
2.10 Resources

D3vil0p3r edited this page May 14, 2023 · 1 revision

Athena OS consists of several elements designed to make the user comfortable. Some of them are key features of the user environment because they are needed to reach the objective of the project: bringing the user closer to security and hacking resources.

Red Team Menu

Red Team Menu was created to organize, in a tidy manner, all the main security tools that users need to start their hacking activity. It consists of two levels:

  • 1st level, containing several hacking categories plus the Firefox browser and Code OSS as editor
  • 2nd level, consisting of the hacking tools deployed for each hacking category


In detail:

Information Gathering: Dmitry, Nmap, Spiderfoot, TheHarvester, enum4linux, wafw00f, Fierce
Vulnerability Analysis: Legion, Nikto, unix-privesc-check
Web Application Analysis: WPScan, Burpsuite, dirb, dirbuster, ffuf, Wfuzz, sqlmap
Password Attacks: John, Hashcat, Hydra, CEWL, CRUNCH, RSMangler, Medusa
Sniffing: mitmproxy, Responder, Wireshark
Wireless Testing: Aircrack-ng, Kismet, Reaver, Wifite, Fern Wifi Cracker, Spooftooph
Reverse Engineering: NASM, Radare2
Exploitation: SearchSploit, Metasploit, SEToolkit
Post Exploitation: PowerSploit, Mimikatz, evil-winrm, proxychains-ng, weevely

Initially, these tools are not installed, so that users do not fill the disk with tools or services they never use. Users who want these main tools must choose the Enthusiast Student role in the Welcome App.

The Red Team menu can be accessed with CTRL+SPACE.

PWNage Menu

PWNage Menu gives users quick access to the main hacking platforms for learning purposes and lets them join the main Discord InfoSec communities:

  • 1st shell shows quick links to the main hacking platforms
  • 2nd shell can be accessed through the Discurity icon at the top, where the user can join several Discord InfoSec servers or open the Discord app


The PWNage menu can be accessed with CTRL+TAB.

One of the most interesting features of Athena is its deep integration with the Hack The Box platform, accessible from the PWNage menu. Athena makes it possible to play Hack The Box machines directly from the OS environment in a quick and comfortable way. It offers:

  • Connect to / disconnect from Hack The Box VPN servers
  • Play any active free machine you wish
  • Reset the active machine
  • Stop any active machine
  • Submit a flag and write a review about your hacking experience!
  • ... and access to the Hack The Box website

All of this is done through the Hack The Box icon in the PWNage menu. The menu is updated automatically by a command inside /etc/profile.d/run-once.sh, which calls the Hack The Box APIs and retrieves the latest free active machines.

Playing one of these machines changes the shell PROMPT to show the name of the laboratory, the target IP address, the attacker IP address, the user's Hack The Box username and the prize points.

The set of tools that manages the Hack The Box environment needs the App Token of the Hack The Box user, which can be retrieved from the profile settings on the Hack The Box website. Once retrieved, it can be set by running the htb-update command.


Users with a Hack The Box VIP subscription can also play retired machines with the htb-play tool. It can list all retired machines with htb-play -l and then start a machine by specifying its name.


Payload to Dock

Another important security element in Athena is Payload to Dock. It is based on Dash 2 Dock and keeps the most famous payload repositories within reach. It allows users to get the latest version of the payloads and to open their path directly in the shell. It shows:

The Dock also contains links to Mimikatz and PowerSploit, and allows running the current SHELL and PowerShell.


Initially, these repositories are not installed, so that users do not fill the disk with payload repositories they never use. Users who want these repositories must choose, in the Welcome App, a hacking role that usually makes use of these resources.

The implementation of this dock relies on .desktop files, which should contain a configuration similar to the following (Mimikatz example):

[Desktop Entry]
Type=Application
Encoding=UTF-8
Name=Mimikatz
Comment=Mimikatz
Icon=/usr/share/icons/hicolor/128x128/apps/kali-mimikatz-128x128.png
Exec=gnome-terminal -- fish -c "if test -d /usr/share/windows/mimikatz;cd /usr/share/windows/mimikatz;$SHELL;else;echo \"Mimikatz is not installed. I'm retrieving it for you...\";sudo pacman -S mimikatz;cd /usr/share/windows/mimikatz;$SHELL;end;"
Terminal=false
Categories=Tags;Describing;Application

These .desktop files must be stored in /home/cybee/.local/share/applications (for the current user) or in the /usr/share/applications folder (for all users). Then log out and log in to apply the changes. Finally, open the dock bar, click the "Show Applications" icon, search for your Desktop Entry, right-click it and choose "Pin to dash".

The applications in Payload to Dock are defined in the favorite-apps field of dconf-shell.ini.

Payload Environment Variables

To access these resources quickly, several environment variables have been defined on the system:

Environment variable: Value
$PAYLOADS: /usr/share/payloads
$AUTOWORDLISTS: /usr/share/payloads/Auto_Wordlists
$FUZZDB: /usr/share/payloads/FuzzDB
$PAYLOADSALLTHETHINGS: /usr/share/payloads/PayloadsAllTheThings
$SECLISTS: /usr/share/payloads/SecLists
$SECURITYWORDLIST: /usr/share/payloads/Security-Wordlist
$MIMIKATZ: /usr/share/windows/mimikatz
$POWERSPLOIT: /usr/share/windows/powersploit
$ROCKYOU: /usr/share/payloads/SecLists/Passwords/Leaked-Databases/rockyou.txt
$DIRBIG: /usr/share/payloads/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
$DIRMEDIUM: /usr/share/payloads/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
$DIRSMALL: /usr/share/payloads/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
$WEBAPI_COMMON: /usr/share/payloads/SecLists/Discovery/Web-Content/api/api-endpoints.txt
$WEBAPI_MAZEN: /usr/share/payloads/SecLists/Discovery/Web-Content/common-api-endpoints-mazen160.txt
$WEBCOMMON: /usr/share/payloads/SecLists/Discovery/Web-Content/common.txt
$WEBPARAM: /usr/share/payloads/SecLists/Discovery/Web-Content/burp-parameter-names.txt

In this way, the user can retrieve the needed payload with less effort, for example:

ffuf -u <target_url> -w $DIRSMALL

or

john file.hash --wordlist=$ROCKYOU

Browser Hacking Extensions

Firefox ESR has been modified to integrate, at installation time, the add-ons needed for web application pentesting. The preinstalled add-ons are:

  • Cookie Quick Manager
  • FoxyProxy Standard
  • Hack-Tools
  • HacKontext
  • HTTPS Everywhere
  • Penetration Testing Kit
  • Privacy
  • uBlock Origin
  • Wappalyzer

These extensions are added to Firefox by default by importing a $HOME/.mozilla/firefox-esr folder containing the installed extensions into the target Athena system.

In particular, HacKontext is an extension that lets users inject website information, HTTP headers and body parameters of the active browser tab into specific InfoSec command-line tools, to improve and speed up their correct usage. It copies headers and parameters to the tools automatically, so the user does not have to paste them by hand.

As an example, by visiting the Arch Linux forum authentication page and selecting "Copy as FFUF", the clipboard stores the following string:

ffuf -u https://bbs/.archlinux.org/login.php?action=in -H 'Host: bbs.archlinux.org' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Content-Length: 176' -H 'Origin: https://bbs/.archlinux.org' -H 'Connection: keep-alive' -H 'Referer: https://bbs/.archlinux.org/login.php' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Sec-Fetch-User: ?1' -H 'DNT: 1' -H 'Sec-GPC: 1' -d 'form_sent=1&redirect_url=https://bbs.archlinux.org/index.php&csrf_token=7b2829f6ea8fbbc02cb3035a025fed10a9d166fb&req_username=usertest&req_password=passtest&login=Login'

and the user can edit this string to add the preferred wordlist and fuzzing parameters for attacking the target.

NIST Feed

NIST Feed is a special tool that informs users about newly published or updated CVEs through a popup notification. The notification contains a description of the CVE.

NIST Feed can be configured with the parameters shown by nist-feed -h. Users can decide which kinds of CVE they wish to be informed about, for instance CVEs with a high impact on confidentiality and integrity, or CRITICAL CVEs. Some examples:

  • Set Desktop Notifications for latest or updated CVEs with CRITICAL severity:
    nist-feed -n -l -s CRITICAL

  • Show details about the last three CVEs, without Desktop Notifications:
    nist-feed -r 3

  • Show details about the last twenty CVEs with PHYSICAL as attack vector and MEDIUM severity, without Desktop Notifications:
    nist-feed -V AV:P -s MEDIUM

  • Set Desktop Notifications for latest or updated CVEs with high Confidentiality, Integrity and Availability impact:
    nist-feed -n -l -m C:H/I:H/A:H
    or
    nist-feed -n -l -c C:H -i I:H -a A:H

  • Set Desktop Notifications for latest or updated CVEs with HIGH attack complexity and NETWORK as attack vector:
    nist-feed -n -l -A AC:H -V AV:N

Reference: https://nvd.nist.gov/

The -s argument sets a scheduled popup notification in crontab according to the specified filters.

When the popup notification is shown, users can left-click it to open the NIST NVD page with all the details, or right-click it to close it.
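To make the filter syntax above concrete, here is an added example (not nist-feed's own code) that evaluates filters of the same shape, a severity such as CRITICAL and slash-separated CVSS metrics such as C:H/I:H/A:H or AV:P, against CVSS v3 vector strings and base scores. The feed entries are constructed sample data, the CVE ids are placeholders, and the severity bands follow the NVD qualitative rating scale.

```shell
#!/bin/sh
# Added example, not nist-feed's own code: shows how filters of the kind passed
# to nist-feed (-s CRITICAL, -V AV:P, -m C:H/I:H/A:H) can be evaluated against
# CVSS v3 vector strings and base scores. The feed entries are constructed.

# severity_of SCORE: NVD qualitative rating bands for CVSS v3.x base scores.
severity_of() {
    awk -v s="$1" 'BEGIN {
        if (s == 0)       print "NONE"
        else if (s < 4.0) print "LOW"
        else if (s < 7.0) print "MEDIUM"
        else if (s < 9.0) print "HIGH"
        else              print "CRITICAL"
    }'
}

# cvss_matches VECTOR FILTER: succeed when every metric in FILTER (slash
# separated, e.g. "C:H/I:H") appears as a whole metric in VECTOR. Wrapping the
# vector in slashes makes "C:H" match only "/C:H/", never the tail of "/AC:H/".
cvss_matches() {
    vector="/$1/"
    old_ifs=$IFS
    IFS=/
    for metric in $2; do
        case "$vector" in
            *"/$metric/"*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Constructed sample feed: id|base score|vector|summary (none of these are real).
SAMPLE_FEED='CVE-0000-0001|9.8|CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H|constructed: unauthenticated remote code execution
CVE-0000-0002|5.5|CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N|constructed: local information disclosure
CVE-0000-0003|6.8|CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H|constructed: physical-access bypass
CVE-0000-0004|8.1|CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H|constructed: race condition'

# filter_feed SEVERITY METRICS: print the ids of entries whose score falls in
# SEVERITY (any when empty) and whose vector contains all METRICS (any when empty).
filter_feed() {
    want_sev="$1"
    want_metrics="$2"
    printf '%s\n' "$SAMPLE_FEED" | while IFS='|' read -r id score vector summary; do
        if [ -n "$want_sev" ] && [ "$(severity_of "$score")" != "$want_sev" ]; then
            continue
        fi
        if [ -n "$want_metrics" ] && ! cvss_matches "$vector" "$want_metrics"; then
            continue
        fi
        printf '%s\n' "$id"
    done
}

# Demo: the equivalents of "-s CRITICAL" and "-V AV:P -s MEDIUM" on the sample.
echo "CRITICAL:"; filter_feed CRITICAL ''
echo "MEDIUM with AV:P:"; filter_feed MEDIUM AV:P
```

Matching whole metrics rather than substrings is the detail that matters: a naive grep for C:H would also fire on the AC:H attack-complexity metric, which is why the helper wraps the vector in slashes before comparing.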

BlackArch Repository

Athena's tool surface can be increased by extending these main tools with the ones from the BlackArch repository.

BlackArch Linux is an Arch Linux-based penetration testing distribution for penetration testers and security researchers. Its repository contains 2800+ tools, classified by category. You can install tools individually or in groups according to the categories they belong to. The BlackArch repository is compatible only with Arch-based distributions such as Athena OS.

On Athena OS, the BlackArch repository is installed using the strap.sh file as described in the official documentation (https://blackarch.org/downloads.html, section "Installing on top of ArchLinux"). At the time of Athena ISO creation, this script is placed in the airootfs/usr/local/bin/ folder and it is run by the Calamares Installer through the shellprocess-<before|final>.conf file. strap.sh stores the blackarch.gpg, blackarch-trusted and blackarch-revoked files in the /usr/share/pacman/keyrings folder, enables the Multilib repository, adds the BlackArch server repository to /etc/pacman.conf and then executes pacman-key --init and pacman-key --populate. In this manner, all the keys inside /usr/share/pacman/keyrings are installed and trusted correctly.

Note: Multilib needs to be enabled because it is generally used to run 32-bit applications on a 64-bit system, and some security tools in BlackArch belong to this category. In general, this is also useful when running older games or anything else meant for 32-bit systems. Enabling multilib is a relatively common operation for many Arch Linux users and, as far as Arch goes, a relatively easy one. To enable it manually, uncomment these two lines in /etc/pacman.conf:

#[multilib]
#Include = /etc/pacman.d/mirrorlist

and run sudo pacman -Syyu.
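As an added example (not Athena's own installer code), the following POSIX shell script applies the same two-line change to a pacman.conf-style file and verifies the result. The sample pacman.conf it creates is constructed; the sed expression is scoped to the Include line that directly follows [multilib], so other commented-out repositories in the same file stay disabled.

```shell
#!/bin/sh
# Added example, not part of Athena OS: enable the [multilib] section in a
# pacman.conf-style file and verify the result. Works on the path given as $1,
# so it can be exercised on a scratch copy instead of /etc/pacman.conf.

# enable_multilib FILE: uncomment "#[multilib]" and the "#Include = ..." line
# that directly follows it. A blanket 's/^#Include/Include/' would also enable
# every other disabled repository in the file, so the edit is scoped to the
# section header with a sed block: strip '#', read the next line (n), strip '#'.
enable_multilib() {
    conf="$1"
    sed '/^#\[multilib\]/{s/^#//;n;s/^#\(Include *= *\)/\1/;}' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# multilib_enabled FILE: succeed (exit 0) only when an active [multilib] header
# is followed by an active Include line before the next section starts.
multilib_enabled() {
    awk '
        /^\[multilib\]/     { insec = 1; next }
        insec && /^Include/ { found = 1; exit }
        insec && /^\[/      { insec = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# make_sample_conf FILE: constructed pacman.conf fragment with multilib disabled
# and an unrelated disabled repository that must stay disabled.
make_sample_conf() {
    cat > "$1" <<'EOF'
[options]
HoldPkg = pacman glibc

[core]
Include = /etc/pacman.d/mirrorlist

#[multilib]
#Include = /etc/pacman.d/mirrorlist

#[custom]
#Include = /etc/pacman.d/custom
EOF
}

# Demo on a scratch file; on a real system the change is followed by `sudo pacman -Syyu`.
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
enable_multilib "$demo_conf"
if multilib_enabled "$demo_conf"; then
    echo "multilib enabled in $demo_conf"
fi
rm -f "$demo_conf"
```

The check function is worth keeping around in provisioning scripts: it distinguishes a file where only the header was uncommented (pacman would then see an empty section) from one where both lines are active.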

BlackArch hacking tools can be installed in several ways: users can install a single tool, a category, or all the tools. To install a single tool, execute sudo pacman -S <tool-name>. To install a category, execute sudo pacman -S <category-name>. The categories users can install are:

Category: Description
blackarch-anti-forensic: Countering forensic activities.
blackarch-automation: Workflow automation.
blackarch-automobile: Analyzing automotive applications.
blackarch-backdoor: Exploiting or opening backdoors on already vulnerable systems.
blackarch-binary: Operating on binaries in some form.
blackarch-bluetooth: Using Bluetooth attacks.
blackarch-code-audit: Auditing existing source code for vulnerability analysis.
blackarch-cracker: Cracking cryptographic functions.
blackarch-crypto: Working with cryptography, with the exception of cracking.
blackarch-database: Database exploitation on any level.
blackarch-debugger: Debugging resources in real time.
blackarch-decompiler: Reversing a compiled program into source code.
blackarch-defensive: Protecting resources from malware and attacks.
blackarch-disassembler: Producing assembly output rather than the raw source code.
blackarch-dos: Using DoS (Denial of Service) attacks.
blackarch-drone: Managing physically engineered drones.
blackarch-exploitation: Taking advantage of exploits in other programs or services.
blackarch-fingerprint: Exploiting fingerprint biometric equipment.
blackarch-firmware: Exploiting vulnerabilities in firmware.
blackarch-forensic: Finding information on physical disks or embedded memory.
blackarch-fuzzer: Fuzzing tools.
blackarch-hardware: Exploiting or managing anything to do with physical hardware.
blackarch-honeypot: Acting as "honeypots", i.e., programs that appear to be vulnerable services, used to attract hackers into a trap.
blackarch-ids: Intrusion Detection System tools.
blackarch-keylogger: Recording and retaining keystrokes on a target system.
blackarch-malware: Malicious software or malware detection.
blackarch-misc: Miscellaneous tools.
blackarch-mobile: Manipulating mobile platforms.
blackarch-networking: Scanning selected systems for vulnerabilities or information about the network.
blackarch-nfc: NFC technology tools.
blackarch-packer: Operating on or involving packers.
blackarch-proxy: Acting as a proxy, i.e., redirecting traffic through another node on the internet.
blackarch-radio: Operating on radio frequencies.
blackarch-recon: Actively seeking vulnerable exploits in the wild.
blackarch-reversing: Any decompiler, disassembler or similar program.
blackarch-scanner: Scanning selected systems for vulnerabilities or information about the network.
blackarch-sniffer: Analyzing network traffic.
blackarch-social: Social engineering attacks.
blackarch-spoof: Spoofing the attacker's identity.
blackarch-stego: Analyzing resources for hidden information.
blackarch-tunnel: Tunneling network traffic on a given network.
blackarch-voip: Operating on VoIP programs and protocols.
blackarch-webapp: Web application attack tools.
blackarch-windows: Native Windows packages.
blackarch-wireless: Operating on wireless networks on any level.

It is also possible to install all hacking tools with sudo pacman -S blackarch.

InfoSec Roles

In Athena you can set any InfoSec role you find suitable. The currently implemented roles are:

Role
Black Hat Omniscient
Bug Bounty Hunter
Cracker Specialist
Enthusiast Student
Forensic Analyst
Malware Analyst
Mobile Analyst
Network Analyst
OSINT Specialist
Red Teamer
Web Pentester

These roles are linked to role-related tools and to the related BlackArch category group. In the Athena repository, role tool packaging is managed by a script that automates the retrieval of the tools to be installed by the PKGBUILD, so that any conflicting or problematic tool can be excluded very easily and installation blocks are prevented.

This automation is managed mainly by the following line:

printf "'%s' " $(pacman -Sgq blackarch-webapp blackarch-fuzzer | awk '!seen[$0]++' | sed -e "$(sed 's:.*:s/^&$//ig:' <<<$(printf "%s\n" "${to_exclude[@]}"))") >> PKGBUILD

where the first piece retrieves all the members of the package groups, then all duplicated members are removed, and finally all packages that need to be excluded are removed. The result is placed as dependencies in the role meta-package.
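The same three steps, reproduced as an added example that is not the Athena repository's packaging script, on constructed input so that it runs without pacman. The group membership table stands in for the output of pacman -Sgq; the exclusion step uses literal whole-line matching (grep -Fx) instead of the generated sed expressions shown above, which is an assumption of this example rather than what the project does.

```shell
#!/bin/sh
# Added example, not the Athena repository's packaging script: reproduces the
# three steps behind the PKGBUILD dependency line (collect group members, drop
# duplicates, remove excluded tools, emit quoted names) on constructed input, so
# it runs without pacman. Exclusions are matched literally and whole with
# grep -Fx instead of the generated sed expressions the page shows, so a tool
# name containing regex characters cannot match the wrong package.

# Stand-in for the output of `pacman -Sgq GROUP...`: constructed "group member"
# pairs; the same tool may belong to several groups, like ffuf and sqlmap here.
GROUP_MEMBERS='blackarch-webapp sqlmap
blackarch-webapp wpscan
blackarch-webapp ffuf
blackarch-webapp problem-tool
blackarch-fuzzer ffuf
blackarch-fuzzer wfuzz
blackarch-fuzzer afl++
blackarch-fuzzer sqlmap'

# group_members GROUP...: print the members of each named group in order,
# repeats included, mirroring the raw output of pacman -Sgq.
group_members() {
    for g in "$@"; do
        printf '%s\n' "$GROUP_MEMBERS" | awk -v g="$g" '$1 == g { print $2 }'
    done
}

# role_depends EXCLUDE_FILE GROUP...: keep the first occurrence of each member
# (awk '!seen[$0]++', as in the page's one-liner), drop every name listed in
# EXCLUDE_FILE (one per line), and print the survivors as quoted names ready for
# the depends=() array of a role meta-package PKGBUILD.
role_depends() {
    exclude_file="$1"
    shift
    group_members "$@" \
        | awk '!seen[$0]++' \
        | grep -vxF -f "$exclude_file" \
        | sed "s/.*/'&'/" \
        | paste -sd ' ' -
}

# Demo on the constructed data: exclude one problematic tool and build the line.
demo_exclude=$(mktemp)
printf '%s\n' problem-tool > "$demo_exclude"
role_depends "$demo_exclude" blackarch-webapp blackarch-fuzzer
rm -f "$demo_exclude"
```

Running the demo prints 'sqlmap' 'wpscan' 'ffuf' 'wfuzz' 'afl++': ffuf and sqlmap appear once although both groups list them, and problem-tool is gone. Keeping the exclusion list in a file rather than a regex string also makes it easy to review in the repository.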

Tool configuration

VIM

The following configuration is used for VIM: https://github.com/amix/vimrc

Neofetch

Neofetch settings can be accessed in .config/neofetch/config.conf. You can change the ASCII logo shown and the system information printed. For example, to change the logo, open config.conf and search for ascii_distro. There, the user can change its value to one from the list above that section of the file.

In Athena, Neofetch, in synergy with lolcat, is invoked inside the $HOME/.config/fish/config.fish file as neofetch | lolcat.

Tmux

Tmux is set up with several plugins retrieved from https://github.com/wfxr/tmux-power. Tmux Plugin Manager is used to manage the plugins.

On Athena, tmux themes are set according to the theme chosen at installation time.

Bfetch

Bfetch is implemented with several text arts. Some examples of its output can be seen here: https://asciinema.org/a/381349

Backgrounds and Icons

In Athena, backgrounds are usually stored in the /usr/share/backgrounds/default folder.

The user can also change the desktop background from the CLI:

GS_BACKEND=dconf gsettings set org.gnome.desktop.background picture-uri-dark .local/share/backgrounds/neon_circle.jpg

Note: if you are using a dark theme on GNOME, use the picture-uri-dark argument. If you are using a light theme, use the picture-uri argument.

To change the Login Screen background in GDM: the file containing the Login background information is gnome-shell-theme.gresource. The user can back it up and create a new one as described in https://wiki.archlinux.org/title/GDM#Login_screen_background_image. During this creation, in lockDialogGroup, remember to set background-size: cover;. Once the file is created, place it in /usr/share/gnome-shell. Keep the backup, because this operation can break the Login Screen if it is not done correctly. If that happens, on the black screen after the reboot, press ALT+F1, ALT+F2 or ALT+Fx (where x is another number) to open a terminal, log in as root and restore the backup file.

On Athena, a new gresource file is used to change the Login Screen and to set a transparent Top Bar. During the creation of Athena, this new gresource file is placed in airootfs/usr/share/gnome-shell as .gresourcenew. Then the old file is replaced by the Calamares Installer through the shellprocess-<before|final>.conf file.