2.10 Resources
Athena OS consists in several elements with the purpose to make comfortable the user. Some of them are key features of the user environment because are needed for reaching the objective of the project: making the user closer to the security and hacking resources.
Red Team Menu is born for organizing in pretty manner all main security tools that users need to start their hacking activity. It consists of two levels:
- 1st level containing several hacking categories, plus Firefox browser and Code OSS as editor
- 2nd level consisting of hacking tools deployed for each hacking category
In details:
| Information Gathering | Dmitry | Nmap | Spiderfoot | TheHarvester | enum4linux | wafw00f | Fierce |
|---|---|---|---|---|---|---|---|
| Vulnerability Analysis | Legion | Nikto | unix-privesc-check | ||||
| Web Application Analysis | WPScan | Burpsuite | dirb | dirbuster | ffuf | Wfuzz | sqlmap |
| Password Attacks | John | Hashcat | Hydra | CEWL | CRUNCH | RSMangler | Medusa |
| Sniffing | mitmproxy | Responder | Wireshark | ||||
| Wireless Testing | Aircrack-ng | Kismet | Reaver | Wifite | Fern Wifi Cracker | Spooftooph | |
| Reverse Engineering | NASM | Radare2 | |||||
| Exploitation | SearchSploit | Metasploit | SEToolkit | ||||
| Post Exploitation | PowerSploit | Mimikatz | evil-winrm | proxychains-ng | weevely |
At the beginning, these tools are not installed to avoid that users would store in the disk space installed tools or services that never use. For users that would like to get these main tools, the Enthusiast Student role must be chosen on the Welcome App.
Red Team menu can be accessed by CTRL+SPACE.
PWNage Menu allows users to access quickly to the main hacking platforms for learning purposes and to join the main Discord InfoSec Communities:
- 1st shell deploys all quick links to the main hacking platforms
- 2nd shell can be accessed by the Discurity icon on top where the user can join several Discord InfoSec servers or open Discord App.
PWNage menu can be accessed by CTRL+TAB.
One of the most interesting features of Athena is the deep integration with Hack The Box platform, accessible by PWNage menu. Athena gives the possibility to play Hack The Box machines directly on the OS environment in a quick and comfortable manner. It offers:
- Connect/Disconnect to/from Hack The Box VPN servers
- Play any active free machine you wish
- Reset the active machine
- Stop any active machine
- Submit a flag and write a review about your hacking experience!
- ... and access to the Hack The Box website
It can be done by accessing to the Hack The Box icon on the PWNage menu. The menu is automatically updated by a command inside /etc/profile.d/run-once.sh in order to call Hack The Box APIs and retrieve the last free active machines.
Playing with one of these machines will edit the PROMPT of the shell by showing the name of the laboratory, the target IP address, the attacker IP address, the Hack The Box username of the user and the prize points.
The set of tools that manages the Hack The Box environment needs of the App Token of the Hack The Box user that can be retrieved on the profile settings of the Hack The Box website. Once retrieved, it can be set by calling htb-update command.
Users can also play retired machines if they have a Hack The Box VIP subscription by htb-play tool. It can list all retired machines by htb-play -l command and then start the machine by specifying its name
Another important security element in Athena is Payload to Dock. It is based on Dash 2 Dock and keeps the access to the most famous payload repositories. It allows to get the latest version of payloads and accessing their path directly by the shell. It shows:
The Dock contains also links to Mimikatz and Powersploit, and allows to run the current SHELL and PowerShell.
At the beginning, these repositories are not installed, to avoid that users would store in the disk space payload repositories that never use. For users that would like to get these repositories, the hacking role that can usually use these resources must be chosen on the Welcome App.
The implementation of this dock leverage on the .desktop files that should contain a similar configuration (here Mimikatz example):
[Desktop Entry]
Type=Application
Encoding=UTF-8
Name=Mimikatz
Comment=Mimikatz
Icon=/usr/share/icons/hicolor/128x128/apps/kali-mimikatz-128x128.png
Exec=gnome-terminal -- fish -c "if test -d /usr/share/windows/mimikatz;cd /usr/share/windows/mimikatz;$SHELL;else;echo \"Mimikatz is not installed. I'm retrieving it for you...\";sudo pacman -S mimikatz;cd /usr/share/windows/mimikatz;$SHELL;end;"
Terminal=false
Categories=Tags;Describing;Application
These .desktop files must be stored in /home/cybee/.local/share/applications (for the current user) or /usr/share/applications folder (for all the users). Then logout and login for applying the changes. At the end, access to the dock bar, click on "Show Applications" icon, search your Desktop Entry, right-click and "Pin to dash".
