October 28, 2015
Introducing TAP - An Open-Source Attack Platform
Written by
David Kennedy
As security assessors, we don't always have the luxury of being onsite working with our customers all of the time. For that reason, I created the TrustedSec Attack Platform (TAP) device. The basic concept is that you can deploy a box to the customer and have it automatically establish itself back to you in order to perform pentests. While this may seem like a simple concept, reliability, continual updates, and egress filtering are always a challenge. TAP solves that by only requiring one outbound port, using proxychains-ng for all outbound communications, and completely setting up the device for you in an automated fashion. It supports SSH keys, passwords (stored via AES encryption), and more. Additionally, TAP will automatically repair itself if it detects that the SSH port is down, as well as if there are other issues with the device.
Additionally, there are scripts that the team here at TrustedSec has created that allow you to establish a full SSH tunnel into the machine from whatever box you want. The concept is to quickly create and deploy boxes you can send to locations in order to ensure you can maintain access during an assessment. TAP will ensure that the system is always up-to-date with your latest patches, and uses the PenTesters Framework (github.com/trustedsec/ptf) to automatically install all of your tools and keep them up-to-date.
TAP is recommended to be installed on a more long-term and stable Linux platform, such as an Ubuntu LTS release, for stability and updates.
For hardware, we use the Intel NUC series with a solid-state drive, 16 GB of RAM, an Alfa wireless adapter attached for wireless assessments, and a Verizon LTE card so you don't have to worry about egress filtering if outbound access isn't available. We recommend using iptables to block EVERYTHING except the IP addresses that you want the remote connection going to, and blocking all incoming connections.
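The firewall recommendation above, rendered as an iptables-restore ruleset builder. This is an added example written for this post, not code from TAP itself: it drops every inbound connection (the operator reaches the device through the reverse SSH session, so no inbound rule is needed) and allows new outbound connections only to the REMOTE box and to whatever update servers you whitelist. All addresses and ports are constructed placeholders; the optional DNS allowance is my addition, because a whitelisted update server named by hostname still needs name resolution.

```python
"""Build an iptables-restore ruleset for a TAP-style drop box (added example).

Default policy is DROP on INPUT, FORWARD and OUTPUT; only loopback, already
established flows, the REMOTE SSH box, whitelisted update hosts and (optionally)
one resolver are allowed out. Nothing is allowed in.
"""
from ipaddress import ip_address


def _allow_new_tcp(dest_ip, dest_port):
    ip_address(dest_ip)  # raises ValueError on a malformed address
    return (f"-A OUTPUT -p tcp -d {dest_ip} --dport {int(dest_port)} "
            "-m conntrack --ctstate NEW -j ACCEPT")


def build_ruleset(remote_ip, remote_port, update_hosts=(), dns_server=None):
    """Return iptables-restore text.

    remote_ip/remote_port: the REMOTE box the device connects back to.
    update_hosts: iterable of (ip, port) pairs for approved update servers.
    dns_server: resolver IP to allow on port 53 (assumption: only needed if
                update hosts are reached by name rather than by IP).
    """
    ip_address(remote_ip)
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT DROP [0:0]",
        # Local processes (sshd, proxychains, the update checker) talk over lo.
        "-A INPUT -i lo -j ACCEPT",
        "-A OUTPUT -o lo -j ACCEPT",
        # Replies to connections we opened; nothing else comes in.
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # The single outbound port the reverse SSH session uses.
        _allow_new_tcp(remote_ip, remote_port),
    ]
    for host, port in update_hosts:
        lines.append(_allow_new_tcp(host, port))
    if dns_server:
        ip_address(dns_server)
        lines.append(f"-A OUTPUT -p udp -d {dns_server} --dport 53 -j ACCEPT")
        lines.append(f"-A OUTPUT -p tcp -d {dns_server} --dport 53 -j ACCEPT")
    # Explicit final drops so a later rule appended by hand cannot widen the policy silently.
    lines.append("-A INPUT -j DROP")
    lines.append("-A OUTPUT -j DROP")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: REMOTE box on 203.0.113.10:443, one update mirror, one resolver.
    print(build_ruleset("203.0.113.10", 443,
                        update_hosts=[("198.51.100.5", 80)],
                        dns_server="203.0.113.53"))
```

Write the output to a file and load it with `iptables-restore`, then confirm the result with `iptables -S`. Because the operator's access rides inside the outbound SSH session, the INPUT chain never needs a hole for it; if you later see an `-A INPUT ... --dport 22 -j ACCEPT` line on a deployed device, that is a change worth investigating.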
Installing or Uninstalling TAP
python setup.py <install> - This will install TAP.
In order to uninstall TAP: python setup.py <uninstall> - This will uninstall TAP.
Setup will walk you through all of the steps you need in order to be successful in deploying the box.
Setting up TAP
When setting up TAP, the first question you may have is about the REMOTE SSH server. This is an external box you control with SSH exposed: the machine you have on the Internet waiting for connections, which the TAP device connects back to. It is not recommended to use root for this, as that is a security oversight; use a normal user to establish the SSH tunnel. Right now it is password only, although later on we will be adding support for SSH keys. The password is stored using AES; however, the cipher key storage is insecure at the moment. Someone with maintained access to the box could grab the cipher key and, with enough time and persistence, decrypt the password in the config. This will be fixed in a later release.
The second question is the LOCAL port that will be opened on the REMOTE box. When TAP connects back via reverse SSH, it connects to the REMOTE box and establishes a local port on that machine. When you SSH to the remote box on the Internet, you will want to run ssh user@localhost -p <port>, where <port> is the port TAP binds to on the REMOTE system so you can access it.
Once you configure that, TAP has a default path it pulls updates from; you can change this to your own update path. I intentionally kept this off GitHub so you can specify what you want for approved updates.
Next, you can send commands to TAP; it checks every two minutes for new instructions. You need to specify a path, for example: https://websiteurl/commands.txt. TAP will check that path every two minutes looking for new commands. Note that this next part is IMPORTANT: the first line of the text file MUST contain "EXECUTE COMMAND" (without the double quotes).
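The command-file format described above, as an added example that is not TAP's own code: it validates the mandatory "EXECUTE COMMAND" first line and keeps a ledger of what has already been run so each command line executes only once. Nothing here fetches or executes anything; it only returns the lines that would be new, which is the part worth getting right before any command is handed to a shell. The sample polls are constructed, and skipping blank lines is my assumption about the format.

```python
"""Validate a TAP-style commands.txt and decide which lines are new (added example).

The first line must be exactly "EXECUTE COMMAND"; every later non-blank line is
one command. A ledger of SHA-256 fingerprints records what was executed before,
so the same line is never run twice even if the file is left in place.
"""
import hashlib

HEADER = "EXECUTE COMMAND"


def parse_command_file(text):
    """Return the command lines if the header is valid, otherwise None."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        return None  # no header: treat the whole file as not-for-execution
    # Assumption: blank lines carry no command and are ignored.
    return [ln.strip() for ln in lines[1:] if ln.strip()]


def fingerprint(command):
    """Stable identity for a command line; the ledger stores these, not the text."""
    return hashlib.sha256(command.encode("utf-8")).hexdigest()


def pending_commands(text, ledger):
    """Commands in `text` not yet in `ledger` (a set of fingerprints).

    Returns None when the header check fails so the caller can log and skip.
    """
    commands = parse_command_file(text)
    if commands is None:
        return None
    return [c for c in commands if fingerprint(c) not in ledger]


def record_executed(command, ledger):
    """Mark a command as done; call this only after it actually ran."""
    ledger.add(fingerprint(command))


# Constructed sample polls, two minutes apart.
SAMPLE_FIRST_POLL = "EXECUTE COMMAND\nservice ssh restart\n"
SAMPLE_SECOND_POLL = "EXECUTE COMMAND\nservice ssh restart\napt-get update\n"
SAMPLE_NO_HEADER = "service ssh restart\n"


if __name__ == "__main__":
    ledger = set()
    print("no header ->", pending_commands(SAMPLE_NO_HEADER, ledger))
    for cmd in pending_commands(SAMPLE_FIRST_POLL, ledger):
        print("would run:", cmd)
        record_executed(cmd, ledger)
    print("second poll, new only ->", pending_commands(SAMPLE_SECOND_POLL, ledger))
```

Two things follow from this design. First, because the ledger keys on the command text, a repair command you need to run again later has to differ textually (a trailing comment with a date is enough); otherwise it is silently skipped. Second, the polled URL is an integrity-critical input to a device that runs whatever it reads, so the update path should be served over HTTPS with certificate validation on, from a host only you can write to, which is exactly why the post suggests keeping it off a shared location.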
Once TAP identifies this, it will check whether each command was executed before and, if not, execute the commands line by line. This is useful when you lose connection with TAP and need to execute commands to fix it.
Once you run setup, it will install the files in /usr/share/tap. It will automatically start if you specify, and will automatically check for updates such as Debian updates, TAP updates, etc. You should also whitelist the update servers if you are using Debian, as well as the REMOTE box you connect back to. That's it!
SSH VPN
In the event that you decide not to use SSH keys and use passwords instead, the config stores the password in AES format. If you need to update the password, go to the scripts directory, which has an update-password script to update the encrypted password and create a new dynamic cipher key.
Also, a neat trick once you are there is a small tool we wrote that is basically an SSH VPN. This works out great if you aren't doing large traffic volumes such as port scans, vulnerability scans, etc. The tool is a simple wrapper around sshuttle that creates the VPN. Just save it into a Python file, run it, and use the commands. It will VPN you into the remote network where TAP is deployed, and you can do anything as long as it isn't extremely high-volume traffic (pretty stable).
There are two ways to handle a VPN. The first is the sshuttle method just described. You can also use a transparent VPN created by Geoff Walton at TrustedSec, located under the scripts folder. This will create a TAP interface and VPN you into the system through SSH. With sshuttle, things like port scans do not work properly, so I would highly recommend the ssh-tunnel script.
Automatic Proxy Chains
TAP uses proxychains4 (proxychains-ng) to tunnel all of your HTTP/HTTPS traffic through SSH to your remote box. This helps with content/egress filtering so you can ensure you always have everything up-to-date.
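The reverse SSH connection and the self-repair behaviour described above, modelled as an added example (not TAP's code): one function assembles the ssh(1) invocation that binds the LOCAL port on the REMOTE box, one checks whether a TCP port still answers, and one decides what a watchdog tick should do. Host names, ports and the user are constructed; the key-file option assumes the SSH-key mode the post says is coming, and the `StrictHostKeyChecking` setting assumes you have already recorded the REMOTE box's host key on the device.

```python
"""Reverse-SSH tunnel invocation and local health check (added example).

The device runs ssh with -R so that a port on the REMOTE box's loopback is
forwarded back to the device's own sshd. Binding to 127.0.0.1 on the remote
side means the forwarded port is reachable only by someone already logged in
to the REMOTE box (ssh user@localhost -p <port>), never from the Internet.
"""
import socket


def build_reverse_tunnel_argv(remote_user, remote_host, remote_port, local_port, key_path=None):
    """argv for ssh(1): forward <local_port> on the REMOTE box's loopback to this device's sshd."""
    argv = [
        "ssh", "-N",                            # no remote shell, just the forward
        "-o", "ExitOnForwardFailure=yes",       # exit rather than linger without the forward
        "-o", "ServerAliveInterval=30",         # a dead link is noticed within ~90 seconds
        "-o", "ServerAliveCountMax=3",
        "-o", "StrictHostKeyChecking=yes",      # assumption: REMOTE host key already pinned
        "-p", str(int(remote_port)),            # the single outbound port the box needs
        "-R", f"127.0.0.1:{int(local_port)}:127.0.0.1:22",
    ]
    if key_path:                                # assumption: SSH-key mode
        argv += ["-i", key_path]
    argv.append(f"{remote_user}@{remote_host}")
    return argv


def tcp_port_open(host, port, timeout=2.0):
    """True if something accepts a TCP connection on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def repair_action(local_ssh_up, tunnel_process_alive):
    """What a watchdog loop should do this tick; sshd comes first since the
    forward is useless until port 22 answers locally."""
    if not local_ssh_up:
        return "restart-sshd"
    if not tunnel_process_alive:
        return "restart-tunnel"
    return "ok"


def open_throwaway_listener():
    """Bind a loopback listener on an ephemeral port so tcp_port_open can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    print(" ".join(build_reverse_tunnel_argv("tapuser", "remote.example", 443, 2222)))
    srv, port = open_throwaway_listener()
    print("listener up:", tcp_port_open("127.0.0.1", port))
    srv.close()
    print("listener closed:", tcp_port_open("127.0.0.1", port))
    print(repair_action(local_ssh_up=tcp_port_open("127.0.0.1", 22), tunnel_process_alive=True))
```

A watchdog built on these pieces would run every couple of minutes, call `tcp_port_open("127.0.0.1", 22)` for the local check, and act on `repair_action`. Keeping the forwarded port on loopback is the detail to verify on the REMOTE box: `ss -ltn` there should show it bound to 127.0.0.1, not 0.0.0.0, and `GatewayPorts` in its sshd_config should stay at the default.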
In order to use proxychains, just type proxychains4 <command>. TAP updates automatically use this.
Logging
During the setup process, TAP will prompt you to see if you want to log all commands executed on the system. If you do, all commands entered on the system will be logged so that you can provide them to the customer or keep records of what happened on the device. All logs are saved under /var/log/messages.
Download TAP
The TrustedSec Attack Platform (TAP) can be downloaded from here: Download Here
TAP and this blog post were written by David Kennedy, founder of TrustedSec.