Simple go tool to log red team operations' activities. The idea is to avoid keeping manual track of timestamps when executing commands and instead just focus on executing.
Once Go is installed and configured, run:
❯❯❯ go install github.com/zkvL/opl/cmd/opl@latestIf everything worked correctly, you should be able to run opl -h and see the help output.
You can create a fish shell function to automatically log shell issued commands (opl -cmd <COMMAND>):
# Fish shell
❯❯❯ function logCmd --on-event fish_prompt; set cmd $history[1]; opl -cmd "$cmd"; endWhen you want to delete the function you can simply issue:
❯❯❯ functions -e logCmdIf using zsh instead, you can add this to the $HOME/.zshrc file:
# $HOME/.zshrc
preexec() { opl -cmd "${1}" }Then just source the file to start logging. When you are done simply remove the preexec() function and source again the configuration file.
You may need to restart the zsh shell.
opl will keep a registry of files within the $HOME/operator-logs folder. Each log file will be named with the current date in JSON format, as shown below:
[
{
"date": "2023-08-05 17:26:09 GMT",
"command": "amass enum -d DOMAIN.TARGET",
"ipaddr": "XXX.XXX.XX.XXXX"
},
{
"date": "2023-08-05 17:34:32 GMT",
"command": "nmap --top-ports 1000 [. . .]",
"ipaddr": "XXX.XXX.XX.XXXX",
"operator": "zkvL"
},
]If you want to log an activity, instead of a command, you can add it manually:
❯❯❯ opl 'Login to exposed Jenkins using the JenkinsAdmin account'Without the -cmd flag, opl wont log a source IP address to the log.
{
"date": "2023-08-05 20:16:05 GMT",
"command": "Login to exposed Jenkins using the JenkinsAdmin account",
"ipaddr": ""
},
Finally, you can parse the logs to report activities using the -print flag
❯❯❯ opl -print $HOME/operator-logs
# OR
❯❯❯ opl -print $HOME/operator-logs/YYYY-MM-DD.json
Operator Timestamp (UTC) Operator IP Command/Activity
-----------------------------------------------------------------------------------------
2023-08-05 17:26:09 UTC XXX.XXX.XX.XXXX amass enum -d DOMAIN.TARGET
zkvL 2023-08-05 17:34:32 UTC XXX.XXX.XX.XXXX nmap --top-ports 1000 [. . .]
2023-08-05 20:16:05 UTC Login to exposed Jenkins using the JenkinsAdmin account
[...]The operator field will be added whenever the environment variable OPERATOR is set:
# Fish shell
set -g -x OPERATOR zkvLopl filters out the following common commands from logging:
- alias
- cd
- chmod
- chown
- cp
- exit
- find
- id
- kill
- ls
- locate
- make
- man
- mkdir
- mv
- nano
- opl
- ps
- pwd
- uname
- vim
- which
- whoami
Got the idea of shell env functions to automatically log stuff from c2biz