The applications in Payload to Dock are defined in dconf-shell.ini in favorite-apps field.
On the system, for accessing these resources in a quick manner, several environment variables have been defined:
| Environment Variable | Value |
|---|---|
| $PAYLOADS | /usr/share/payloads |
| $AUTOWORDLISTS | /usr/share/payloads/Auto_Wordlists |
| $FUZZDB | /usr/share/payloads/FuzzDB |
| $PAYLOADSALLTHETHINGS | /usr/share/payloads/PayloadsAllTheThings |
| $SECLISTS | /usr/share/payloads/SecLists |
| $SECURITYWORDLIST | /usr/share/payloads/Security-Wordlist |
| $MIMIKATZ | /usr/share/windows/mimikatz |
| $POWERSPLOIT | /usr/share/windows/powersploit |
| $ROCKYOU | /usr/share/payloads/SecLists/Passwords/Leaked-Databases/rockyou.txt |
| $DIRBIG | /usr/share/payloads/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt |
| $DIRMEDIUM | /usr/share/payloads/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt |
| $DIRSMALL | /usr/share/payloads/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt |
| $WEBAPI_COMMON | /usr/share/payloads/SecLists/Discovery/Web-Content/api/api-endpoints.txt |
| $WEBAPI_MAZEN | /usr/share/payloads/SecLists/Discovery/Web-Content/common-api-endpoints-mazen160.txt |
| $WEBCOMMON | /usr/share/payloads/SecLists/Discovery/Web-Content/common.txt |
| $WEBPARAM | /usr/share/payloads/SecLists/Discovery/Web-Content/burp-parameter-names.txt |
In this manner, the user can retrieve the needed payload with less effort, for example:
ffuf -u <target_url> -w $DIRSMALL
or
john file.hash --wordlist=$ROCKYOU
Firefox ESR has been modified in order to integrate at the installation time the addons you need for your web application pentesting activity. The preinstalled addons are:
- Cookie Quick Manager
- FoxyProxy Standard
- Hack-Tools
- HacKontext
- HTTPS Everywhere
- Penetration Testing Kit
- Privacy
- uBlock Origin
- Wappalyzer
These extensions have been added by default on Firefox by importing $HOME/.mozilla/firefox-esr folder containing the installed extensions to the target Athena system.
In particular, HacKontext is an extension that allows users to inject website information, HTTP headers and body parameters of the active browser tab on specific InfoSec command-line tools in order to improve and speed up their correct usage. It helps users to copy and paste headers and any parameters automatically to the tools.
As example, by visiting Arch Linux forum authentication page and selecting “Copy as FFUF”, the clipboard stores the following string:
ffuf -u https://bbs/.archlinux.org/login.php?action=in -H ‘Host: bbs.archlinux.org’ -H ‘User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0’ -H ‘Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8’ -H ‘Accept-Language: en-US,en;q=0.5’ -H ‘Accept-Encoding: gzip, deflate, br’ -H ‘Content-Type: application/x-www-form-urlencoded’ -H ‘Content-Length: 176’ -H ‘Origin: https://bbs/.archlinux.org’ -H ‘Connection: keep-alive’ -H ‘Referer: https://bbs/.archlinux.org/login.php’ -H ‘Upgrade-Insecure-Requests: 1’ -H ‘Sec-Fetch-Dest: document’ -H ‘Sec-Fetch-Mode: navigate’ -H ‘Sec-Fetch-Site: same-origin’ -H ‘Sec-Fetch-User: ?1’ -H ‘DNT: 1’ -H ‘Sec-GPC: 1’ -d ‘form_sent=1&redirect_url=https://bbs.archlinux.org/index.php&csrf_token=7b2829f6ea8fbbc02cb3035a025fed10a9d166fb&req_username=usertest&req_password=passtest&login=Login’
and the user can edit this string for adding the preferred wordlist and fuzzing parameters for attacking the target.
NIST Feed is a special tool able to inform users about a new published or updated CVE by a popup notification! The notification contains a description of the CVE.
