Ecosyste.ms: Awesome

https://github.com/psmths/reave

WIP Post-exploitation framework tailored for hypervisors.
framework hypervisor pentesting post-exploitation post-exploitation-toolkit python rat red-team

README

REAVE

Reave is a post-exploitation framework tailored for hypervisor endpoints, written in Python. It is currently under development.

Reave follows a traditional listener/agent model, where the user may set up multiple listeners that accept any number of agents. The framework currently provides a Python agent and supports the following objectives:

- Interactive terminal sessions with agents
- Automatic enumeration of hypervisors, including:
  - What guest systems are installed
  - What network shares and datastores are mounted
  - What local users are associated
  - What domain the hypervisor is a part of
- Modular payloads supporting capabilities such as:
  - Exfiltration of datastores, files and virtual disks
  - Persistence: adding, modifying and deleting local users, installing SSH keys and spawning reverse shells
  - Enumeration: further network scanning, etc.

The goal of Reave is to provide a framework one can leverage to automate and expedite pentesting campaigns in environments that are either heavily virtualized, or where target/critical infrastructure is hosted on hypervisor platforms such as ESXi and Proxmox.

# Screenshots

Screenshot captions (images not reproduced on this page):

- Listener Context
- Payload Context
- Automatic Hypervisor Enumeration
- Centralized C2 Overview

# Usage

On the server, simply run app.py:

```
python3 reave/app.py
```

On the target endpoint, upload the Python agent, located under `agents/client.py`, and execute it. The following configuration options are available:

- `_LISTENER_HOST` Hostname/IP of the server
- `_LISTENER_PORTS` List of ports that the agent will attempt to connect to in round-robin fashion
- `_LISTENER_SECRET` Association key of the listener the agent will bind to
- `_AGENT_LOGLEVEL` Debug logging level
- `BEACON_INTERVAL` Interval the agent will beacon on
- `BEACON_JITTER` Random jitter factor added to beacon interval
- `START_TIME` What time of day the agent will start beaconing
- `END_TIME` What time of day the agent will stop beaconing
- `SOCKET_TIMEOUT` Timeout for the agent's socket
- `PID_FILE` PID file the agent uses to ensure it isn't already running on the endpoint
- `TRANSFER_BLOCK_SIZE` Block size the agent will use when transferring files to the server
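The options above describe a beaconing agent's schedule and connection behaviour. The following is an added example written for this page, not Reave's `agents/client.py`, showing how such options are typically combined: a jittered interval, a start/end time-of-day window that may wrap past midnight, round-robin selection of listener ports, and a PID-file single-instance guard that does not get stuck on a stale file. The option names mirror the README; the values, the `parse_hhmm`, `in_window`, `next_beacon`, `connect_round_robin`, `parse_pid_file` and `already_running` helpers, and the `/tmp/agent.pid` path are assumptions made for the example.

```python
"""Illustrative beacon scheduling for a listener/agent model (added example;
not Reave's own agent code). Option names follow the README, values are assumed."""
import os
import random
from datetime import datetime, time, timedelta

# Assumed option values; the README names the options, the values are ours.
BEACON_INTERVAL = 60          # seconds between beacons
BEACON_JITTER = 0.2           # +/- 20% of the interval
START_TIME = "08:00"          # beacon only inside this time-of-day window ...
END_TIME = "18:00"            # ... so traffic blends in with working hours
_LISTENER_PORTS = [443, 8443, 80]
PID_FILE = "/tmp/agent.pid"   # assumed path


def parse_hhmm(value):
    """Accept 'HH:MM' or a datetime.time and return a datetime.time."""
    if isinstance(value, time):
        return value
    hours, minutes = value.split(":")
    return time(int(hours), int(minutes))


def in_window(now, start=START_TIME, end=END_TIME):
    """True if time-of-day 'now' lies inside [start, end]. A window that wraps
    past midnight (e.g. 22:00 -> 06:00) is handled; a naive
    'start <= now <= end' would never beacon at night for such a window."""
    now, start, end = parse_hhmm(now), parse_hhmm(start), parse_hhmm(end)
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def jittered_interval(base=BEACON_INTERVAL, jitter=BEACON_JITTER, rng=random):
    """Perturb the interval uniformly by +/- jitter*base. A fixed period is what
    periodicity analysis on proxy/NetFlow logs keys on; jitter blurs it."""
    spread = base * jitter
    return base + rng.uniform(-spread, spread)


def next_beacon(now, base=BEACON_INTERVAL, jitter=BEACON_JITTER,
                start=START_TIME, end=END_TIME, rng=random):
    """Datetime of the next beacon: now + jittered interval while inside the
    window; if that lands outside it, wait until the window next opens
    (today if still ahead, otherwise tomorrow)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    candidate = now + timedelta(seconds=jittered_interval(base, jitter, rng))
    if in_window(candidate.time(), start, end):
        return candidate
    next_open = datetime.combine(candidate.date(), parse_hhmm(start))
    if next_open <= candidate:
        next_open += timedelta(days=1)
    return next_open


def connect_round_robin(connect, ports=_LISTENER_PORTS, max_rounds=3):
    """Try ports in round-robin order until connect(port) returns True.
    'connect' is injected so the example runs offline; a real agent would open
    a socket with SOCKET_TIMEOUT applied. Returns (port, attempts)."""
    attempts = 0
    for _ in range(max_rounds):
        for port in ports:
            attempts += 1
            if connect(port):
                return port, attempts
    return None, attempts


def parse_pid_file(text):
    """PID recorded in a PID file, or None if the contents are garbage."""
    try:
        return int(text.strip())
    except ValueError:
        return None


def already_running(pid_file=PID_FILE):
    """Single-instance guard. Signal 0 tests for existence without sending a
    signal; a stale file left by a crashed agent must not block a fresh one."""
    try:
        with open(pid_file) as fh:
            pid = parse_pid_file(fh.read())
    except OSError:
        return False
    if pid is None or pid <= 0:       # pid 0 would target the process group
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False                  # stale PID file: no such process
    except PermissionError:
        return True                   # exists, but owned by another user
    return True


if __name__ == "__main__":
    # Constructed scenario: a fake connector that only answers on 8443.
    print(connect_round_robin(lambda p: p == 8443))
    print(next_beacon("2024-01-15T17:59:50", jitter=0))
    print(already_running())
```

Run stand-alone it prints the port the fake connector accepted, the next beacon time for a moment just before the window closes (the next morning's opening, not a time outside the window), and whether the PID file names a live process. The midnight wrap in `in_window` and the stale-PID handling in `already_running` are the two cases a first implementation usually gets wrong.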

When an agent has successfully associated to a listener, you can view it by entering the `agent` context and issuing the command `list` (or `ls`). To view all of the information that Reave has automatically enumerated from the endpoint, issue the command `info <uuid>`. For instance, if your agent has a uuid of `18ab`, you would use `info 18ab`.

To grab an arbitrary file from the agent, you can issue `get 18ab /my/test/file`.

To spawn an interactive shell on the endpoint, you could issue `interact 18ab`.

# Command Line Interface

The command line has three distinct contexts from which you can control separate operations:

- Listener
- Payload
- Agent

## Listener Context Commands

To enter the listener context, use command `listener`. From there, several options are available:

```
list      List all active listeners
add       Add a listener
remove    Remove a listener
```

Exit this context by using command `back`

## Agent Context Commands

To enter the agent context, use command `agent`. From there, several options are available:

```
list      List all agents (alias: ls)
info      List agent info, including any auto-enumerated data
interact  Interactive terminal session with agent ('quit' to exit)
get       Transfer file from the agent endpoint to downloads directory
```

Exit this context by using command `back`

## Payload Context Commands

To enter the `payload` context, use command `payload`. From there, several options are available:

```
list          List all loaded payloads
info          Get information about a payload
use           Select payload for use
set           Set payload option to value
run <agent>   Run the payload on an individual agent
```

Exit this context by using command `back`

## Formatting Selection

Reave also supports defining what format you would like to view enumeration data in. To switch to a particular format:

```
format json    Output information in JSON format
format table   Output information in table format
```

# Contributors

- [desultory](https://github.com/desultory)