Fix DUO102 warnings

Added comments to ignore some because:

"Python uses the Mersenne Twister as the core generator. However, being completely
deterministic, it is not suitable for all purposes, and is completely unsuitable for
cryptographic purposes. Because the generator is deterministic this means attackers
can predict future values given a sufficient amount of previous values.

Normal random use is acceptable if the relevant code is not used for security or
cryptographic purposes."
This commit is contained in:
Shreya 2021-04-21 19:11:13 +05:30 committed by Mike Salvatore
parent d8c1bf5cbe
commit a3fa4663cb
5 changed files with 10 additions and 8 deletions


@ -7,8 +7,8 @@
import json import json
import logging import logging
import posixpath import posixpath
import random
import string import string
from random import SystemRandom
import requests import requests
@ -69,8 +69,9 @@ class HadoopExploiter(WebRCE):
resp = json.loads(resp.content) resp = json.loads(resp.content)
app_id = resp["application-id"] app_id = resp["application-id"]
# Create a random name for our application in YARN # Create a random name for our application in YARN
safe_random = SystemRandom()
rand_name = ID_STRING + "".join( rand_name = ID_STRING + "".join(
[random.choice(string.ascii_lowercase) for _ in range(self.RAN_STR_LEN)] [safe_random.choice(string.ascii_lowercase) for _ in range(self.RAN_STR_LEN)]
) )
payload = self.build_payload(app_id, rand_name, command) payload = self.build_payload(app_id, rand_name, command)
resp = requests.post( resp = requests.post(
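Review bot: `safe_random = SystemRandom()` is rebuilt on every call only to draw RAN_STR_LEN letters; the stdlib already spells this intent as `secrets.choice`, so `rand_name = ID_STRING + "".join(secrets.choice(string.ascii_lowercase) for _ in range(self.RAN_STR_LEN))` (with `import secrets` in place of the SystemRandom import) does the same with no throwaway instance and drops the list built inside `"".join`. Whichever form is kept, a one-line why-comment next to the draw would stop the next reader from reverting to `random.choice` to quiet the linter, e.g. `# OS-backed RNG (DUO102): presumably so the YARN app name cannot be guessed`. The enclosing method starts and ends outside this hunk, so where `rand_name` is consumed is not visible here.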


@ -3,7 +3,7 @@
import logging import logging
import string import string
from random import choice from random import SystemRandom
import requests import requests
@ -37,8 +37,9 @@ class ShellShockExploiter(HostExploiter):
def __init__(self, host): def __init__(self, host):
super(ShellShockExploiter, self).__init__(host) super(ShellShockExploiter, self).__init__(host)
self.HTTP = [str(port) for port in self._config.HTTP_PORTS] self.HTTP = [str(port) for port in self._config.HTTP_PORTS]
safe_random = SystemRandom()
self.success_flag = "".join( self.success_flag = "".join(
choice(string.ascii_uppercase + string.digits) for _ in range(20) safe_random.choice(string.ascii_uppercase + string.digits) for _ in range(20)
) )
self.skip_exist = self._config.skip_exploit_if_file_exist self.skip_exist = self._config.skip_exploit_if_file_exist
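Review bot: `safe_random` is a local that lives only for the one `"".join` in `__init__`; if `SystemRandom` is kept, a single module-level `_RNG = SystemRandom()` shared by the class (or `secrets.choice`) reads better than a per-instance generator. `self.success_flag` is presumably the marker the exploiter later searches for in responses, which is the reason the draw needs an OS-backed generator, but that use is outside the hunk; a comment on the assignment such as `# OS-backed RNG: flag must not be predictable from earlier values (DUO102)` would record that. `__init__` continues past the last line shown.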


@ -1,7 +1,7 @@
import itertools import itertools
import socket import socket
import struct import struct
from random import randint from random import randint # noqa: DUO102
from subprocess import check_output from subprocess import check_output
import netifaces import netifaces
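Review bot: The `# noqa: DUO102` on the `randint` import carries no reason, so the suppression cannot be audited later without re-reading the commit message; put the justification on the line, e.g. `from random import randint  # noqa: DUO102 - value is not a secret or token`. Only the import is in this hunk, so the actual call site of `randint` has to be checked before accepting that the PRNG is not security-relevant there; if it ever is, `SystemRandom().randint` is the drop-in replacement.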


@ -1,5 +1,5 @@
from itertools import zip_longest from itertools import zip_longest
from random import shuffle from random import shuffle # noqa: DUO102
import infection_monkey.config import infection_monkey.config
from infection_monkey.network.HostFinger import HostFinger from infection_monkey.network.HostFinger import HostFinger
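Review bot: Same as for the other bare suppression: `# noqa: DUO102` on the `shuffle` import should state why the Mersenne Twister is acceptable here, e.g. `from random import shuffle  # noqa: DUO102 - ordering only, not security-sensitive`. The list being shuffled is not shown in this hunk, so that claim needs confirming at the call site; `SystemRandom().shuffle` is the one-line swap if the order ever matters to an adversary.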


@ -52,8 +52,8 @@ class CommunicateAsNewUser(PBA):
@staticmethod @staticmethod
def get_random_new_user_name(): def get_random_new_user_name():
return USERNAME_PREFIX + "".join( return USERNAME_PREFIX + "".join(
random.choice(string.ascii_lowercase) for _ in range(5) random.choice(string.ascii_lowercase) for _ in range(5) # noqa: DUO102
) # noqa: DUO102 )
@staticmethod @staticmethod
def get_commandline_for_http_request(url, is_windows=is_windows_os()): def get_commandline_for_http_request(url, is_windows=is_windows_os()):