MOSE (Master Of SErvers)
Copyright 2020 National Technology & Engineering Solutions of Sandia, LLC (NTESS).
Under the terms of Contract DE-NA0003525 with NTESS,
the U.S. Government retains certain rights in this software
MOSE is a post exploitation tool that enables security professionals with little or no experience with configuration management (CM) technologies to leverage them to compromise environments. CM tools, such as Puppet and Chef, are used to provision systems in a uniform manner based on their function in a network. Upon successfully compromising a CM server, an attacker can use these tools to run commands on any and all systems that are in the CM server’s inventory. However, if the attacker does not have experience with these types of tools, there can be a very time-consuming learning curve. MOSE allows an operator to specify what they want to run without having to get bogged down in the details of how to write code specific to a proprietary CM tool. It also automatically incorporates the desired commands into existing code on the system, removing that burden from the user. MOSE allows the operator to choose which assets they want to target within the scope of the server’s inventory, whether this is a subset of clients or all clients. This is useful for targeting specific assets such as web servers, or choosing to take over all of the systems in the CM server’s inventory.
MOSE + Puppet
Mose + Chef
Dependencies
You must download and install the following for MOSE to work:
- Golang - tested with 1.12.7 through 1.13.4
Be sure to properly set your GOROOT, PATH and GOPATH env vars
- Docker - tested with 18.09.2 through 19.03.4
Getting started
Install all go-specific dependencies and build the binary:
make build
Usage
Usage of ./mose [options]:
-a string
Architecture that the target CM tool is running on (default "amd64")
-c string
Command to run on the targets
-d Display debug output
-ep int
Port used to exfil data from chef server (default 443 with ssl, 9090 without) (default 443)
-f string
Output binary locally at <filepath>
-fu string
File upload option
-l string
Local IP Address
-m string
Name for backdoor payload (default "my_cmd")
-o string
Operating system that the target CM tool is on (default "linux")
-p int
Port used to serve payloads on (default 443 with ssl, 8090 without) (default 443)
-r string
Set the remote host for /etc/hosts in the chef workstation container (format is hostname:ip)
-rfp string
Remote file path to upload a script to (used in conjunction with -fu) (default "/root/.definitelynotevil")
-s string
JSON file to load for MOSE (default "settings.json")
-ssl
Serve payload over TLS
-t string
Configuration management tool to target (default "puppet")
-tts int
Number of seconds to serve the payload (default 60)
TLS Certificates
You should generate and use a TLS certificate signed by a trusted Certificate Authority
A self-signed certificate and key are provided for you, although you really shouldn't use them. This key and certificate are widely distributed, so you can not expect privacy if you do choose to use them. They can be found in the data
directory.
Examples
You can find some examples of how to run MOSE in EXAMPLES.md.
Test Labs
Test labs that can be run with MOSE are at these locations:
Credits
The following resources were used to help motivate the creation of this project: