From c83fa04a982497a6284296cda3a70be04c3d1eb8 Mon Sep 17 00:00:00 2001 From: dustinupdyke Date: Wed, 2 Aug 2023 15:34:17 -0400 Subject: [PATCH] Adds documentation --- docs/core/handlers/blog_helper.md | 89 ++++++++++++++++ docs/core/handlers/excel.md | 17 +++- docs/core/handlers/notepad.md | 61 +++++++++++ docs/core/handlers/npc_system.md | 44 ++++++++ docs/core/handlers/outlook.md | 130 ++++++++++++++++++++++++ docs/core/handlers/pidgin.md | 74 ++++++++++++++ docs/core/handlers/powerpoint.md | 46 +++++++++ docs/core/handlers/print.md | 31 ++++++ docs/core/handlers/rdp.md | 47 +++++++++ docs/core/handlers/reboot.md | 28 +++++ docs/core/handlers/sftp.md | 52 ++++++++++ docs/core/handlers/sharepoint_helper.md | 66 ++++++++++++ docs/core/handlers/ssh.md | 53 ++++++++++ docs/core/handlers/watcher.md | 51 ++++++++++ docs/core/handlers/wmi.md | 64 ++++++++++++ docs/core/handlers/word.md | 46 +++++++++ 16 files changed, 894 insertions(+), 5 deletions(-) diff --git a/docs/core/handlers/blog_helper.md b/docs/core/handlers/blog_helper.md index e69de29b..cdd82db4 100644 --- a/docs/core/handlers/blog_helper.md +++ b/docs/core/handlers/blog_helper.md @@ -0,0 +1,89 @@ +# Blog Helper Configuration + +???+ info "Sample Configuration" + The sample configuration below is also available in the [GHOSTS GitHub repository]( + +The 'blog' command for a browser handler allows browse/deletion/upload/reply from a blog site. + +The handlerArgs for the blog command are: + +- "blog-credentials-file": `json credentials file path`, required, credentials file, see SSh.json sample handler for format +- "blog-deletion-probability": <0-100 integer>, default 0, probability to delete a blog post +- "blog-upload-probability": <0-100 integer>, default 0 , probability to upload a blog post +- "blog-reply-probability": <0-100 integer>, default 0 , probability to reply to a random blog post +- "blog-browse-probability": <0-100 integer>, default 0, probability to browse to a random blog post +- "blog-version": "drupal", -- version, required, only drupal is currrently supported, tested with version 7 + +Sum of browse+deletion+upload+reply <= 100 + +The CommandArgs are strings of the form "key:value", supported args are: + +- site:`blog site` -- required +- credentialKey:`credential key contained in the credential file` + +A handler can only browse a single blog site. The username, password specified by the credentialKey are used to login into the site. + +Under drupal, it assumed that all users have the capabilty to delete all blogs, even other user's blogs. + +Default content in config directory is blog-content.csv, default reply content is blog-reply.csv + +This content can be overridden in application.json by the 'BlogContent', 'BlogReply' fields. + +```json + "Content": { + "EmailContent": "", + "EmailReply": "", + "EmailDomain": "", + "EmailOutside": "", + "BlogContent": "", + "BlogReply": "", + "FileNames": "", + "Dictionary": "" + }, +``` + +The timeline configuration looks like this: + +```json +{ + "Status": "Run", + "TimeLineHandlers": [ + { + "HandlerType": "BrowserChrome", + "HandlerArgs": { + "isheadless": "false", + "blockimages": "true", + "blockstyles": "true", + "blockflash": "true", + "blockscripts": "true", + "stickiness": 75, + "stickiness-depth-min": 5, + "stickiness-depth-max": 10000, + "incognito": "true", + "blog-credentials-file": "c:\\ghosts_data\\blog_creds.json", + "blog-deletion-probability": 0, + "blog-upload-probability": 0, + "blog-browse-probability": 0, + "blog-reply-probability": 100, + "blog-version": "drupal" + + }, + "Initial": "about:blank", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": "True", + "TimeLineEvents": [ + { + "Command": "blog", + "CommandArgs": [ + "site:http://www.netexhsv.com:8080", + "credentialKey:credkey1" + ], + "DelayAfter": 10000, + "DelayBefore": 0 + } + ] + } + ] +} +``` diff --git a/docs/core/handlers/excel.md b/docs/core/handlers/excel.md index fa13ed5f..93f65027 100644 --- a/docs/core/handlers/excel.md +++ b/docs/core/handlers/excel.md @@ -33,8 +33,15 @@ Some of the key-value pairs are self-explanatory, but let's review a few important ones: -| Key | Value | -| --------------- | --------------------------------------- | -| `workingset` | For the documents Excel creates, how many should we create (max) and how old can they be before we start creating new ones (max-age-in-hours). | -| `Command` | (create) Create new documents. This is currently the only setting, but there is space for new commands to be built in the future | -| `CommandArgs` | [0] The path to the folder where the documents should be created. [1] Also periodically export documents as PDFs as well as saving them natively. [2] if creating PDFs, vary their name from the original document. [3] Randomly save documents in an array of locations. | +| Key | Value | +| ---------------------- | --------------------------------------- | +| `workingset` | For the documents Excel creates, how many should we create (max) and how old can they be before we start creating new ones (max-age-in-hours). | +| `Command` | (create) Create new documents. This is currently the only setting, but there is space for new commands to be built in the future | +| `CommandArgs`  | See below | + +For CommandArgs, we began with positional arguments, but this quickly became unwieldy. We are now using named arguments, which are easier to read and maintain, but the mix remains for now. The following arguments are available: + +- [0] The path to the folder where the documents should be created. (old style) +- [1] Also periodically export documents as PDFs as well as saving them natively. (middle style) +- [2] if creating PDFs, vary their name from the original document. (new style) +- [3] Randomly save documents in an array of locations. (new style) diff --git a/docs/core/handlers/notepad.md b/docs/core/handlers/notepad.md index e69de29b..69b6240d 100644 --- a/docs/core/handlers/notepad.md +++ b/docs/core/handlers/notepad.md @@ -0,0 +1,61 @@ +# Notepad Configuration + +???+ info "Sample Configuration" + The sample configuration below is also available in the [GHOSTS GitHub repository]( + +There is currently only one supported command (random) which uses probabilities to write text. + +During each activity cycle the handler will: + +- Choose action as either delete, create, modify, or view +- if delete, then delete random file from output-directory +- if create, open notepad, add random text, save as random new file to output-directory +- if view, open notepad with existing file from input-directory +- if modify, open notepad with existing file from output-directory, add random text, save +- if create or modify, roll against pdf-probability and do a print to pdf if roll succeeds + +For this to work, the default printer must be print to pdf - there is curently no checking is done if the correct printer is not selected. + +At end of activity cycle, Notepad is closed. + +CommandArgs from Timeline events is not used. + + +```json +{ + "Status": "Run", + "TimeLineHandlers": [ + { + "HandlerType": "Notepad", + "HandlerArgs": { + "execution-probability": 100, + "deletion-probability": 0, + "view-probability": 0, + "creation-probability": 0, + "modification-probability": 100, + "pdf-probability": 100, + "input-directory": "C:\\ghosts_data\\uploads", + "output-directory": "C:\\ghosts_data\\uploads", + "text-generation": "random", + "min-paragraphs": 4, + "max-paragraphs": 15, + "delay-jitter": 50 + }, + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": "True", + "TimeLineEvents": [ + { + "Command": "random", + "CommandArgs": [ + ], + "DelayAfter": 20000, + "DelayBefore": 0 + } + ] + } + + ] +} +``` diff --git a/docs/core/handlers/npc_system.md b/docs/core/handlers/npc_system.md index e69de29b..71decf67 100644 --- a/docs/core/handlers/npc_system.md +++ b/docs/core/handlers/npc_system.md @@ -0,0 +1,44 @@ +# NPC System Configuration + +???+ info "Sample Configuration" + The sample configuration below is also available in the [GHOSTS GitHub repository]( + +This is currently only used to turn the client on and off (where the client binary still runs, but does nothing). It is not used to control the client's behavior as other handlers might do. + +```json +{ + "TimeLineHandlers": [ + { + "HandlerType": "NpcSystem", + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": false, + "TimeLineEvents": [ + { + "Command": "Stop", + "CommandArgs": [], + "DelayAfter": 0, + "DelayBefore": 0 + } + ] + }, + { + "HandlerType": "NpcSystem", + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": false, + "TimeLineEvents": [ + { + "Command": "Start", + "CommandArgs": [], + "DelayAfter": 0, + "DelayBefore": 0 + } + ] + } + ] +} + +``` \ No newline at end of file diff --git a/docs/core/handlers/outlook.md b/docs/core/handlers/outlook.md index e69de29b..1cec3b2f 100644 --- a/docs/core/handlers/outlook.md +++ b/docs/core/handlers/outlook.md @@ -0,0 +1,130 @@ +# Outlook Configuration + +???