Added AWS keys to config
This commit is contained in:
parent
dd3d5d317a
commit
17d91766df
|
@ -0,0 +1,9 @@
|
|||
from enum import Enum
|
||||
|
||||
|
||||
class PROVIDERS(Enum):
|
||||
AWS = 'aws'
|
||||
AZURE = 'azure'
|
||||
GCP = 'gcp'
|
||||
ALIBABA = 'aliyun'
|
||||
ORACLE = 'oci'
|
|
@ -246,6 +246,10 @@ class Configuration(object):
|
|||
exploit_ntlm_hash_list = []
|
||||
exploit_ssh_keys = []
|
||||
|
||||
access_key_id = ''
|
||||
secret_access_key = ''
|
||||
session_token = ''
|
||||
|
||||
# smb/wmi exploiter
|
||||
smb_download_timeout = 300 # timeout in seconds
|
||||
smb_service_name = "InfectionMonkey"
|
||||
|
|
|
@ -1,22 +1,28 @@
|
|||
import logging
|
||||
|
||||
import infection_monkey.system_info.collectors.scoutsuite_collector.scoutsuite_api as scoutsuite_api
|
||||
from common.cloud.scoutsuite_consts import PROVIDERS
|
||||
from infection_monkey.telemetry.scoutsuite_telem import ScoutSuiteTelem
|
||||
from infection_monkey.config import WormConfiguration
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class CLOUD_TYPES:
|
||||
AWS = 'aws'
|
||||
AZURE = 'azure'
|
||||
GCP = 'gcp'
|
||||
ALIBABA = 'aliyun'
|
||||
ORACLE = 'oci'
|
||||
|
||||
|
||||
def scan_cloud_security(cloud_type: CLOUD_TYPES):
|
||||
results = run_scoutsuite(cloud_type)
|
||||
def scan_cloud_security(cloud_type: PROVIDERS):
|
||||
try:
|
||||
results = run_scoutsuite(cloud_type.value)
|
||||
if 'error' in results and results['error']:
|
||||
raise Exception(results['error'])
|
||||
send_results(results)
|
||||
except Exception as e:
|
||||
logger.error(f"ScoutSuite didn't scan {cloud_type.value} security because: {e}")
|
||||
|
||||
|
||||
def run_scoutsuite(cloud_type):
|
||||
return scoutsuite_api.run(provider=cloud_type)
|
||||
def run_scoutsuite(cloud_type: str):
|
||||
return scoutsuite_api.run(provider=cloud_type,
|
||||
aws_access_key_id=WormConfiguration.access_key_id,
|
||||
aws_secret_access_key=WormConfiguration.secret_access_key,
|
||||
aws_session_token=WormConfiguration.session_token)
|
||||
|
||||
|
||||
def send_results(results):
|
||||
|
|
|
@ -21,12 +21,15 @@ from monkey_island.cc.services.config_schema.config_value_paths import STARTED_O
|
|||
logger = logging.getLogger(__name__)
|
||||
|
||||
# This should be used for config values of array type (array of strings only)
|
||||
ENCRYPTED_CONFIG_ARRAYS = \
|
||||
ENCRYPTED_CONFIG_VALUES = \
|
||||
[
|
||||
['basic', 'credentials', 'exploit_password_list'],
|
||||
['internal', 'exploits', 'exploit_lm_hash_list'],
|
||||
['internal', 'exploits', 'exploit_ntlm_hash_list'],
|
||||
['internal', 'exploits', 'exploit_ssh_keys']
|
||||
PASSWORD_LIST_PATH,
|
||||
LM_HASH_LIST_PATH,
|
||||
NTLM_HASH_LIST_PATH,
|
||||
SSH_KEYS_PATH,
|
||||
AWS_KEYS_PATH + ['access_key_id'],
|
||||
AWS_KEYS_PATH + ['secret_access_key'],
|
||||
AWS_KEYS_PATH + ['session_token']
|
||||
]
|
||||
|
||||
|
||||
|
@ -69,7 +72,10 @@ class ConfigService:
|
|||
for config_key_part in config_key_as_arr:
|
||||
config = config[config_key_part]
|
||||
if should_decrypt:
|
||||
if config_key_as_arr in ENCRYPTED_CONFIG_ARRAYS:
|
||||
if config_key_as_arr in ENCRYPTED_CONFIG_VALUES:
|
||||
if isinstance(config, str):
|
||||
config = encryptor.dec(config)
|
||||
elif isinstance(config, list):
|
||||
config = [encryptor.dec(x) for x in config]
|
||||
return config
|
||||
|
||||
|
@ -79,12 +85,6 @@ class ConfigService:
|
|||
mongo.db.config.update({'name': 'newconfig'},
|
||||
{"$set": {mongo_key: value}})
|
||||
|
||||
@staticmethod
|
||||
def append_to_config_array(config_key_as_arr, value):
|
||||
mongo_key = ".".join(config_key_as_arr)
|
||||
mongo.db.config.update({'name': 'newconfig'},
|
||||
{"$push": {mongo_key: value}})
|
||||
|
||||
@staticmethod
|
||||
def get_flat_config(is_initial_config=False, should_decrypt=True):
|
||||
config_json = ConfigService.get_config(is_initial_config, should_decrypt)
|
||||
|
@ -92,6 +92,10 @@ class ConfigService:
|
|||
for i in config_json:
|
||||
for j in config_json[i]:
|
||||
for k in config_json[i][j]:
|
||||
if isinstance(config_json[i][j][k], dict):
|
||||
for key, value in config_json[i][j][k].items():
|
||||
flat_config_json[key] = value
|
||||
else:
|
||||
flat_config_json[k] = config_json[i][j][k]
|
||||
|
||||
return flat_config_json
|
||||
|
@ -101,8 +105,8 @@ class ConfigService:
|
|||
return SCHEMA
|
||||
|
||||
@staticmethod
|
||||
def add_item_to_config_set_if_dont_exist(item_key, item_value, should_encrypt):
|
||||
item_path_array = item_key.split('.')