NIST Feed can be configured according to the parameters shown by nist-feed -h. Users can decide which kind of CVE they wish to be informed about, for instance CVEs with a high impact on the confidentiality and integrity, or CRITICAL CVEs. Some examples:
- Set Desktop Notifications for latest or updated CVE with CRITICAL severity:
nist-feed -n -l -s CRITICAL - Show details about the last three CVEs. No Desktop Notifications:
nist-feed -r 3 - Show details about the last twenty CVEs with PHYSICAL as attack vector and MEDIUM severity. No Desktop Notifications:
nist-feed -V AV:P -s MEDIUM - Set Desktop Notifications for latest or updated CVE having high Confidentiality, Integrity and Availability impact:
or
nist-feed -n -l -m C:H/I:H/A:Hnist-feed -n -l -c C:H -i I:H -a A:H - Set Desktop Notifications for latest or updated CVE with HIGH attack complexity and NETWORK as attack vector:
nist-feed -n -l -A AC:H -V AV:N
Reference: https://nvd.nist.gov/
The -s argument is used for setting a scheduled popup notification on crontab according to the specified filters.
When the popup notification is shown, users can left-click on it for accessing to the NIST NVD page with all detailed information, or right-click for closing it.
Athena tool surface can be increased by extending these main tools with the ones from BlackArch repository.
BlackArch Linux is an Arch Linux-based penetration testing distribution for penetration testers and security researchers. Its repository contains 2800+ tools, classified for categories. You can install tools individually or in groups according to the categories they belong. BlackArch Repository is compatible with only Arch-based distributions as Athena OS.
On Athena OS, the installation of BlackArch Repository occurs by the usage of strap.sh file as described on the official documentation: https://blackarch.org/downloads.html in the section Installing on top of ArchLinux. At the time of Athena ISO creation, this script is placed in airootfs/usr/local/bin/ folder and it is run with Calamares Installer by shellprocess-<before|final>.conf file. strap.sh stores blackarch.gpg, blackarch-trusted and blackarch-revoked files in /usr/share/pacman/keyrings folder, enable Multilib repository and add BlackArch server repository in /etc/pacman.conf file and then execute pacman-key --init and pacman-key --populate. In this manner, all the keys inside /usr/share/pacman/keyrings are installed and trusted correctly.
Note: Multilib needs to be enabled because it is generally used to run 32-bit applications on a 64-bit system, and some security tools on BlackArch belong to this category. In general, this is often useful when running older games or really anything else that is meant for 32-bit systems. Enabling support for multilib is a relatively common operation for many Arch Linux users. It is also relatively easy as far as Arch goes. For enabling it manually, in /etc/pacman.conf uncomment these two lines:
#[multilib]
#Include = /etc/pacman.d/mirrorlist
and run sudo pacman -Syyu.
BlackArch hacking tools can be installed in several ways. Users can install a single tool, categories or all the tools. For installing a single tool, just execute sudo pacman -S <tool-name>. For installing a category, execute sudo pacman -S <category-name>. There are several categories that users can install:
| Category | Description |
|---|---|
| blackarch-anti-forensic | Countering forensic activities. |
| blackarch-automation | Workflow automation. |
| blackarch-automobile | Analyzing automotive applications. |
| blackarch-backdoor | Exploiting or open backdoors on already vulnerable systems. |
| blackarch-binary | Operating on binary in some form. |
| blackarch-bluetooth | Using Bluetooth attacks. |
| blackarch-code-audit | Auditing existing source code for vulnerability analysis. |
| blackarch-cracker | Cracking cryptographic functions. |
| blackarch-crypto | Working with cryptography, with the exception of cracking. |
| blackarch-database | Database exploitations on any level. |
| blackarch-debugger | Debugging resources in realtime. |
| blackarch-decompiler | Reversing a compiled program into source code. |
| blackarch-defensive | Protecting resources from malware and attacks. |
| blackarch-disassembler | Producing assembly output rather than the raw source code. |
| blackarch-dos | Using DoS (Denial of Service) attacks. |
| blackarch-drone | Managing physically engineered drones. |
| blackarch-exploitation | Taking advantages of exploits in other programs or services. |
| blackarch-fingerprint | Exploiting fingerprint biometric equipment. |
| blackarch-firmware | Exploiting vulnerabilities in firmware. |
| blackarch-forensic | Finding information on physical disks or embedded memory. |
| blackarch-fuzzer | Fuzzing tools. |
| blackarch-hardware | Exploiting or managing anything to do with physical hardware. |
| blackarch-honeypot | Acting as "honeypots", i.e., programs that appear to be vulnerable services used to attract hackers into a trap. |
| blackarch-ids | Intrusion Detection System tools. |
| blackarch-keylogger | Recording and retaining keystrokes on a target system. |
| blackarch-malware | Malicious software or malware detection. |
| blackarch-misc | Miscellaneous tools. |
| blackarch-mobile | Manipulating mobile platforms. |
| blackarch-networking | Scanning selected systems for vulnerabilities or information about the network. |
| blackarch-nfc | NFC technology tools. |
| blackarch-packer | Operating on or involve packers. |
| blackarch-proxy | Acting as a proxy, i.e., redirecting traffic through another node on the internet. |
| blackarch-radio | Operating on radio frequency. |
| blackarch-recon | Actively seeking vulnerable exploits in the wild. |
| blackarch-reversing | Any decompiler, disassembler or any similar program. |
| blackarch-scanner | Scanning selected systems for vulnerabilities or information about the network. |
| blackarch-sniffer | Analyzing network traffic. |
| blackarch-social | Social engineering attacks. |
| blackarch-spoof | Spoofing attacker entity. |
| blackarch-stego | Analyzing resources for hidden information. |
| blackarch-tunnel | Tunneling network traffic on a given network. |
| blackarch-voip | Operating on VoIP programs and protocols. |
| blackarch-webapp | Web application attacks tools. |
| blackarch-windows | Native Windows packages. |
| blackarch-wireless | Operating on wireless networks on any level. |
It is also possible to install all hacking tools by sudo pacman -S blackarch.
