p15670423
/
monkey
1
0
Fork 5
Code Issues Pull Requests 3 Projects Releases Wiki Activity

T1210 refactored. Instead of dedicated telems, relevant info is appended to 'scan' and 'exploit' telemetries

This commit is contained in:
VakarisZ 2019-04-17 11:57:33 +03:00
parent 6fb06bc24d
commit c32d07ae34
23 changed files with 141 additions and 118 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
monkey/infection_monkey/exploit/__init__.py
View File

@ -1,6 +1,7 @@
from abc import ABCMeta, abstractmethod
import infection_monkey.config
from common.utils.exploit_enum import ExploitType
from infection_monkey.utils import get_current_time_string
__author__ = 'itamar'
@ -12,6 +13,7 @@ class HostExploiter(object):
# Usual values are 'vulnerability' or 'brute_force'
EXPLOIT_TYPE = ExploitType.VULNERABILITY
_EXPLOITED_SERVICE = ''
def __init__(self, host):
self._config = infection_monkey.config.WormConfiguration
@ -37,6 +39,21 @@ class HostExploiter(object):
def exploit_host(self):
raise NotImplementedError()
def add_vuln_service_info(self, port=None, url=None):
if port:
service_endpoint = port
elif url:
service_endpoint = url
else:
raise NotImplementedError("You must pass either port or url to add a vulnerable service info.")
if not self._EXPLOITED_SERVICE:
raise NotImplementedError("You must override _EXPLOITED_SERVICE to name a service this exploiter "
"is targeting")
self._exploit_info['exploited_service'] = {'name': self._EXPLOITED_SERVICE,
'endpoint': service_endpoint,
'time': get_current_time_string()}
return
from infection_monkey.exploit.win_ms08_067 import Ms08_067_Exploiter
from infection_monkey.exploit.wmiexec import WmiExploiter

4
monkey/infection_monkey/exploit/elasticgroovy.py
View File

@ -29,6 +29,7 @@ class ElasticGroovyExploiter(WebRCE):
% """java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()"""
_TARGET_OS_TYPE = ['linux', 'windows']
_EXPLOITED_SERVICE = 'Elastic search'
def __init__(self, host):
super(ElasticGroovyExploiter, self).__init__(host)
@ -58,8 +59,7 @@ class ElasticGroovyExploiter(WebRCE):
result = self.get_results(response)
if not result:
return False
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'url': url, 'service': 'Elastic search'}).send()
self.add_vuln_service_info(url=url)
return result[0]
def upload_monkey(self, url, commands=None):

6
monkey/infection_monkey/exploit/hadoop.py
View File

@ -13,8 +13,6 @@ import posixpath
from infection_monkey.exploit.web_rce import WebRCE
from infection_monkey.exploit.tools import HTTPTools, build_monkey_commandline, get_monkey_depth
from infection_monkey.model import MONKEY_ARG, ID_STRING, HADOOP_WINDOWS_COMMAND, HADOOP_LINUX_COMMAND
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
__author__ = 'VakarisZ'
@ -23,6 +21,7 @@ LOG = logging.getLogger(__name__)
class HadoopExploiter(WebRCE):
_TARGET_OS_TYPE = ['linux', 'windows']
_EXPLOITED_SERVICE = 'Hadoop'
HADOOP_PORTS = [["8088", False]]
# How long we have our http server open for downloads in seconds
DOWNLOAD_TIMEOUT = 60
@ -50,8 +49,7 @@ class HadoopExploiter(WebRCE):
return False
http_thread.join(self.DOWNLOAD_TIMEOUT)
http_thread.stop()
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'url': self.vulnerable_urls[0], 'service': 'Hadoop'}).send()
self.add_vuln_service_info(url=self.vulnerable_urls[0])
return True
def exploit(self, url, command):

2
monkey/infection_monkey/exploit/rdpgrinder.py
View File

@ -239,6 +239,7 @@ class RdpExploiter(HostExploiter):
_TARGET_OS_TYPE = ['windows']
EXPLOIT_TYPE = ExploitType.BRUTE_FORCE
_EXPLOITED_SERVICE = 'RDP'
def __init__(self, host):
super(RdpExploiter, self).__init__(host)
@ -316,6 +317,7 @@ class RdpExploiter(HostExploiter):
if client_factory.success:
if not self._config.rdp_use_vbs_download:
VictimHostTelem("T1197", ScanStatus.USED.value, self.host, BITS_UPLOAD_STRING)
self.add_vuln_service_info(port=RDP_PORT)
exploited = True
self.report_login_attempt(True, user, password)
break

