Closed Karneades closed 3 years ago
in my experience, people do not sync enough, due to the fact they do not even know it's there.
this was the reason for the change, to ensure that most people had the best course of action in place when they (blindly?) run the tool.
for more discerning people who do not want this (you mention not syncing every time you use it. more on this later) removing this line, deleting the sync file, or other tweaks are much easier than for the other group of people who want to just run stuff.
since you do not seem to be one of the people syncing tools every time you run them (be it kape, evtxecmd, etc) it seems reversing this change would adversely affect more people (the ones that sync kape, but nothing else).
with that said, i am open to a single module, !!ToolSync or something, that has all the other sync commands in it. this can then be optionally run by itself or in a larger chain. Starting the name with !! pushes it up in the list and the order it is run (assuming it's selected first).
pros and cons both ways.
I'd tend to want to remove the sync module and just have the sync button pull the latest kape mods/targets, update the ez tools, and sync evtx, re plugins, sql maps and whatever else.
Would be a one stop shop and would be aligned with what the sync button could be doing which is "give me the latest and greatest that's on offer".
The other thing could be some quick checks that say "hey it's been X days since you last synced (sunk? :P) you really should click that big ole sync button!"
Is that a possibility?
it CAN, but kape already tells you you have an old version and people ignore that, so
Sure do! For me, having sync keep everything aligned in the targets/modules/binary folder for your tools (update + sync) would be an amazing time saver.
this would be a better use of a powershell script than me including it.
i won't ever auto update Modules\bin stuff programmatically. too much liability
I made a PR for adding a new module called "!!ToolSync" as proposed by Eric to include the current EZ tool sync modules, with the possibility to further add modules to update KAPE itself and the KAPE files as well.
If this would allow us to omit the sync every time we run e.g. the RECmd compound then it would be cool. I'm happy to rename the file and extend as needed. And if it would impact all others negatively as Eric mentioned above, then I understand leaving it as it is and I will need to adapt our local KAPE repo as such (having our own compound without the sync).
@rathbuna I'm unable to use the RECmd sync command/module, because the current RECmd 1.6.0 version doesn't have a sync option yet (maybe I'm missing something) https://github.com/EricZimmerman/KapeFiles/blob/f3ea8466d90095b6ebeeb203d97c90531e6a102d/Modules/Registry/RECmd_Sync.mkape#L1
I would then also add a section to the bottom of https://ericzimmerman.github.io/KapeDocs/#!Pages\2.-Getting-started.md regarding the module tools sync.
If sync doesn't work for your current RECmd binary, it's outdated. Version might be the same but current binary has that feature now.
Yeah, I just looked at the version. Thanks, with fresh download (same version) sync works now.
@rathbuna Using the sync modules we don't see the changes anymore. Is there a way to print the output of the tools despite running them as modules?
So you mean add --debug and --trace to each sync Module and then rely on the KAPE console log for that output?
Also, it just dawned on me that kape.exe --sync Module that I was using internally actually had not been working, which totally makes sense since kape.exe doesn't reside in the Modules\bin folder. My mistake on that one!
I'm sure there's a workaround but I don't have it quite at this second. Let me know if you have any thoughts.
yeah, ran into that as well :)
--debug is enough to see stdout
@rathbuna I think Eric meant using --debug when invoking kape with the tool sync module - that works for me.
I'm unsure how we can run a binary outside of the module folder to solve the KAPE sync.
I'm good with whatever. I run --debug and --trace every time I run KAPE anyways. If it's best to keep the Sync Modules vanilla, then let me know your thoughts on that. --debug for the Sync Modules would ensure everyone sees what's changed but if that's bad practice, happy to have it PR'd back to just --sync.
trace is overkill for most use cases. just slows things down IMO
FTR https://github.com/EricZimmerman/KapeDocs/pull/9. Addition in KAPE docs getting started section regarding the new module.
this would be a better use of a powershell script than me including it.
i won't ever auto update Modules\bin stuff programmatically. too much liability
Sure that's fine too. I mean, at the moment it's:
- Run kape updater script
- Run module sync
- Run ez updater ps1 script (and since I haven't checked if it does plugins I generally delete re and edit the sha1 file)
- run evtx map sync
- run recmd batch sync
- run sql map sync
- copy relevant binaries across into the kape folder
which is just KAPE+EZ tools, and then after copy in whatever other bins necessary
Anything that could be done to improve that workflow will reduce the workload of keeping things up to date; I'd probably have to figure out how to write the ps1 to do that.
@randomaccess3 the following steps are now included in the new sync module !!ToolSync
So it's kape update + ez updater script + sync module.
Clarification question: There are three apps that have a --sync option? evtx, recmd, and sqlmap, right? Or is "module sync" another option?
-Mark
On Tue, Feb 16, 2021 at 1:24 AM Andreas Hunkeler notifications@github.com wrote:
@randomaccess3 https://github.com/randomaccess3 the following steps are now included in the new sync module !!ToolSync
- Run module sync
- run evtx map sync
- run recmd batch sync
- run sql map sync
Yes, RECmd, EVTXECmd and SQLECmd have --sync currently for Maps and Batch files, respectively. KAPE has its own --sync which is for Targets/Modules only.
And for those who may find this later, I'll lay it out this way:
evtxecmd.exe --sync
will pull from https://github.com/EricZimmerman/evtx/tree/master/evtx/Maps
sqlecmd.exe --sync
will pull from https://github.com/EricZimmerman/SQLECmd/tree/master/SQLMap/Maps
recmd.exe --sync
will pull from https://github.com/EricZimmerman/RECmd/tree/master/BatchExamples
kape.exe --sync
will pull from https://github.com/EricZimmerman/KapeFiles/tree/master/Targets and https://github.com/EricZimmerman/KapeFiles/tree/master/Modules
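Since the thread twice points at a PowerShell script as the right place for chaining these syncs (Eric's comment above and the manual workflow listed earlier), here is an added example of such a wrapper; it is not code from the KapeFiles project. It assumes kape.exe sits in the KAPE root, the EZ tool binaries sit in Modules\bin, and a hypothetical marker file last-toolsync.txt is used to nag when the last sync is stale.

```powershell
# Added example (not from the KapeFiles project): run the four --sync commands from the
# thread in one go and warn when the last successful sync is older than a threshold.
# Assumptions: $KapeRoot holds kape.exe; Modules\bin holds EvtxECmd.exe, RECmd.exe, SQLECmd.exe.
param(
    [string]$KapeRoot = "C:\Tools\KAPE",   # assumed install path
    [int]$StaleAfterDays = 7               # threshold for the "you really should sync" warning
)

$bin   = Join-Path $KapeRoot "Modules\bin"
$stamp = Join-Path $KapeRoot "last-toolsync.txt"   # hypothetical marker file written by this script

# kape.exe lives in the KAPE root, the EZ tools in Modules\bin (the mix-up discussed in the thread).
$jobs = @(
    @{ Name = "KAPE Targets/Modules"; Exe = (Join-Path $KapeRoot "kape.exe") },
    @{ Name = "EvtxECmd Maps";        Exe = (Join-Path $bin "EvtxECmd.exe") },
    @{ Name = "RECmd Batch files";    Exe = (Join-Path $bin "RECmd.exe") },
    @{ Name = "SQLECmd Maps";         Exe = (Join-Path $bin "SQLECmd.exe") }
)

if (Test-Path $stamp) {
    $age = (Get-Date) - (Get-Item $stamp).LastWriteTime
    if ($age.TotalDays -gt $StaleAfterDays) {
        Write-Warning ("Last tool sync was {0:N0} days ago; syncing now" -f $age.TotalDays)
    }
}

$failed = 0
foreach ($job in $jobs) {
    if (-not (Test-Path $job.Exe)) {
        Write-Warning "$($job.Name): $($job.Exe) not found, skipping"
        $failed++
        continue
    }
    Write-Host "== $($job.Name): $($job.Exe) --sync"
    Push-Location (Split-Path $job.Exe)   # run from the binary's own folder
    try {
        # stdout is echoed in full, which is what --debug gives you when KAPE runs a sync module
        & $job.Exe --sync 2>&1 | ForEach-Object { "   $_" }
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$($job.Name) exited with code $LASTEXITCODE"
            $failed++
        }
    } finally { Pop-Location }
}

if ($failed -eq 0) {
    Set-Content -Path $stamp -Value (Get-Date -Format o)   # only refresh the marker on full success
    Write-Host "All syncs completed; marker updated"
} else {
    Write-Warning "$failed sync step(s) failed; marker not updated"
}
```

The extra binaries you copy into Modules\bin by hand (the step at the end of the manual workflow) stay out of scope here, matching the "no programmatic update of Modules\bin" stance in the thread.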
Ah, kape --sync, can't forget that. Thank you! -Mark
On Thu, Feb 18, 2021 at 12:37 PM Andrew Rathbun notifications@github.com wrote:
And for those who may find this later, I'll lay it out this way:
evtxecmd.exe --sync
will pull from https://github.com/EricZimmerman/evtx/tree/master/evtx/Maps
sqlecmd.exe --sync
will pull from https://github.com/EricZimmerman/SQLECmd/tree/master/SQLMap/Maps
recmd.exe --sync
will pull from https://github.com/EricZimmerman/RECmd/tree/master/BatchExamples
kape.exe --sync
will pull from https://github.com/EricZimmerman/KapeFiles/tree/master/Targets and https://github.com/EricZimmerman/KapeFiles/tree/master/Modules
https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/!!ToolSync.mkape will do all the above for you, too!
Thanks, Andrew. I saw that last night and that got me to watching the GitHub messages. I'm taking a look at SANS FOR500 just to make sure we aren't breaking any existing exercises. I'm not anticipating that we are but need to make sure. The other minor concern is that we might not be taking advantage of new stuff like "Registry\RECmd_Kroll".
-Mark
On Thu, Feb 18, 2021 at 12:42 PM Andrew Rathbun notifications@github.com wrote:
https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/!!ToolSync.mkape will do all the above for you, too!
I don't think anything will be broken for SANS FOR500; if anything, there will just be more stuff than what the textbooks cover. One thing that is good to suggest for any regular KAPE user/SANS student is to Watch the repos listed above so they can be in the loop on new/updated Maps, new/updated Batch Files, new/updated Targets/Modules, etc. If you have any questions though, happy to talk through any concerns.
I saw recent changes to the compound for RECmd to update the .reb files every time (having a sync module in the first place in the compound, see https://github.com/EricZimmerman/KapeFiles/commit/d99b7ca67bd2439a6e848b949d7fc73719bad968). I would omit having this sync command enabled by default in the main RECmd compound in the repo but rather have this as its own module and leave it up to the user to initiate a sync. I use that compound but would like to be able to sync the tools manually and not every time I use it (sooo many changes ain't gonna happen).
Proposal
Thoughts?