+ info "Sample Configuration" + The sample configuration below is also available in the [GHOSTS GitHub repository]( + +```json +{ + "TimeLineHandlers": [ + { + "HandlerType": "Outlook", + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": "True", + "TimeLineEvents": [ + { + "Command": "create", + "CommandArgs": [ + "CurrentUser", + "Random|Other:string ToEmailAddress - comma separate multiples", + "Random|Other:string CcEmailAddress - comma separate multiples", + "Random|Other:string BccEmailAddress - comma separate multiples", + "Random|Other:string Subject", + "Random|Other:string Body", + "PlainText|RTF|HTML enum BodyType", + "string Attachments - comma separate multiples" + ], + "DelayAfter": 900000, + "DelayBefore": 0 + }, + { + "Command": "reply", + "CommandArgs": [ + "CurrentUser", + "All - reply to all", + "All", + "All", + "Parent - format is 'RE: '", + "Random+Parent - format is reply then original message", + "Parent - format of original message", + "" + ], + "DelayAfter": 900000, + "DelayBefore": 0 + }, + { + "Command": "clickrandomlink", + "CommandArgs": [], + "DelayAfter": 900000, + "DelayBefore": 0 + } + ] + }, + { + "HandlerType": "Outlook", + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": "True", + "TimeLineEvents": [ + { + "Command": "create", + "CommandArgs": [ + "CurrentUser", + "random", + "random", + "random", + "Random", + "Random", + "PlainText", + "" + ], + "DelayAfter": 900000, + "DelayBefore": 0 + }, + { + "Command": "reply", + "CommandArgs": [ + "CurrentUser", + "All", + "All", + "All", + "Parent", + "Parent+Random", + "Parent", + "" + ], + "DelayAfter": 900000, + "DelayBefore": 0 + }, + { + "Command": "clickrandomlink", + "CommandArgs": [], + "DelayAfter": 900000, + "DelayBefore": 0 + } + ] + } + ] +} +``` + +Some of the key-value pairs are self-explanatory, but let's review a few important ones: + +| Key | Value | +| ---------------------- | --------------------------------------- | +| `Command` | (create) Create new emails. (reply) Reply to emails in the current inbox at random (clickrandomlink) Click a link at random in the current inbox | +| `CommandArgs`  | See below | + +For CommandArgs, we began with positional arguments, but this quickly became unwieldy. We are now using named arguments, which are easier to read and maintain, but the mix remains for now. The following arguments are available for creating new emails (create): + +- [0] "CurrentUser": The current user's email address, or indicate the email address you want to use here. Note that if Outlook is not configured to use this email address, email may not be sent. +- [1] "Random|Other": This configures the TO address in an email where "Random" picks email addresses from the configuration directory. If you want to specify particular addresses, this field can also be comma-separated email addresses. +- [2] "Random|Other": This configures the CC address in an email where "Random" picks email addresses from the configuration directory. If you want to specify particular addresses, this field can also be comma-separated email addresses. +- [3] "Random|Other": This configures the BCC address in an email where "Random" picks email addresses from the configuration directory. If you want to specify particular addresses, this field can also be comma-separated email addresses. +- [4] "Random|Other:string Subject", +- [5] "Random|Other:string Body", +- [6] "PlainText|RTF|HTML enum BodyType", +- [7] "string Attachments - comma separate multiples" + +For replying to emails (reply): + +- [0] "CurrentUser": The current user's email address, or indicate the email address you want to use here. Note that if Outlook is not configured to use this email address, email may not be sent. +- [1] "All": Reply to all on the original thread, or reply to a specific user on the original email thread. If you want to reply to a specific user, indicate the email address here. +- [2] "All": Reply to all the addresses in the original email thread CC field. If you want to reply to a specific user, indicate the email address here. +- [3] "All": Reply to all the addresses in the original email thread BCC field. If you want to reply to a specific user, indicate the email address here. +- [4] "Parent": Subject line of the reply. "Parent" format is 'RE: $original_message$' +- [5] "Random+Parent": Body of the reply. "Random+Parent" format is the reply then the original message below - as is typically seen in email threads. +- [6] "Parent": HTML or plain text. "Parent" uses the format of the original message. +- [7] "": Not used in replies. diff --git a/docs/core/handlers/pidgin.md b/docs/core/handlers/pidgin.md index e69de29b..a06888bf 100644 --- a/docs/core/handlers/pidgin.md +++ b/docs/core/handlers/pidgin.md @@ -0,0 +1,74 @@ +# Pidgin Configuration + +???