
Configuring

John Torakis edited this page Feb 8, 2021 · 10 revisions

Wormnest is configured through environment variables, so the configuration can be written to a file and sourced before execution.

Example Configuration:

wormnest.conf

ALIAS_DIGITS_MAX=12
MANAGE_URL_DIR="00001112managedir"
EXPIRED=redir
REDIRECT_URL="https://google.com"

Running with a configuration:

set -a                  # export every variable assigned while sourcing
source wormnest.conf
set +a                  # stop auto-exporting
python3 app.py

The Environment Variables

IP

This can be either 127.0.0.1, the IP address of some particular network interface, or 0.0.0.0 for all interfaces.

Defaults to 0.0.0.0.

PORT

The TCP port of the Web Server.

Defaults to 8000

SRV_DIR

The directory that will serve as the base directory. The files that will be served have to be in this directory.

Defaults to test_directory/

ALIAS_DIGITS_MIN and ALIAS_DIGITS_MAX

The random URLs created by Wormnest will have a certain length. This length is randomly selected between ALIAS_DIGITS_MIN and ALIAS_DIGITS_MAX. ALIAS_DIGITS_MIN must be less than or equal to ALIAS_DIGITS_MAX.

Both default to 8

MANAGE_URL_DIR

The Base URL of the management Web Interface. It serves as a password, as there is no other way to manage the Application. It MUST contain no slashes (/).

  • Defaults to 'manage'
  • Random String if "*" is used

MISS

What happens when a non-existent URL alias is used. Values: [redir|abort]

Defaults to abort.

EXPIRED

What happens when an expired URL alias is used. Values: [redir|abort]

Defaults to abort.

BLACKLISTED

What happens when the IP address of the request is not in the list of accepted IP network ranges (see IP_WHITELIST and IP_BLACKLIST). Values: [redir|abort]

Defaults to abort.

  • redir: will redirect the client to REDIRECT_URL using an HTTP Response Code of 302
  • abort: will serve an HTTP 404 Not Found error page

REDIRECT_URL

The URL that will be used if the application redirects a client away.

Defaults to https://amazon.com

DEFAULT_FILENAME

A filename that will be used when no filename has been selected for a URL alias. If USE_ORIGINAL_EXTENSION is set to True, the real filename's extension will be used.

Defaults to ClientDesktopApp

USE_ORIGINAL_EXTENSION

See DEFAULT_FILENAME above.

Defaults to True

LOG_SPAWN_FILE

Logs lines like "/MANAGE_URL_DIR PORT DATE" for every execution. This is mostly to keep track of the MANAGE_URL_DIR, in case it is randomized.

Defaults to wormnest.mgmt_route.txt

IP_WHITELIST

A list of IP address ranges that will be allowed to access the URL aliases of Wormnest. The attack target scope can be set here to avoid domain blacklisting (deny access to various sandboxes like VirusTotal, etc).

Example: IP_WHITELIST="127.0.0.1/8,192.168.4.1/24" - only localhost and the local network 192.168.4.1/24 (notice the lack of spaces " " after the comma ",").

Defaults to 0.0.0.0/0 - all IP addresses

IP_BLACKLIST

A list of IP address ranges that will explicitly NOT be allowed to access the URL aliases of Wormnest (even if they exist in the IP_WHITELIST). Useful for excluding IP ranges of Security Operation Centers (SOCs), or known sandboxes set on the target's premises.

Example: IP_BLACKLIST="192.168.4.5/32" - the local network address 192.168.4.5 will not get any payloads. Same syntax as IP_WHITELIST.

Defaults to "" - No blacklisted IP addresses by default
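The constraints stated above (ALIAS_DIGITS_MIN <= ALIAS_DIGITS_MAX, no slash in MANAGE_URL_DIR, redir|abort values, comma-separated ranges without spaces) can be checked before the server is started. The following is an added example, not part of Wormnest: the names validate and parse_ranges are hypothetical, the checks mirror this page's text rather than Wormnest's own parsing, and flagging the default manage path is an added judgement based on the note that the path acts as the password.

```python
import ipaddress

ACTIONS = {"redir", "abort"}
# Defaults as documented on this page.
DEFAULTS = {
    "ALIAS_DIGITS_MIN": "8", "ALIAS_DIGITS_MAX": "8",
    "MANAGE_URL_DIR": "manage",
    "MISS": "abort", "EXPIRED": "abort", "BLACKLISTED": "abort",
    "IP_WHITELIST": "0.0.0.0/0", "IP_BLACKLIST": "",
}

def parse_ranges(value):
    """Split a comma-separated CIDR list; return (networks, errors)."""
    nets, errors = [], []
    for item in filter(None, value.split(",")):
        if item != item.strip():
            errors.append(f"whitespace around {item!r}")
            continue
        try:
            # strict=False: the page's own examples (127.0.0.1/8) set host bits
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            errors.append(f"not a CIDR range: {item!r}")
    return nets, errors

def validate(env):
    """Return a list of problems found in a mapping such as os.environ."""
    cfg = {**DEFAULTS, **{k: v for k, v in env.items() if k in DEFAULTS}}
    problems = []
    try:
        lo, hi = int(cfg["ALIAS_DIGITS_MIN"]), int(cfg["ALIAS_DIGITS_MAX"])
        if lo > hi:  # also catches MIN raised while MAX stays at its default
            problems.append("ALIAS_DIGITS_MIN > ALIAS_DIGITS_MAX")
    except ValueError:
        problems.append("ALIAS_DIGITS_* must be integers")
    if "/" in cfg["MANAGE_URL_DIR"]:
        problems.append("MANAGE_URL_DIR contains a slash")
    if cfg["MANAGE_URL_DIR"] == DEFAULTS["MANAGE_URL_DIR"]:
        problems.append("MANAGE_URL_DIR is the guessable default")
    for key in ("MISS", "EXPIRED", "BLACKLISTED"):
        if cfg[key] not in ACTIONS:
            problems.append(f"{key} must be redir or abort")
    for key in ("IP_WHITELIST", "IP_BLACKLIST"):
        problems += [f"{key}: {e}" for e in parse_ranges(cfg[key])[1]]
    return problems

if __name__ == "__main__":
    import os
    print("\n".join(validate(os.environ)) or "configuration OK")
```

Run it in the same shell after exporting the variables from wormnest.conf; it prints one line per problem, or "configuration OK".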

IP_GEOLOCATION_BLACKLIST

A comma-separated, case-insensitive list of places (country names/codes, cities, regions). If a Wormnest alias is accessed from an IP address whose geolocation matches any of the listed names, the BLACKLISTED behaviour will be triggered.

Example: IP_GEOLOCATION_BLACKLIST="CN,New York,Atlanta,Greece" - China, Greece, New York and Atlanta will not get any payloads.

Defaults to "" - No blacklisted Geolocations by default

DEFAULT_PATHS_FILE

A JSON file containing URL aliases that will be used as defaults. They are registered without the file existence check.

Defaults to urls.default.json

A sample urls.default.json file

{
  "download_now":{
    "path":"metasploit/generated/meter_pinning_443.exe",
    "filename":"CrazyTaxi_cracked_singlefile_by_Raz0r_team_2006.exe"
  },
  "android":{
    "path":"metasploit/generated/meter_pinning_443.apk"
  },
  [.. More definitions ..]
}

The above will make the default setup of wormnest route the following:

  • http[s]://payload-server:8000/download_now to serve metasploit/generated/meter_pinning_443.exe with a "Content-Disposition" HTTP Header containing CrazyTaxi_cracked_singlefile_by_Raz0r_team_2006.exe as the filename argument

  • http[s]://payload-server:8000/android to serve metasploit/generated/meter_pinning_443.apk with the default filename of ClientDesktopApp and the file's original extension (USE_ORIGINAL_EXTENSION parameter). Hence ClientDesktopApp.apk will be placed in the "Content-Disposition" HTTP Header.