6
monkey/infection_monkey/exploit/sambacry.py
View File

@ -21,8 +21,6 @@ from infection_monkey.model import DROPPER_ARG
from infection_monkey.network.smbfinger import SMB_SERVICE
from infection_monkey.exploit.tools import build_monkey_commandline, get_target_monkey_by_os, get_monkey_depth
from infection_monkey.pyinstaller_utils import get_binary_file_path
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
__author__ = 'itay.mizeretz'
@ -36,6 +34,7 @@ class SambaCryExploiter(HostExploiter):
"""
_TARGET_OS_TYPE = ['linux']
_EXPLOITED_SERVICE = "Samba"
# Name of file which contains the monkey's commandline
SAMBACRY_COMMANDLINE_FILENAME = "monkey_commandline.txt"
# Name of file which contains the runner's result
@ -90,8 +89,7 @@ class SambaCryExploiter(HostExploiter):
LOG.info(
"Shares triggered successfully on host %s: %s" % (
self.host.ip_addr, str(successfully_triggered_shares)))
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'port': '139/445', 'service': 'Samba'}).send()
self.add_vuln_service_info(port='139 or 445')
return True
else:
LOG.info("No shares triggered successfully on host %s" % self.host.ip_addr)

6
monkey/infection_monkey/exploit/shellshock.py
View File

@ -11,8 +11,6 @@ from infection_monkey.exploit.tools import get_target_monkey, HTTPTools, get_mon
from infection_monkey.model import DROPPER_ARG
from infection_monkey.exploit.shellshock_resources import CGI_FILES
from infection_monkey.exploit.tools import build_monkey_commandline
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
__author__ = 'danielg'
@ -28,6 +26,7 @@ class ShellShockExploiter(HostExploiter):
}
_TARGET_OS_TYPE = ['linux']
_EXPLOITED_SERVICE = 'Bash'
def __init__(self, host):
super(ShellShockExploiter, self).__init__(host)
@ -145,8 +144,7 @@ class ShellShockExploiter(HostExploiter):
if not (self.check_remote_file_exists(url, header, exploit, self._config.monkey_log_path_linux)):
LOG.info("Log file does not exist, monkey might not have run")
continue
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'url': url, 'service': 'Bash'}).send()
self.add_vuln_service_info(url=url)
return True
return False

15
monkey/infection_monkey/exploit/smbexec.py
View File

@ -10,8 +10,6 @@ from infection_monkey.network import SMBFinger
from infection_monkey.network.tools import check_tcp_port
from infection_monkey.exploit.tools import build_monkey_commandline
from common.utils.exploit_enum import ExploitType
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
LOG = getLogger(__name__)
@ -19,6 +17,7 @@ LOG = getLogger(__name__)
class SmbExploiter(HostExploiter):
_TARGET_OS_TYPE = ['windows']
EXPLOIT_TYPE = ExploitType.BRUTE_FORCE
_EXPLOITED_SERVICE = 'SMB'
KNOWN_PROTOCOLS = {
'139/SMB': (r'ncacn_np:%s[\pipe\svcctl]', 139),
'445/SMB': (r'ncacn_np:%s[\pipe\svcctl]', 445),
@ -70,10 +69,8 @@ class SmbExploiter(HostExploiter):
LOG.debug("Successfully logged in %r using SMB (%s : %s : %s : %s)",
self.host, user, password, lm_hash, ntlm_hash)
self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
VictimHostTelem('T1210', ScanStatus.USED.value, self.host,
{'port': ("%s or %s" % (SmbExploiter.KNOWN_PROTOCOLS['139/SMB'][1],
SmbExploiter.KNOWN_PROTOCOLS['445/SMB'][1])),
'service': 'SMB'}).send()
self.add_vuln_service_info(port=("%s or %s" % (SmbExploiter.KNOWN_PROTOCOLS['139/SMB'][1],
SmbExploiter.KNOWN_PROTOCOLS['445/SMB'][1])))
exploited = True
break
else:
@ -143,8 +140,6 @@ class SmbExploiter(HostExploiter):
LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)",
remote_full_path, self.host, cmdline)
VictimHostTelem('T1210', ScanStatus.USED.value, self.host,
{'port': ("%s or %s" % (SmbExploiter.KNOWN_PROTOCOLS['139/SMB'][1],
SmbExploiter.KNOWN_PROTOCOLS['445/SMB'][1])),
'service': 'Elastic'}).send()
self.add_vuln_service_info(port=("%s or %s" % (SmbExploiter.KNOWN_PROTOCOLS['139/SMB'][1],
SmbExploiter.KNOWN_PROTOCOLS['445/SMB'][1])))
return True

