as well :)

EricZimmerman commented 3 years ago

--debug is enough to see stdout

AndrewRathbun commented 3 years ago

https://github.com/EricZimmerman/KapeFiles/pull/421

Karneades commented 3 years ago

@rathbuna I think Eric meant using --debug when invoking kape with the tool sync module - that works for me.

AndrewRathbun commented 3 years ago

I'm unsure how we can run a binary outside of the module folder to solve the KAPE sync.

I'm good with whatever. I run --debug and --trace every time I run KAPE anyways. If it's best to keep the Sync Modules vanilla, then let me know your thoughts on that. --debug for the Sync Modules would ensure everyone sees what's changed but if that's bad practice, happy to have it PR'd back to just --sync.

EricZimmerman commented 3 years ago

trace is overkill for most use cases. just slows things down IMO

Karneades commented 3 years ago

FTR https://github.com/EricZimmerman/KapeDocs/pull/9. Addition in KAPE docs getting started section regarding the new module.

randomaccess3 commented 3 years ago

Sure that's fine too. I mean, at the moment it's:

  • Run kape updater script
  • Run module sync
  • Run ez updater ps1 script (and since i haven't checked if it does plugins i generally delete re and edit the sha1 file)
  • run evtx map sync
  • run recmd batch sync
  • run sql map sync
  • copy relevant binaries across into the kape folder

which is just KAPE+EZ tools, and then after copy in whatever other bins necessary

Anything that could be done to improve that workflow will reduce the workload of keeping things up to date; I'd probably have to figure out how to write the ps1 to do that.

Karneades commented 3 years ago

@randomaccess3 the following steps are now included in the new sync module !!ToolSync

  • Run module sync
  • run evtx map sync
  • run recmd batch sync
  • run sql map sync

So it's kape update + ez updater script + sync module.

mark-hallman commented 3 years ago

Clarification question: There are three apps that have a --sync option? evtx, recmd, and sqlmap, right? Or is "module sync" another option?

-Mark

On Tue, Feb 16, 2021 at 1:24 AM Andreas Hunkeler notifications@github.com wrote:

@randomaccess3 https://github.com/randomaccess3 the following steps are now included in the new sync module !!ToolSync

  • Run module sync
  • run evtx map sync
  • run recmd batch sync
  • run sql map sync


AndrewRathbun commented 3 years ago

Yes, RECmd, EVTXECmd and SQLECmd have --sync currently for Maps and Batch files, respectively. KAPE has its own --sync which is for Targets/Modules only.

AndrewRathbun commented 3 years ago

And for those who may find this later, I'll lay it out this way:

  • evtxecmd.exe --sync will pull from https://github.com/EricZimmerman/evtx/tree/master/evtx/Maps
  • sqlecmd.exe --sync will pull from https://github.com/EricZimmerman/SQLECmd/tree/master/SQLMap/Maps
  • recmd.exe --sync will pull from https://github.com/EricZimmerman/RECmd/tree/master/BatchExamples
  • kape.exe --sync will pull from https://github.com/EricZimmerman/KapeFiles/tree/master/Targets and https://github.com/EricZimmerman/KapeFiles/tree/master/Modules
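The manual workflow randomaccess3 describes and the four --sync commands listed above, written up as a PowerShell script that runs each sync and then reports which map, batch and Target/Module files were added, changed or removed (the "we don't see the changes anymore" problem when the sync is wrapped in a KAPE module). This is an added example, not a script from KAPE or the KapeFiles repository; the tool locations under Modules\bin and the folder each tool keeps its maps or batch files in are assumptions, and the script never replaces a binary.

```powershell
# Added example, not code from KAPE or the KapeFiles repository.
# Assumptions: kape.exe lives in $KapeRoot, the EZ tools live under Modules\bin,
# and each tool keeps its maps/batch files in the folder named beside it below.
param([string]$KapeRoot = "C:\Tools\KAPE")

$bin = Join-Path $KapeRoot "Modules\bin"

# One entry per --sync command from the thread, with the folder(s) that sync refreshes.
$syncJobs = @(
    @{ Exe = (Join-Path $bin "EvtxECmd\EvtxECmd.exe"); Dirs = @(Join-Path $bin "EvtxECmd\Maps") },
    @{ Exe = (Join-Path $bin "SQLECmd\SQLECmd.exe");   Dirs = @(Join-Path $bin "SQLECmd\Maps") },
    @{ Exe = (Join-Path $bin "RECmd\RECmd.exe");       Dirs = @(Join-Path $bin "RECmd\BatchExamples") },
    @{ Exe = (Join-Path $KapeRoot "kape.exe");
       Dirs = @((Join-Path $KapeRoot "Targets"), (Join-Path $KapeRoot "Modules")) }
)

# SHA256 of every file under the given folders, keyed by full path.
function Get-TreeHashes([string[]]$Paths) {
    $table = @{}
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { continue }
        foreach ($f in Get-ChildItem -Path $p -Recurse -File) {
            $table[$f.FullName] = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        }
    }
    return $table
}

foreach ($job in $syncJobs) {
    if (-not (Test-Path $job.Exe)) { Write-Warning "Missing $($job.Exe), skipping"; continue }
    $before = Get-TreeHashes $job.Dirs
    & $job.Exe --sync          # only the tool's data files change; binaries are never touched
    $after  = Get-TreeHashes $job.Dirs
    $added   = @($after.Keys  | Where-Object { -not $before.ContainsKey($_) })
    $removed = @($before.Keys | Where-Object { -not $after.ContainsKey($_) })
    $changed = @($after.Keys  | Where-Object { $before.ContainsKey($_) -and $before[$_] -ne $after[$_] })
    "{0}: {1} added, {2} changed, {3} removed" -f (Split-Path $job.Exe -Leaf), $added.Count, $changed.Count, $removed.Count
    ($added + $changed + $removed) | Sort-Object | ForEach-Object { "  $_" }
}
```

Run it from an elevated prompt only if your KAPE folder requires it; the before/after hash comparison is what gives you the change list even when a tool's own sync output is not shown.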

mark-hallman commented 3 years ago

Ah, kape --sync, can't forget that. Thank you! -Mark


AndrewRathbun commented 3 years ago

https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/!!ToolSync.mkape will do all the above for you, too!

mark-hallman commented 3 years ago

Thanks, Andrew. I saw that last night and that got me to watching the Github messages. I'm taking a look at SANS FOR500 just to make sure we aren't breaking any existing exercises. I'm not anticipating that we are but need to make sure. The other minor concern is that we might not be taking advantage of new stuff like "Registry\RECmd_Kroll".

-Mark


AndrewRathbun commented 3 years ago

I don't think anything will be broken for SANS FOR500, if anything, there will just be more stuff than what the textbooks cover. One thing that is a good thing to suggest is for any regular KAPE user/SANS student is to Watch the repos listed above so they can be in the loop of new/updated Maps, new/updated Batch File updates, new/updated Targets/Modules, etc. If you have any questions though, happy to talk through any concerns.