+ info "Sample Configuration" + The sample configuration below is also available in the [GHOSTS GitHub repository]( + +Exercises a Pidgin client - tested with Pidgin 2.14.1 (libpurple 2.14.1) ane Centos 7.3 ejabberd server + +## Prequisites +- Pidgin must be installed and already configured with an enabled account in %APPDATA%\.purple\accounts.xml and pointing to the target server. +- The logged in user must have an enabled Pidgin account in accounts.xml +- Pidgin preferences must have already been set in %APPDATA%\.purple\prefs.xml +- Conversations must be TABBED (in prefs.xml/conversations section, name='tabs' type='bool' value='1') + +## Implementation +- This implementation is about 95% open loop as there are no C# bindings for the Pidgin libpurple.dll +- The only feedback to GHOSTS is via window titles, it cannot determine when messages arrive or message content. +- GHOSTS cannot parse the chat logs to synch converstations as the Pidgin process has these log files locked. +- So messages are sent open loop with simple delays between messages. +- The GHOSTS time line CommandArgs lists chat targets (username@domain) + +Activity Cycle - each activity cycle is seperated by DelayAfter. An activity cycle does: + +- Pick a random target from the timeline - this is only used to initiate the first chat +- If Pidgin is not started then Pidgin is started. +- If an IM window is not open, the roll against NewChatProbability and open an IM window to the random target chosen from the timeline +- If roll against NewChatProbability was not successful, end activity cycle. +- If an IM window is open and a new chat was not initiated, the roll against CloseChatProbability, if successful, close current chat and end activity cycle. +- If get to this point, then IM window is open with one or more targets and message loop is entered. +- Enter a loop in which between RepliesMin and RepliesMax messages are sent. +- The first message is sent to current selected target in the Chat window, then the next chat target in the Chat window is selected. If the max replies is reached, then the loop exits and the activity cycle is ended. The next activity cycle picks up where the last activity cycle ended as per the first chat target. + +A chat target can be the current logged in user, which means messages are simply echoed back from the server. + +- As chats arrive from other different users, the number of open tabs in the grows, but chats can be closed by CloseChatProbability +- Between 1-4 random emojis are added to a message based on EmojiProbability +- During an activity cycle, any popup windows that match a title in ErrorWindowTitles are closed + + +```json +{ + "Status": "Run", + "TimeLineHandlers": [ + { + "HandlerType": "Pidgin", + "HandlerArgs": { + "RepliesMin": 2, + "RepliesMax": 5, + "ErrorWindowTitles": [ "XMPP Message Error" ], + "EmoticonProbability": 50, + "NewChatProbability": 100, + "CloseChatProbability": 100, + "TimeBetweenMessagesMax": 10000, + "TimeBetweenMessagesMin": 5000 + }, + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": "True", + "TimeLineEvents": [ + { + "Command": "random", + "CommandArgs": [ + "bjones@sitea.com", + "pharvey@sitea.com", + + ], + "DelayAfter": 20000, + "DelayBefore": 0 + } + ] + } + ] +} +``` diff --git a/docs/core/handlers/powerpoint.md b/docs/core/handlers/powerpoint.md index a2d8869f..8c898ae6 100644 --- a/docs/core/handlers/powerpoint.md +++ b/docs/core/handlers/powerpoint.md @@ -1 +1,47 @@ # PowerPoint Configuration + +???