8
monkey/infection_monkey/exploit/sshexec.py
View File

@ -11,8 +11,6 @@ from infection_monkey.model import MONKEY_ARG
from infection_monkey.network.tools import check_tcp_port
from infection_monkey.exploit.tools import build_monkey_commandline
from common.utils.exploit_enum import ExploitType
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
__author__ = 'hoffer'
@ -24,6 +22,7 @@ TRANSFER_UPDATE_RATE = 15
class SSHExploiter(HostExploiter):
_TARGET_OS_TYPE = ['linux', None]
EXPLOIT_TYPE = ExploitType.BRUTE_FORCE
_EXPLOITED_SERVICE = 'SSH'
def __init__(self, host):
super(SSHExploiter, self).__init__(host)
@ -83,12 +82,11 @@ class SSHExploiter(HostExploiter):
LOG.debug("Successfully logged in %r using SSH (%s : %s)",
self.host, user, curpass)
exploited = True
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'port': port, 'service': 'SSH'}).send()
self.add_vuln_service_info(port=port)
self.report_login_attempt(True, user, curpass)
break
except Exception as exc:
except paramiko.AuthenticationException as exc:
LOG.debug("Error logging into victim %r with user"
" %s and password '%s': (%s)", self.host,
user, curpass, exc)

6
monkey/infection_monkey/exploit/struts2.py
View File

@ -10,8 +10,6 @@ import re
import logging
from infection_monkey.exploit.web_rce import WebRCE
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
__author__ = "VakarisZ"
@ -22,6 +20,7 @@ DOWNLOAD_TIMEOUT = 300
class Struts2Exploiter(WebRCE):
_TARGET_OS_TYPE = ['linux', 'windows']
_EXPLOITED_SERVICE = 'Struts2'
def __init__(self, host):
super(Struts2Exploiter, self).__init__(host, None)
@ -93,6 +92,5 @@ class Struts2Exploiter(WebRCE):
except httplib.IncompleteRead as e:
page = e.partial
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'url': url, 'service': 'Struts2'}).send()
self.add_vuln_service_info(url=url)
return page

6
monkey/infection_monkey/exploit/weblogic.py
View File

@ -10,8 +10,6 @@ from requests import post, exceptions
from infection_monkey.exploit.web_rce import WebRCE
from infection_monkey.exploit.tools import get_free_tcp_port, get_interface_to_target
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
import threading
import logging
@ -46,6 +44,7 @@ HEADERS = {
class WebLogicExploiter(WebRCE):
_TARGET_OS_TYPE = ['linux', 'windows']
_EXPLOITED_SERVICE = 'Weblogic'
def __init__(self, host):
super(WebLogicExploiter, self).__init__(host, {'linux': '/tmp/monkey.sh',
@ -70,8 +69,7 @@ class WebLogicExploiter(WebRCE):
print('[!] Connection Error')
print(e)
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'url': url, 'service': 'Weblogic'}).send()
self.add_vuln_service_info(url=url)
return True
def add_vulnerable_urls(self, urls, stop_checking=False):

6
monkey/infection_monkey/exploit/wmiexec.py
View File

@ -10,8 +10,6 @@ from infection_monkey.exploit.tools import SmbTools, WmiTools, AccessDeniedExcep
get_monkey_depth, build_monkey_commandline
from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
from common.utils.exploit_enum import ExploitType
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
LOG = logging.getLogger(__name__)
@ -19,6 +17,7 @@ LOG = logging.getLogger(__name__)
class WmiExploiter(HostExploiter):
_TARGET_OS_TYPE = ['windows']
EXPLOIT_TYPE = ExploitType.BRUTE_FORCE
_EXPLOITED_SERVICE = 'WMI (Windows Management Instrumentation)'
def __init__(self, host):
super(WmiExploiter, self).__init__(host)
@ -106,8 +105,7 @@ class WmiExploiter(HostExploiter):
LOG.info("Executed dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",
remote_full_path, self.host, result.ProcessId, result.ReturnValue, cmdline)
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'port': 'unknown', 'service': 'WMI'}).send()
self.add_vuln_service_info(port='unknown')
success = True
else:
LOG.debug("Error executing dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",

