MultiSIEM Modular Python3 Attack Framework
By ElevenPaths https://www.elevenpaths.com/
Usage: python3 ./siemsframework.py
SIEMs are defensive tools increasingly used in the field of cybersecurity, especially by major companies and by organizations that monitor highly critical systems and networks. However, from the point of view of an attacker, the permissions granted to SIEMs on systems and accounts across corporate networks are high. Moreover, administrative access to a SIEM may be used to obtain code execution on the server where the SIEM is installed, and sometimes also on client machines, considering that a SIEM collects events from sources such as Active Directory servers, AWS servers, databases and network devices (for example, firewalls and routers).
During our investigation, we identified a large number of attack vectors that might be used against the various SIEMs to compromise them, for instance:
• Obtain user accounts and passwords stored in the SIEM from critical systems (LDAP/AD servers, databases, network devices, AWS servers).
• Develop and install malicious applications such as Windows/Linux reverse shells, Windows/Linux bind shells or malicious scripts with the aim of compromising the server where the SIEM is installed.
• Develop and install malicious applications such as Windows/Linux reverse shells, Windows/Linux bind shells or malicious scripts with the aim of compromising the machines from which the SIEM collects events.
• Create and apply malicious actions or notifications that execute commands when a given event occurs, for example with the purpose of obtaining a reverse shell on the server where the SIEM is installed.
• Take advantage of default passwords and SIEM weaknesses in the configuration of the OVA images to obtain admin credentials for the server, the database or even the SIEM web interface itself.
• Perform dictionary attacks or brute-force attacks against the web or admin interface, or against the SIEM client software, to obtain admin credentials.
• Read arbitrary files from the server where the SIEM is installed.
• Obtain SIEM configuration information and other relevant parameters to perform further attacks.
On the basis of the investigation results, the open source tool SIEMs Framework was developed. It is a modular tool written in Python3 by the Innovation and Laboratory team of ElevenPaths. It automates potential attacks against the various SIEMs on the market (both commercial and open source).
SIEMs Framework supports multiple attack payloads that may be selected according to the SIEM to be attacked and its operating system. Payloads are available in PowerShell, Python, Bash, Exe and other formats. Once the selected attack is executed, the tool shows the results on the screen, and it is possible to go back and execute any other attack on the same SIEM or select another SIEM to compromise. It has a simple, easy-to-use and intuitive interface. Currently it can be used with the following SIEMs: Splunk, Graylog and OSSIM.
SIEMs Framework can be downloaded from our GitHub by downloading the .zip file or cloning the repository. It has the following requirements, which can be installed with pip3 install -r requirements.txt:
• splunk-sdk
• requests
• python-nmap
• colorama
• pandas
• paramiko
• pymongo
• qradar4py
• requests_mock
• urllib3
Once the requirements are installed, the tool can be run as follows: python3 ./siemsframework.py
When the tool is executed, the main menu is displayed, where you select whether to scan a specific IP address that may host a SIEM, or a network in order to detect the SIEMs within it. To scan and detect a SIEM at a specific IP address use option 1; to scan a network use option 2.
By selecting option 1 “Scan and Detect SIEM”, the tool requests the IP address, scans the specific ports of the supported SIEMs and connects to the web or management interface in order to verify that it is really a SIEM.
Once a SIEM has been detected by this method, the tool shows the detected SIEM in red and gives you the option to launch the attack module for that SIEM.
By selecting option 2 “Find SIEMs on the network”, the tool requests the network to be scanned in CIDR notation, for instance 192.168.137.0/24. Once the information is entered, SIEMs Framework first performs a discovery to detect the active systems; then the default ports of the supported SIEMs are scanned, and finally it connects to the web or management interface of each of those systems in order to verify that it is really a SIEM.
Once the SIEMs have been detected by this method, the tool shows the detected SIEMs in red and requests the IP address of the SIEM to be attacked.
By entering “y” and selecting the launch of the Splunk attack modules, the tool shows all the possible attacks that can be performed against this SIEM. The first two attacks require no credentials, but the fifth one requires Splunk admin privileges.
This attack module contains a specific dictionary for Splunk named dict.txt, which is made up of the 100 most used passwords of 2018 and various permutations of the SIEM trade name and its admin user, in uppercase and lowercase letters and with vowels replaced by numbers. If you wish to use a different list, /splunk/dict.txt can be replaced with any other word list, provided that the file name is kept. The Splunk password policy does not apply to users with the admin role, so neither password restrictions nor account lockout after unsuccessful login attempts apply to them. Before starting the dictionary attack, the tool checks whether the Splunk instance to be analyzed is the Free version, which does not use any type of authentication, or whether it still keeps the default password “changeme” of the oldest versions of this software.
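Because admin accounts are not locked out, the compensating control is to detect the attack in the SIEM's own login audit trail. The following Python detector is an added defensive example, not code from SIEMs Framework; its log line layout, the 10-failures-in-5-minutes threshold and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log layout for this example (not a real Splunk log format):
#   <ISO-8601 UTC timestamp> src=<ip> user=<name> result=<success|failure>
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
                     r"result=(?P<result>success|failure)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line):
    """Return (timestamp, src, user, result), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["src"], m["user"], m["result"]

def detect_dictionary_attacks(lines, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window detector. Emits ("dictionary_attack", src, user, n) once a
    (src, user) pair reaches `threshold` failures inside `window`, and
    ("success_after_burst", ...) when a success follows such a burst, i.e. the
    password was guessed. `threshold` and `window` are assumed tuning values."""
    failures = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    bursting = set()               # pairs currently over the threshold
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # skip malformed lines rather than crash
        ts, src, user, result = parsed
        key = (src, user)
        q = failures[key]
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if result == "failure":
            q.append(ts)
            if len(q) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append(("dictionary_attack", src, user, len(q)))
        else:
            if key in bursting:
                alerts.append(("success_after_burst", src, user, len(q)))
            q.clear()              # a success closes the burst for this pair
            bursting.discard(key)
    return alerts

def sample_log():
    """Constructed sample: 12 rapid failures for admin, then a success; one benign user."""
    stamp = lambda s: (datetime(2023, 5, 1, 10, 0, 0) + timedelta(seconds=s)).strftime(TS_FMT)
    lines = [f"{stamp(i)} src=192.168.137.50 user=admin result=failure" for i in range(12)]
    lines.append(f"{stamp(12)} src=192.168.137.50 user=admin result=success")
    lines.append(f"{stamp(180)} src=192.168.137.7 user=analyst result=failure")
    lines.append(f"{stamp(185)} src=192.168.137.7 user=analyst result=success")
    lines.append("not a login record")  # malformed line the parser must skip
    return lines
```

Running detect_dictionary_attacks(sample_log()) yields one dictionary_attack alert at the tenth failure and one success_after_burst alert; the analyst's single failure produces nothing.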
If the Splunk server to be analyzed has the web interface active, this module obtains server and session information from the web interface itself without needing to authenticate. 8000 is the default port of the Splunk web interface; to use this module it is necessary to know and enter the port where the web interface is published.
This module can be used on a Splunk Server or a Universal Forwarder. To use it, Splunk admin credentials are needed; they can be obtained, for instance, through a dictionary attack (1st attack). The result of the module is information about the current Splunk installation: version, operating system, Splunk configuration and more.
This module is used only on Splunk servers. To use it, Splunk admin credentials are needed; they can be obtained, for instance, through a dictionary attack (1st attack). The result of the module is all the credentials stored by the apps that Splunk uses to connect to the devices from which events are collected.
This module can be used on a Linux Splunk Server. To use it, Splunk admin credentials are needed; they can be obtained, for instance, through a dictionary attack (1st attack). The module loads the file concerned into an index, and its result is the content of the file /etc/shadow from the server where Splunk is installed.
This module will be available in the next version of SIEMs Framework. In the meantime, Universal Forwarders can be compromised by running attack 1 to obtain credentials and then attack 7 to install a malicious application for the platform.
This attack module develops and installs on Splunk a malicious application designed to compromise the system concerned. First, the type of payload must be selected according to the operating system and the type of Splunk to attack (Splunk Server or Universal Forwarder). You can use a Linux Python reverse or bind shell for a Splunk Server or UF; a Windows Python reverse or bind shell for a Splunk Server (where Python is installed by default); and an executable bind shell or a script that adds an admin user on Windows Universal Forwarders (where Python is not installed by default). Then the username, the Splunk admin password and the attacker’s IP address must be entered.
By entering “y” and selecting the launch of the Graylog attack modules, the tool shows all the possible attacks that can be performed against this SIEM. The first three attacks require no credentials, but the fourth one requires Graylog admin privileges.
This attack module contains a specific dictionary for Graylog named dict.txt, which is made up of the 100 most used passwords of 2018 and various permutations of the SIEM trade name and its admin user, in uppercase and lowercase letters and with vowels replaced by numbers. If you wish to use a different list, /graylog/dict.txt can be replaced with any other word list, provided that the file name is kept.
This attack module checks whether the Graylog instance to be analyzed has default credentials on the Graylog web interface (admin/admin), as well as default credentials to connect to the system by console or SSH (ubuntu/ubuntu). Both pairs of credentials are configured by default on the Graylog virtual machine appliances, both OVA and AMI.
This attack module checks whether the Graylog instance to be analyzed has its MongoDB database configured with no authentication. In that case, it connects to MongoDB and obtains configuration information, LDAP credentials (depending on the Graylog version they may be in plain text or encrypted) and the access and secret keys configured in the AWS plugin. When it is encrypted, the LDAP user password is encrypted with AES CBC. The key is the first 16 bits of the field password_secret, located in the configuration file server.conf (or graylog.conf in the case of standard installations), or of the field secret_token located in the file graylog-secrets.json in the case of OVA installations; the IV is the salt shown on the screen.
This attack module obtains configuration information and LDAP and AWS credentials in plain text from the Graylog REST API. To use this module, Graylog admin credentials are needed.
By entering “y” and selecting the launch of the OSSIM attack modules, the tool shows all the possible attacks that can be performed against this SIEM. The first attack requires no credentials, but the subsequent ones require OSSIM admin credentials.
This attack module contains a specific dictionary for OSSIM named dict.txt, which is made up of the 100 most used passwords of 2018 and various permutations of the SIEM trade name and its admin user, in uppercase and lowercase letters and with vowels replaced by numbers. If you wish to use a different list, /ossim/dict.txt can be replaced with any other word list, provided that the file name is kept.
This attack module obtains configuration information from the OSSIM server. To use it, OSSIM admin credentials are needed; they can be obtained, for instance, through a dictionary attack (1st attack). The result of the module is the relevant configuration information of the current installation: defined users and login parameters, including LDAP configuration and password policies.
This attack module obtains a reverse shell from the OSSIM server to the attacker’s system. To use it, OSSIM admin credentials are needed; they can be obtained, for instance, through a dictionary attack (1st attack). The module creates a malicious action that connects via netcat to the attacker’s system. It then creates a new policy that uses that action to send a warning whenever a security event occurs, and this event is triggered through an unsuccessful SSH login attempt to the OSSIM server. Consequently, a reverse shell with root privileges is obtained from the OSSIM server to the attacker’s system on port 12345.
By entering “y” and selecting the launch of the QRadar attack modules, the tool shows all the possible attacks that can be performed against this SIEM. The first two attacks require no credentials, but the subsequent ones require QRadar admin credentials or an API key.
This attack module contains a specific dictionary for QRadar named dict.txt, which is made up of the 100 most used passwords of 2018 and various permutations of the SIEM trade name and its admin user, in uppercase and lowercase letters and with vowels replaced by numbers. If you wish to use a different list, /qradar/dict.txt can be replaced with any other word list, provided that the file name is kept. This attack is very slow because QRadar has a protection that allows only 5 attempts every 30 minutes.
This attack module contains a specific dictionary for QRadar named apikeys.txt, which is made up of 1000 candidate API keys that follow the structure this SIEM requires. If you wish to use a different list, /qradar/dict.txt can be replaced with any other word list, provided that the file name is kept. The program also offers the option of generating the API key file randomly.
This attack module obtains the server configuration through the use of an API key. To use it, a QRadar admin API key is needed; it can be obtained, for instance, through a dictionary attack (2nd attack). The result of the module is the relevant configuration information of the current installation: defined users, network hierarchy and deployment hosts.
This attack module obtains the list of users saved in the Ariel database. To use it, a QRadar admin API key is needed; it can be obtained, for instance, through a dictionary attack (2nd attack). The result of the module is the relevant information about the users that have interacted with the Ariel database.
By entering “y” and selecting the launch of the McAfee attack modules, the tool shows all the possible attacks that can be performed against this SIEM. The first attack requires no credentials, but the subsequent ones require McAfee admin credentials.
This attack module contains a specific dictionary for McAfee named dict.txt, which is made up of 7000 randomly generated passwords with various permutations of the SIEM trade name and its admin user, in uppercase and lowercase letters and with vowels replaced by numbers. If you wish to use a different list, /mcafee/dict.txt can be replaced with any other word list, provided that the file name is kept. This attack is very slow because McAfee has a protection that allows only 3 attempts every 10 minutes.
This attack module contains a specific dictionary for McAfee named dict.txt, which is made up of 7000 randomly generated passwords with various permutations of the SIEM trade name and its admin user, in uppercase and lowercase letters and with vowels replaced by numbers. If you wish to use a different list, /mcafee/dict.txt can be replaced with any other word list, provided that the file name is kept.
This attack module obtains the server configuration through the use of admin credentials. To use it, SSH admin credentials are needed; they can be obtained, for instance, through a dictionary attack (2nd attack). The result of the module is the relevant configuration information of the current installation: the nameserver on the network, active services, network configuration and firewall configuration.
This attack module obtains the server configuration through the use of admin credentials. To use it, SSH admin credentials are needed; they can be obtained, for instance, through a dictionary attack (2nd attack). The result of the module is the relevant configuration information of the current installation: SIEM release number, HDD data, RAM data, processor data, uptime, next status check date, rules status check date and next backup date.
This attack module obtains the server configuration through the use of admin credentials. To use it, SSH admin credentials are needed; they can be obtained, for instance, through a dictionary attack (2nd attack). The result of the module is the relevant information about system users.
By entering “y” and selecting the launch of the SIEMonster attack modules, the tool shows all the possible attacks that can be performed against this SIEM. The first attack requires no credentials, but the subsequent ones require SIEMonster admin credentials.
This attack module contains a specific dictionary for SIEMonster named dict.txt, which is made up of 7000 randomly generated passwords with various permutations of the SIEM trade name and its admin user, in uppercase and lowercase letters and with vowels replaced by numbers. If you wish to use a different list, /siemonster/dict.txt can be replaced with any other word list, provided that the file name is kept.
This attack module obtains the server configuration through the use of admin credentials. To use it, SSH admin credentials are needed; they can be obtained, for instance, through a dictionary attack (1st attack). The result of the module is the relevant configuration information of the current installation: the nameserver on the network, active Docker containers, the list of active services, network configuration and firewall configuration.
This attack module obtains the server configuration through the use of admin credentials. To use it, SSH admin credentials are needed; they can be obtained, for instance, through a dictionary attack (1st attack). The result of the module is the relevant information about system users.
By entering “y” and selecting the launch of the ElasticSIEM attack modules, the tool shows all the possible attacks that can be performed against this SIEM. The first attack requires no credentials, but the subsequent ones require ElasticSIEM admin credentials.
This attack module contains a specific dictionary for ElasticSIEM named dict.txt, which is made up of the 7000 most used passwords of 2018 and various permutations of the SIEM trade name and its admin user, in uppercase and lowercase letters and with vowels replaced by numbers. If you wish to use a different list, /elasticsiem/dict.txt can be replaced with any other word list, provided that the file name is kept.
This attack module obtains the server configuration through the use of admin credentials. To use it, SSH admin credentials are needed; they can be obtained, for instance, through a dictionary attack (1st attack). The result of the module is the relevant configuration information of the current installation: the nameserver on the network, active Docker containers, the list of active services and network configuration.
Please report any errors by opening an issue on GitHub. Your collaboration is much appreciated!