In Athena you can set any InfoSec role you feel suitable. Currently the implemented roles are:
| Role |
|---|
| Black Hat Omniscient |
| Bug Bounty Hunter |
| Cracker Specialist |
| Enthusiast Student |
| Forensic Analyst |
| Malware Analyst |
| Mobile Analyst |
| Network Analyst |
| OSINT Specialist |
| Red Teamer |
| Web Pentester |
These roles are linked to related-role tools and related BlackArch category group. In Athena repository the role tool packaging is managed by a script that automate the retrieving of tools to be installed by the PKGBUILD in order to exclude any conflicting or problematic tool very easily and prevent installation blocks.
This automation is managed mainly by the following string:
printf "'%s' " $(pacman -Sgq blackarch-webapp blackarch-fuzzer | awk '!seen[$0]++' | sed -e "$(sed 's:.*:s/^&$//ig:' <<<$(printf "%s\n" "${to_exclude[@]}"))") >> PKGBUILD
where the first piece retrieves all the members of a package group, then all duplicated members are removed, finally all packages that need to be excluded are removed. The result is placed as dependencies in the role meta-package.
The following configuration has been used on VIM: https://github.com/amix/vimrc
Settings of Neofetch can be accessed on .config/neofetch/config.conf. You can change the shown ASCII logo and the output system information. For example, for changing logo, open config.conf file and search for ascii_distro. There, the user can change its value with one of the list above that file section.
In Athena, Neofetch, in synergy with lolcat, is implemented inside $HOME/.config/fish/config.fish file as neofetch | lolcat`.
Tmux is implemented with several plugins retrieved from https://github.com/wfxr/tmux-power. Tmux Plugin Manager is used to manage the plugins.
On Athena, tmux themes are set according to the chosen theme at the installation time.
Bfetch is implemented with several textarts. Some examples of output can be seen here: https://asciinema.org/a/381349
In Athena, backgrounds are usually stored in /usr/share/backgrounds/default folder.
The user can change a background desktop also by CLI:
GS_BACKEND=dconf gsettings set org.gnome.desktop.background picture-uri-dark .local/share/backgrounds/neon_circle.jpg
Note: if you are using a dark theme on GNOME, use picture-uri-dark argument. If you are usng a light theme, use picture-uri argument.
For changing Login Screen background in GDM, you can refer to:
Indeed, the file containing information about the Login background is gnome-shell-theme.gresource. The user can create a backup file of it, and create a new one as described in https://wiki.archlinux.org/title/GDM#Login_screen_background_image
During this creation, in lockDialogGroup, remember to set background-size: as cover;;
When the user created this file, it should place it in /usr/share/gnome-shell. Keep the backup file because this operation can break the Login Screen if the user didn't do it well. If it occurs, on the black screen after the reboot, press ALT+F1 or ALT+F2 or ALT+Fx (where x is another number) to call the terminal, enter as root and restore the backup file.
On Athena a new gresource file has been used for changing the Login Screen and for setting a transparent Top Bar. During the creation of Athena, this new gresource file has been placed in airootfs/usr/share/gnome-shell as .gresourcenew. Then, the replacing with the old file is performed by Calamares Installer by shellprocess-<before|final>.conf file.