The Problem
Infrastructure management can be quite a burden for offensive security practitioners. Some consultancies have team members that specialize in supporting offensive operations and needed infrastructure, while others may balance those responsibilities between consultants. Whether building physical pentest "dropboxes" or cloud infrastructure, it can be a time-consuming part of the job when you need to get onto hacking and reporting.
Phishing is an easy use case to pick on - There are domains to register, a phishing tech stack to decide on (evilginx and Gophish anyone?), DNS records to set up, the cloud infrastructure to spin up, configuring that infrastructure... you get the picture. It is a lot to manage (and document). To further complicate the situation, these tools change over time. After all your planning, manually setting up all of this could easily take a few hours. If you use a complicated script for these tasks, it may not be modular or simple to modify. Other common scenarios include C2 infrastructure, password crackers, external scanners, and possibly more depending on the engagement. Wouldn't it be great if all of this could be simplified and... automated?
The Solution
These problems aren't limited to offensive security - they are broad IT problems. So of course, there are existing tools out there to address them. For many companies using a modern tech stack, manual infrastructure management is no longer realistic. DevOps principles like Continuous Integration and Continuous Development (CI/CD) require speed and automation to test changes and deploy to production quickly. Infrastructure as Code (IaC) and Configuration Management tools support this and have been widely used for many years. As pentesters, we can utilize many of these same tools for our own purposes. Let's look at a few!
The Tools
Terraform

Terraform is not new technology (released in 2014). It is an IaC tool that works with a number of “providers,” including cloud platforms like AWS and on-prem infrastructure. Need to spin up 37 Debian EC2 instances at once for fun? Use Terraform. A list of providers can be found here.
Ansible

Ansible is even older than Terraform (released in 2012). Some time ago Red Hat acquired Ansible, so for better or worse it has backing from a big player in the tech space. Ansible is a configuration management tool. This may seem very similar to IaC if you haven’t used these tools before, but the two are typically used to complement each other (though there is some overlap in functionality). Ansible typically handles configuration tasks on systems after they have been provisioned with a tool like Terraform. Need to make sure APT packages are updated on those 37 Debian instances? You can do it all at once with Ansible.
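As an added example (not the author's code and not part of any project named in this post), here are the two scenarios above in a single Terraform configuration: 37 Debian EC2 instances, SSH reachable only from the operator's address, and an inventory file handed off to Ansible for the APT update step. The region, the EC2 key pair name and the operator's CIDR are assumed inputs.

```hcl
terraform {
  required_providers {
    aws   = { source = "hashicorp/aws", version = "~> 5.0" }
    local = { source = "hashicorp/local", version = "~> 2.0" }
  }
}
provider "aws" { region = "us-east-1" } # assumption: any region works
variable "instance_count" { default = 37 }
variable "key_name" {}      # assumption: an EC2 key pair you already own
variable "operator_cidr" {} # assumption: your source IP as a /32, passed at apply time
# Resolve the newest official Debian 12 AMI instead of hard-coding an image ID;
# the owner is Debian's publishing account (confirm on wiki.debian.org/Cloud/AmazonEC2Image).
data "aws_ami" "debian" {
  most_recent = true
  owners      = ["136693071363"]
  filter {
    name   = "name"
    values = ["debian-12-amd64-*"]
  }
}
# SSH only from the operator's address; outbound left open so apt can reach mirrors.
resource "aws_security_group" "ssh_only" {
  name = "ssh-from-operator"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.operator_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# count = 37 makes Terraform manage the whole fleet as one set: plan, apply and destroy together.
resource "aws_instance" "debian" {
  count                  = var.instance_count
  ami                    = data.aws_ami.debian.id
  instance_type          = "t3.micro"
  key_name               = var.key_name
  vpc_security_group_ids = [aws_security_group.ssh_only.id]
  tags                   = { Name = "debian-${count.index}" }
}
# Hand-off to Ansible: write an INI inventory with every instance's public IP.
resource "local_file" "inventory" {
  filename = "${path.module}/inventory.ini"
  content  = join("\n", concat(["[debian]"], [for h in aws_instance.debian : "${h.public_ip} ansible_user=admin"]))
}
```

Apply with `terraform apply -var operator_cidr=203.0.113.10/32 -var key_name=ops-key` (placeholder values), and once the hosts answer on SSH the APT scenario is one ad-hoc Ansible call against the generated file: `ansible -i inventory.ini debian -b -m apt -a 'update_cache=yes upgrade=dist'`.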
Applications of these tools to offensive security aren't new. There are great talks and projects already out there that aim to solve the "problem" of manual cloud infrastructure setup. Why write more about it? Frankly, because I've sunk a lot of time into it lately, finally tiring of relying on other people's projects (that I don't have a completely thorough understanding of). I love open source, but there are issues with relying on tools that don't have a robust support system and promised regular updates. You never really know when a tool is going to be abandoned and fall behind in keeping up with changes in the tools or APIs it utilizes.
So - what kind of practical problems can we solve with these tools? I've taken on a few projects this year that provide example use cases. In future posts I will release a version of each tool and give a more in-depth explanation.
The Projects
Auto-ATOM

For many penetration tests at Contextual Security Solutions, a physical pentest dropbox (our ATOM) is the easiest way to access a client's internal network (if they have a physical network presence). For the most part it is plug and play for the client. Receive the ATOM shipment and connect it to the network. Very little overhead. However, on our side we must configure the device with all our tools before we can ship it out. It doesn't take too long with the processes and automation we have had in place for a while, but recently I tried working this out in Ansible to make it even more efficient. As a bonus, Ansible allows us to carry over the same automation to other mediums like virtual machines.
PhishTank

A few years ago, I was inspired by Ralph May's BuildAPhish and Warhorse projects (linked at the bottom of this post if you want to check them out). I used both projects for past phishing engagements when they were only a few months old but wished for a codebase that was a bit simpler (so my small brain could understand it :)). I understood how things worked at a high level but was no expert at the technologies it was utilizing (Terraform, Ansible, and Docker). So, after fiddling around with the idea for far too long, I started building my own solution, primarily for phishing engagements.
CrackTheCloud

I know. Not a very creative name. I've never been good at that kind of stuff. Some pentesters seem to live for stealing password hashes and running just the right Hashcat command to get that oh-so-sweet cleartext password. Our President Slade Griffin loves to hear when we've obtained a password hash. I love that too... but the logistics of password cracking are a bit of an annoyance for me (it definitely has nothing to do with me accidentally leaving a password cracker on for several days and racking up a hefty bill ... :)).
It is a must in 2025 for our team to have a powerful password cracking rig. Even with the potential pitfalls, the most efficient way to achieve this for most will be with cloud resources. If you are not familiar with how to do this, check out some of our recent blog posts.