Merge pull request #62 from alphasoc/mariusz/oast

simulator/oast. Add OAST module. Resolves #59
alphasoc · Mar 2, 2023 · c37b6fe · c37b6fe
2 parents ccf4a7c + cbb3c2c
commit c37b6fe
Show file tree

Hide file tree

Showing 3 changed files with 112 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -138,16 +138,17 @@ All done!
 
 The modules packaged with the utility are listed in the table below.
 
-| Module        | Description                                                                   |
-| ------------- | ----------------------------------------------------------------------------- |
-| `c2`          | Generates both DNS and IP traffic to a random list of known C2 destinations   |
-| `dga`         | Simulates DGA traffic using random labels and top-level domains               |
-| `imposter`    | Generates DNS traffic to a list of imposter domains                           |
-| `miner`       | Generates Stratum mining protocol traffic to known cryptomining pools         |
-| `scan`        | Performs a port scan of random RFC 5737 addresses using common TCP ports      |
-| `sink`        | Connects to known sinkholed destinations run by security researchers          |
-| `spambot`     | Resolves and connects to random Internet SMTP servers to simulate a spam bot  |
-| `ssh-exfil`   | Simulates an SSH file transfer to a service running on a non-standard SSH port|
-| `ssh-transfer`| Simulates an SSH file transfer to a service running on an SSH port            |
-| `tunnel-dns`  | Generates DNS tunneling requests to \*.sandbox.alphasoc.xyz                   |
-| `tunnel-icmp` | Generates ICMP tunneling traffic to an Internet service operated by AlphaSOC  |
+| Module        | Description                                                                      |
+| ------------- | -------------------------------------------------------------------------------- |
+| `c2`          | Generates both DNS and IP traffic to a random list of known C2 destinations      |
+| `dga`         | Simulates DGA traffic using random labels and top-level domains                  |
+| `imposter`    | Generates DNS traffic to a list of imposter domains                              |
+| `miner`       | Generates Stratum mining protocol traffic to known cryptomining pools            |
+| `oast`        | Simulates out-of-band application security testing (OAST) traffic                |
+| `scan`        | Performs a port scan of random RFC 5737 addresses using common TCP ports         |
+| `sink`        | Connects to known sinkholed destinations run by security researchers             |
+| `spambot`     | Resolves and connects to random Internet SMTP servers to simulate a spam bot     |
+| `ssh-exfil`   | Simulates an SSH file transfer to a service running on a non-standard SSH port   |
+| `ssh-transfer`| Simulates an SSH file transfer to a service running on an SSH port               |
+| `tunnel-dns`  | Generates DNS tunneling requests to \*.sandbox.alphasoc.xyz                      |
+| `tunnel-icmp` | Generates ICMP tunneling traffic to an Internet service operated by AlphaSOC     |
diff --git a/cmd/run/run.go b/cmd/run/run.go
@@ -287,6 +287,14 @@ var allModules = []Module{
 		HeaderMsg:  "Resolving random imposter domains",
 		Timeout:    1 * time.Second,
 	},
+	Module{
+		Module:     simulator.NewOAST(),
+		Name:       "oast",
+		Pipeline:   PipelineDNS,
+		NumOfHosts: 1,
+		HeaderMsg:  "Preparing to simulate OAST traffic",
+		Timeout:    3 * time.Second,
+	},
 	Module{
 		Module:     simulator.NewSSHTransfer(),
 		Name:       "ssh-transfer",

diff --git a/simulator/oast.go b/simulator/oast.go
@@ -0,0 +1,90 @@
+package simulator
+
+import (
+	"context"
+	"fmt"
+	"math/rand"
+	"net"
+	"strings"
+	"time"
+
+	"github.com/alphasoc/flightsim/utils"
+)
+
+// InteractshDefaultDomains is a list of default domains used by Interactsh.
+var InteractshDefaultDomains = []string{
+	"oast.fun",
+	"oast.live",
+	"oast.me",
+	"oast.online",
+	"oast.pro",
+	"oast.site",
+	"oastify.com",
+}
+
+// OAST simulator. This module simulates the out-of-band security testing (OAST) technique
+// by trying to resolve random FQDNs under one of default domains used by Interactsh.
+type OAST struct {
+	bind BindAddr
+}
+
+// NewOAST creates OAST simulator.
+func NewOAST() *OAST {
+	return &OAST{}
+}
+
+func (oast *OAST) Init(bind BindAddr) error {
+	oast.bind = bind
+	return nil
+}
+
+func (OAST) Cleanup() {
+}
+
+// Simulate DNS lookups of random 33-character long hostnames beneath one of the default
+// domains used by Interactsh.
+func (oast *OAST) Simulate(ctx context.Context, host string) error {
+	d := &net.Dialer{}
+	// Set the user overridden bind iface.
+	if oast.bind.UserSet {
+		d.LocalAddr = &net.UDPAddr{IP: oast.bind.Addr}
+	}
+	r := &net.Resolver{
+		PreferGo: true,
+		Dial:     d.DialContext,
+	}
+
+	for {
+		// Keep going until the passed context expires.
+		select {
+		case <-ctx.Done():
+			return nil
+		// Wait a random amount of time between 100ms and 500ms.
+		case <-time.After(time.Duration(100+rand.Intn(400)) * time.Millisecond):
+		}
+
+		// Generate a random 33-character long hostname.
+		hostname := strings.ToLower(utils.RandString(33))
+
+		lctx, cancelFn := context.WithTimeout(ctx, 200*time.Millisecond)
+		defer cancelFn()
+		_, err := r.LookupIPAddr(lctx, fmt.Sprintf("%s.%s", hostname, host))
+
+		// Ignore "no such host".  Will ignore timeouts as well.
+		if err != nil && !isSoftError(err, "no such host") {
+			return err
+		}
+	}
+}
+
+// Hosts returns a list of default domains used by Interactsh.
+func (OAST) Hosts(scope string, size int) ([]string, error) {
+	var hosts []string
+	for _, i := range rand.Perm(len(InteractshDefaultDomains)) {
+		hosts = append(hosts, InteractshDefaultDomains[i])
+		if len(hosts) == size {
+			break
+		}
+	}
+	return hosts, nil
+}