Now That’s What I Call ADHD! 4

Moth & James Marrs



Introduction

After a month of hard work, Python headaches, dependency hell, and a bit of tool necromancy, ADHD4 is here and we’re thrilled to share it with the community! This version features tools upgraded from Python 2 to Python 3, a fancy new applications menu, updated/reorganized documentation, and more.

What’s This?

ADHD stands for Active Defense Harbinger Distribution. The driving idea of this security image is to actively defend your environment from a malicious attacker. Want to leave an attacker clueless as to what ports are open? ADHD has a tool for that. Want to trick an attacker into falling into a honeypot with a fake file system that doesn’t let them leave? ADHD has a tool for that as well. ADHD is not meant to replace other security solutions; the goal is to supplement them with tools that can make an attacker’s life really difficult. Think of it as a mixtape of some of our favorite tools for active defense.

What’s Old?

If you’re already familiar with ADHD3, we’ve attempted to replicate configurations between versions, and we think we’ve done a rather good job at it. Credentials for the user and the databases have remained the same, and tool directory structures in /opt have remained the same as well. The documentation repository has seen many files changed and rebased, but the links have been updated so that this is as invisible to readers as possible. In addition, a handful of tools have remained the same between versions, so it’s easy to hop back in right where you left off. If you’ve not previously used ADHD, you can find credential information at https://adhdproject.github.io/#!ADHD/Credentials.md.

What’s New?

There is a lot of new stuff in ADHD4. A new OS, updated tools with new features, a shiny application menu similar to Kali’s, and the list goes on. Let’s start with all the Python tools that got updated to Python 3. 

Tool Upgrades

Gcat

You may remember Gcat, a program for establishing and managing C2 channels through Gmail. It hadn’t been updated in a long while, and the alternatives listed in the README were still using Python 2. Gcat is a tool written by one of our own, so we opted to resurrect it. After a bit of work, Gcat now works in Python 3.8. Only two features haven’t been verified (keylogging, shellcode execution), but we imagine we’re not quite done with development.

Cowrie

Cowrie is a medium-interaction honeypot that spoofs an SSH server to catch and log attacker interactions. Cowrie was a bit of a special case to upgrade. Cowrie is already written in Python 3 and is an evolution of a similar Python 2 tool named Kippo. The author of Cowrie removed a feature present in Kippo that we find desirable: preventing attackers from exiting the honeypot. Rather than upgrading Kippo to Python 3, we decided it was easier to graft the feature over from Kippo to Cowrie.

Spidertrap

Spidertrap is a simple tool designed to catch web crawlers. It works by generating an endless maze of links that leads to yet another endless maze. Spidertrap was relatively painless to upgrade. Most of the process was replacing print statements with print function calls.

Wordpot

Wordpot is a honeypot that mimics a real WordPress install. It is highly customizable through the use of templates. Upgrading Wordpot wasn’t too bad. Most of the work had to do with syntax differences and updated libraries. There were a few issues with using different templates, but after some digging these were easy enough to fix. After verifying the functionality of the tool with the updates, we forked the tool into the ADHD repository.

Rubberglue

Rubberglue is a tool that reflects attacker traffic back to the attacker. Thanks to the use of the __future__ import, changes to Rubberglue were minimal. After tweaking the imports and blowing the dust off, it was ready to go.

Operating System

ADHD4 now uses Ubuntu 20.04 LTS as its operating system. We went with Ubuntu because a lot of the tools seem to work best with this flavor of Linux, and we frankly needed a break from the aging Linux Mint release used by past ADHD versions. Choosing Ubuntu 20.04 LTS ensures that ADHD4 will have at least five years of future OS updates. We were also able to take advantage of Ubuntu’s menu bar and create a totally awesome applications menu. The applications menu was lovingly inspired by a similar menu in Kali Linux, and was designed to emulate it as closely as possible. If you are familiar with Kali Linux, we imagine using ADHD’s applications menu will feel similar. When using the applications menu, many tools will open a terminal in the tool directory and print the tool’s usage. This makes it very easy for beginners to run and learn how to use the tools. For some tools that run as services, entries exist to start, stop, and view the status of the service.

Tool Removal

Unfortunately, we also had to remove several tools. The following list shows all the tools that we had to remove from ADHD: Cryptolocked, Invisiport, SQLite Bug Server, HoneyBadger Red, Docz.py, Human.py, Lockdown, OpenBAC, Simple-Pivot-Detect, Sweeper, TALOS, HoneyDrive, and all Windows tools.

You may notice that the list of removed tools is rather long. Killing old tools certainly doesn’t give us a warm and fuzzy feeling, so we’re looking to expand the current tool list. 

Get Involved!

Want to get involved with ADHD? Here’s how!

Tool Suggestions

Want to see one of your favorite tools added to a future version of ADHD? Open an issue on the Awesome Active Defense repository at https://github.com/adhdproject/awesome-active-defense and suggest a tool. Be sure to mention @0x6d6f7468 or @martianjay in your issue details to get our attention. We’re looking forward to adding tools provided by the community.

Documentation Contributions

Notice something wonky in one of the repositories? Feel free to open an issue or submit a pull request. Again, please be sure to mention @0x6d6f7468 or @martianjay so we see the requests quickly.

GitHub Repositories

Before downloading the ADHD image, there are several resources you can check out on GitHub for more information. To see the project on GitHub, go to https://github.com/adhdproject. This project contains repositories for all of the tools we have forked and modified, as well as the documentation repository at https://github.com/adhdproject/adhdproject.github.io and the tool list repository https://github.com/adhdproject/awesome-active-defense. To view ADHD’s documentation, browse to https://adhdproject.github.io.

Discord

In addition to GitHub, we will also be available on the BHIS Discord server, which you can join by browsing to https://discord.gg/TPNn833. This invite link will bring you to the new #adhd channel. Mention @moth or @martianjay to say hello! We’re looking forward to having some great conversations there.

Download ADHD

We’ve left you in suspense long enough and we can practically hear you shouting “but guys, where can I download ADHD4?!”. Fret not, friends! If you want to take ADHD4 for a spin, you can find it at https://adhdhost.s3.amazonaws.com/ADHD4/ADHD4-sha1.ova.

Upon downloading ADHD4, we strongly recommend that you validate your download by comparing the file’s hash against at least one of the following hashes:

Filename: ADHD4-sha1.ova
MD5: 3b0cc1846f86acac875679aaabdc8552
SHA1: 19f9f8e2be0fceffaf6e177123f78d896e0850bd
SHA256: b461505166a930b5503f19a9a9e500abe62c924234dbc160f3fa5b2e7c204a5c

On Windows, you can get the hash of a file by running any of the following three commands in PowerShell:

Get-FileHash -Algorithm MD5 .\ADHD4-sha1.ova
Get-FileHash -Algorithm SHA1 .\ADHD4-sha1.ova
Get-FileHash -Algorithm SHA256 .\ADHD4-sha1.ova

To do the same on macOS or Linux, run any of the following three commands in a terminal:

md5sum ADHD4-sha1.ova
sha1sum ADHD4-sha1.ova
sha256sum ADHD4-sha1.ova
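The same check wrapped in a small POSIX shell script, added here as an example and not part of the post or the ADHD project: it uses whichever SHA-256 tool the system provides (sha256sum on Linux, shasum on macOS), compares the computed digest case-insensitively against the SHA256 value published above, and fails closed on a mismatch, a missing file, or a missing hashing tool. It checks SHA-256 rather than MD5 or SHA-1 because collisions are practical for those older algorithms.

```shell
#!/bin/sh
# Added example (not from the ADHD project): verify a downloaded image
# against a published SHA-256 digest and fail closed on any problem.

# SHA-256 published for ADHD4-sha1.ova in the release post.
ADHD4_SHA256="b461505166a930b5503f19a9a9e500abe62c924234dbc160f3fa5b2e7c204a5c"

# Print the SHA-256 hex digest of $1 using whichever tool is installed:
# sha256sum (GNU coreutils, Linux) or shasum -a 256 (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found (need sha256sum or shasum)" >&2
        return 2
    fi
}

# verify_sha256 FILE EXPECTED: returns 0 on match, 1 on mismatch or
# missing file, 2 if no hashing tool is available. The comparison is
# case-insensitive so a digest pasted in upper case still verifies.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist" >&2
        return 1
    fi
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "FAIL: $file" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Usage: sh verify.sh ADHD4-sha1.ova
# Only runs when a file argument is given on the command line.
if [ "${1:-}" != "" ]; then
    verify_sha256 "$1" "$ADHD4_SHA256"
fi
```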

We hope you enjoy it!
