Creating a secure infrastructure for social engineering campaigns or red teaming operations is a hustle. A lot of organizations are keeping their infrastructure always on and make minor configuration changes (e.g. on the redirectors or the mail servers) but that is not cost effective. Luckily for us, tools exist (like Terraform and ansible) to automate the configuration process to spin up virtual environments on cloud providers. Great articles were created to deploy a robust red team infrastructure using these technologies and open source projects are available on Github. One of these tools is RedBaron, which leverages these technologies to create a basic Red Team Infrastructure, but it requires knowledge on their TF configuration language. This is where Overlord comes in.
Overlord is a tool that provides a python-based console CLI which abstracts the user from the terraform implementation. Briefly, it is a Terraform “code generator” which takes a JSON file that is generated from the user and creates a Terraform file to be executed. It heavily uses the RedBaron implementation as a main resource, but additional modules and configurations were made to make the overall experience easier to follow by anyone.
To better understand how the tool works, let’s take a look at the diagram bellow. By running Overlord, a new project is created. In this example we will include an HTTP C2 and a webserver with their redirectors, a mail server and Gophish client which is used to connect and send the emails for our campaign.
To setup the infrastructure shown on the diagram we will need API keys from our providers (AWS and Digital Ocean). Using the
usemodule command, we can configure each module to our needs. Let’s take a closer look on how the C2 module works. On the module you can choose your provider (in this case AWS with the
set provider command). We want to install Metasploit and leave the
redirector set to 1.
add command the module is added to our campaign. If we want to create a redirector in another provider, we can use the redirector module and add the ID of the C2 which was created for us as shown on the picture bellow:
To add a DNS record, we use the dns_record module. To add the rdir.overlord.red record we need to set the
name to rdir, set the
type to A and set the record to
record -m <module_id> -d overlord.red.
Using similar steps, you can
create the infrastructure of the diagram. When you are finished you can use the create command to save and store the files in the project directory. With the
deploy command, overlord will start creating the machines on Digital Ocean and AWS.
How does it work?
The configuration of all the modules can be found in the
config/config.json file. You can modify each module to suit your needs (e.g. change the default provider from Digital Ocean to AWS or choose a different region). The Project directory contains the variables.json file, which can store your API keys and domains. If this file exists, it pre-loads when Overlord runs and populates the variables so they can be used without typing your domains and API keys every time. Overlord reads the filenames on the
redbaron/data/scripts/tools directory and creates a list of tools which can be used to install tools on the C2 server. You can add your own by adding them in the same directory.