# Code Design

- separate into files
  - e.g. planning/exploitation/privesc
- db abstraction in shared lib

# CLI Design

- offer wizards
- also offer shell with single steps

# Basic AutoHacker MVP

- scan ports
- search exploits
- select remote root ones
- try them all
- root shell
- corrupt logs for safety
- add "rootkit" functionality like 5hell

# Worming the LAN

- Planning & Target Selection
  - track LAN & WAN ips
  - exploit to LAN ips after searching in WAN
  - build tree-database of pcs
  - simple greedy search

# Worming them all

- Add PrivEsc from non-root access kinds
  - scan local libraries
  - plan based on results with hardcoded step rules
    - e.g. root file + guest shell = steps abc
    - user shell = steps def
    - guest shell + user file ?
- save exploit chain to db
  - exploits to reach root
  - how to derive unique id ?
    - most npc machines should never reconnect ?
    - hash usernames / lib versions / sth ?
      - lib versions could help invalidation of chain after update
    - tackle later
  - pathfinding for shortest path to a machine when reconnecting
    - single tree for all machines ? (could have 2 per machine or 1 global + 1 per machine)
    - exploit chains for library sets instead of just machines
    - handle multiple paths

# Advanced Feats

- convenience/configurability
  - search for specific ip
  - stop after x machines
  - fancy progress dashboard
- security
  - special router behaviour to ensure proper cleanup
  - manual proxying ? also via non-root ?
  - machine id
  - admin detection
  - online user detection
  - player detection
  - also persist non-root access level on machines
  - subnet-aware crawling
- moar/better hacking techniques
  - whatever bouncing is
  - more privesc paths
    - bruteforce pws
    - router exploits
    - intentional library downgrades
      - install known secure versions from somewhere
        - scp or apt ?
  - incorporate rshells
    - with separate rshell
    - with auto launch somewhere
  - sniffing
    - unencrypted ssh
    - crack ftp/other protos
    - crack encryption