20
monkey/infection_monkey/network/__init__.py
View File

@ -1,4 +1,5 @@
from abc import ABCMeta, abstractmethod
from infection_monkey.utils import get_current_time_string
__author__ = 'itamar'
@ -14,10 +15,27 @@ class HostScanner(object):
class HostFinger(object):
__metaclass__ = ABCMeta
_SCANNED_SERVICE = ''
def format_service_info(self, port=None, url=None):
if port:
service_endpoint = port
elif url:
service_endpoint = url
else:
raise NotImplementedError("You must pass either port or url to get formatted service info.")
if not self._SCANNED_SERVICE:
raise NotImplementedError("You must override _SCANNED_SERVICE property"
" to name what service is being scanned.")
return {'display_name': self._SCANNED_SERVICE,
'endpoint': service_endpoint,
'time': get_current_time_string()}
@abstractmethod
def get_host_fingerprint(self, host):
raise NotImplementedError()
from infection_monkey.network.ping_scanner import PingScanner
from infection_monkey.network.tcp_scanner import TcpScanner
from infection_monkey.network.smbfinger import SMBFinger
@ -26,4 +44,4 @@ from infection_monkey.network.httpfinger import HTTPFinger
from infection_monkey.network.elasticfinger import ElasticFinger
from infection_monkey.network.mysqlfinger import MySQLFinger
from infection_monkey.network.info import local_ips, get_free_tcp_port
from infection_monkey.network.mssql_fingerprint import MSSQLFinger
from infection_monkey.network.mssql_fingerprint import MSSQLFinger

6
monkey/infection_monkey/network/elasticfinger.py
View File

@ -8,8 +8,6 @@ from requests.exceptions import Timeout, ConnectionError
import infection_monkey.config
from infection_monkey.model.host import VictimHost
from infection_monkey.network import HostFinger
from common.utils.attack_utils import ScanStatus
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
ES_PORT = 9200
ES_SERVICE = 'elastic-search-9200'
@ -22,6 +20,7 @@ class ElasticFinger(HostFinger):
"""
Fingerprints elastic search clusters, only on port 9200
"""
_SCANNED_SERVICE = 'Elastic search'
def __init__(self):
self._config = infection_monkey.config.WormConfiguration
@ -41,8 +40,7 @@ class ElasticFinger(HostFinger):
host.services[ES_SERVICE]['cluster_name'] = data['cluster_name']
host.services[ES_SERVICE]['name'] = data['name']
host.services[ES_SERVICE]['version'] = data['version']['number']
VictimHostTelem('T1210', ScanStatus.SCANNED.value,
host, {'port': ES_PORT, 'service': 'Elastic'}).send()
host.services[ES_SERVICE].update(self.format_service_info(url=url))
return True
except Timeout:
LOG.debug("Got timeout while trying to read header information")

6
monkey/infection_monkey/network/httpfinger.py
View File

@ -1,8 +1,6 @@
import infection_monkey.config
from infection_monkey.network import HostFinger
from infection_monkey.model.host import VictimHost
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
import logging
LOG = logging.getLogger(__name__)
@ -12,6 +10,7 @@ class HTTPFinger(HostFinger):
"""
Goal is to recognise HTTP servers, where what we currently care about is apache.
"""
_SCANNED_SERVICE = 'HTTP'
def __init__(self):
self._config = infection_monkey.config.WormConfiguration
@ -42,8 +41,7 @@ class HTTPFinger(HostFinger):
host.services['tcp-' + port[1]]['name'] = 'http'
host.services['tcp-' + port[1]]['data'] = (server,ssl)
LOG.info("Port %d is open on host %s " % (port[0], host))
VictimHostTelem('T1210', ScanStatus.SCANNED.value,
host, {'port': port[0], 'service': 'HTTP/HTTPS'}).send()
host.services['tcp-' + port[1]].update(self.format_service_info(port=port[0]))
break # https will be the same on the same port
except Timeout:
pass

