Closed kmroz closed 2 years ago
Added iface handling, etc.
Sample output/errors:
./flightsim run
AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 10.186.0.3
The current time is 14-Sep-21 08:16:45
08:16:45 [c2] Preparing a random sample of C2 domains
08:16:45 [c2] Resolving livdecor.pt
08:16:46 [c2] Resolving matixx.xyz
...
08:16:50 [c2] Done (5/5)
...
08:16:55 [dga] Generating a list of DGA domains
08:16:55 [dga] Resolving uonemmjxkx.net
08:16:56 [dga] Resolving ymswtzhopm.net
...
08:17:10 [dga] Done (15/15)
...
08:17:16 [scan] Preparing a random sample of RFC 5737 destinations
08:17:16 [scan] Port scanning 203.0.113.4
08:17:19 [scan] Port scanning 203.0.113.7
...
08:17:46 [scan] Done (10/10)
...
08:18:06 [tunnel-dns] Simulating DNS tunneling via *.sandbox.alphasoc.xyz
08:18:16 [tunnel-dns] Done (1/1)
AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 10.186.0.3
The current time is 14-Sep-21 08:12:33
08:12:33 [c2] WARNING: You've specified use of interface 'ens4' with address '10.186.0.3' for this module. Overriding defaults may cause connectivity issues.
08:12:33 [c2] Preparing a random sample of C2 domains
08:12:33 [c2] Resolving xeibzs12.top
08:12:34 [c2] ERROR: xeibzs12.top: lookup xeibzs12.top. on 127.0.0.53:53: dial udp 10.186.0.3:0->127.0.0.53:53: i/o timeout
...
08:12:38 [c2] Done (0/5)
...
08:12:43 [dga] WARNING: You've specified use of interface 'ens4' with address '10.186.0.3' for this module. Overriding defaults may cause connectivity issues.
08:12:43 [dga] Generating a list of DGA domains
08:12:43 [dga] Resolving wdzowbbvuo.biz
08:12:44 [dga] ERROR: wdzowbbvuo.biz: lookup wdzowbbvuo.biz. on 127.0.0.53:53: dial udp 10.186.0.3:0->127.0.0.53:53: i/o timeout
...
08:12:58 [dga] Done (0/15)
...
08:13:03 [scan] WARNING: You've specified use of interface 'ens4' with address '10.186.0.3' for this module. Overriding defaults may cause connectivity issues.
08:13:03 [scan] Preparing a random sample of RFC 5737 destinations
08:13:03 [scan] Port scanning 203.0.113.39
08:13:06 [scan] Port scanning 203.0.113.43
08:13:09 [scan] Port scanning 203.0.113.50
...
08:13:33 [scan] Done (10/10)
...
08:13:54 [tunnel-dns] WARNING: You've specified use of interface 'ens4' with address '10.186.0.3' for this module. Overriding defaults may cause connectivity issues.
08:13:54 [tunnel-dns] Simulating DNS tunneling via *.sandbox.alphasoc.xyz
08:13:54 [tunnel-dns] ERROR: sandbox.alphasoc.xyz: lookup pvnxjanknktrudzahtallgpgrmlptm.sandbox.alphasoc.xyz. on 127.0.0.53:53: dial udp 10.186.0.3:0->127.0.0.53:53: i/o timeout
08:14:04 [tunnel-dns] Done (0/1)
Something like this... let me know what you guys think. As discussed, we can hold off on this until the next release, in which case I'll prep a release tomorrow.
ubuntu:~$ ./flightsim run c2
AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The address of the network interface for IP traffic is 10.186.0.4
The address of the network interface for DNS queries is 127.0.0.1
The current time is 25-Oct-21 15:17:33
15:17:33 [c2] Preparing a random sample of C2 domains
15:17:33 [c2] Resolving astro--pacific.com
15:17:34 [c2] Resolving boundertime.ru
15:17:35 [c2] Resolving boldchat.website
15:17:36 [c2] Resolving premieruandcsystems.com
15:17:37 [c2] Resolving officeworkzone.xyz
15:17:38 [c2] Done (5/5)
15:17:38 [c2] Preparing a random sample of C2 IP:port pairs
15:17:38 [c2] Connecting to 3.17.7.232:19832
15:17:39 [c2] Connecting to 192.34.109.104:443
15:17:40 [c2] Connecting to 81.213.59.22:443
15:17:41 [c2] ERROR: 81.213.59.22:443: dial tcp 10.186.0.4:0->81.213.59.22:443: i/o timeout
15:17:41 [c2] Connecting to 136.144.41.168:59666
15:17:42 [c2] Connecting to 178.128.94.170:443
15:17:43 [c2] ERROR: 178.128.94.170:443: dial tcp 10.186.0.4:0->178.128.94.170:443: i/o timeout
15:17:43 [c2] Done (3/5)
All done! Check your SIEM for alerts using the timestamps and details above.
ubuntu:~$ ./flightsim run -iface lo c2
AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The address of the network interface for IP traffic is 127.0.0.1
The address of the network interface for DNS queries is 127.0.0.1
The current time is 25-Oct-21 15:21:21
15:21:21 [c2] Preparing a random sample of C2 domains
15:21:21 [c2] Resolving service-mp2sc0gc-1301679103.gz.apigw.tencentcs.com
15:21:22 [c2] Resolving service-azhuvd2i-1305517013.gz.apigw.tencentcs.com
15:21:23 [c2] Resolving mywatchidea.com
15:21:24 [c2] Resolving sec.qaxcn.cf
15:21:25 [c2] Resolving boldchat.website
15:21:26 [c2] Done (5/5)
15:21:26 [c2] Preparing a random sample of C2 IP:port pairs
15:21:26 [c2] Connecting to 47.92.163.5:8443
15:21:26 [c2] ERROR: 47.92.163.5:8443: dial tcp 127.0.0.1:0->47.92.163.5:8443: connect: invalid argument
...
15:21:30 [c2] Done (0/5)
All done! Check your SIEM for alerts using the timestamps and details above.
🦭
Should help with DNS queries where the nameserver is not reachable via the external IP (i.e. systemd's 127.0.0.53, etc.). Also report an error if resolve fails due to dial errors.
Addresses: https://github.com/alphasoc/flightsim/issues/39
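The failure mode in the first set of logs is worth spelling out: when the resolver is the systemd-resolved stub on 127.0.0.53, a query whose source address is pinned to the external interface (10.186.0.3) cannot reach a loopback destination and times out, while the later logs show the mirror-image problem, a source of 127.0.0.1 cannot connect to an external IP at all (`connect: invalid argument`). The example below is added here to illustrate the split the PR describes; it is not flightsim's own code and the function names (`parseNameservers`, `dnsSourceAddr`, `newBoundResolver`, `sourceWarning`) and the resolv.conf sample are all constructed for this illustration. It picks a separate source address for DNS queries from the one used for IP traffic, builds a `net.Resolver` bound to it, and emits the same kind of warning a user would want before a doomed loopback-to-external dial.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"net"
	"strings"
	"time"
)

// sampleStubResolvConf is a constructed stand-in for the stub resolv.conf
// that systemd-resolved installs; it is not copied from any real host.
const sampleStubResolvConf = `# constructed sample, mirrors /run/systemd/resolve/stub-resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search .
`

// parseNameservers returns the "nameserver" entries of resolv.conf-style text.
func parseNameservers(resolvConf string) []net.IP {
	var out []net.IP
	sc := bufio.NewScanner(strings.NewReader(resolvConf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == "nameserver" {
			if ip := net.ParseIP(f[1]); ip != nil {
				out = append(out, ip)
			}
		}
	}
	return out
}

// dnsSourceAddr decides which local address DNS queries leave from.
// A loopback stub (127.0.0.53) is unreachable from the external
// interface address, so DNS falls back to loopback while IP traffic
// keeps using ifaceAddr. Otherwise DNS shares the interface address.
func dnsSourceAddr(ifaceAddr net.IP, nameservers []net.IP) net.IP {
	for _, ns := range nameservers {
		if ns.IsLoopback() {
			if ns.To4() != nil {
				return net.IPv4(127, 0, 0, 1)
			}
			return net.IPv6loopback
		}
	}
	return ifaceAddr
}

// newBoundResolver builds a Go resolver whose queries are dialed from src.
func newBoundResolver(src net.IP, timeout time.Duration) *net.Resolver {
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
			d := net.Dialer{Timeout: timeout}
			if strings.HasPrefix(network, "udp") {
				d.LocalAddr = &net.UDPAddr{IP: src}
			} else {
				d.LocalAddr = &net.TCPAddr{IP: src}
			}
			return d.DialContext(ctx, network, address)
		},
	}
}

// sourceWarning flags the loopback-source/external-destination mismatch
// that surfaces as "connect: invalid argument" before any dial is attempted.
func sourceWarning(src, dst net.IP) string {
	if src.IsLoopback() && !dst.IsLoopback() {
		return fmt.Sprintf("source %s is loopback but destination %s is not; the dial cannot succeed", src, dst)
	}
	return ""
}

func main() {
	iface := net.ParseIP("10.186.0.3") // constructed interface address from the logs
	ns := parseNameservers(sampleStubResolvConf)
	src := dnsSourceAddr(iface, ns)
	fmt.Printf("IP traffic source: %s\nDNS query source:  %s\n", iface, src)

	r := newBoundResolver(src, 2*time.Second)
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()
	if addrs, err := r.LookupHost(ctx, "localhost"); err != nil {
		fmt.Println("lookup error:", err)
	} else {
		fmt.Println("localhost resolves to", addrs)
	}
	fmt.Println(sourceWarning(net.ParseIP("127.0.0.1"), net.ParseIP("203.0.113.4")))
}
```

The `net.Resolver.Dial` hook is the only place a Go program can pin the source of its DNS queries, which is why the decision has to be made separately from the dialer used for the C2 and scan traffic.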