CIS490

bolyai/CIS490

Fork 0

Commit graph

Author	SHA1	Message	Date
max	613c6fa223	Tier 3: msfrpc-driven exploit driver + first module config Adds the Tier-3 exploit driver — an MSFExploitDriver that plugs into EpisodeRunner.on_phase, fires a Metasploit module against a target VM via msfrpcd, watches for the resulting session, and stamps each transition (exploit_fire, session_open, session_landing_probe, sample_executed, session_dormant, session_killed) into the episode's events.jsonl on the orchestrator's monotonic clock. What landed: - exploits/msfrpc.py — minimal msgpack-over-HTTPS client (auth, module.execute, job/session lifecycle) so we don't depend on a third-party MSF wrapper. - exploits/driver.py — phase-to-msfrpc adapter; idempotent fire, session-open polling with timeout, workload start/stop, teardown. - exploits/modules.py + exploits/modules/vsftpd_234_backdoor.toml — TOML module configs with {{ target_ip }} placeholders, replacing the imperative .rc-script approach the README previously hinted at. - vm/launch_target.sh — SLIRP+restrict=on launcher for the intentionally-vulnerable target VM (host can reach guest via hostfwd, guest cannot reach host or internet). - tools/run_tier3_demo.py — end-to-end runner mirroring run_real_vm_demo. - tests/test_exploits.py — 12 new tests against a fake MSFRpcClient, including an integration test that drives a real EpisodeRunner. Plumbing changes: - EpisodeRunner._emit_event → public emit_event, so external drivers share the runner's monotonic clock and events.jsonl. - mkdir for episode_dir moved to __init__ so emit_event is callable before run() (driver_setup fires pre-schedule). Status: driver + tests pass (40/40); end-to-end against a live msfrpcd + Metasploitable2 image is the next bring-up step. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-29 23:11:52 -05:00
Maximus Gorog	fa1574a0a6	Scaffold project: docs, repo skeleton, transport + deploy design Lays down the design surface for the CIS490 behavioral-malware-detection dataset and model. No code yet — schema and topology are decided first so collection can start without rework. Docs: - README: project goal, navigation - architecture: lab topology, KVM choice, episode state machine, deployment-mirror reasoning - threat-model: train/serve parity rule, oracle-vs-deployable feature split, two-model evaluation strategy - data-model: per-episode JSONL layout, row schemas, phase enum - transport: WG-native shipper/receiver design, idempotent uploads - deploy: one-command install for lab-host and receiver roles - lab-setup: KVM prereqs, VM build, snapshot, virtio-serial wiring Skeleton: orchestrator/, collectors/, vm/, exploits/, samples/, training/ (each with a short README explaining purpose). Extended .gitignore to exclude qcow2 images, pcaps, sample binaries, secrets. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-28 23:21:00 -06:00

Author

SHA1

Message

Date

max

613c6fa223

Tier 3: msfrpc-driven exploit driver + first module config

Adds the Tier-3 exploit driver — an MSFExploitDriver that plugs into
EpisodeRunner.on_phase, fires a Metasploit module against a target VM
via msfrpcd, watches for the resulting session, and stamps each
transition (exploit_fire, session_open, session_landing_probe,
sample_executed, session_dormant, session_killed) into the episode's
events.jsonl on the orchestrator's monotonic clock.

What landed:
- exploits/msfrpc.py — minimal msgpack-over-HTTPS client (auth,
  module.execute, job/session lifecycle) so we don't depend on a
  third-party MSF wrapper.
- exploits/driver.py — phase-to-msfrpc adapter; idempotent fire,
  session-open polling with timeout, workload start/stop, teardown.
- exploits/modules.py + exploits/modules/vsftpd_234_backdoor.toml —
  TOML module configs with {{ target_ip }} placeholders, replacing the
  imperative .rc-script approach the README previously hinted at.
- vm/launch_target.sh — SLIRP+restrict=on launcher for the
  intentionally-vulnerable target VM (host can reach guest via
  hostfwd, guest cannot reach host or internet).
- tools/run_tier3_demo.py — end-to-end runner mirroring run_real_vm_demo.
- tests/test_exploits.py — 12 new tests against a fake MSFRpcClient,
  including an integration test that drives a real EpisodeRunner.

Plumbing changes:
- EpisodeRunner._emit_event → public emit_event, so external drivers
  share the runner's monotonic clock and events.jsonl.
- mkdir for episode_dir moved to __init__ so emit_event is callable
  before run() (driver_setup fires pre-schedule).

Status: driver + tests pass (40/40); end-to-end against a live msfrpcd
+ Metasploitable2 image is the next bring-up step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-29 23:11:52 -05:00

Maximus Gorog

fa1574a0a6

Scaffold project: docs, repo skeleton, transport + deploy design

Lays down the design surface for the CIS490 behavioral-malware-detection
dataset and model. No code yet — schema and topology are decided first so
collection can start without rework.

Docs:
- README: project goal, navigation
- architecture: lab topology, KVM choice, episode state machine,
  deployment-mirror reasoning
- threat-model: train/serve parity rule, oracle-vs-deployable feature
  split, two-model evaluation strategy
- data-model: per-episode JSONL layout, row schemas, phase enum
- transport: WG-native shipper/receiver design, idempotent uploads
- deploy: one-command install for lab-host and receiver roles
- lab-setup: KVM prereqs, VM build, snapshot, virtio-serial wiring

Skeleton: orchestrator/, collectors/, vm/, exploits/, samples/,
training/ (each with a short README explaining purpose).
Extended .gitignore to exclude qcow2 images, pcaps, sample binaries,
secrets.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-28 23:21:00 -06:00

2 commits