14
monkey/infection_monkey/network/mssql_fingerprint.py
View File

@ -4,8 +4,6 @@ import socket
from infection_monkey.model.host import VictimHost
from infection_monkey.network import HostFinger
import infection_monkey.config
from common.utils.attack_utils import ScanStatus
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
__author__ = 'Maor Rayzin'
@ -18,7 +16,7 @@ class MSSQLFinger(HostFinger):
SQL_BROWSER_DEFAULT_PORT = 1434
BUFFER_SIZE = 4096
TIMEOUT = 5
SERVICE_NAME = 'MSSQL'
_SCANNED_SERVICE = 'MSSQL'
def __init__(self):
self._config = infection_monkey.config.WormConfiguration
@ -65,22 +63,20 @@ class MSSQLFinger(HostFinger):
sock.close()
return False
host.services[self.SERVICE_NAME] = {}
host.services[self._SCANNED_SERVICE] = {}
# Loop through the server data
instances_list = data[3:].decode().split(';;')
LOG.info('{0} MSSQL instances found'.format(len(instances_list)))
VictimHostTelem('T1210', ScanStatus.SCANNED.value,
host, {'port': MSSQLFinger.SQL_BROWSER_DEFAULT_PORT, 'service': 'MsSQL'}).send()
for instance in instances_list:
instance_info = instance.split(';')
if len(instance_info) > 1:
host.services[self.SERVICE_NAME][instance_info[1]] = {}
host.services[self._SCANNED_SERVICE][instance_info[1]] = {}
for i in range(1, len(instance_info), 2):
# Each instance's info is nested under its own name, if there are multiple instances
# each will appear under its own name
host.services[self.SERVICE_NAME][instance_info[1]][instance_info[i - 1]] = instance_info[i]
host.services[self._SCANNED_SERVICE][instance_info[1]][instance_info[i - 1]] = instance_info[i]
host.services[self._SCANNED_SERVICE].update(self.format_service_info(port=MSSQLFinger.SQL_BROWSER_DEFAULT_PORT))
# Close the socket
sock.close()

8
monkey/infection_monkey/network/mysqlfinger.py
View File

@ -5,12 +5,9 @@ import infection_monkey.config
from infection_monkey.model.host import VictimHost
from infection_monkey.network import HostFinger
from infection_monkey.network.tools import struct_unpack_tracker, struct_unpack_tracker_string
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
MYSQL_PORT = 3306
SQL_SERVICE = 'mysqld-3306'
LOG = logging.getLogger(__name__)
@ -18,7 +15,7 @@ class MySQLFinger(HostFinger):
"""
Fingerprints mysql databases, only on port 3306
"""
_SCANNED_SERVICE = 'MySQL'
SOCKET_TIMEOUT = 0.5
HEADER_SIZE = 4 # in bytes
@ -61,8 +58,7 @@ class MySQLFinger(HostFinger):
host.services[SQL_SERVICE]['minor_version'] = version[1]
host.services[SQL_SERVICE]['build_version'] = version[2]
thread_id, curpos = struct_unpack_tracker(data, curpos, "<I") # ignore thread id
VictimHostTelem('T1210', ScanStatus.SCANNED.value,
host, {'port': MYSQL_PORT, 'service': 'MYSQL'}).send()
host.services[SQL_SERVICE].update(self.format_service_info(port=MYSQL_PORT))
# protocol parsing taken from
# https://nmap.org/nsedoc/scripts/mysql-info.html
if protocol == 10:

7
monkey/infection_monkey/network/smbfinger.py
View File

@ -5,8 +5,6 @@ from odict import odict
from infection_monkey.network import HostFinger
from infection_monkey.model.host import VictimHost
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
SMB_PORT = 445
SMB_SERVICE = 'tcp-445'
@ -102,6 +100,8 @@ class SMBSessionFingerData(Packet):
class SMBFinger(HostFinger):
_SCANNED_SERVICE = 'SMB'
def __init__(self):
from infection_monkey.config import WormConfiguration
self._config = WormConfiguration
@ -152,8 +152,7 @@ class SMBFinger(HostFinger):
host.os['version'] = os_version
else:
host.services[SMB_SERVICE]['os-version'] = os_version
VictimHostTelem('T1210', ScanStatus.SCANNED.value,
host, {'port': SMB_PORT, 'service': 'SMB'}).send()
host.services[SMB_SERVICE].update(self.format_service_info(port=SMB_PORT))
return True
except Exception as exc:
LOG.debug("Error getting smb fingerprint: %s", exc)

