Git Product home page Git Product logo

Comments (3)

cliffe avatar cliffe commented on August 22, 2024

The audit scenario is not meant to have flags. It aims for some realism. If you want a scenario that gives you flags try the CTF scenarios, such as flawed_fortress_1.xml.

The intention for the audit scenario is to conduct a pen test. We get students to write a formal pen test report.

from secgen.

fsacer avatar fsacer commented on August 22, 2024

Yeah I get it. But still it would be great if this specific non generated flag would not show in scenario.xml/marker.xml files as that is confusing. I was also a bit dissapointed because scenario you could not remotely attack the desktop computer as there was not any remotely exploitable vulnerability in that (it just had lightdm auto login). I don't get it what is the purpose of desktop VM. I feel there should be some specific target you go after as that usually you do in a pentest. You try to get accesss to some data.

Also one other thing it would be nice if there was a scenario that mixed a range of OSes like they do in OSCP exams/labs.

from secgen.

cliffe avatar cliffe commented on August 22, 2024

The desktop is there as part of the scenario for the sake of completeness. Really I would like to expand this scenario significantly to include more internal servers etc, to reflect what is found in real organisations. It would be unusual for a desktop VM to have many running vulnerable services. One idea for further development is to have client side vulnerabilities, such as vulnerable versions of Adobe Reader, and have the VM automate execution of email attachments, so you can launch phishing attacks against the system.

We have initial support for Windows VMs, but we severely lack content (SecGen modules) for Windows at this point... Also it should be easy to add more Linux base boxes, but that does require a fair amount of manual testing of our existing modules, and when we deploy to cloud providers we need to replicate each base box there too.

Thanks again for your interest in the project, and for raising the issues -- it helps the project to know your experiences and help raise things that could use further attention.

Mentioning @thomashaw, just so he sees this conversation on the closed issue.

Thanks again, @fsacer.

from secgen.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.