Closed macmiranda closed 3 years ago
Thanks for the kind words.
As to your question, we considered using the agents as remote scanners and passing the scan results back to the server to compile the results. That functionality was a little out of scope based on what we were planning, so it was not implemented at the time, but it is an achievable goal that we had as a future possibility for the project.
As for what you can do currently, if the target hosts have nmap installed (or any other scanning tool that produces an output report) you can create an ability to execute a scan and exfil the report back to the server and manually import it into pathfinder. The next step up from that would be changing the pathfinder plugin to make the endpoint for uploading reports unauthenticated so an agent can push a report to it directly (could be done through the ability commands), removing the manual step of importing.
Long term it would be best to have pathfinder be agent-aware, and have the capability to stage discovery commands for the agents to determine which are able to run the scanners. We would display a list of agents to run scans from and allow selecting n-number of them. When receiving the results back we would use those results to map out a network with more detail and possibly be able to resolve more complex network rules in place and how some hosts might bridge between multiple subnets and be used for lateral movement.
Hi Guys,
I just stumbled upon this, you guys have done some serious work here. Thanks for sharing it 🤗. My question though is whether there is anything in the roadmap to be able to run the initial scan as part of an operation. As far as I understood, the `nmap` scan is done directly from the CALDERA server, which limits the visibility over the target network, considering your CALDERA server is not in the same subnet as the vulnerable machines you want to identify. Running it as part of an operation would likely increase the attack surface, given you have an agent running inside the target subnet.