+ info "Sample Configuration" + The sample configuration below is also available in the [GHOSTS GitHub repository]( + +```json +{ + "TimeLineHandlers": [ + { + "HandlerType": "PowerPoint", + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "HandlerArgs": { + "workingset": { + "max": 20, + "max-age-in-hours": 72 + } + }, + "Loop": true, + "TimeLineEvents": [ + { + "Command": "create", + "CommandArgs": [ "%homedrive%%homepath%\\Documents", "pdf", "pdf-vary-filenames", "save-array:['c:\\tmp','c:\\tmp\\path2','c:\\tmp\\path3']" ], + "DelayAfter": 900000, + "DelayBefore": 0 + } + ] + } + ] +} +``` + +Some of the key-value pairs are self-explanatory, but let's review a few important ones: + +| Key | Value | +| ---------------------- | --------------------------------------- | +| `workingset` | For the documents Excel creates, how many should we create (max) and how old can they be before we start creating new ones (max-age-in-hours). | +| `Command` | (create) Create new documents. This is currently the only setting, but there is space for new commands to be built in the future | +| `CommandArgs`  | See below | + +For CommandArgs, we began with positional arguments, but this quickly became unwieldy. We are now using named arguments, which are easier to read and maintain, but the mix remains for now. The following arguments are available: + +- [0] The path to the folder where the documents should be created. (old style) +- [1] Also periodically export documents as PDFs as well as saving them natively. (middle style) +- [2] if creating PDFs, vary their name from the original document. (new style) +- [3] Randomly save documents in an array of locations. (new style) diff --git a/docs/core/handlers/print.md b/docs/core/handlers/print.md index e69de29b..3f33af90 100644 --- a/docs/core/handlers/print.md +++ b/docs/core/handlers/print.md @@ -0,0 +1,31 @@ +# Printing Configuration + +???+ info "Sample Configuration" + The sample configuration below is also available in the [GHOSTS GitHub repository]( + +- Command is the printer to be used for printing (this must already be setup on the system). +- CommandArgs is the path to the file to be printed. + +```json +{ + "TimeLineHandlers": [ + { + "HandlerType": "Print", + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": "False", + "TimeLineEvents": [ + { + "Command": "MyPrinter", + "CommandArgs": [ + "C:\\Temp\\print_test.txt" + ], + "DelayAfter": 900000, + "DelayBefore": 0 + } + ] + } + ] +} +``` diff --git a/docs/core/handlers/rdp.md b/docs/core/handlers/rdp.md index e69de29b..ecf226ec 100644 --- a/docs/core/handlers/rdp.md +++ b/docs/core/handlers/rdp.md @@ -0,0 +1,47 @@ +# Remote Desktop Protocol (RDP) Configuration + +???+ info "Sample Configuration" + The sample configuration below is also available in the [GHOSTS GitHub repository]( + +Each CommandArg is of the form shown below, if multiple CommandArgs are present a random one is chosen for execution on each cycle. + +- `targetIp`|`credkey` The targetIP is the IP to use for the RDP connection +- The `credKey` is only used to retrieve the password of the matching record in the credentials file. +- The username (if supplied) is used instead of the logged-in user (can also provide 'domain' keyword in credentials) +- The password is used if a password prompt appears on RDP open + + +```json +{ + "Status": "Run", + "TimeLineHandlers": [ + { + "HandlerType": "Rdp", + "HandlerArgs": { + "CredentialsFile": "", //required, file path to a JSON file containing the RDP credentials + "mouse-sleep-time": 10000, //time to sleep between random mouse movements + "execution-time": 60000, //after this total connection time has elapsed, the RDP is closed and a new connection opened + "execution-probability": 100, //after choosing a random target, the probability that a RDP to the target is opened + "delay-jitter": 50 + + }, + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": "True", + "TimeLineEvents": [ + { + "Command": "random", + "CommandArgs": [ + "|" + ], + "DelayAfter": 20000, + "DelayBefore": 0 + } + ] + } + + + ] +} +``` diff --git a/docs/core/handlers/reboot.md b/docs/core/handlers/reboot.md index e69de29b..1fbd0514 100644 --- a/docs/core/handlers/reboot.md +++ b/docs/core/handlers/reboot.md @@ -0,0 +1,28 @@ +# Reboot Configuration + +???