Tool to discover external and internal network attack surface

Attack Surface Framework

Overview

ASF aims to protect organizations by acting as an attack surface watchdog. Given an "Object", which can be a domain, an IP address or a CIDR (internal or external), ASF discovers assets and subdomains, enumerates their ports and services, tracks deltas between runs, and serves as a continuous and flexible attacking and alerting framework, adding a layer of support against 0-day vulnerabilities that have publicly available POCs.

Motivation

The driving force behind ASF was the lack of support and flexibility for automating the discovery of dynamic assets and their associated vulnerabilities through continuous scanning or exploitation in a single pane of glass. Existing solutions are restricted by the technology or the program they were built for; we wanted a solution that is scalable and that uses popular open source security tools to handle the full vulnerability lifecycle.

ASF brings together a set of open source projects, wrapping a powerful arsenal of tools in a single pane of glass on top of a GUI. The ASF architecture is illustrated below:

Architecture

Prerequisites

Latest version of Kali Linux (tested on 64-bit) - https://kali.org/get-kali/

Latest version of Subfinder installed, for instructions see https://github.com/projectdiscovery/subfinder

16 GB of RAM at least

1 TB HD - XFS filesystem recommended

Build & Run

As root

  1. git clone https://github.com/vmware-labs/attack-surface-framework.git /opt/asf
  2. cd /opt/asf/
  3. Run ./setup.sh
  4. When prompted, provide youruser (your username), your email and yourpass (your password)

Once the installation is complete, ASF will be available as a service on http://127.0.0.1:2021

Security

ASF is not meant to be publicly exposed. Whether you install it on a cloud provider or on a local instance, we recommend accessing it through SSH port forwarding, for example:

ssh -i "key.pem" -L 8080:127.0.0.1:8080 user@yourhost - For ASF GUI

ssh -i "key.pem" -L 9045:127.0.0.1:9045 user@yourhost - To access Graylog2 Panel

Then open your browser and go to:

http://127.0.0.1:8080 - For ASF - user:youruser pass:yourpass (provided in initial setup)

https://127.0.0.1:9045 - For Graylog2 - user:admin pass:admin (change it in /graylog/docker-compose.yaml)
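The port-forwarding advice above only helps if the ASF and Graylog services are actually bound to the loopback interface on the host. The following script is an added example and is not part of the ASF project: it parses `ss -tln` output (Linux) and flags any listener on the ports this README mentions (2021, 8080, 9045) that is bound to a non-loopback address. The sample `ss` output is constructed for illustration; `check_live_system()` runs the real command on the host.

```python
"""Verify that ASF-related listeners are bound to loopback only.

Added example, not ASF's own code. Parses `ss -tln` output and reports
watched ports that are reachable on non-loopback addresses.
"""
import subprocess
from typing import Dict, List, Set

# Ports named in the ASF README: service port, GUI forward, Graylog panel.
ASF_PORTS: Set[int] = {2021, 8080, 9045}

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample of `ss -tln` output (not captured from a real host):
# ASF on loopback (fine), Graylog on all interfaces (exposed),
# the GUI port on IPv6 loopback (fine), sshd on all interfaces (expected).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:2021       0.0.0.0:*
LISTEN  0       4096    0.0.0.0:9045         0.0.0.0:*
LISTEN  0       128     [::1]:8080           [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""


def parse_listeners(ss_output: str) -> Dict[int, List[str]]:
    """Map each listening TCP port to the local addresses it is bound on."""
    listeners: Dict[int, List[str]] = {}
    for line in ss_output.splitlines():
        fields = line.split()
        # Header and non-LISTEN rows are skipped; column 4 is Local Address:Port.
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        addr = addr.strip("[]")  # IPv6 addresses are printed as [addr]:port
        listeners.setdefault(int(port), []).append(addr)
    return listeners


def exposed_ports(ss_output: str, watched: Set[int] = ASF_PORTS) -> Dict[int, List[str]]:
    """Return watched ports bound to anything other than a loopback address."""
    exposed: Dict[int, List[str]] = {}
    for port, addrs in parse_listeners(ss_output).items():
        if port not in watched:
            continue
        non_loopback = [a for a in addrs if a not in LOOPBACK]
        if non_loopback:
            exposed[port] = non_loopback
    return exposed


def check_live_system() -> Dict[int, List[str]]:
    """Run `ss -tln` on this host and report exposed watched ports."""
    result = subprocess.run(["ss", "-tln"], capture_output=True, text=True, check=True)
    return exposed_ports(result.stdout)


if __name__ == "__main__":
    # Demonstrate on the constructed sample; swap in check_live_system() on a host.
    for port, addrs in exposed_ports(SAMPLE_SS_OUTPUT).items():
        print(f"port {port} is bound on {addrs}: bind it to 127.0.0.1 or firewall it")
```

On a real host the only listeners on these ports should be on 127.0.0.1 or ::1; anything else means the SSH tunnel is not the only way in, and the Graylog default credentials mentioned above become reachable from the network.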

Graylog2 requires a few steps before it starts receiving logs from ASF:

Once logged in, go to System / "Content Packs" and import the content pack located at /opt/asf/tools/graylog/content_pack_ASF.json. Click the "Upload" button; "Basic" should then appear in the "Select Content Packs" section. Click "Basic", make sure the "ASF" radio button is selected and hit the "Apply content" button. This creates the global input that parses JSON logs and its related extractors.

Graylog2 Inputs Example

Now you are ready to receive logs from ASF and set up your streams, alerts and dashboards!

More info @ https://docs.graylog.org/en/4.1/

Documentation

ASF has two scopes:

A) External: For your publicly exposed assets.

B) Internal: Assets in your corporate network.

For the External scope, the flow goes through four basic steps:

A.1 Targets - Here is where you input your targets

Targets

A.2 Discovery - Module that runs the Amass process to discover publicly exposed assets. You can create your own configuration file to set up your API keys; see https://github.com/OWASP/Amass/blob/master/examples/config.ini

Discovery

A.3 Enumeration - Module that runs the NMAP process to enumerate ports/services and create filters for the Redteam module. The default setup looks for --top-ports 200, but you can adjust it to your needs in /opt/asf/tools/nmap/*.sh

Enumeration

A.4 Redteam - Module that runs submodules located in "/opt/asf/redteam"

Redteam

Note: For the Internal scope, the flow goes through A.1 (Targets), A.3 (Enumeration) and A.4 (Redteam).
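The Enumeration step feeds the delta tracking that the Overview describes: a new open port on a known host, or a host that was not in the previous run, is what a watchdog should alert on. The script below is an added example and is not ASF's own code; it shows the core of such a tracker over Nmap XML output (`-oX`). The two XML documents are constructed samples standing in for a previous and a current `--top-ports 200` run against documentation-range addresses (192.0.2.0/24); the real files, paths and Nmap arguments ASF uses are not shown on this page.

```python
"""Compute deltas between two Nmap enumeration runs.

Added example, not ASF's own code. Parses Nmap XML (-oX) and reports
new hosts, newly open services and services that disappeared.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Key: (address, protocol, port); value: service name reported by Nmap.
ServiceKey = Tuple[str, str, int]

# Constructed sample: previous run, two hosts up.
PREVIOUS_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --top-ports 200 -oX prev.xml 192.0.2.10 192.0.2.11">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports></host>
</nmaprun>
"""

# Constructed sample: current run. 192.0.2.10 now exposes 3389, 192.0.2.11
# closed port 80, and a third host 192.0.2.12 appeared with 8080 open.
CURRENT_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --top-ports 200 -oX cur.xml 192.0.2.0/24">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports></host>
  <host><status state="down"/><address addr="192.0.2.13" addrtype="ipv4"/></host>
</nmaprun>
"""


def open_services(nmap_xml: str) -> Dict[ServiceKey, str]:
    """Extract (addr, proto, port) -> service name for every open port on an up host."""
    found: Dict[ServiceKey, str] = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr", "")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not attack surface
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            found[(addr, port.get("protocol", "tcp"), int(port.get("portid", "0")))] = name
    return found


def delta(previous_xml: str, current_xml: str) -> Dict[str, object]:
    """Report new hosts, newly open services and services no longer open."""
    prev = open_services(previous_xml)
    cur = open_services(current_xml)
    new_hosts: List[str] = sorted({k[0] for k in cur} - {k[0] for k in prev})
    added = {k: v for k, v in cur.items() if k not in prev}
    removed = {k: v for k, v in prev.items() if k not in cur}
    return {"new_hosts": new_hosts, "added": added, "removed": removed}


if __name__ == "__main__":
    report = delta(PREVIOUS_SCAN, CURRENT_SCAN)
    for host in report["new_hosts"]:
        print(f"NEW HOST  {host}")
    for (addr, proto, port), name in report["added"].items():
        print(f"NEW OPEN  {addr} {proto}/{port} ({name})")
    for (addr, proto, port), name in report["removed"].items():
        print(f"GONE      {addr} {proto}/{port} ({name})")
```

The "added" set is the alert-worthy output: in the sample, RDP appearing on 192.0.2.10 and a previously unknown host exposing 8080 are exactly the changes a continuous scan exists to catch. Feeding such a report into Graylog as JSON (the format the ASF content pack parses) is what turns enumeration into alerting.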

Contributing

The attack-surface-framework project team welcomes contributions from the community. Before you start working with attack-surface-framework, please read our Developer Certificate of Origin. All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch. For more detailed information, refer to CONTRIBUTING.md.

License

Attack Surface Framework Copyright 2021 VMware, Inc.

The BSD-2 license (the "License") set forth below applies to all parts of the Attack Surface Framework project. You may not use this file except in compliance with the License.

BSD-2 License

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Notice

Attack Surface Framework Copyright 2021 VMware, Inc.

This product is licensed to you under the BSD-2 license (the "License"). You may not use this product except in compliance with the BSD-2 License.

This product may include a number of subcomponents with separate copyright notices and license terms. Your use of these subcomponents is subject to the terms and conditions of the subcomponent's license, as noted in the LICENSE file.

Credits

https://www.djangoproject.com/

https://github.com/creativetimofficial/material-dashboard-django

https://nmap.org/

https://github.com/OWASP/Amass

https://github.com/lanjelot/patator

https://github.com/FortyNorthSecurity/EyeWitness

https://github.com/projectdiscovery/nuclei

https://www.metasploit.com

https://www.kalilinux.org

https://www.graylog.org/products/open-source

https://github.com/wpscanteam/wpscan

https://github.com/vanhauser-thc/thc-hydra

https://nxlog.co/products/nxlog-community-edition

https://www.docker.com/

Presented at Blackhat Arsenal

https://www.blackhat.com/us-21/arsenal/schedule/index.html#vdoberman-24096
