Ghostwriter v2.0 Release

It has been a while since we released a new version of Ghostwriter. Truth be told, we’ve never actually tagged a release, but we consider the version we debuted at Black Hat Arsenal in August 2019 to be v1.0. Since then, we have added many features and enhancements, but they pale in comparison to the changes in today’s exciting release, Ghostwriter v2.0!

The code and release will be available at 12:00 PST on Friday, November 20th (today). The release will coincide with our Managing Your Red Team Operations with Ghostwriter presentation at SO-CON 2020. Come join us for a presentation and Q&A:

SO-CON 2020 | SpecterOps

There’s much to discuss, so let’s review the most significant changes.

Everything Gets an Upgrade

We’ve done more than the usual “squashed bugs and fixed things” here. We upgraded Ghostwriter’s back-end to Django 3 and updated all dependencies with it. While reviewing the codebase to future-proof it for upcoming Django 3.x changes, we also refactored most of the codebase for improved speed, responsiveness, and reliability throughout the application.

Here is the current Ghostwriter stack with v2.0:

Ghostwriter’s Tech Stack

We created and released a code style guide to help you more easily understand the code and customize it. You can find it here:

Basic Formatting

Once we had a Release Candidate (RC), a third party (i.e., not SpecterOps) performed a penetration test against Ghostwriter’s production deployment with a test account. They discovered some issues in the v2.0 RC (and a handful of low-severity problems in older code), which we resolved for this release. Of course, application security is not a one-and-done thing! We’re happy to do this sort of testing with Ghostwriter and will continue to do it going forward.

New Coat of Paint

For starters, we re-worked some of Ghostwriter’s interface and overall style. It’s not just a new coat of paint; the new colors and layout should make it easier for you to quickly access what you need.

Ghostwriter’s New Look

WebSockets Support & Real-Time Comms

We have added support for WebSockets throughout the application. This change enables real-time communication between your client (e.g., your web browser) and the Ghostwriter server. There are many interesting opportunities for us to use WebSockets in the future (we will discuss a few down below). Basically, Ghostwriter can now send you notifications and update web pages in real-time as you and your team collaborate on projects.

With this change, we migrated much of the user interface to WebSockets and AJAX, so you will find many button clicks and other interactions that used to refresh your page will now instantly trigger in the background.

Take Command of Your Configuration

There is a new section of the admin panel called Command Center. Here you can make changes to Ghostwriter’s configuration without ever restarting the server. This means you no longer need to configure things like API keys in the Django settings files and restart your server every time that information changes.

Part of the New Command Center

The settings have expanded to give you more control than ever before. You can now swiftly change colors for finding severity categories, customize settings for image borders in Word reports, or roll API keys.

Automated Activity Logging

Daniel Heinsen (@hotnops) wrote a post about this feature when we released it into the wild as a beta release. You can check it out here:

Updates to Ghostwriter: UI and Operation Logs

Daniel put a lot of work into this feature and covered it well in that post, so there’s not much to add here. Still, it bears repeating that this feature opens many doors for Ghostwriter. The logging endpoint is the application’s first API endpoint. We will add many more in the coming year.

Automated Activity Logging Workflow

This workflow is powerful. You can log your actions from C2 frameworks like Mythic and Cobalt Strike, or just about anything else that can send a web request. That data offers some out-of-this-world possibilities for reporting and further automation. In the future, we may even integrate Ghostwriter’s Activity Logging with a red team SIEM such as RedELK to further expand the data available to Ghostwriter.

We want humans to do what humans do best and leave the rote work to the computers.

Overwatch: Looking Out for You

With WebSockets, it’s now easier than ever for Ghostwriter to offer you real-time suggestions. The SpecterOps team came up with a few ideas for opportunities in the Ghostwriter workflow where the server could highlight a potential mistake. In this release, Ghostwriter will keep an eye on your work as you check out a domain name. The server will send you an alert (without interrupting you) if it notices any of these conditions:

  • The domain name is expiring soon and is not set to auto-renew
  • You previously used the domain name with the selected client
  • The domain name is marked as “burned”

The notifications don’t prevent you from continuing. They merely point out details that you might have overlooked and would impact operational security or usability. We plan to expand this feature in the future.

Information Hubs: New Tabular Dashboards

We have some great things planned for the project pages. The old accordion-style interface had to go to make way for these changes. All of the pages for clients, domains, and projects received new designs to make it easy to glance at the page and see key pieces of information.

New Project Dashboard Design

For example, this project dashboard makes it much easier to see key pieces of information (e.g., assignments, number of findings, objectives) without any clicks. Our goal is to make these pages something you want to keep open in a browser tab while working on an assessment. Likewise, we want non-operators to use them to quickly review the status of a project. Expect to see more changes to these dashboards in the future.

+10 to Reporting

Finally, Ghostwriter v2.0’s report generation capabilities are far more advanced and customizable than ever before. We reworked the report page to make it easier to review findings and their status and to make adjustments. You can now drag-and-drop findings into different positions and categories to update their severity rating and position within your reports.

New Report Management Design

Letter to the Editor

This release drastically changes how Ghostwriter generates reports. We introduced the WYSIWYG editor in January 2020 to enable styling findings

As a reminder, the reporting engine works like this:

Report Composition Workflow

Ghostwriter mirrors your formatting from the WYSIWYG editor in the report output. In addition to the WYSIWYG editor’s HTML, you can also use a variety of Ghostwriter template placeholders (e.g., {{.client}}) to insert project information and Jinja2 expressions and statements to manipulate the data.

You have the most control over the Word documents, where you can create figures and use a broader collection of paragraph and character styles. To unlock all possible options, we upgraded the v2.0 editor with a full suite of formatting and styling options that mirror just about everything you might want to use for your report. The new options include:

  • Superscript and subscript
  • Strikes
  • Highlights
  • Alignment options
  • Header styles
  • Font options — family, size, and color

All of these options will translate to your Word and PowerPoint documents.

The Last Word on Templating

Word documents benefit the most from these changes because we have also added support for rich text objects. These are reporting objects that are like Word document versions of anything you compose within Ghostwriter. Basically, you can now place anything you write in Ghostwriter (e.g., a finding’s description) wherever you want it in a Word document, and it will appear there looking exactly like the content in the WYSIWYG editor.

A demonstration expresses this capability better than words:

WYSIWYG and Template Progression

These new objects work in concert with the full suite of other Jinja2 expressions, statements, and filters available to you. That collection has grown in this release and now includes custom filters like filter_severity to provide additional flexibility in your Word templates.

You can combine the new rich text objects, Jinja2 statements, Jinja2 filters, and Ghostwriter’s filters to do things like this:

Example Use of Template Expressions and Filters

The wiki has the full details and instructions on how to use these new objects. It also has a reference table for all of the statements and expressions.

Speaking of references, you might have noticed the earlier example included a new {{.ref … }} tag that transformed into Figure 1 in the final Word document. That was a fully functional cross-reference to the related figure label.

Cross-references are something a report writer uses often, but they were not previously possible in Ghostwriter. This release enables you to create dynamic cross-references that point to your evidence.

Templating for Success

This release also introduces initial support for report templates. Previously, you had one template.docx for Word and one template.pptx for PowerPoint. To take full advantage of the new templating possibilities, you can now upload multiple templates and switch between them when generating Word documents or PowerPoint presentations.

You can set a default template for both docx and pptx in the global report configuration in Command Center.

With all of the new options for creating report templates, there are bound to be typos and little mistakes. Ghostwriter will lint all of your report templates and notify you if anything goes wrong.

Template Linter Results

Ghostwriter will attempt to open the template, check it for any incorrect or unknown expressions or statements, and then attempt to render a dummy report. This process will catch any filesystem or syntax issues so you can address them before you generate a report.
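The first two linter steps described above (open the template, then check its expressions and statements), implemented with only the Python standard library. This is an added example, not Ghostwriter's own linter: the regex checks stand in for a real Jinja2 parse, the dummy render step is not covered, and `lint_docx`, `make_docx`, `KNOWN_NAMES` and every filter except `filter_severity` are assumptions.

```python
import html
import io
import re
import zipfile

# filter_severity is named in the post; the other filters and all context
# names below are assumptions made for this example.
KNOWN_FILTERS = {"filter_severity", "upper", "lower", "length"}
KNOWN_NAMES = {"client", "project", "findings", "finding"}
TAG = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)
CLOSERS = {"endfor": "for", "endif": "if"}


def lint_docx(data):
    """Return a list of problems found in a .docx template held in memory."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            xml = zf.read("word/document.xml").decode("utf-8")
    except (zipfile.BadZipFile, KeyError) as exc:
        return [f"cannot open template: {exc}"]
    # Word splits text across runs, so drop the markup before matching tags.
    text = html.unescape(re.sub(r"<[^>]+>", "", xml))
    problems, stack = [], []
    for m in TAG.finditer(text):
        expr, stmt = m.group(1), m.group(2)
        body = expr if expr is not None else stmt
        for name in re.findall(r"\|\s*(\w+)", body):
            if name not in KNOWN_FILTERS:
                problems.append(f"unknown filter: {name}")
        if expr is not None:
            root = re.match(r"\s*(\w*)", expr).group(1)
            if root not in KNOWN_NAMES:
                problems.append(f"unknown expression: {expr.strip()}")
            continue
        words = stmt.split()
        keyword = words[0] if words else ""
        if keyword in ("for", "if"):
            stack.append(keyword)
        elif keyword in CLOSERS:
            if not stack or stack.pop() != CLOSERS[keyword]:
                problems.append(f"unexpected {keyword}")
    problems += [f"unclosed {kw} block" for kw in stack]
    return problems


def make_docx(body):
    """Build a constructed, minimal template zip with only word/document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", f"<w:document><w:t>{body}</w:t></w:document>")
    return buf.getvalue()
```

Running the lint at upload time, as the post describes, surfaces a misspelled placeholder or an unclosed loop before anyone tries to generate a client report from the template.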

Wrap-up

The SpecterOps team has many exciting things planned for Ghostwriter. The changes covered in this post were blockers for a number of our ideas. With these new features in place, the stage is set for some serious capability enhancements. For now, we hope you will try v2.0 and find it useful.

Happy reporting!

Documentation

Welcome to Ghostwriter

Get the Release

GhostManager/Ghostwriter

Ghostwriter v2.0 Release was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: https://posts.specterops.io/ghostwriter-v2-0-release-638cef16deb7?source=rss----f05f8696e3cc---4