Getting Started


First things first, make sure TeamSploit is fully up-to-date:

svn update

Now that TeamSploit is fully up-to-date, you need to configure TeamSploit based on your environment.

nano teamsploit.conf

The configuration file contains all of TeamSploit's options and customizations, with sane defaults wherever possible. It also uses self-explanatory names and comments to assist in the configuration process.

You'll want to change the very first option, TS_CONFIG, to 1 (TS_CONFIG=1) - this is used to ensure that you actually edited the config file before trying to run TeamSploit.

Next you'll need to decide if you want to use the CLI or GUI version of TeamSploit:

CLI Version: TS_GUI=0

GUI Version: TS_GUI=1

The TS_WINDOWS option allows you to specify how many Primary windows you want to load - Primary windows are used to launch exploits, whereas the Listener window is used to collect shells (from the primaries and teammates).

TS_WINDOWS=2

Moving forward, you need to set which interface you are using for the engagement (this is where you'll be listening for shell responses).

TS_INT=eth0

The TS_LOCAL option can be used if you do NOT wish to connect to an external/shared database. This is useful if you are using TeamSploit solo with no teammates.

Team Database: TS_LOCAL=0

Local Database: TS_LOCAL=1

If you are using a shared database you'll need to configure it:

TS_DB_NAME=teamsploitdb

TS_DB_HOST=192.168.1.100

TS_DB_PORT=5432

TS_DB_USER=teamsploit

TS_DB_PASS=password

If you'd like to have a shared pool of shells, you can connect to an MSFD service:

Do Not Connect: TS_MSFD_CONNECT=0

Connect to Shared MSFD: TS_MSFD_CONNECT=1

TS_MSFD_CONNECT=1

If you are connecting to a shared MSFD service, configure where the service is being run.

TS_MSFD_HOST=192.168.1.100

TS_MSFD_PORT=51337

If you are running with teammates you are going to want to share shells with those teammates:

Share Shells: TS_SHARE_SHELLS=1

Do Not Share Shells: TS_SHARE_SHELLS=0

Configure who will get shells:

TS_TEAM_MATES="192.168.1.101;192.168.1.102;192.168.1.103;193.168.1.104;192.168.1.105"

Now everyone on the team needs to have the SAME listening ports.

TS_TEAM_PORT=1025

TS_TEAM_PORT_2=7000

TS_TEAM_PORT_HTTP=80

TS_TEAM_PORT_HTTPS=443

TS_TEAM_PORT_DNS=53

Next, we have a cool feature that will launch successful exploits against other teams. This will simply run any exploit against the same system on a range of other teams (specifically using the last octet). This is extremely useful in Capture The Flags.

If you want to execute this function: TS_TARGET_SOLO=0

If you want to skip this automated exploitation: TS_TARGET_SOLO=1

TS_TARGET_RANGES="192.168.21;192.168.22;192.168.22;192.168.23;192.168.24;192.168.25;192.168.26;192.168.27;192.168.28"

TeamSploit's automated post-exploitation will automatically add a user to exploited systems.

TS_ADMIN_USER=user

TS_ADMIN_PASS=password

The next section configures what TeamSploit does during the automated post-exploitation process. TrollWare is a trojan that will ensure you maintain access, but will also lock the users out of the system (while taunting them). NetStopper will automatically stop all services on the system (useful for Denial of Service or scoring in a CTF). The Unpatcher automatically removes ALL system patches on the system, making it more vulnerable if you need to reexploit it.

TS_TROLLWARE=1

TS_NETSTOPPER=0

TS_UNPATCHER=0

Automated vulnerability scanning can also be configured; at present TeamSploit supports Nessus, OpenVAS, and Nexpose. Regardless of which scanner you decide to use, the configuration is similar (only the config keys change, and Nessus has an additional option), so here is an example with Nessus.

First you'll need to clarify if you wish to connect to the scanner.

Connect: TS_NESSUS_CONNECT=1

Do Not Connect: TS_NESSUS_CONNECT=0

Then you'll need to specify if you wish to automatically scan the configured targets:

Automatically Scan Targets: TS_NESSUS_AUTOSCAN=1

Do Not Scan Targets: TS_NESSUS_AUTOSCAN=0

This next option is unique to Nessus: you'll need to specify the Nessus Scan Policy you wish to use for your automated scanning (make sure you check out this and this blog post for a guide on how to make this extremely Metasploit/TeamSploit friendly).

TS_NESSUS_POLICY=-1

And now for the easy part, just the scanner information:

TS_NESSUS_HOST=127.0.0.1

TS_NESSUS_PORT=8834

TS_NESSUS_USER=nessus

TS_NESSUS_PASS=password

Now for some really fun stuff - FULLY AUTOMATED EXPLOITATION (based on Dark Operator's Exploitation Automation)

Automatically Exploit: TS_AUTO_OWN=1

Do Not Auto-Exploit: TS_AUTO_OWN=0

How many concurrent exploits should be launched?

TS_AUTO_OWN_JOBS=10

The last section that is important to configure is the IRC settings - these are only used if you are using the GUI version of TeamSploit.

Connect to IRC: TS_IRC=1

Do Not Connect to IRC: TS_IRC=0

TS_IRC_NICK=TeamSploit

TS_IRC_SERVER=chat.freenode.org

TS_IRC_PORT=6667

TS_IRC_CHANNEL=teamsploit

TS_IRC_SSL=0
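
A pre-flight review of the settings walked through above, as an added example that is not part of TeamSploit or of the original page. It assumes teamsploit.conf consists of plain KEY=value lines with # comments; parse_conf and review are hypothetical names, and what counts as a finding (example passwords left in place, teammate addresses outside private ranges, repeated target ranges, disruptive post-exploitation modules, plaintext IRC) is this example's own policy.

```python
import ipaddress

# Constructed sample reusing values shown on this page (not a real teamsploit.conf).
SAMPLE_CONF = '''
TS_CONFIG=1
TS_DB_PASS=password
TS_TEAM_MATES="192.168.1.101;192.168.1.102;192.168.1.103;193.168.1.104;192.168.1.105"
TS_TARGET_RANGES="192.168.21;192.168.22;192.168.22;192.168.23"
TS_ADMIN_PASS=password
TS_TROLLWARE=1
TS_IRC=1
TS_IRC_SSL=0
'''

def parse_conf(text):
    """Parse KEY=value lines, skipping blanks and # comments, stripping quotes."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"\'')
    return conf

def review(conf):
    """Return findings for settings worth a second look before an engagement."""
    findings = []
    if conf.get("TS_CONFIG") != "1":
        findings.append("TS_CONFIG is not 1")
    for key in ("TS_DB_PASS", "TS_ADMIN_PASS", "TS_NESSUS_PASS"):
        if conf.get(key) == "password":
            findings.append(f"{key} still has the example value")
    for addr in filter(None, conf.get("TS_TEAM_MATES", "").split(";")):
        try:
            if not ipaddress.ip_address(addr).is_private:
                findings.append(f"TS_TEAM_MATES entry {addr} is not a private address")
        except ValueError:
            findings.append(f"TS_TEAM_MATES entry {addr} is not an IP address")
    ranges = [r for r in conf.get("TS_TARGET_RANGES", "").split(";") if r]
    for dup in sorted({r for r in ranges if ranges.count(r) > 1}):
        findings.append(f"TS_TARGET_RANGES lists {dup} more than once")
    for key in ("TS_TROLLWARE", "TS_NETSTOPPER", "TS_UNPATCHER"):
        if conf.get(key) == "1":
            findings.append(f"{key} is enabled (disruptive post-exploitation)")
    if conf.get("TS_IRC") == "1" and conf.get("TS_IRC_SSL") == "0":
        findings.append("IRC is enabled without SSL")
    return findings
```

Calling review(parse_conf(SAMPLE_CONF)) on the sample reports the two example passwords, the 193.168.1.104 teammate entry, the repeated 192.168.22 range, TrollWare and the plaintext IRC connection.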


Video Demonstration


NOTE: This video is based on a much older version of TeamSploit (Revision 4); as such the video is outdated, and shows the user manually executing many options. That said, it is still a decent demonstration of some of the unique functionality TeamSploit offers, as well as a look at how you can manually access some of the features.


Further Assistance


Jump on over to IRC and we'll see what we can do...

IRC Server: chat.freenode.org

IRC Port: 6667

IRC Channel: #threatspace