From 6ed94293db91953709caa8ee2e6fb459350dfc26 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Mon, 26 Feb 2018 18:26:43 +0200 Subject: [PATCH 001/117] add intial version of extended info --- infection_monkey/requirements.txt | 1 + .../system_info/windows_info_collector.py | 82 ++++++++++++++++++- 2 files changed, 80 insertions(+), 3 deletions(-) diff --git a/infection_monkey/requirements.txt b/infection_monkey/requirements.txt index 2c96e311c..3ab1c230a 100644 --- a/infection_monkey/requirements.txt +++ b/infection_monkey/requirements.txt @@ -14,3 +14,4 @@ ecdsa netifaces mock nose +wmi \ No newline at end of file diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index 72e189f81..1a6bd1542 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -1,12 +1,26 @@ +import os import logging +import traceback -from mimikatz_collector import MimikatzCollector +import _winreg +from wmi import WMI +#from mimikatz_collector import MimikatzCollector from . import InfoCollector LOG = logging.getLogger(__name__) __author__ = 'uri' +WMI_CLASSES = set(["Win32_OperatingSystem", + "Win32_ComputerSystem", + "Win32_GroupUser", + "Win32_LoggedOnUser", + "Win32_UserProfile", + "win32_UserAccount", + "Win32_Process", + "Win32_Product", + "Win32_Service"]) + class WindowsInfoCollector(InfoCollector): """ @@ -15,6 +29,7 @@ class WindowsInfoCollector(InfoCollector): def __init__(self): super(WindowsInfoCollector, self).__init__() + self.wmi = None def get_info(self): """ @@ -27,6 +42,67 @@ class WindowsInfoCollector(InfoCollector): self.get_hostname() self.get_process_list() self.get_network_info() - mimikatz_collector = MimikatzCollector() - self.info["credentials"] = mimikatz_collector.get_logon_info() + + self.get_wmi_info() + self.get_reg_key(r"SYSTEM\CurrentControlSet\Control\Lsa") + self.get_installed_packages() + + #mimikatz_collector = MimikatzCollector() + #self.info["credentials"] = mimikatz_collector.get_logon_info() + return self.info + + def get_installed_packages(self): + self.info["installed_packages"] = os.popen("dism /online /get-packages").read() + self.info["installed_features"] = os.popen("dism /online /get-features").read() + + def get_wmi_info(self): + for wmi_class_name in WMI_CLASSES: + self.info[wmi_class_name] = self.get_wmi_class(wmi_class_name) + + def get_wmi_class(self, class_name): + if not self.wmi: + self.wmi = WMI() + + try: + wmi_class = getattr(self.wmi, class_name)() + except: + LOG.error("Error getting wmi class '%s'" % (class_name, )) + LOG.error(traceback.format_exc()) + return + + result = [] + + for item in wmi_class: + row = {} + + for prop in item.properties: + value = getattr(item, prop) + row[prop] = value + + for method_name in item.methods: + if not method_name.startswith("GetOwner"): + continue + + method = getattr(item, method_name) + + try: + row[method_name[3:]] = method() + + except: + LOG.error("Error running wmi method '%s'" % (method_name, )) + LOG.error(traceback.format_exc()) + continue + + result.append(row) + + return result + + def get_reg_key(self, subkey_path, store=_winreg.HKEY_LOCAL_MACHINE): + key = _winreg.ConnectRegistry(None, store) + subkey = _winreg.OpenKey(key, subkey_path) + + self.info[subkey_path] = [_winreg.EnumValue(subkey, i) for i in xrange(_winreg.QueryInfoKey(subkey)[0])] + + subkey.Close() + key.Close() \ No newline at end of file From 9c7ead8ddb42bc508c0584a0f366ed31dd525ea4 Mon Sep 17 00:00:00 2001 From: Date: Tue, 27 Feb 2018 06:42:11 -0800 Subject: [PATCH 002/117] add getTextualOutput interface of mimikatz dll --- infection_monkey/system_info/mimikatz_collector.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/infection_monkey/system_info/mimikatz_collector.py b/infection_monkey/system_info/mimikatz_collector.py index e69bcd73e..d7e3cb387 100644 --- a/infection_monkey/system_info/mimikatz_collector.py +++ b/infection_monkey/system_info/mimikatz_collector.py @@ -21,8 +21,10 @@ class MimikatzCollector(object): self._dll = ctypes.WinDLL(self._config.mimikatz_dll_name) collect_proto = ctypes.WINFUNCTYPE(ctypes.c_int) get_proto = ctypes.WINFUNCTYPE(MimikatzCollector.LogonData) + getTextOutput = ctypes.WINFUNCTYPE(ctypes.c_wchar_p) self._collect = collect_proto(("collect", self._dll)) self._get = get_proto(("get", self._dll)) + self._getTextOutput = getTextOutput(("getTextOutput", self._dll)) self._isInit = True except StandardError: LOG.exception("Error initializing mimikatz collector") @@ -41,6 +43,8 @@ class MimikatzCollector(object): logon_data_dictionary = {} hostname = socket.gethostname() + + self.mimikatz_text = self._getTextOutput() for i in range(entry_count): entry = self._get() @@ -74,6 +78,9 @@ class MimikatzCollector(object): except StandardError: LOG.exception("Error getting logon info") return {} + + def get_mimikatz_text(self): + return self.mimikatz_text class LogonData(ctypes.Structure): """ From 805c7ad38aa935f4881364f61eace44273e391b0 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 27 Feb 2018 06:43:40 -0800 Subject: [PATCH 003/117] add info draft --- .../system_info/windows_info_collector.py | 114 ++++++++++++------ 1 file changed, 75 insertions(+), 39 deletions(-) diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index 1a6bd1542..58ce22bc5 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -2,9 +2,12 @@ import os import logging import traceback +import sys +sys.coinit_flags = 0 # needed for proper destruction of the wmi python module +import wmi import _winreg -from wmi import WMI -#from mimikatz_collector import MimikatzCollector + +from mimikatz_collector import MimikatzCollector from . import InfoCollector LOG = logging.getLogger(__name__) @@ -17,10 +20,59 @@ WMI_CLASSES = set(["Win32_OperatingSystem", "Win32_LoggedOnUser", "Win32_UserProfile", "win32_UserAccount", - "Win32_Process", - "Win32_Product", - "Win32_Service"]) + #"Win32_Process", + #"Win32_Product", + #"Win32_Service" + ]) +def fix_obj_for_mongo(o): + if type(o) == dict: + return dict([(k, fix_obj_for_mongo(v)) for k, v in o.iteritems()]) + + elif type(o) in (list, tuple): + return [fix_obj_for_mongo(i) for i in o] + + elif type(o) in (int, float, bool): + return o + + elif type(o) in (str, unicode): + # mongo dosn't like unprintable chars, so we use repr :/ + return repr(o) + + + + else: + return repr(o) + +""" +def fix_wmi_obj_for_mongo(o): + for item in wmi_class: + row = {} + + for prop in item.properties: + try: + value = getattr(item, prop) + except wmi.x_wmi: + continue + + row[prop] = value + + for method_name in item.methods: + if not method_name.startswith("GetOwner"): + continue + + method = getattr(item, method_name) + + try: + row[method_name[3:]] = method() + + except wmi.x_wmi: + #LOG.error("Error running wmi method '%s'" % (method_name, )) + #LOG.error(traceback.format_exc()) + continue + + result.append(row) +""" class WindowsInfoCollector(InfoCollector): """ @@ -47,8 +99,9 @@ class WindowsInfoCollector(InfoCollector): self.get_reg_key(r"SYSTEM\CurrentControlSet\Control\Lsa") self.get_installed_packages() - #mimikatz_collector = MimikatzCollector() - #self.info["credentials"] = mimikatz_collector.get_logon_info() + mimikatz_collector = MimikatzCollector() + self.info["credentials"] = mimikatz_collector.get_logon_info() + self.info["mimikatz"] = mimikatz_collector.get_mimikatz_text() return self.info @@ -58,51 +111,34 @@ class WindowsInfoCollector(InfoCollector): def get_wmi_info(self): for wmi_class_name in WMI_CLASSES: - self.info[wmi_class_name] = self.get_wmi_class(wmi_class_name) + self.info[wmi_class_name] = fix_obj_for_mongo(self.get_wmi_class(wmi_class_name)) def get_wmi_class(self, class_name): if not self.wmi: - self.wmi = WMI() + self.wmi = wmi.WMI() try: wmi_class = getattr(self.wmi, class_name)() - except: - LOG.error("Error getting wmi class '%s'" % (class_name, )) - LOG.error(traceback.format_exc()) + except wmi.x_wmi: + #LOG.error("Error getting wmi class '%s'" % (class_name, )) + #LOG.error(traceback.format_exc()) return - result = [] - - for item in wmi_class: - row = {} - - for prop in item.properties: - value = getattr(item, prop) - row[prop] = value - - for method_name in item.methods: - if not method_name.startswith("GetOwner"): - continue - - method = getattr(item, method_name) - - try: - row[method_name[3:]] = method() - - except: - LOG.error("Error running wmi method '%s'" % (method_name, )) - LOG.error(traceback.format_exc()) - continue - - result.append(row) - - return result + print "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + print type(wmi_class) + print "@" * 20 + os._exit(1) + + return wmi_class def get_reg_key(self, subkey_path, store=_winreg.HKEY_LOCAL_MACHINE): key = _winreg.ConnectRegistry(None, store) subkey = _winreg.OpenKey(key, subkey_path) - self.info[subkey_path] = [_winreg.EnumValue(subkey, i) for i in xrange(_winreg.QueryInfoKey(subkey)[0])] + d = dict([_winreg.EnumValue(subkey, i)[:2] for i in xrange(_winreg.QueryInfoKey(subkey)[0])]) + d = fix_obj_for_mongo(d) + + self.info[subkey_path] = d subkey.Close() key.Close() \ No newline at end of file From 020c6398cdea1220cfc465134ce035eb130f6252 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 27 Feb 2018 07:38:54 -0800 Subject: [PATCH 004/117] all info works --- .../system_info/windows_info_collector.py | 63 +++++++++---------- 1 file changed, 29 insertions(+), 34 deletions(-) diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index 58ce22bc5..1fe15fe67 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -20,9 +20,9 @@ WMI_CLASSES = set(["Win32_OperatingSystem", "Win32_LoggedOnUser", "Win32_UserProfile", "win32_UserAccount", - #"Win32_Process", - #"Win32_Product", - #"Win32_Service" + "Win32_Product", + "Win32_Process", + "Win32_Service" ]) def fix_obj_for_mongo(o): @@ -39,40 +39,40 @@ def fix_obj_for_mongo(o): # mongo dosn't like unprintable chars, so we use repr :/ return repr(o) - + elif hasattr(o, "__class__") and o.__class__ == wmi._wmi_object: + return fix_wmi_obj_for_mongo(o) else: return repr(o) -""" def fix_wmi_obj_for_mongo(o): - for item in wmi_class: - row = {} - - for prop in item.properties: - try: - value = getattr(item, prop) - except wmi.x_wmi: - continue + row = {} - row[prop] = value + for prop in o.properties: + try: + value = getattr(o, prop) + except wmi.x_wmi: + continue - for method_name in item.methods: - if not method_name.startswith("GetOwner"): - continue + row[prop] = fix_obj_for_mongo(value) - method = getattr(item, method_name) + for method_name in o.methods: + if not method_name.startswith("GetOwner"): + continue - try: - row[method_name[3:]] = method() - - except wmi.x_wmi: - #LOG.error("Error running wmi method '%s'" % (method_name, )) - #LOG.error(traceback.format_exc()) - continue + method = getattr(o, method_name) - result.append(row) -""" + try: + value = method() + value = fix_obj_for_mongo(value) + row[method_name[3:]] = value + + except wmi.x_wmi: + #LOG.error("Error running wmi method '%s'" % (method_name, )) + #LOG.error(traceback.format_exc()) + continue + + return row class WindowsInfoCollector(InfoCollector): """ @@ -111,7 +111,7 @@ class WindowsInfoCollector(InfoCollector): def get_wmi_info(self): for wmi_class_name in WMI_CLASSES: - self.info[wmi_class_name] = fix_obj_for_mongo(self.get_wmi_class(wmi_class_name)) + self.info[wmi_class_name] = self.get_wmi_class(wmi_class_name) def get_wmi_class(self, class_name): if not self.wmi: @@ -124,12 +124,7 @@ class WindowsInfoCollector(InfoCollector): #LOG.error(traceback.format_exc()) return - print "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" - print type(wmi_class) - print "@" * 20 - os._exit(1) - - return wmi_class + return fix_obj_for_mongo(wmi_class) def get_reg_key(self, subkey_path, store=_winreg.HKEY_LOCAL_MACHINE): key = _winreg.ConnectRegistry(None, store) From 833df8d6d4dcdac3921c7b7a785290124843b0db Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Wed, 28 Feb 2018 04:53:02 -0800 Subject: [PATCH 005/117] fix wmi table names --- .../system_info/windows_info_collector.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index 1fe15fe67..9b5e12d7f 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -16,13 +16,14 @@ __author__ = 'uri' WMI_CLASSES = set(["Win32_OperatingSystem", "Win32_ComputerSystem", - "Win32_GroupUser", "Win32_LoggedOnUser", + "Win32_UserAccount", "Win32_UserProfile", - "win32_UserAccount", - "Win32_Product", - "Win32_Process", - "Win32_Service" + "Win32_Group", + "Win32_GroupUser", + #"Win32_Product", + #"Win32_Process", + #"Win32_Service" ]) def fix_obj_for_mongo(o): From 2013e706e59b771b12adac3f606ca47d1e2a1d1f Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Wed, 28 Feb 2018 08:48:21 -0800 Subject: [PATCH 006/117] add intial draft for analyses script for pth map --- monkey_island/mymap.py | 190 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 190 insertions(+) create mode 100644 monkey_island/mymap.py diff --git a/monkey_island/mymap.py b/monkey_island/mymap.py new file mode 100644 index 000000000..106ba95e3 --- /dev/null +++ b/monkey_island/mymap.py @@ -0,0 +1,190 @@ +from pymongo import MongoClient +db = MongoClient().monkeyisland + +DsRole_RoleStandaloneWorkstation = 0 +DsRole_RoleMemberWorkstation = 1 +DsRole_RoleStandaloneServer = 2 +DsRole_RoleMemberServer = 3 +DsRole_RoleBackupDomainController = 4 +DsRole_RolePrimaryDomainController = 5 + +class Machine(object): + def __init__(self, monkey_guid): + self.monkey_guid = str(monkey_guid) + + def GetHostName(self): + cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + + names = set() + + for doc in cur: + for comp in doc["data"]["Win32_ComputerSystem"]: + names.add(eval(comp["Name"])) + + if len(names) == 1: + return names.pop() + + return None + + def GetDomainName(self): + cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + + names = set() + + for doc in cur: + for comp in doc["data"]["Win32_ComputerSystem"]: + names.add(eval(comp["Domain"])) + + if len(names) == 1: + return names.pop() + + return None + + def GetDomainRole(self): + cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + + roles = set() + + for doc in cur: + for comp in doc["data"]["Win32_ComputerSystem"]: + roles.add(comp["DomainRole"]) + + if len(roles) == 1: + return roles.pop() + + return None + + def GetSidByUsername(self, username): + cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid, "data.Win32_UserAccount.Name":"u'%s'" % (username,)}) + + SIDs = set() + + for doc in cur: + for user in doc["data"]["Win32_UserAccount"]: + if eval(user["Name"]) != username: + continue + + SIDs.add(eval(user["SID"])) + + if len(SIDs) == 1: + return SIDs.pop() + + return None + + def GetUsernameBySid(self, sid): + cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid, "data.Win32_UserAccount.SID":"u'%s'" % (sid,)}) + + names = set() + + for doc in cur: + for user in doc["data"]["Win32_UserAccount"]: + if eval(user["SID"]) != sid: + continue + + names.add(eval(user["Name"])) + + if len(names) == 1: + return names.pop() + + return None + + def GetGroupSidByGroupName(self, group_name): + cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid, "data.Win32_Group.Name":"u'%s'" % (group_name,)}) + SIDs = set() + + for doc in cur: + for group in doc["data"]["Win32_Group"]: + if eval(group["Name"]) != group_name: + continue + + SIDs.add(eval(group["SID"])) + + if len(SIDs) == 1: + return SIDs.pop() + + return None + + def GetUsersByGroupSid(self, sid): + cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid, "data.Win32_GroupUser.GroupComponent.SID":"u'%s'" % (sid,)}) + + SIDs = set() + + for doc in cur: + for group_user in doc["data"]["Win32_GroupUser"]: + if eval(group_user["GroupComponent"]["SID"]) != sid: + continue + + SIDs.add(eval(group_user["PartComponent"]["SID"])) + + return SIDs + + def GetDomainControllersMonkeyGuidByDomainName(self, domain_name): + cur = db.telemetry.find({"telem_type":"system_info_collection", "data.Win32_ComputerSystem.Domain":"u'%s'" % (domain_name,)}) + + GUIDs = set() + + for doc in cur: + for comp in doc["data"]["Win32_ComputerSystem"]: + if ((comp["DomainRole"] != DsRole_RolePrimaryDomainController) and + (comp["DomainRole"] != DsRole_RoleBackupDomainController)): + continue + + GUIDs.add(doc["monkey_guid"]) + + return GUIDs + + def GetLocalAdmins(self): + return self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")) + + def GetDomainAdminsOfMachine(self): + domain_name = self.GetDomainName() + DCs = self.GetDomainControllersMonkeyGuidByDomainName(domain_name) + + domain_admins = set() + + for dc_monkey_guid in DCs: + domain_admins += Machine(dc_monkey_guid).GetLocalAdmins() + + return domain_admins + + def GetAdmins(self): + return self.GetLocalAdmins() | self.GetDomainAdminsOfMachine() + + def GetCachedSids(self): + cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + + SIDs = set() + + for doc in cur: + for username in doc["data"]["credentials"]: + SIDs.add(self.GetSidByUsername(username)) + + return SIDs + +def GetAllMachines(): + cur = db.telemetry.find({"telem_type":"system_info_collection"}) + + GUIDs = set() + + for doc in cur: + GUIDs.add(doc["monkey_guid"]) + + return GUIDs + +vertices = GetAllMachines() +edges = set() + +for attacker in vertices: + cached = Machine(attacker).GetCachedSids() + + for victim in vertices: + if attacker == victim: + continue + + admins = Machine(victim).GetAdmins() + + if len(cached & admins) > 0: + edges.add((attacker, victim)) + +print vertices +print edges \ No newline at end of file From dd0b73519c80b70f2f5ac5e03fc7012437c42f5a Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Sun, 4 Mar 2018 03:54:41 -0800 Subject: [PATCH 007/117] use the collected sam info --- monkey_island/mymap.py | 200 ++++++++++++++++++++++++++++++++++------- 1 file changed, 170 insertions(+), 30 deletions(-) diff --git a/monkey_island/mymap.py b/monkey_island/mymap.py index 106ba95e3..08973cd46 100644 --- a/monkey_island/mymap.py +++ b/monkey_island/mymap.py @@ -1,3 +1,5 @@ +import hashlib +import binascii from pymongo import MongoClient db = MongoClient().monkeyisland @@ -8,10 +10,27 @@ DsRole_RoleMemberServer = 3 DsRole_RoleBackupDomainController = 4 DsRole_RolePrimaryDomainController = 5 +def myntlm(x): + hash = hashlib.new('md4', x.encode('utf-16le')).digest() + return str(binascii.hexlify(hash)) + class Machine(object): def __init__(self, monkey_guid): self.monkey_guid = str(monkey_guid) + def GetMimikatzOutput(self): + cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + + output = set() + + for doc in cur: + output.add(doc["data"]["mimikatz"]) + + if len(output) == 1: + return output.pop() + + return None + def GetHostName(self): cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) @@ -26,6 +45,17 @@ class Machine(object): return None + def GetIp(self): + cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + + names = set() + + for doc in cur: + for addr in doc["data"]["network_info"]["networks"]: + return str(addr["addr"]) + + return None + def GetDomainName(self): cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) @@ -107,16 +137,19 @@ class Machine(object): def GetUsersByGroupSid(self, sid): cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid, "data.Win32_GroupUser.GroupComponent.SID":"u'%s'" % (sid,)}) - SIDs = set() + users = dict() for doc in cur: for group_user in doc["data"]["Win32_GroupUser"]: if eval(group_user["GroupComponent"]["SID"]) != sid: continue + + if "PartComponent" not in group_user.keys(): + continue - SIDs.add(eval(group_user["PartComponent"]["SID"])) + users[eval(group_user["PartComponent"]["SID"])] = eval(group_user["PartComponent"]["Name"]) - return SIDs + return users def GetDomainControllersMonkeyGuidByDomainName(self, domain_name): cur = db.telemetry.find({"telem_type":"system_info_collection", "data.Win32_ComputerSystem.Domain":"u'%s'" % (domain_name,)}) @@ -134,7 +167,47 @@ class Machine(object): return GUIDs def GetLocalAdmins(self): - return self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")) + return self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).keys() + + def GetLocalAdminNames(self): + return self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).values() + + def GetLocalAdminSecrets(self): + admin_names = self.GetLocalAdminNames() + sam_users = str(self.GetMimikatzOutput()).split("\nSAMKey :")[1].split("\n\n")[1:] + + admin_secrets = set() + + for sam_user_txt in sam_users: + sam_user = dict([map(str.strip, line.split(":")) for line in filter(lambda l: l.count(":") == 1, sam_user_txt.splitlines())]) + + if sam_user["User"] not in admin_names: + continue + + admin_secrets.add(sam_user["NTLM"].replace("[hashed secret]", "").strip()) + + return admin_secrets + + def GetCachedSecrets(self): + cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + + secrets = set() + + for doc in cur: + for username in doc["data"]["credentials"]: + user = doc["data"]["credentials"][username] + + if "password" in user.keys(): + ntlm = myntlm(str(user["password"])) + elif "ntlm_hash" in user.keys(): + ntlm = str(user["ntlm_hash"]) + else: + continue + + secret = hashlib.md5(ntlm.decode("hex")).hexdigest() + secrets.add(secret) + + return secrets def GetDomainAdminsOfMachine(self): domain_name = self.GetDomainName() @@ -143,13 +216,16 @@ class Machine(object): domain_admins = set() for dc_monkey_guid in DCs: - domain_admins += Machine(dc_monkey_guid).GetLocalAdmins() + domain_admins |= Machine(dc_monkey_guid).GetLocalAdmins() return domain_admins def GetAdmins(self): return self.GetLocalAdmins() | self.GetDomainAdminsOfMachine() + def GetAdminNames(self): + return set(map(lambda x: self.GetUsernameBySid(x), self.GetAdmins())) + def GetCachedSids(self): cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) @@ -161,30 +237,94 @@ class Machine(object): return SIDs -def GetAllMachines(): - cur = db.telemetry.find({"telem_type":"system_info_collection"}) - - GUIDs = set() - - for doc in cur: - GUIDs.add(doc["monkey_guid"]) - - return GUIDs - -vertices = GetAllMachines() -edges = set() - -for attacker in vertices: - cached = Machine(attacker).GetCachedSids() - - for victim in vertices: - if attacker == victim: - continue - - admins = Machine(victim).GetAdmins() + def GetCachedUsernames(self): + cur = db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) - if len(cached & admins) > 0: - edges.add((attacker, victim)) + SIDs = set() + + for doc in cur: + for username in doc["data"]["credentials"]: + SIDs.add(username) + + return SIDs -print vertices -print edges \ No newline at end of file +class PassTheHashMap(object): + def __init__(self): + self.vertices = self.GetAllMachines() + self.edges = set() + + self.GenerateEdgesBySid() # Useful for non-cached domain users + self.GenerateEdgesBySamHash() # This will add edges based only on password hash without caring about username + + def GetAllMachines(self): + cur = db.telemetry.find({"telem_type":"system_info_collection"}) + + GUIDs = set() + + for doc in cur: + GUIDs.add(doc["monkey_guid"]) + + return GUIDs + + def GenerateEdgesBySid(self): + for attacker in self.vertices: + cached = Machine(attacker).GetCachedSids() + + for victim in self.vertices: + if attacker == victim: + continue + + admins = Machine(victim).GetAdmins() + + if len(cached & admins) > 0: + self.edges.add((attacker, victim)) + + def GenerateEdgesBySamHash(self): + for attacker in self.vertices: + cached = Machine(attacker).GetCachedSecrets() + + for victim in self.vertices: + if attacker == victim: + continue + + admins = Machine(victim).GetLocalAdminSecrets() + + if len(cached & admins) > 0: + self.edges.add((attacker, victim)) + + def GenerateEdgesByUsername(self): + for attacker in self.vertices: + cached = Machine(attacker).GetCachedUsernames() + + for victim in self.vertices: + if attacker == victim: + continue + + admins = Machine(victim).GetAdminNames() + + if len(cached & admins) > 0: + self.edges.add((attacker, victim)) + + def Print(self): + print map(lambda x: Machine(x).GetIp(), self.vertices) + print map(lambda x: (Machine(x[0]).GetIp(), Machine(x[1]).GetIp()), self.edges) + +PassTheHashMap().Print() + +#monkey_guid_island = 345051728334 +#monkey_guid_c = 345051740363 +#monkey_guid_d = 345051735830 +# +#island = Machine(monkey_guid_island) +#c = Machine(monkey_guid_c) +#d = Machine(monkey_guid_d) +# +#assert str(island.GetIp()).endswith(".5") +#assert str(c.GetIp()).endswith(".203") +#assert str(d.GetIp()).endswith(".204") + +#print "sam", island.GetLocalAdminSecrets() +#print "lsa", island.GetCachedSecrets() + +#print "cached", c.GetCachedSids() +#print "admins", d.GetAdmins() From 6779d4c75812387f8c942764846803a706be510b Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Sun, 4 Mar 2018 04:11:15 -0800 Subject: [PATCH 008/117] fix --- monkey_island/mymap.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/monkey_island/mymap.py b/monkey_island/mymap.py index 08973cd46..a9854468d 100644 --- a/monkey_island/mymap.py +++ b/monkey_island/mymap.py @@ -167,10 +167,10 @@ class Machine(object): return GUIDs def GetLocalAdmins(self): - return self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).keys() + return set(self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).keys()) def GetLocalAdminNames(self): - return self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).values() + return set(self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).values()) def GetLocalAdminSecrets(self): admin_names = self.GetLocalAdminNames() From 00fe34d43189d74248a2330af98bd9b8fd7c0adf Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Sun, 4 Mar 2018 05:22:34 -0800 Subject: [PATCH 009/117] add pth map to ui --- monkey_island/cc/app.py | 3 + monkey_island/cc/resources/pthmap.py | 327 ++++++++++++++++++ monkey_island/cc/ui/src/components/Main.js | 2 + .../components/pages/PassTheHashMapPage.js | 58 ++++ 4 files changed, 390 insertions(+) create mode 100644 monkey_island/cc/resources/pthmap.py create mode 100644 monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js diff --git a/monkey_island/cc/app.py b/monkey_island/cc/app.py index 4733d5089..b6d680a87 100644 --- a/monkey_island/cc/app.py +++ b/monkey_island/cc/app.py @@ -17,6 +17,7 @@ from cc.resources.monkey import Monkey from cc.resources.monkey_configuration import MonkeyConfiguration from cc.resources.monkey_download import MonkeyDownload from cc.resources.netmap import NetMap +from cc.resources.pthmap import PthMap from cc.resources.node import Node from cc.resources.report import Report from cc.resources.root import Root @@ -101,5 +102,7 @@ def init_app(mongo_url): api.add_resource(Node, '/api/netmap/node', '/api/netmap/node/') api.add_resource(Report, '/api/report', '/api/report/') api.add_resource(TelemetryFeed, '/api/telemetry-feed', '/api/telemetry-feed/') + + api.add_resource(PthMap, '/api/pthmap', '/api/pthmap/') return app diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py new file mode 100644 index 000000000..b027991ee --- /dev/null +++ b/monkey_island/cc/resources/pthmap.py @@ -0,0 +1,327 @@ +import flask_restful + +from cc.auth import jwt_required +from cc.services.edge import EdgeService +from cc.services.node import NodeService +from cc.database import mongo + +import hashlib +import binascii +from pymongo import MongoClient + +class PthMap(flask_restful.Resource): + @jwt_required() + def get(self, **kw): + graph = PassTheHashMap() + + return \ + { + "nodes": [{"id": x} for x in graph.vertices], + "edges": [{"id": str(s) + str(t), "from": s, "to": t} for s, t in graph.edges] + } + +DsRole_RoleStandaloneWorkstation = 0 +DsRole_RoleMemberWorkstation = 1 +DsRole_RoleStandaloneServer = 2 +DsRole_RoleMemberServer = 3 +DsRole_RoleBackupDomainController = 4 +DsRole_RolePrimaryDomainController = 5 + +def myntlm(x): + hash = hashlib.new('md4', x.encode('utf-16le')).digest() + return str(binascii.hexlify(hash)) + +class Machine(object): + def __init__(self, monkey_guid): + self.monkey_guid = str(monkey_guid) + + def GetMimikatzOutput(self): + cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + + output = set() + + for doc in cur: + output.add(doc["data"]["mimikatz"]) + + if len(output) == 1: + return output.pop() + + return None + + def GetHostName(self): + cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + + names = set() + + for doc in cur: + for comp in doc["data"]["Win32_ComputerSystem"]: + names.add(eval(comp["Name"])) + + if len(names) == 1: + return names.pop() + + return None + + def GetIp(self): + cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + + names = set() + + for doc in cur: + for addr in doc["data"]["network_info"]["networks"]: + return str(addr["addr"]) + + return None + + def GetDomainName(self): + cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + + names = set() + + for doc in cur: + for comp in doc["data"]["Win32_ComputerSystem"]: + names.add(eval(comp["Domain"])) + + if len(names) == 1: + return names.pop() + + return None + + def GetDomainRole(self): + cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + + roles = set() + + for doc in cur: + for comp in doc["data"]["Win32_ComputerSystem"]: + roles.add(comp["DomainRole"]) + + if len(roles) == 1: + return roles.pop() + + return None + + def GetSidByUsername(self, username): + cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid, "data.Win32_UserAccount.Name":"u'%s'" % (username,)}) + + SIDs = set() + + for doc in cur: + for user in doc["data"]["Win32_UserAccount"]: + if eval(user["Name"]) != username: + continue + + SIDs.add(eval(user["SID"])) + + if len(SIDs) == 1: + return SIDs.pop() + + return None + + def GetUsernameBySid(self, sid): + cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid, "data.Win32_UserAccount.SID":"u'%s'" % (sid,)}) + + names = set() + + for doc in cur: + for user in doc["data"]["Win32_UserAccount"]: + if eval(user["SID"]) != sid: + continue + + names.add(eval(user["Name"])) + + if len(names) == 1: + return names.pop() + + return None + + def GetGroupSidByGroupName(self, group_name): + cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid, "data.Win32_Group.Name":"u'%s'" % (group_name,)}) + SIDs = set() + + for doc in cur: + for group in doc["data"]["Win32_Group"]: + if eval(group["Name"]) != group_name: + continue + + SIDs.add(eval(group["SID"])) + + if len(SIDs) == 1: + return SIDs.pop() + + return None + + def GetUsersByGroupSid(self, sid): + cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid, "data.Win32_GroupUser.GroupComponent.SID":"u'%s'" % (sid,)}) + + users = dict() + + for doc in cur: + for group_user in doc["data"]["Win32_GroupUser"]: + if eval(group_user["GroupComponent"]["SID"]) != sid: + continue + + if "PartComponent" not in group_user.keys(): + continue + + users[eval(group_user["PartComponent"]["SID"])] = eval(group_user["PartComponent"]["Name"]) + + return users + + def GetDomainControllersMonkeyGuidByDomainName(self, domain_name): + cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "data.Win32_ComputerSystem.Domain":"u'%s'" % (domain_name,)}) + + GUIDs = set() + + for doc in cur: + for comp in doc["data"]["Win32_ComputerSystem"]: + if ((comp["DomainRole"] != DsRole_RolePrimaryDomainController) and + (comp["DomainRole"] != DsRole_RoleBackupDomainController)): + continue + + GUIDs.add(doc["monkey_guid"]) + + return GUIDs + + def GetLocalAdmins(self): + return set(self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).keys()) + + def GetLocalAdminNames(self): + return set(self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).values()) + + def GetLocalAdminSecrets(self): + admin_names = self.GetLocalAdminNames() + sam_users = str(self.GetMimikatzOutput()).split("\nSAMKey :")[1].split("\n\n")[1:] + + admin_secrets = set() + + for sam_user_txt in sam_users: + sam_user = dict([map(str.strip, line.split(":")) for line in filter(lambda l: l.count(":") == 1, sam_user_txt.splitlines())]) + + if sam_user["User"] not in admin_names: + continue + + admin_secrets.add(sam_user["NTLM"].replace("[hashed secret]", "").strip()) + + return admin_secrets + + def GetCachedSecrets(self): + cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + + secrets = set() + + for doc in cur: + for username in doc["data"]["credentials"]: + user = doc["data"]["credentials"][username] + + if "password" in user.keys(): + ntlm = myntlm(str(user["password"])) + elif "ntlm_hash" in user.keys(): + ntlm = str(user["ntlm_hash"]) + else: + continue + + secret = hashlib.md5(ntlm.decode("hex")).hexdigest() + secrets.add(secret) + + return secrets + + def GetDomainAdminsOfMachine(self): + domain_name = self.GetDomainName() + DCs = self.GetDomainControllersMonkeyGuidByDomainName(domain_name) + + domain_admins = set() + + for dc_monkey_guid in DCs: + domain_admins |= Machine(dc_monkey_guid).GetLocalAdmins() + + return domain_admins + + def GetAdmins(self): + return self.GetLocalAdmins() | self.GetDomainAdminsOfMachine() + + def GetAdminNames(self): + return set(map(lambda x: self.GetUsernameBySid(x), self.GetAdmins())) + + def GetCachedSids(self): + cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + + SIDs = set() + + for doc in cur: + for username in doc["data"]["credentials"]: + SIDs.add(self.GetSidByUsername(username)) + + return SIDs + + def GetCachedUsernames(self): + cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + + SIDs = set() + + for doc in cur: + for username in doc["data"]["credentials"]: + SIDs.add(username) + + return SIDs + +class PassTheHashMap(object): + def __init__(self): + self.vertices = self.GetAllMachines() + self.edges = set() + + #self.GenerateEdgesBySid() # Useful for non-cached domain users + self.GenerateEdgesBySamHash() # This will add edges based only on password hash without caring about username + + def GetAllMachines(self): + cur = mongo.db.telemetry.find({"telem_type":"system_info_collection"}) + + GUIDs = set() + + for doc in cur: + GUIDs.add(doc["monkey_guid"]) + + return GUIDs + + def GenerateEdgesBySid(self): + for attacker in self.vertices: + cached = Machine(attacker).GetCachedSids() + + for victim in self.vertices: + if attacker == victim: + continue + + admins = Machine(victim).GetAdmins() + + if len(cached & admins) > 0: + self.edges.add((attacker, victim)) + + def GenerateEdgesBySamHash(self): + for attacker in self.vertices: + cached = Machine(attacker).GetCachedSecrets() + + for victim in self.vertices: + if attacker == victim: + continue + + admins = Machine(victim).GetLocalAdminSecrets() + + if len(cached & admins) > 0: + self.edges.add((attacker, victim)) + + def GenerateEdgesByUsername(self): + for attacker in self.vertices: + cached = Machine(attacker).GetCachedUsernames() + + for victim in self.vertices: + if attacker == victim: + continue + + admins = Machine(victim).GetAdminNames() + + if len(cached & admins) > 0: + self.edges.add((attacker, victim)) + + def Print(self): + print map(lambda x: Machine(x).GetIp(), self.vertices) + print map(lambda x: (Machine(x[0]).GetIp(), Machine(x[1]).GetIp()), self.edges) diff --git a/monkey_island/cc/ui/src/components/Main.js b/monkey_island/cc/ui/src/components/Main.js index 771e2257a..48410bc94 100644 --- a/monkey_island/cc/ui/src/components/Main.js +++ b/monkey_island/cc/ui/src/components/Main.js @@ -7,6 +7,7 @@ import RunServerPage from 'components/pages/RunServerPage'; import ConfigurePage from 'components/pages/ConfigurePage'; import RunMonkeyPage from 'components/pages/RunMonkeyPage'; import MapPage from 'components/pages/MapPage'; +import PassTheHashMapPage from 'components/pages/PassTheHashMapPage'; import TelemetryPage from 'components/pages/TelemetryPage'; import StartOverPage from 'components/pages/StartOverPage'; import ReportPage from 'components/pages/ReportPage'; @@ -162,6 +163,7 @@ class AppComponent extends AuthComponent { {this.renderRoute('/run-monkey', )} {this.renderRoute('/infection/map', )} {this.renderRoute('/infection/telemetry', )} + {this.renderRoute('/pth', )} {this.renderRoute('/start-over', )} {this.renderRoute('/report', )} {this.renderRoute('/license', )} diff --git a/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js b/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js new file mode 100644 index 000000000..bea2f7b63 --- /dev/null +++ b/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js @@ -0,0 +1,58 @@ +import React from 'react'; +import {Col} from 'react-bootstrap'; +import {ReactiveGraph} from 'components/reactive-graph/ReactiveGraph'; +import AuthComponent from '../AuthComponent'; + +class PassTheHashMapPageComponent extends AuthComponent { + constructor(props) { + super(props); + this.state = { + graph: {nodes: [], edges: []}, + selected: null, + selectedType: null, + killPressed: false, + showKillDialog: false, + telemetry: [], + telemetryLastTimestamp: null + }; + } + + componentDidMount() { + this.updateMapFromServer(); + this.interval = setInterval(this.timedEvents, 1000); + } + + componentWillUnmount() { + clearInterval(this.interval); + } + + timedEvents = () => { + this.updateMapFromServer(); + }; + + updateMapFromServer = () => { + this.authFetch('/api/pthmap') + .then(res => res.json()) + .then(res => { + this.setState({graph: res}); + this.props.onStatusChange(); + }); + }; + + render() { + return ( +
+ +

3. Pass The Hash Map

+ + +
+ +
+ +
+ ); + } +} + +export default PassTheHashMapPageComponent; From 8a3216d8125db26462d01482d03f08537e1f0407 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Sun, 4 Mar 2018 06:24:22 -0800 Subject: [PATCH 010/117] works --- .../components/pages/PassTheHashMapPage.js | 27 ++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js b/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js index bea2f7b63..26ce71cc9 100644 --- a/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js +++ b/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js @@ -2,6 +2,27 @@ import React from 'react'; import {Col} from 'react-bootstrap'; import {ReactiveGraph} from 'components/reactive-graph/ReactiveGraph'; import AuthComponent from '../AuthComponent'; +import Graph from 'react-graph-vis'; + +const options = { + autoResize: true, + layout: { + improvedLayout: false + }, + edges: { + width: 2, + smooth: { + type: 'curvedCW' + } + }, + physics: { + barnesHut: { + gravitationalConstant: -120000, + avoidOverlap: 0.5 + }, + minVelocity: 0.75 + } +}; class PassTheHashMapPageComponent extends AuthComponent { constructor(props) { @@ -43,11 +64,11 @@ class PassTheHashMapPageComponent extends AuthComponent { return (
-

3. Pass The Hash Map

+

Pass The Hash Map

-
- +
+
From 01b071dfe1b3fee7ebd551b08a35dc0e1cd2f508 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 6 Mar 2018 00:32:57 -0800 Subject: [PATCH 011/117] add labels --- monkey_island/cc/resources/pthmap.py | 97 ++++++++++++++++++++++------ 1 file changed, 77 insertions(+), 20 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index b027991ee..93ba9c410 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -16,8 +16,8 @@ class PthMap(flask_restful.Resource): return \ { - "nodes": [{"id": x} for x in graph.vertices], - "edges": [{"id": str(s) + str(t), "from": s, "to": t} for s, t in graph.edges] + "nodes": [{"id": x, "label": Machine(x).GetIp()} for x in graph.vertices], + "edges": [{"id": str(s) + str(t), "from": s, "to": t, "label": label} for s, t, label in graph.edges] } DsRole_RoleStandaloneWorkstation = 0 @@ -100,6 +100,9 @@ class Machine(object): return roles.pop() return None + + def IsDomainController(self): + return self.GetDomainRole() in (DsRole_RolePrimaryDomainController, DsRole_RoleBackupDomainController) def GetSidByUsername(self, username): cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid, "data.Win32_UserAccount.Name":"u'%s'" % (username,)}) @@ -133,6 +136,22 @@ class Machine(object): if len(names) == 1: return names.pop() + if not self.IsDomainController(): + for dc in self.GetDomainControllers(): + username = dc.GetUsernameBySid(sid) + + if username != None: + return username + + return None + + def GetUsernameBySecret(self, secret): + sam = self.GetSam() + + for user, user_secret in sam.iteritems(): + if secret == user_secret: + return user + return None def GetGroupSidByGroupName(self, group_name): @@ -174,12 +193,10 @@ class Machine(object): GUIDs = set() for doc in cur: - for comp in doc["data"]["Win32_ComputerSystem"]: - if ((comp["DomainRole"] != DsRole_RolePrimaryDomainController) and - (comp["DomainRole"] != DsRole_RoleBackupDomainController)): - continue + if not Machine(doc["monkey_guid"]).IsDomainController(): + continue - GUIDs.add(doc["monkey_guid"]) + GUIDs.add(doc["monkey_guid"]) return GUIDs @@ -189,19 +206,28 @@ class Machine(object): def GetLocalAdminNames(self): return set(self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).values()) - def GetLocalAdminSecrets(self): - admin_names = self.GetLocalAdminNames() + def GetSam(self): sam_users = str(self.GetMimikatzOutput()).split("\nSAMKey :")[1].split("\n\n")[1:] - admin_secrets = set() + sam = {} for sam_user_txt in sam_users: sam_user = dict([map(str.strip, line.split(":")) for line in filter(lambda l: l.count(":") == 1, sam_user_txt.splitlines())]) - - if sam_user["User"] not in admin_names: + sam[sam_user["User"]] = sam_user["NTLM"].replace("[hashed secret]", "").strip() + + return sam + + def GetLocalAdminSecrets(self): + admin_names = self.GetLocalAdminNames() + sam = self.GetSam() + + admin_secrets = set() + + for user, secret in sam.iteritems(): + if user not in admin_names: continue - admin_secrets.add(sam_user["NTLM"].replace("[hashed secret]", "").strip()) + admin_secrets.add(secret) return admin_secrets @@ -225,15 +251,19 @@ class Machine(object): secrets.add(secret) return secrets - - def GetDomainAdminsOfMachine(self): + + def GetDomainControllers(self): domain_name = self.GetDomainName() DCs = self.GetDomainControllersMonkeyGuidByDomainName(domain_name) + return map(Machine, DCs) + + def GetDomainAdminsOfMachine(self): + DCs = self.GetDomainControllers() domain_admins = set() - for dc_monkey_guid in DCs: - domain_admins |= Machine(dc_monkey_guid).GetLocalAdmins() + for dc in DCs: + domain_admins |= dc.GetLocalAdmins() return domain_admins @@ -270,7 +300,7 @@ class PassTheHashMap(object): self.vertices = self.GetAllMachines() self.edges = set() - #self.GenerateEdgesBySid() # Useful for non-cached domain users + self.GenerateEdgesBySid() # Useful for non-cached domain users self.GenerateEdgesBySamHash() # This will add edges based only on password hash without caring about username def GetAllMachines(self): @@ -282,6 +312,31 @@ class PassTheHashMap(object): GUIDs.add(doc["monkey_guid"]) return GUIDs + + def ReprSidList(self, sid_list, attacker, victim): + label = set() + + for sid in sid_list: + username = Machine(victim).GetUsernameBySid(sid) + + #if not username: + # username = Machine(attacker).GetUsernameBySid(sid) + + if username: + label.add(username) + + return ",\n".join(label) + + def ReprSecretList(self, secret_list, victim): + label = set() + + for secret in secret_list: + username = Machine(victim).GetUsernameBySecret(secret) + + if username: + label.add(username) + + return ",\n".join(label) def GenerateEdgesBySid(self): for attacker in self.vertices: @@ -294,7 +349,8 @@ class PassTheHashMap(object): admins = Machine(victim).GetAdmins() if len(cached & admins) > 0: - self.edges.add((attacker, victim)) + label = self.ReprSidList(cached & admins, attacker, victim) + self.edges.add((attacker, victim, label)) def GenerateEdgesBySamHash(self): for attacker in self.vertices: @@ -307,7 +363,8 @@ class PassTheHashMap(object): admins = Machine(victim).GetLocalAdminSecrets() if len(cached & admins) > 0: - self.edges.add((attacker, victim)) + label = self.ReprSecretList(cached & admins, victim) + self.edges.add((attacker, victim, label)) def GenerateEdgesByUsername(self): for attacker in self.vertices: From cbc6f2395d40c9d49ed2fbac0d009f503736dbd2 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 6 Mar 2018 04:52:39 -0800 Subject: [PATCH 012/117] add ntds information to map --- monkey_island/cc/resources/pthmap.py | 66 ++++++++++++++++++++++------ 1 file changed, 53 insertions(+), 13 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 93ba9c410..8621c56ef 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -38,15 +38,16 @@ class Machine(object): def GetMimikatzOutput(self): cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) - output = set() + output = None for doc in cur: - output.add(doc["data"]["mimikatz"]) + if not output: + output = doc + + if doc["timestamp"] > output["timestamp"]: + output = doc - if len(output) == 1: - return output.pop() - - return None + return output["data"]["mimikatz"] def GetHostName(self): cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) @@ -146,7 +147,7 @@ class Machine(object): return None def GetUsernameBySecret(self, secret): - sam = self.GetSam() + sam = self.GetLocalSecrets() for user, user_secret in sam.iteritems(): if secret == user_secret: @@ -207,19 +208,58 @@ class Machine(object): return set(self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).values()) def GetSam(self): - sam_users = str(self.GetMimikatzOutput()).split("\nSAMKey :")[1].split("\n\n")[1:] - + if not self.GetMimikatzOutput(): + return {} + + mimikatz = self.GetMimikatzOutput() + + if mimikatz.count("\n42.") != 2: + return {} + + sam_users = mimikatz.split("\n42.")[1].split("\nSAMKey :")[1].split("\n\n")[1:] + sam = {} for sam_user_txt in sam_users: - sam_user = dict([map(str.strip, line.split(":")) for line in filter(lambda l: l.count(":") == 1, sam_user_txt.splitlines())]) + sam_user = dict([map(unicode.strip, line.split(":")) for line in filter(lambda l: l.count(":") == 1, sam_user_txt.splitlines())]) sam[sam_user["User"]] = sam_user["NTLM"].replace("[hashed secret]", "").strip() return sam - + + def GetNtds(self): + if not self.GetMimikatzOutput(): + return {} + + mimikatz = self.GetMimikatzOutput() + + if mimikatz.count("\n42.") != 2: + return {} + + ntds_users = mimikatz.split("\n42.")[2].split("\nRID :")[1:] + ntds = {} + + for ntds_user_txt in ntds_users: + user = ntds_user_txt.split("User :")[1].splitlines()[0].replace("User :", "").strip() + ntlm = ntds_user_txt.split("* Primary\n NTLM :")[1].splitlines()[0].replace("NTLM :", "").strip() + ntlm = ntlm.replace("[hashed secret]", "").strip() + + if ntlm: + ntds[user] = ntlm + + return ntds + + def GetLocalSecrets(self): + sam = self.GetSam() + ntds = self.GetNtds() + + secrets = sam.copy() + secrets.update(ntds) + + return secrets + def GetLocalAdminSecrets(self): admin_names = self.GetLocalAdminNames() - sam = self.GetSam() + sam = self.GetLocalSecrets() admin_secrets = set() @@ -228,7 +268,7 @@ class Machine(object): continue admin_secrets.add(secret) - + return admin_secrets def GetCachedSecrets(self): From 22b0aeb6ccee230fc2e6eede2445283dd167c88f Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 6 Mar 2018 05:37:50 -0800 Subject: [PATCH 013/117] better handle multiple runs of monkey & add a few more queries --- monkey_island/cc/resources/pthmap.py | 212 ++++++++++++++------------- 1 file changed, 107 insertions(+), 105 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 8621c56ef..80233f9cb 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -34,71 +34,49 @@ def myntlm(x): class