+ info "Sample Configuration" + The sample configuration below is also available in the [GHOSTS GitHub repository]( + +This is the only configuration possible for reboots currently. A fast loop configuration is probably not recommended, but once a day or similar is reasonable. + +```json +{ + "TimeLineHandlers": [ + { + "HandlerType": "Reboot", + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": false, + "TimeLineEvents": [ + { + "Command": "", + "CommandArgs": [ ], + "DelayAfter": 900000, + "DelayBefore": 0 + } + ] + } + ] +} +``` diff --git a/docs/core/handlers/sftp.md b/docs/core/handlers/sftp.md index e69de29b..c31eb031 100644 --- a/docs/core/handlers/sftp.md +++ b/docs/core/handlers/sftp.md @@ -0,0 +1,52 @@ +# Secure File Transfer Protocol (sFTP) Configuration + +???+ info "Sample Configuration" + The sample configuration below is also available in the [GHOSTS GitHub repository]( + +Each CommandArg is of the formation shown below, if multiple CommandArgs are present a random one is chosen for execution on each cycle. + +- Credential handling is done in the same manner as the SSH handler, see that sample timeline for documentation +- After the `cred_key` is a ';' delimited list of SFTP commands that are executed in sequence during a cycle. +- Downloaded files are placed in the user's default downloads directory + +Supported commands: + +- get [remotefile] - downloads random remote file from remote host. Can specify absolute/relative path instead of [remotefile] +- put [localfile] - uploads random remote file from local upload directory to remote host. Can specify absolute/relative path instead of [localfile] +- cd [remotedir] - change to random directory in current directory on remote host. Can specify absolute/relative path instead of [remotedir] +- rm [remotefile] - deletes random remote file from remote host. Can specify absolute/relative path instead of [remotefile] +- ls [remotedir] - list remote contents of current directory, if no directory specified use current directory. Can specify absolute/relative path instead of [remotedir] +- mkdir [randomname] - make a random directory in cwd on remote host. Can specify absolute/relative path instead of [randomname] + +```json +{ + "Status": "Run", + "TimeLineHandlers": [ + { + "HandlerType": "Sftp", + "HandlerArgs": { + "TimeBetweenCommandsMax": 5000, //max,min between individual SFTP commands + "TimeBetweenCommandsMin": 1000, + "CredentialsFile": "", //required, file path to a JSON file containing the SSH credentials + "UploadDirectory": "", //optional, directory that contains files for upload, it not specified user Downloads directory is used + "delay-jitter": 0 //optional, default =0, range 0 to 50, if specified, DelayAfter varied by delay-%jitter*delay to delay+%jitter*delay + }, + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": "True", + "TimeLineEvents": [ + { + "Command": "random", + "CommandArgs": [ + "||;;....;" + ], + "DelayAfter": 20000, + "DelayBefore": 0 + } + ] + } + + ] +} +``` diff --git a/docs/core/handlers/sharepoint_helper.md b/docs/core/handlers/sharepoint_helper.md index e69de29b..b10f1d61 100644 --- a/docs/core/handlers/sharepoint_helper.md +++ b/docs/core/handlers/sharepoint_helper.md @@ -0,0 +1,66 @@ +# Sharepoint Helper Configuration + +???+ info "Sample Configuration" + The sample configuration below is also available in the [GHOSTS GitHub repository]( + +The 'sharepoint' command for a browser handler allows download/deletion/upload from a sharepoint site. + +The handlerArgs for the sharepoint command are: + +- "sharepoint-credentials-file": `json credentials file path`, required, credentials file, see SSh.json sample handler for format +- "sharepoint-deletion-probability": <0-100 integer>, default 0 +- "sharepoint-upload-probability": <0-100 integer>, default 0 +- "sharepoint-download-probability": <0-100 integer>, default 0, sum of download+deletion+upload <= 100, download directory is browser download directory +- "sharepoint-version": "2013", -- version, required, only 2013 is currrently supported +- "sharepoint-upload-directory": `upload directory path`" -- files to be uploaded are read from this directory, default is browser download directory + +The CommandArgs are strings of the form "key:value", supported args are: + +- site:`sharepoint site` -- required +- credentialKey:`credential key contained in the credential file` + +A handler can only browse a single share point site. The username, password specified by the credentialKey are used to login into the site assuming NTLM authentication (i.e, username:password is passed in the URL header). The Documents site is assumed to be at `site`/Documents/Forms/Allitems.aspx + +```json +{ + "Status": "Run", + "TimeLineHandlers": [ + { + "HandlerType": "BrowserChrome", + "HandlerArgs": { + "isheadless": "false", + "blockimages": "true", + "blockstyles": "true", + "blockflash": "true", + "blockscripts": "true", + "stickiness": 75, + "stickiness-depth-min": 5, + "stickiness-depth-max": 10000, + "incognito": "true", + "sharepoint-credentials-file": "c:\\ghosts_data\\sharepoint_creds.json", + "sharepoint-deletion-probability": 15, + "sharepoint-upload-probability": 35, + "sharepoint-download-probability": 35, + "sharepoint-version": "2013", + "sharepoint-upload-directory": "C:\\ghosts_data\\uploads" + + }, + "Initial": "about:blank", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": "True", + "TimeLineEvents": [ + { + "Command": "sharepoint", + "CommandArgs": [ + "site:http://portal.sitea.com", + "credentialKey:credkey1" + ], + "DelayAfter": 60000, + "DelayBefore": 0 + } + ] + } + ] +} +``` diff --git a/docs/core/handlers/ssh.md b/docs/core/handlers/ssh.md index e69de29b..71b3d48b 100644 --- a/docs/core/handlers/ssh.md +++ b/docs/core/handlers/ssh.md @@ -0,0 +1,53 @@ +# Secure Shell (SSH) Configuration + +???+ info "Sample Configuration" + The sample configuration below is also available in the [GHOSTS GitHub repository]( + +The credentials JSON file expected by this handler has the following format. + +```json +{ + "Version": "1.0", + "Data": { + "credkey1": {"username":"user1","password":"pw1base64"}, + "credkey2": {"username":"user2","password":"pw2base64"}, + .... + "credkeyN": {"username":"userN","password":"pwNbase64"}, + } +} +``` + +The Version slot string is unused at the moment but is there in case this implementation is extended in the future. The credkey is simply some unique string that identifies the credential. The password is assumed to be UTF8 that is base64 encoded. See src\Ghosts.Client\Infrastructure\SshSupport.cs for a list [`reservedword`] supported in Ssh commands + +```json +{ + "Status": "Run", + "TimeLineHandlers": [ + { + "HandlerType": "Ssh", + "HandlerArgs": { + "CommandTimeout": 1000, //max time to wait for new input from an SSH command execution + "TimeBetweenCommandsMax": 5000, //max,min between individual SSH commands + "TimeBetweenCommandsMin": 1000, + "ValidExts": "txt;doc;png;jpeg", //used by [randomextension] reserved word, choose random extension from this list + "CredentialsFile": "d:\\ghosts_data\\ssh_creds.json", //required, file path to a JSON file containing the SSH credentials + "delay-jitter": 0 //optional, default =0, range 0 to 50, if specified, DelayAfter varied by delay-%jitter*delay to delay+%jitter*delay + }, + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": "True", + "TimeLineEvents": [ + { + "Command": "random", + "CommandArgs": [ + "||ls -lah;ls -ltrh;help;pwd;date;time;uptime;uname -a;df -h;cd ~;cd [remotedirectory];touch [randomname].[randomextension];mkdir [randomname]" //| + ], + "DelayAfter": 20000, + "DelayBefore": 0 + } + ] + } + ] +} +``` diff --git a/docs/core/handlers/watcher.md b/docs/core/handlers/watcher.md index e69de29b..f919afa2 100644 --- a/docs/core/handlers/watcher.md +++ b/docs/core/handlers/watcher.md @@ -0,0 +1,51 @@ +# File Watcher Configuration + +???+ info "Sample Configuration" + The sample configuration below is also available in the [GHOSTS GitHub repository]( + +The 'folder' command for Watcher is intended to monitor diskspace in a target folder. The CommandArgs are in key:value pairs: + +- path:`some folder` - folder to watch +- size:`max size in MB` - maximum folder size in MB +- deletionApproach:oldest|largest|random + + If max size is exceeded, then files are deleted from the folder using the deletionApproach until the folder size is under max size. + One obvious use of this is to monitor the browser downloads directory, i.e. path:%HOMEDRIVE%%HOMEPATH%\\Downloads. The deletion action can result in deleting a file that is in the progress of being downloaded which results in a failed download by the browser for this file. But since the goal is traffic generation, this is not a deal breaker. + + +```json +{ + "TimeLineHandlers": [ + { + "HandlerType": "Watcher", + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": true, + "TimeLineEvents": [ + { + "Command": "file", + "CommandArgs": [ "C:\\Temp\\test.txt", "300000" ], + "DelayAfter": 0, + "DelayBefore": 0 + } + ] + }, + { + "HandlerType": "Watcher", + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": true, + "TimeLineEvents": [ + { + "Command": "folder", + "CommandArgs": [ "path:%HOMEDRIVE%%HOMEPATH%\\Downloads", "size:2000", "deletionApproach:oldest" ], + "DelayAfter": 0, + "DelayBefore": 0 + } + ] + } + ] +} +``` diff --git a/docs/core/handlers/wmi.md b/docs/core/handlers/wmi.md index e69de29b..7c9bc2aa 100644 --- a/docs/core/handlers/wmi.md +++ b/docs/core/handlers/wmi.md @@ -0,0 +1,64 @@ +# Windows Management Instrumentation (WMI) Configuration + +???+ info "Sample Configuration" + The sample configuration below is also available in the [GHOSTS GitHub repository]( + +Each CommandArg is of the formation shown below, if multiple CommandArgs are present a random one is chosen for execution on each cycle. +Credential handling is done in the same manner as the SSH handler, see that sample timeline for documentation. +After the `cred_key` is a ';' delimited list of WMI commands that are executed in sequence during a cycle. + +Supported commands: + +- GetOperatingSystem +- GetBios +- GetProcessor +- GetUserList +- GetNetworkInfo +- GetFilesList +- GetProcessList + +The credentials file uses the same format as SFTP/SSH, but requires a 'domain' keyword in addition to 'username', 'password' +For this to work, the target host needs to be configured to allow WMI +The domain admin is the best choice for username/password +The trusted hosts of the VM running GHOSTS must be set to include the IPs of any of the hosts being interrogated by WMI + +You can print the Trusted hosts if the current host by executing in Powershell: + +- winrm g winrm/config/client + +You can set Trusted Hosts to a wild card (trust all hosts) by executing in Powershell: + +- winrm s winrm/config/client '@{TrustedHosts="*"}' + + +```json +{ + "Status": "Run", + "TimeLineHandlers": [ + { + "HandlerType": "Wmi", + "HandlerArgs": { + "TimeBetweenCommandsMax": 5000, //max,min between individual WMI commands + "TimeBetweenCommandsMin": 1000, + "CredentialsFile": "", //required, file path to a JSON file containing the WMI credentials + "delay-jitter": 0 //optional, default =0, range 0 to 50, if specified, DelayAfter varied by delay-%jitter*delay to delay+%jitter*delay + }, + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "Loop": "True", + "TimeLineEvents": [ + { + "Command": "random", + "CommandArgs": [ + "||;;....;" + ], + "DelayAfter": 20000, + "DelayBefore": 0 + } + ] + } + + ] +} +``` diff --git a/docs/core/handlers/word.md b/docs/core/handlers/word.md index 53222b23..c7d287c5 100644 --- a/docs/core/handlers/word.md +++ b/docs/core/handlers/word.md @@ -1 +1,47 @@ # Word Configuration + +???+ info "Sample Configuration" + The sample configuration below is also available in the [GHOSTS GitHub repository]( + +```json +{ + "TimeLineHandlers": [ + { + "HandlerType": "Word", + "Initial": "", + "UtcTimeOn": "00:00:00", + "UtcTimeOff": "24:00:00", + "HandlerArgs": { + "workingset": { + "max": 20, + "max-age-in-hours": 72 + } + }, + "Loop": true, + "TimeLineEvents": [ + { + "Command": "create", + "CommandArgs": [ "%homedrive%%homepath%\\Documents", "pdf", "pdf-vary-filenames", "save-array:['c:\\tmp','c:\\tmp\\path2','c:\\tmp\\path3']" ], + "DelayAfter": 900000, + "DelayBefore": 0 + } + ] + } + ] +} +``` + +Some of the key-value pairs are self-explanatory, but let's review a few important ones: + +| Key | Value | +| ---------------------- | --------------------------------------- | +| `workingset` | For the documents Excel creates, how many should we create (max) and how old can they be before we start creating new ones (max-age-in-hours). | +| `Command` | (create) Create new documents. This is currently the only setting, but there is space for new commands to be built in the future | +| `CommandArgs`  | See below | + +For CommandArgs, we began with positional arguments, but this quickly became unwieldy. We are now using named arguments, which are easier to read and maintain, but the mix remains for now. The following arguments are available: + +- [0] The path to the folder where the documents should be created. (old style) +- [1] Also periodically export documents as PDFs as well as saving them natively. (middle style) +- [2] if creating PDFs, vary their name from the original document. (new style) +- [3] Randomly save documents in an array of locations. (new style)