hckctl

module v0.11.0
Published: Oct 8, 2023 License: GPL-3.0

README


hckctl


The declarative Breach and Attack Simulation tool
Quick start • Setup • Provider • Development • Roadmap • Contribute

Launch manual and automated attacks with pre-defined and always up-to-date templates of your favourite tools.

Designed to run transparently locally, remotely or integrated in pipelines. hckctl is free and open-source, with no vendor lock-in, extensible and built on the providers' native APIs.

Create your vulnerable target (a box with a specific CVE or a whole infrastructure) or connect to your CTF platform (HTB, TryHackMe, Vulnlab, etc.) without wasting any more time on boring installations, environment setup and network configuration.

Leverage the cloud platform or request a dedicated managed cluster to:

  • orchestrate complex attack scenarios
  • constantly probe and monitor your security posture
  • analyze, aggregate and export results via api
  • trigger instant actions based on observed events and patterns

Quick start

Box

Spin up a box and access all of its forwarded ports locally

# spawns a temporary docker (default) box locally
hckctl box alpine

# deploys an ephemeral box to your kubernetes cluster
hckctl box arch --provider kube

# creates a managed box
hckctl box parrot --provider cloud
HTB example

Prerequisites

  • start the retired Postman machine in your account
  • edit your vpn network config
    vim ${HOME}/.config/hck/config.yml
    
    network:
      vpn:
      - name: htb
        # update with your openvpn config path
        path: /home/demo/ctf/openvpn/htb_demo_eu_vip_28.ovpn
    

Start your pwnbox and solve the challenges

# pulls a preview box (first time might take a while)
hckctl box preview/parrot-sec --network-vpn htb

Start an auto-exploitation box

# TODO review

# exploits the machine and spawns a reverse shell
hckctl box --network-vpn htb --local ../megalopolis/box/ctf/htb-postman.yml

Lab (preview)

TODO video

Access your target from a managed lab

# connects to a vpn, exposes public ports, mounts dumps, etc.
hckctl lab ctf-linux

Task

Run a task using pre-defined commands

# default commands
hckctl task gobuster --command help
hckctl task fuzzer/ffuf --command version

# use the "default" preset arguments
hckctl task rustscan
# equivalent of
hckctl task rustscan --input address=127.0.0.1
hckctl task scanner/rustscan --command default --input address=127.0.0.1

# use the "full" preset arguments
hckctl task nmap --command full --input address=127.0.0.1 --input port=80

# invoke it with custom arguments
hckctl task nuclei --inline -- -u https://example.com

# monitor the logs
tail -F ${HOME}/.local/state/hck/task/log/task-rustscan-*
HTB example

Prerequisites

  • start the retired Lame and Knife machines in your account
  • edit your vpn network config (see box example above)

Run tasks against the vulnerable machine

# scan with nmap
hckctl task nmap --network-vpn htb --command full --input address=10.10.10.3

# scan with rustscan
hckctl task rustscan --network-vpn htb --inline -- -a 10.10.10.3 --ulimit 5000

# scan with nuclei
hckctl task nuclei --network-vpn htb --input address=10.10.10.3

See output example

Use the shared directory to mount local paths

# download your wordlists
mkdir -p ${HOME}/.local/state/hck/share/wordlists
git clone --depth 1 https://github.com/danielmiessler/SecLists.git \
  ${HOME}/.local/state/hck/share/wordlists/SecLists

# fuzzing with ffuf
hckctl task ffuf --network-vpn htb --input address=10.10.10.242

# fuzzing with gobuster
hckctl task \
  --local ../megalopolis/task/fuzzer/gobuster.yml \
  --network-vpn htb \
  --input address=10.10.10.242 \
  --input wordlist=wordlists/SecLists/Discovery/Web-Content/Apache.fuzz.txt
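The `--input wordlist=...` value above is a path relative to the hck share directory, which hckctl mounts into the task container. The following helper is an added example, not part of hckctl or its README: it resolves a wordlist against the share root, refuses anything that escapes it (including via `..` or a symlink) and then builds the gobuster task invocation. `HCK_SHARE` and `HCKCTL_BIN` are assumed names introduced here so the share root and the binary can be overridden.

```shell
# Added example (not hckctl code): run a gobuster task with a wordlist taken
# from the hck share directory, validating the path first.
# Assumptions: HCK_SHARE defaults to the share path shown in the README;
# HCKCTL_BIN lets a caller substitute another command for hckctl.

HCK_SHARE="${HCK_SHARE:-${HOME}/.local/state/hck/share}"
HCKCTL_BIN="${HCKCTL_BIN:-hckctl}"

# share_relpath WORDLIST: print WORDLIST relative to HCK_SHARE, or fail (exit 1)
# if the file is missing or lies outside the share root.
share_relpath() {
  wl="$1"
  case "$wl" in
    /*) abs="$wl" ;;
    *)  abs="${HCK_SHARE}/${wl}" ;;
  esac
  # pwd -P resolves symlinks, so a link pointing outside the share root is caught too.
  dir=$(cd "$(dirname "$abs")" 2>/dev/null && pwd -P) || return 1
  root=$(cd "$HCK_SHARE" 2>/dev/null && pwd -P) || return 1
  abs="${dir}/$(basename "$abs")"
  case "$abs" in
    "$root"/*) ;;
    *) echo "refusing wordlist outside the share dir: $wl" >&2; return 1 ;;
  esac
  [ -f "$abs" ] || { echo "wordlist not found: $abs" >&2; return 1; }
  printf '%s\n' "${abs#"$root"/}"
}

# gobuster_task VPN ADDRESS WORDLIST: run the gobuster template against ADDRESS
# through the named vpn, with the wordlist resolved inside the share directory.
gobuster_task() {
  rel=$(share_relpath "$3") || return 1
  "$HCKCTL_BIN" task gobuster \
    --network-vpn "$1" \
    --input "address=$2" \
    --input "wordlist=$rel"
}
```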

Flow (preview)

Launch multiple tasks in parallel, collect and combine the results

hckctl flow scan www.example.com
hckctl flow fuzz 127.0.0.1:8080
hckctl flow sql 127.0.0.1:3306
hckctl flow atomic-red-team 127.0.0.1 T1485
hckctl flow c2 ping
hckctl flow campaign/phishing @example.com

Template

Explore all available templates. Pin a git revision to ensure reproducible results in automated pipelines.

hckctl template list

Please feel free to contribute to the companion repository and add more templates.

Config

Edit the default configurations

# vim ${HOME}/.config/hck/config.yml
# prints current configs
hckctl config

# resets default configs
hckctl config --reset

Setup

Download the latest binaries

# TODO latest
HCKCTL_VERSION=???

curl -sSL https://github.com/hckops/hckctl/releases/download/${HCKCTL_VERSION}/hckctl_linux_x86_64.tar.gz | \
  tar -xzf - -C /usr/local/bin
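The one-liner above extracts whatever the download returns straight into /usr/local/bin. As an added example (not part of the hckctl README), the same installation split into steps so the archive is verified against a SHA-256 digest obtained out of band before anything is extracted. It assumes the archive name from the URL above and takes the version and the expected digest as caller-supplied parameters; the function names are introduced here.

```shell
# Added example (not hckctl code): download the release archive to a temporary
# directory, check its SHA-256 against an expected value, then extract.
# Assumptions: the archive name matches the URL in the README; the expected
# digest is supplied by the caller (e.g. copied from the release page).

# sha256_of FILE: print the hex digest using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DEST_DIR: extract only on a match.
verify_and_extract() {
  actual=$(sha256_of "$1") || return 1
  if [ "$actual" != "$2" ]; then
    echo "digest mismatch for $1: got $actual, expected $2" >&2
    return 1
  fi
  mkdir -p "$3" && tar -xzf "$1" -C "$3"
}

# install_hckctl VERSION EXPECTED_SHA256 [DEST_DIR]: download, verify, install.
install_hckctl() {
  dest="${3:-/usr/local/bin}"
  tmp=$(mktemp -d) || return 1
  archive="${tmp}/hckctl_linux_x86_64.tar.gz"
  curl -fsSL "https://github.com/hckops/hckctl/releases/download/$1/hckctl_linux_x86_64.tar.gz" \
    -o "$archive" || { rm -rf "$tmp"; return 1; }
  verify_and_extract "$archive" "$2" "$dest"
  rc=$?
  rm -rf "$tmp"
  return $rc
}
```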

Provider

TODO setup

List of currently supported providers:

  • docker
  • kubernetes: example with local minikube, kind and kube-template
  • cloud
  • podman (coming soon)

Development

# run
go run internal/main.go

# build
just
./build/hckctl

tail -F ${HOME}/.local/state/hck/log/hckctl-*.log

Roadmap

  • machine: create and access VMs, e.g. DigitalOcean Droplets, AWS EC2, Azure Virtual Machines, QEMU, etc.
  • tui: similar to lazydocker and k9s
  • network: support for Tor and ProxyChains
  • plugin: add custom cli commands in any language
    • man: combine tldr and cheat with task commands
    • prompt: chatgpt prompt style
    • htb and thm: api to start/stop/list machines and submit flags

Contribute

TODO example of how to point to a specific pr/revision in a forked repo