7
monkey/infection_monkey/network/sshfinger.py
View File

@ -4,8 +4,6 @@ import infection_monkey.config
from infection_monkey.model.host import VictimHost
from infection_monkey.network import HostFinger
from infection_monkey.network.tools import check_tcp_port
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
SSH_PORT = 22
SSH_SERVICE_DEFAULT = 'tcp-22'
@ -16,6 +14,8 @@ LINUX_DIST_SSH = ['ubuntu', 'debian']
class SSHFinger(HostFinger):
_SCANNED_SERVICE = 'SSH'
def __init__(self):
self._config = infection_monkey.config.WormConfiguration
self._banner_regex = re.compile(SSH_REGEX, re.IGNORECASE)
@ -51,8 +51,7 @@ class SSHFinger(HostFinger):
host.services[SSH_SERVICE_DEFAULT]['banner'] = banner
if self._banner_regex.search(banner):
self._banner_match(SSH_SERVICE_DEFAULT, host, banner)
VictimHostTelem('T1210', ScanStatus.SCANNED.value,
host, {'port': SSH_PORT, 'service': 'SSH'}).send()
host.services[SSH_SERVICE_DEFAULT].update(self.format_service_info(port=SSH_PORT))
return True
return False

7
monkey/infection_monkey/network/tcp_scanner.py
View File

@ -13,6 +13,9 @@ BANNER_READ = 1024
class TcpScanner(HostScanner, HostFinger):
_SCANNED_SERVICE = 'unknown(TCP)'
def __init__(self):
self._config = infection_monkey.config.WormConfiguration
@ -33,12 +36,10 @@ class TcpScanner(HostScanner, HostFinger):
ports, banners = check_tcp_ports(host.ip_addr, target_ports, self._config.tcp_scan_timeout / 1000.0,
self._config.tcp_scan_get_banner)
for port in ports:
VictimHostTelem('T1210', ScanStatus.SCANNED.value,
host, {'port': port, 'service': 'unknown(TCP)'}).send()
for target_port, banner in izip_longest(ports, banners, fillvalue=None):
service = tcp_port_to_service(target_port)
host.services[service] = {}
host.services[service].update(self.format_service_info(port=target_port))
if banner:
host.services[service]['banner'] = banner
if only_one_port:

14
monkey/infection_monkey/transport/attack_telems/base_telem.py
View File

@ -3,7 +3,7 @@ import requests
import json
from infection_monkey.control import ControlClient
import logging
import datetime
from infection_monkey.utils import get_current_time_string
__author__ = "VakarisZ"
@ -21,7 +21,7 @@ class AttackTelem(object):
"""
self.technique = technique
self.result = status
self.data = {'status': status, 'id': GUID, 'time': AttackTelem.get_current_time_string()}
self.data = {'status': status, 'id': GUID, 'time': get_current_time_string()}
if data:
self.data.update(data)
@ -40,13 +40,3 @@ class AttackTelem(object):
except Exception as exc:
LOG.warn("Error connecting to control server %s: %s",
WormConfiguration.current_server, exc)
@staticmethod
def get_current_time_string():
time = datetime.datetime.now()
return "%s-%s-%s %s:%s:%s" % (time.date().year,
time.date().month,
time.date().day,
time.time().hour,
time.time().minute,
time.time().second)

11
monkey/infection_monkey/utils.py
View File

@ -2,7 +2,7 @@ import os
import sys
import shutil
import struct
import datetime
from infection_monkey.config import WormConfiguration
@ -58,3 +58,12 @@ def get_monkey_dir_path():
return WormConfiguration.monkey_dir_windows
else:
return WormConfiguration.monkey_dir_linux
def get_current_time_string():
time = datetime.datetime.now()
return "%s-%s-%s %s:%s:%s" % (time.date().year,
time.date().month,
time.date().day,
time.time().hour,
time.time().minute,
time.time().second)