|
||||
def add_item_to_config_set_if_dont_exist(item_path_array, item_value, should_encrypt):
|
||||
item_key = '.'.join(item_path_array)
|
||||
items_from_config = ConfigService.get_config_value(item_path_array, False, should_encrypt)
|
||||
if item_value in items_from_config:
|
||||
return
|
||||
|
|
|
@ -94,6 +94,23 @@ INTERNAL = {
|
|||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Is the monkey alive"
|
||||
},
|
||||
"aws_keys": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"access_key_id": {
|
||||
"type": "string",
|
||||
"default": ""
|
||||
},
|
||||
"secret_access_key": {
|
||||
"type": "string",
|
||||
"default": ""
|
||||
},
|
||||
"session_token": {
|
||||
"type": "string",
|
||||
"default": ""
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
|
@ -0,0 +1,63 @@
|
|||
import pkgutil
|
||||
import sys
|
||||
from pathlib import PurePath
|
||||
from typing import Tuple
|
||||
|
||||
from common.cloud.scoutsuite_consts import PROVIDERS
|
||||
from common.utils.exceptions import InvalidAWSKeys
|
||||
from monkey_island.cc.encryptor import encryptor
|
||||
from monkey_island.cc.services.config import ConfigService
|
||||
from monkey_island.cc.services.config_schema.config_value_paths import AWS_KEYS_PATH
|
||||
|
||||
_scoutsuite_api_package = pkgutil.get_loader('common.cloud.scoutsuite.ScoutSuite.__main__')
|
||||
|
||||
|
||||
def _add_scoutsuite_to_python_path():
|
||||
scoutsuite_path = PurePath(_scoutsuite_api_package.path).parent.parent.__str__()
|
||||
sys.path.append(scoutsuite_path)
|
||||
|
||||
|
||||
_add_scoutsuite_to_python_path()
|
||||
|
||||
|
||||
def is_cloud_authentication_setup(provider: PROVIDERS) -> Tuple[bool, str]:
|
||||
if provider == PROVIDERS.AWS.value:
|
||||
if is_aws_keys_setup():
|
||||
return True, "AWS keys already setup. Run monkey on Island to scan."
|
||||
|
||||
import common.cloud.scoutsuite.ScoutSuite.providers.aws.authentication_strategy as auth_strategy
|
||||
try:
|
||||
profile = auth_strategy.AWSAuthenticationStrategy().authenticate()
|
||||
return True, f" Profile \"{profile.session.profile_name}\" is already setup. Run monkey on Island to scan."
|
||||
except Exception:
|
||||
return False, ""
|
||||
|
||||
|
||||
def is_aws_keys_setup():
|
||||
return (ConfigService.get_config_value(AWS_KEYS_PATH + ['access_key_id']) and
|
||||
ConfigService.get_config_value(AWS_KEYS_PATH + ['secret_access_key']))
|
||||
|
||||
|
||||
def set_aws_keys(access_key_id: str, secret_access_key: str, session_token: str):
|
||||
if not access_key_id or not secret_access_key:
|
||||
raise InvalidAWSKeys("Missing some of the following fields: access key ID, secret access key.")
|
||||
_set_aws_key('access_key_id', access_key_id)
|
||||
_set_aws_key('secret_access_key', secret_access_key)
|
||||
_set_aws_key('session_token', session_token)
|
||||
|
||||
|
||||
def _set_aws_key(key_type: str, key_value: str):
|
||||
path_to_keys = AWS_KEYS_PATH
|
||||
encrypted_key = encryptor.enc(key_value)
|
||||
ConfigService.set_config_value(path_to_keys + [key_type], encrypted_key)
|
||||
|
||||
|
||||
def get_aws_keys():
|
||||
return {'access_key_id': _get_aws_key('access_key_id'),
|
||||
'secret_access_key': _get_aws_key('secret_access_key'),
|
||||
'session_token': _get_aws_key('session_token')}
|
||||
|
||||
|
||||
def _get_aws_key(key_type: str):
|
||||
path_to_keys = AWS_KEYS_PATH
|
||||
return ConfigService.get_config_value(config_key_as_arr=path_to_keys + [key_type])
|
|
@ -84,6 +84,9 @@ export default function UiSchema(props) {
|
|||
monkey: {
|
||||
alive: {
|
||||
classNames: 'config-field-hidden'
|
||||
},
|
||||
aws_keys: {
|
||||
classNames: 'config-field-hidden'
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue