diff --git a/chef/cookbooks/metasploitable/attributes/default.rb b/chef/cookbooks/metasploitable/attributes/default.rb
index baa6077..d57526e 100644
--- a/chef/cookbooks/metasploitable/attributes/default.rb
+++ b/chef/cookbooks/metasploitable/attributes/default.rb
@@ -7,17 +7,4 @@ default[:metasploitable][:docker_users] = ['boba_fett', 'greedo', 'chewbacca',]
-default[:metasploitable][:files_path] = '/vagrant/chef/cookbooks/metasploitable/files/'
-
-default[:metasploitable][:ports] = { :cups => 631,
- :apache => 80,
- :unrealircd => 6697,
- :proftpd => 21,
- :mysql => 3306,
- :chatbot_ui => 80,
- :chatbot_nodejs => 3000,
- :readme_app => 3500,
- :sinatra => 8181,
- :samba => 445,
- :ssh => 22
-}
+default[:metasploitable][:files_path] = '/vagrant/chef/cookbooks/metasploitable/files/'
\ No newline at end of file
diff --git a/chef/cookbooks/metasploitable/recipes/apache.rb b/chef/cookbooks/metasploitable/recipes/apache.rb
index 35e013e..a838fe8 100644
--- a/chef/cookbooks/metasploitable/recipes/apache.rb
+++ b/chef/cookbooks/metasploitable/recipes/apache.rb
@@ -4,6 +4,12 @@
 #
 # Copyright:: 2017, Rapid7, All Rights Reserved.
+include_recipe 'iptables::default'
+
+iptables_rule '1_apache' do
+ lines "-A INPUT -p tcp --dport 80 -j ACCEPT"
+end
+
 package 'apache2' do
 action :install
 end
diff --git a/chef/cookbooks/metasploitable/recipes/chatbot.rb b/chef/cookbooks/metasploitable/recipes/chatbot.rb
index 876e5f0..891002d 100644
--- a/chef/cookbooks/metasploitable/recipes/chatbot.rb
+++ b/chef/cookbooks/metasploitable/recipes/chatbot.rb
@@ -8,6 +8,15 @@ include_recipe 'metasploitable::ruby23'
 include_recipe 'metasploitable::nodejs'
+include_recipe 'iptables::default'
+
+iptables_rule '1_chatbot_ui' do
+ lines "-A INPUT -p tcp --dport 80 -j ACCEPT"
+end
+
+iptables_rule '1_chatbot_nodejs' do
+ lines "-A INPUT -p tcp --dport 3000 -j ACCEPT"
+end
 package 'unzip'
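Review bot: Dropping `default[:metasploitable][:ports]` removes the only place that listed which ports this box intentionally exposes, and any recipe or template not touched by this diff that still reads `node[:metasploitable][:ports][...]` would now raise `NoMethodError` on `nil` at compile time; I cannot see the other recipes from here, so a grep for that key before merging is worth the minute. The re-added `files_path` line is written without a trailing newline (`\ No newline at end of file`), which makes the next edit to this file show up as a two-line change. A closing comment such as `# Exposed ports are now declared per recipe via iptables_rule (see recipes/*.rb)` would tell the next reader where the inventory went.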
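Review bot: The new `1_apache` ACCEPT rule only has an effect when the `00_established` and `999_drop_all` rules from `metasploitable::iptables` are also converged, but this recipe includes only `iptables::default` (the community cookbook's default recipe, not shown here), so on a node whose run_list lacks `metasploitable::iptables` the INPUT chain presumably stays wide open and the rule is a no-op, and nothing expresses that dependency. Including the cookbook's own recipe instead, `include_recipe 'metasploitable::iptables'`, which itself now pulls in `iptables::default`, makes the rule set self-contained. The same port is opened again by `1_chatbot_ui` in chatbot.rb; duplicate ACCEPT rules are harmless, but one of them could go.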
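Review bot: The ports in `1_chatbot_ui` and `1_chatbot_nodejs` are bare literals that nothing ties to the port the node app actually listens on (its start-up is outside this hunk), whereas readme_app.rb in the same commit defines `recipe_port = 3500` once and threads it into both the rule and the template. Mirroring that here, `chatbot_port = 3000` followed by `lines "-A INPUT -p tcp --dport #{chatbot_port} -j ACCEPT"` and the same variable wherever the app is started, keeps the firewall and the listener from drifting apart. The 80 rule duplicates `1_apache`; if the UI is served by Apache, as the removed attribute table mapping both `:apache` and `:chatbot_ui` to 80 suggests, it can be dropped.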
diff --git a/chef/cookbooks/metasploitable/recipes/cups.rb b/chef/cookbooks/metasploitable/recipes/cups.rb
index e381d78..ad9a0d4 100644
--- a/chef/cookbooks/metasploitable/recipes/cups.rb
+++ b/chef/cookbooks/metasploitable/recipes/cups.rb
@@ -4,6 +4,8 @@
 #
 # Copyright:: 2017, Rapid7, All Rights Reserved.
+include_recipe 'iptables::default'
+
 package 'cups' do
 action :install
 end
@@ -13,6 +15,10 @@ cookbook_file '/etc/cups/cupsd.conf' do
 mode '0644'
 end
+iptables_rule '1_cups' do
+ lines "-A INPUT -p tcp --dport 631 -j ACCEPT"
+end
+
 service 'cups' do
 action [:enable, :restart]
 end
diff --git a/chef/cookbooks/metasploitable/recipes/iptables.rb b/chef/cookbooks/metasploitable/recipes/iptables.rb
index 9dc8167..1382f5f 100644
--- a/chef/cookbooks/metasploitable/recipes/iptables.rb
+++ b/chef/cookbooks/metasploitable/recipes/iptables.rb
@@ -4,17 +4,17 @@
 #
 # Copyright:: 2017, Rapid7, All Rights Reserved.
-iptables_rule 'established' do
- lines '-I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
+include_recipe 'iptables::default'
+
+iptables_rule '00_established' do
+ lines '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
 end
-node[:metasploitable][:ports].keys.each do |service|
- iptables_rule service do
- lines "-I INPUT -p tcp --dport #{node[:metasploitable][:ports][service.to_sym]} -j ACCEPT"
- end
+iptables_rule '01_ssh' do
+ lines "-A INPUT -p tcp --dport 22 -j ACCEPT"
 end
-iptables_rule 'drop_all' do
+iptables_rule '999_drop_all' do
 lines '-A INPUT -j DROP'
 end
diff --git a/chef/cookbooks/metasploitable/recipes/knockd.rb b/chef/cookbooks/metasploitable/recipes/knockd.rb
index 8793896..474c70a 100644
--- a/chef/cookbooks/metasploitable/recipes/knockd.rb
+++ b/chef/cookbooks/metasploitable/recipes/knockd.rb
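Review bot: The `1_cups` rule is placed between the `cupsd.conf` cookbook_file and the `service 'cups'` resource, while every other recipe in this commit puts its rule directly under `include_recipe 'iptables::default'` at the top; moving it up keeps the firewall declarations in one predictable spot per recipe and avoids the impression that the rule is somehow ordered relative to the config file. Since the rule opens the CUPS IPP/web port 631 to any source, a one-line comment on it, `# Intentionally reachable from the network: this is a Metasploitable target`, would tell a later maintainer the exposure is deliberate rather than an oversight.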
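Review bot: The rewritten rule set still has no loopback accept, so once `999_drop_all` appends `-A INPUT -j DROP`, any new connection over `lo` to a port without an ACCEPT rule, and all inbound ICMP, is dropped; add `iptables_rule '00_loopback' do` / `lines '-A INPUT -i lo -j ACCEPT'` / `end` beside `00_established` (and `-A INPUT -p icmp -j ACCEPT` if ping against the box is expected to work). Rule order now depends on the resource names sorting lexically (`00_`, `01_`, `1_`, `999_`), which I infer from the switch from `-I` to `-A` and from the prefixes rather than from anything visible of the community cookbook; that scheme breaks silently for a name such as `99_foo`, which sorts after `999_drop_all` and would land behind the DROP. Zero-padding every prefix to the same width (`100_apache`, `900_drop_all`) or, if the cookbook's template allows it, setting the chain policy to DROP instead of relying on a trailing rule would be more robust.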
@@ -22,7 +22,7 @@ execute 'remove_carriage_returns' do
 command "sed -i -e 's/\r//g' /etc/default/knockd"
 end
-iptables_rule 'knockd' do
+iptables_rule '1_knockd' do
 lines "-I FORWARD 1 -p tcp -m tcp --dport #{node[:flags][:five_of_diamonds][:vuln_port]} -j DROP"
 end
diff --git a/chef/cookbooks/metasploitable/recipes/mysql.rb b/chef/cookbooks/metasploitable/recipes/mysql.rb
index 22ed8fc..e3b8ab4 100644
--- a/chef/cookbooks/metasploitable/recipes/mysql.rb
+++ b/chef/cookbooks/metasploitable/recipes/mysql.rb
@@ -4,6 +4,12 @@
 #
 # Copyright:: 2017, Rapid7, All Rights Reserved.
+include_recipe 'iptables::default'
+
+iptables_rule '1_mysql' do
+ lines "-A INPUT -p tcp --dport 3306 -j ACCEPT"
+end
+
 mysql_service 'default' do
 initial_root_password "#{node[:mysql][:root_password]}"
 bind_address '0.0.0.0'
diff --git a/chef/cookbooks/metasploitable/recipes/proftpd.rb b/chef/cookbooks/metasploitable/recipes/proftpd.rb
index 4b8c40a..14b5b89 100644
--- a/chef/cookbooks/metasploitable/recipes/proftpd.rb
+++ b/chef/cookbooks/metasploitable/recipes/proftpd.rb
@@ -6,6 +6,12 @@
 # Install steps taken from https://github.com/rapid7/metasploit-framework/pull/5224
+include_recipe 'iptables::default'
+
+iptables_rule '1_proftpd' do
+ lines "-A INPUT -p tcp --dport 21 -j ACCEPT"
+end
+
 include_recipe 'metasploitable::apache'
 proftpd_tar = 'proftpd-1.3.5.tar.gz'
diff --git a/chef/cookbooks/metasploitable/recipes/readme_app.rb b/chef/cookbooks/metasploitable/recipes/readme_app.rb
index 63fb090..d7fce6c 100644
--- a/chef/cookbooks/metasploitable/recipes/readme_app.rb
+++ b/chef/cookbooks/metasploitable/recipes/readme_app.rb
@@ -8,6 +8,13 @@ include_recipe 'metasploitable::ruby23'
 include_recipe 'metasploitable::nodejs'
+include_recipe 'iptables::default'
+
+recipe_port = 3500
+
+iptables_rule '1_readme_app' do
+ lines "-A INPUT -p tcp --dport #{recipe_port} -j ACCEPT"
+end
 package 'git'
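Review bot: The port in `1_mysql` is a bare literal while the `mysql_service 'default'` block below leaves its listen port at the resource default, so nothing keeps the two in step if either is changed later; declaring `mysql_port = 3306` above the rule, using `#{mysql_port}` in `lines`, and passing it to the service (`port mysql_port`, assuming the mysql cookbook's resource exposes that property as its documentation describes) makes the relationship explicit. Together with `bind_address '0.0.0.0'` on the context line this makes MySQL reachable from every interface; that is presumably intended for a Metasploitable target, but a short comment on the rule saying so would save the next reader a double-take.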
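Review bot: Opening only TCP/21 covers the FTP control channel; passive-mode data connections arrive on an ephemeral server port and will only match the `ESTABLISHED,RELATED` rule in `metasploitable::iptables` if the `nf_conntrack_ftp` helper is loaded, which nothing in this diff does, so passive directory listings and transfers would likely hang once `999_drop_all` is in place. Either load the helper, e.g. `execute 'modprobe nf_conntrack_ftp' do not_if 'lsmod | grep -q nf_conntrack_ftp' end` (newer kernels additionally need the helper assigned with a `CT --helper ftp` rule), or pin a `PassivePorts` range in the proftpd config installed further down (outside this hunk) and open that range with a second rule. Active-mode transfers originate from the server and are unaffected.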
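Review bot: `recipe_port` is a generic name for a value the rest of the recipe hands to the template as `readme_app_port`; naming the local `readme_app_port = 3500` too makes the rule, the `variables` call further down and the template agree on one identifier, which matters once several recipes adopt this pattern. A short comment on the assignment, `# Single source of truth for the listen port: used by the iptables rule and by start.sh.erb`, would also record why this is a local rather than a node attribute now that `node[:metasploitable][:ports]` is gone.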
@@ -23,6 +30,7 @@ directory '/opt/readme_app' do
 end
 template '/opt/readme_app/start.sh' do
+ variables( readme_app_port: recipe_port )
 source 'readme_app/start.sh.erb'
 end
diff --git a/chef/cookbooks/metasploitable/recipes/samba.rb b/chef/cookbooks/metasploitable/recipes/samba.rb
index dc8e9cb..5a5f8ed 100644
--- a/chef/cookbooks/metasploitable/recipes/samba.rb
+++ b/chef/cookbooks/metasploitable/recipes/samba.rb
@@ -5,6 +5,11 @@
 # Copyright:: 2017, Rapid7, All Rights Reserved.
 #
 #
+include_recipe 'iptables::default'
+
+iptables_rule '1_samba' do
+ lines "-A INPUT -p tcp --dport 445 -j ACCEPT"
+end
 package 'samba'
diff --git a/chef/cookbooks/metasploitable/recipes/sinatra.rb b/chef/cookbooks/metasploitable/recipes/sinatra.rb
index 94596c0..9f3dd01 100644
--- a/chef/cookbooks/metasploitable/recipes/sinatra.rb
+++ b/chef/cookbooks/metasploitable/recipes/sinatra.rb
@@ -8,6 +8,11 @@ include_recipe 'metasploitable::sinatra'
 include_recipe 'metasploitable::ruby23'
+include_recipe 'iptables::default'
+
+iptables_rule '1_sinatra' do
+ lines "-A INPUT -p tcp --dport 8181 -j ACCEPT"
+end
 server_path = node['ec2'] ? 'aws' : 'virtualbox'
diff --git a/chef/cookbooks/metasploitable/recipes/unrealircd.rb b/chef/cookbooks/metasploitable/recipes/unrealircd.rb
index d9eb45d..94ff1f1 100644
--- a/chef/cookbooks/metasploitable/recipes/unrealircd.rb
+++ b/chef/cookbooks/metasploitable/recipes/unrealircd.rb
@@ -7,6 +7,12 @@
 # Downloaded from https://www.exploit-db.com/exploits/13853/
 # Install steps taken from https://wiki.swiftirc.net/wiki/Installing_and_Configuring_UnrealIRCd_on_Linux
+include_recipe 'iptables::default'
+
+iptables_rule '1_unrealircd' do
+ lines "-A INPUT -p tcp --dport 6697 -j ACCEPT"
+end
+
 unreal_tar = 'Unreal3.2.8.1_backdoor.tar.gz'
 remote_file "#{Chef::Config[:file_cache_path]}/#{unreal_tar}" do
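Review bot: `variables( readme_app_port: recipe_port )` carries spaces inside the parentheses, which the community style guide (RuboCop `Layout/SpaceInsideParens`) flags; write it `variables(readme_app_port: recipe_port)`. Passing the port explicitly is the right move now that the template no longer reads node attributes, but it also means any other caller rendering `start.sh.erb` must supply the same variable; a comment on the template resource, `# readme_app_port must match the 1_readme_app iptables rule above`, would make that contract visible.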
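Review bot: `1_samba` opens only TCP/445, but a default smbd also listens on TCP/139 (NetBIOS session service) and nmbd on UDP/137-138; with `999_drop_all` in place, clients and scanners that fall back to NetBIOS over 139 will see that port as filtered. Whether that matters depends on the smb.conf installed later in this recipe (outside this hunk); if 139 is meant to be reachable, add `lines "-A INPUT -p tcp --dport 139 -j ACCEPT"` as a second rule or fold both into one with `-m multiport --dports 139,445`. A one-line comment stating which SMB transports are deliberately exposed would settle the question for the next reader.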
diff --git a/chef/cookbooks/metasploitable/templates/readme_app/start.sh.erb b/chef/cookbooks/metasploitable/templates/readme_app/start.sh.erb
index 92b673d..af7d3f8 100644
--- a/chef/cookbooks/metasploitable/templates/readme_app/start.sh.erb
+++ b/chef/cookbooks/metasploitable/templates/readme_app/start.sh.erb
@@ -2,4 +2,4 @@ cd /opt/readme_app
 bundle install --path vendor/bundle
-bundle exec rails s -b 0.0.0.0 -p <%= node[:metasploitable][:ports][:readme_app] %>
+bundle exec rails s -b 0.0.0.0 -p <%= @readme_app_port %>
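Review bot: `<%= @readme_app_port %>` renders as an empty string whenever the template is rendered without the `readme_app_port` variable, producing `rails s -b 0.0.0.0 -p ` with no value, which the `rails` option parser will reject at boot (or, at best, silently replace with a default port the firewall does not open) well after the Chef run has reported success. Failing fast in the template, `<% raise ArgumentError, 'readme_app_port variable is required' unless @readme_app_port %>` on a line above the `bundle exec` command, turns that into a converge-time error. Binding to `0.0.0.0` is presumably intended for this lab image.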