Ghostwriter v2.2-rc1

This is a release candidate (RC) for v2.2.0. This code is final unless anyone reports a bug or issue. We have bumped the minor version to 2.2 in recognition of several impactful changes:

https://ghostwriter.wiki/change-logs/13-april-2021-v2.2.0-rc1

Ghostwriter v2.1

This is a large release that contains many changes. Going forward, expect to see smaller releases and alpha/beta releases as we try new features.

The release is completely compatible with v2.0 (and earlier). You will need to perform database migrations, and new features require reloading the seed_data file to pre-load some new models–e.g., docker-compose -f local.yml run --rm django /seed_data

List of resolved issues, enhancements, and new features:

• Implemented project scope tracking
  • Enabled tracking of one or more scope lists flagged as allowed/disallowed or requiring caution
  • Closes #59
• Implemented project target tracking
  • Enabled tracking of specific hosts with notes
• Committed redesigned project dashboards
  • Notable changes and adjustments:
    • Added a project calendar to track assignments, objectives, tasks, and project dates
    • Added new objective tracker with task management, prioritization, and sorting
• Implemented a new server search in the side bar (under Servers) that searches all static servers, cloud servers in projects, and alternate addresses tied to servers
• Added template linting checks for additional styles that may not be present in a report
  • Closes #139
• Fixed downloads of document names that included periods and commas
  • Closes #149
• Fixed evidence filenames with all uppercase extensions not appearing in reports
  • Closes #74
• Fixed a recursive HTML/JavaScript escape in log entries
  • Closes #133
• Fixed incorrect link in the menu for a point of contact under a client
  • Closes $141
  • Closes #142
    • Bug was inadvertently resolved with the new menus
    • Closing PR because it is no longer compatible
• Fixed docker-compose errors related to latest verison of the crytpography library
  • Closes #147
• Fixed possible issue with assigning a name to an AWS asset in the cloud monitor task
• Closed loophole that could allow a non-unique domain name
  • Could lead to conflicting check-outs
• Updated TinyMCE WYSIWYG editor and related JavaScript to v5.7.0
  • Resolved potential Cross-Site Scripting vulnerability discovered in previous version
• Added Clipboard.js to support better, more flexible "click to copy to clipboard" in the UI
• Added several new Jinja2 expressions, statements, and filters for Word DOCX reports
  • Added project_codename and client_codename (Closes #138)
  • Added expressions and filters for new objectives, targets, and scope lists
  • See wiki documentation
• Improved page loading with certain large forms
  • WYSIWYG editor is now loaded much more selectively
  • Extra forms are no longer created by default when editing a project or client
    • Extra forms can still be added as needed
    • Extra forms still load automatically when creating a new project or client
• Improved performance of operation log entry views with pagination
  • Very large logs could push browsers to their limits
• Implemented initial support for WebSocket channels for reports
  • Groundwork for futurue enhancement – e.g., syncing updates between users editing the same report
• Numerous minor bug fixes and style updates throughout
• Fixed notifications going to the global Slack channel when project channels were available
• Fixed uppercase file extensions blocking evidence files from appearing on pages
• Fixed rare style exception with specific nested HTML elements
• Added error handling for cases where an image file has a corrupted file header and can't be recognized for inserting into Word
• Moved 99% of icons and style elements to the styles.css file
• Updated styles and forms to make it clear what is placeholder text
• Reverted the new finding form to a one-page form–i.e., no tabbed sections–to make it easier to use
• Broke-up stylesheets for easier management of global variables
• Fixed error in cloud monitor notification messages that caused messages to contain the same external IP addresses for all VPS instances
• Fixed bug that caused delete actions on cloud server entries to not be committed
• Fixed ref tags in findings that were ingored if they followed a ref tag with a different target
• Fixed PowerPoint "Conclusion" slide's title
• Fixed filtering for report template selection dropdowns that caused both document types to appear in all dropdown menus
• Added project objectives to the report template variables
  • New template keywords: objectives (List), objectives_total (Int), objectives_complete (Int)
• Modified project "complete" toggle and instructions for clarity
• Set all domain names to lowercase and strip any spaces before creating or updating
  • Addressed cases where a user error could create a duplicate entry
• Clicking prepended text (e.g., filter icon) on filter form fields will now submit the filter
• Fixed error that could cause Oplog entries to not display
• Oplog entries list now shows loading messages and properly displays "no entries" messages
• Fixed incorrect filenames for CSV exports of Oplogs

Ghostwriter v2.0

Release Details

Read this post for full details and examples: https://posts.specterops.io/ghostwriter-v2-0-release-638cef16deb7

Also, this release included an overhaul of the documentation. The latest version is live at: https://ghostwriter.wiki/

Highlights

• Upgraded to Django 3 and updated all dependencies
• Initial commit of CommandCenter application and related configuration options
  • VirusTotal Configuration
  • Global Report Configuration
  • Slack Configuration
  • Company information
  • Namecheap Configuration
• Initial support for adding users to groups for Role-Based Access Controls
• Automated Activity Logging (Oplog application) moved out of beta
• Implemented initial "overwatch" notifications
  • Domain check-out: alert if domain will expire soon and is not set to auto-renew
  • Domain check-out: alert if domain is marked as burned
  • Domain check-out: alert if domain has been previously used with selected client
• Updated user interface elements
  • New tabbed dashboards for clients, projects, and domains
  • New inline forms for creating and managing clients and projects and related items
  • New sidebar menu to improve legibility
  • Migrated buttons and background tasks to WebSockets and AJAX for a more seamless experience
• Initial release of refactored reporting engine
  • New drag-and-drop report management interface
  • Added many more options to the WYSIWYG editor's formatting menus
  • Initial support for rich text objects for Word documents
  • Added new filter_severity filter for Word templates
• Initial support for report template and management
  • Upload report template files for Word and PowerPoint
  • New template linter to check and verify templates
• Security updates and fixes
  • Resolved potential stored cross-site scripting in operational logs
  • Resolved unvalidated evidence file uploads and new note creation
    • Associated user account is now set server-side
  • Resolved issues with WebSocket authentication
  • Locked-down evidence uploads to close potential loopholes
    • Evidence form now only allows specific filetypes: md, txt, log, jpg, jpeg, png
    • Requesting an evidence file requires an active user session
• Removed web scraping from domain health checks
• Numerous bug fixes and enhancements to address reported issues