45
monkey/monkey_island/cc/services/attack/technique_reports/T1210.py
View File

@ -12,24 +12,35 @@ MESSAGES = {
def get_report_data():
data = get_tech_base_data(TECHNIQUE, MESSAGES)
found_services = get_res_by_status(ScanStatus.SCANNED.value)
exploited_services = get_res_by_status(ScanStatus.USED.value)
data.update({'found_services': found_services, 'exploited_services': exploited_services})
data = {'title': technique_title(TECHNIQUE)}
scanned_services = get_scanned_services()
exploited_services = get_exploited_services()
if exploited_services:
data.update({'status': ScanStatus.USED.name, 'message': MESSAGES['used']})
elif scanned_services:
data.update({'status': ScanStatus.SCANNED.name, 'message': MESSAGES['scanned']})
else:
data.update({'status': ScanStatus.UNSCANNED.name, 'message': MESSAGES['unscanned']})
data.update({'scanned_services': scanned_services, 'exploited_services': exploited_services})
return data
def get_res_by_status(status):
results = mongo.db.attack_results.aggregate([{'$match': {'technique': TECHNIQUE, 'status': status}},
{'$group': {
'_id': {'ip_addr': '$machine.ip_addr',
'port': '$port',
'url': '$url'},
'ip_addr': {'$first': '$machine.ip_addr'},
'domain_name': {'$first': '$machine.domain_name'},
'port': {'$first': '$port'},
'url': {'$first': '$url'},
'service': {'$last': '$service'},
'time': {'$first': '$time'}}
}])
def get_scanned_services():
results = mongo.db.telemetry.aggregate([{'$match': {'telem_type': 'scan'}},
{'$group': {
'_id': {'ip_addr': '$data.machine.ip_addr',
'services': '$data.machine.services'
},
'machine': {'$first': '$data.machine'}}}])
return list(results)
def get_exploited_services():
results = mongo.db.telemetry.aggregate([{'$match': {'telem_type': 'exploit', 'data.result': True}},
{'$group': {
'_id': {'ip_addr': '$data.machine.ip_addr',
'info': '$data.info'
},
'service': {'$first': '$data.info.exploited_service'},
'machine': {'$first': '$data.machine'}}}])
return list(results)

32
monkey/monkey_island/cc/ui/src/components/attack/T1210.js
View File

@ -10,21 +10,26 @@ let renderMachine = function (val) {
)
};
let renderPort = function (service){
if(service.url){
return service.url
} else {
return service.port
let formatScanned = function (data){
let result = [];
for(let service in data.machine.services){
let scanned_service = {'machine': data.machine,
'service': {'endpoint': data.machine.services[service].endpoint,
'name': data.machine.services[service].display_name,
'time': data.machine.services[service].time}};
result.push(scanned_service)
}
return result
};
const columns = [
{
columns: [
{Header: 'Machine', id: 'machine', accessor: x => renderMachine(x), style: { 'whiteSpace': 'unset' }, width: 200},
{Header: 'Time', id: 'time', accessor: x => x.time, style: { 'whiteSpace': 'unset' }, width: 170},
{Header: 'Port/url', id: 'port', accessor: x =>renderPort(x), style: { 'whiteSpace': 'unset' }},
{Header: 'Service', id: 'service', accessor: x => x.service, style: { 'whiteSpace': 'unset' }}
{Header: 'Machine', id: 'machine', accessor: x => renderMachine(x.machine),
style: { 'whiteSpace': 'unset' }, width: 200},
{Header: 'Time', id: 'time', accessor: x => x.service.time, style: { 'whiteSpace': 'unset' }, width: 170},
{Header: 'Port/url', id: 'port', accessor: x =>x.service.endpoint, style: { 'whiteSpace': 'unset' }},
{Header: 'Service', id: 'service', accessor: x => x.service.name, style: { 'whiteSpace': 'unset' }}
]
}
];
@ -35,7 +40,7 @@ class T1210 extends React.Component {
super(props);
}
renderFoundServices(data) {
renderScannedServices(data) {
return (
<div>
<br/>
@ -64,11 +69,14 @@ class T1210 extends React.Component {
}
render() {
let scanned_services = this.props.data.scanned_services.map(formatScanned).flat();
console.log(scanned_services);
console.log(this.props.data);
return (
<div>
<div>{this.props.data.message}</div>
{this.props.data.found_services.length > 0 ?
this.renderFoundServices(this.props.data.found_services) : ''}
{scanned_services.length > 0 ?
this.renderScannedServices(scanned_services) : ''}
{this.props.data.exploited_services.length > 0 ?
this.renderExploitedServices(this.props.data.exploited_services) : ''}
<div className="attack-report footer-text">