Machine(object): def __init__(self, monkey_guid): self.monkey_guid = str(monkey_guid) + + self.latest_system_info = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}).sort([("timestamp", 1)]).limit(1) + + if self.latest_system_info.count() > 0: + self.latest_system_info = self.latest_system_info[0] def GetMimikatzOutput(self): - cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + doc = self.latest_system_info - output = None + if not doc: + return None - for doc in cur: - if not output: - output = doc - - if doc["timestamp"] > output["timestamp"]: - output = doc - - return output["data"]["mimikatz"] + return doc["data"]["mimikatz"] def GetHostName(self): - cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) - - names = set() + doc = self.latest_system_info - for doc in cur: - for comp in doc["data"]["Win32_ComputerSystem"]: - names.add(eval(comp["Name"])) - - if len(names) == 1: - return names.pop() + for comp in doc["data"]["Win32_ComputerSystem"]: + return eval(comp["Name"]) return None def GetIp(self): - cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + doc = self.latest_system_info - names = set() - - for doc in cur: - for addr in doc["data"]["network_info"]["networks"]: - return str(addr["addr"]) + for addr in doc["data"]["network_info"]["networks"]: + return str(addr["addr"]) return None def GetDomainName(self): - cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + doc = self.latest_system_info - names = set() - - for doc in cur: - for comp in doc["data"]["Win32_ComputerSystem"]: - names.add(eval(comp["Domain"])) - - if len(names) == 1: - return names.pop() + for comp in doc["data"]["Win32_ComputerSystem"]: + return eval(comp["Domain"]) return None def GetDomainRole(self): - cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + doc = self.latest_system_info - roles = set() - - for doc in cur: - for comp in doc["data"]["Win32_ComputerSystem"]: - roles.add(comp["DomainRole"]) - - if len(roles) == 1: - return roles.pop() + for comp in doc["data"]["Win32_ComputerSystem"]: + return comp["DomainRole"] return None @@ -106,36 +84,24 @@ class Machine(object): return self.GetDomainRole() in (DsRole_RolePrimaryDomainController, DsRole_RoleBackupDomainController) def GetSidByUsername(self, username): - cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid, "data.Win32_UserAccount.Name":"u'%s'" % (username,)}) - - SIDs = set() + doc = self.latest_system_info - for doc in cur: - for user in doc["data"]["Win32_UserAccount"]: - if eval(user["Name"]) != username: - continue + for user in doc["data"]["Win32_UserAccount"]: + if eval(user["Name"]) != username: + continue - SIDs.add(eval(user["SID"])) - - if len(SIDs) == 1: - return SIDs.pop() + return eval(user["SID"]) return None def GetUsernameBySid(self, sid): - cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid, "data.Win32_UserAccount.SID":"u'%s'" % (sid,)}) - - names = set() + doc = self.latest_system_info - for doc in cur: - for user in doc["data"]["Win32_UserAccount"]: - if eval(user["SID"]) != sid: - continue + for user in doc["data"]["Win32_UserAccount"]: + if eval(user["SID"]) != sid: + continue - names.add(eval(user["Name"])) - - if len(names) == 1: - return names.pop() + return eval(user["Name"]) if not self.IsDomainController(): for dc in self.GetDomainControllers(): @@ -155,36 +121,34 @@ class Machine(object): return None + def GetSidBySecret(self, secret): + username = self.GetUsernameBySecret(secret) + return self.GetSidByUsername(username) + def GetGroupSidByGroupName(self, group_name): - cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid, "data.Win32_Group.Name":"u'%s'" % (group_name,)}) - SIDs = set() + doc = self.latest_system_info - for doc in cur: - for group in doc["data"]["Win32_Group"]: - if eval(group["Name"]) != group_name: - continue + for group in doc["data"]["Win32_Group"]: + if eval(group["Name"]) != group_name: + continue - SIDs.add(eval(group["SID"])) - - if len(SIDs) == 1: - return SIDs.pop() + return eval(group["SID"]) return None def GetUsersByGroupSid(self, sid): - cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid, "data.Win32_GroupUser.GroupComponent.SID":"u'%s'" % (sid,)}) + doc = self.latest_system_info users = dict() - for doc in cur: - for group_user in doc["data"]["Win32_GroupUser"]: - if eval(group_user["GroupComponent"]["SID"]) != sid: - continue - - if "PartComponent" not in group_user.keys(): - continue + for group_user in doc["data"]["Win32_GroupUser"]: + if eval(group_user["GroupComponent"]["SID"]) != sid: + continue + + if "PartComponent" not in group_user.keys(): + continue - users[eval(group_user["PartComponent"]["SID"])] = eval(group_user["PartComponent"]["Name"]) + users[eval(group_user["PartComponent"]["SID"])] = eval(group_user["PartComponent"]["Name"]) return users @@ -272,23 +236,22 @@ class Machine(object): return admin_secrets def GetCachedSecrets(self): - cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + doc = self.latest_system_info secrets = set() - for doc in cur: - for username in doc["data"]["credentials"]: - user = doc["data"]["credentials"][username] - - if "password" in user.keys(): - ntlm = myntlm(str(user["password"])) - elif "ntlm_hash" in user.keys(): - ntlm = str(user["ntlm_hash"]) - else: - continue + for username in doc["data"]["credentials"]: + user = doc["data"]["credentials"][username] + + if "password" in user.keys(): + ntlm = myntlm(str(user["password"])) + elif "ntlm_hash" in user.keys(): + ntlm = str(user["ntlm_hash"]) + else: + continue - secret = hashlib.md5(ntlm.decode("hex")).hexdigest() - secrets.add(secret) + secret = hashlib.md5(ntlm.decode("hex")).hexdigest() + secrets.add(secret) return secrets @@ -314,24 +277,22 @@ class Machine(object): return set(map(lambda x: self.GetUsernameBySid(x), self.GetAdmins())) def GetCachedSids(self): - cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + doc = self.latest_system_info SIDs = set() - for doc in cur: - for username in doc["data"]["credentials"]: - SIDs.add(self.GetSidByUsername(username)) + for username in doc["data"]["credentials"]: + SIDs.add(self.GetSidByUsername(username)) return SIDs def GetCachedUsernames(self): - cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}) + doc = self.latest_system_info SIDs = set() - for doc in cur: - for username in doc["data"]["credentials"]: - SIDs.add(username) + for username in doc["data"]["credentials"]: + SIDs.add(username) return SIDs @@ -422,3 +383,44 @@ class PassTheHashMap(object): def Print(self): print map(lambda x: Machine(x).GetIp(), self.vertices) print map(lambda x: (Machine(x[0]).GetIp(), Machine(x[1]).GetIp()), self.edges) + + def GetAllSidsStat(self): + SIDs = {} + + for m in self.vertices: + for sid in m.GetLocalAdmins(): + if sid not in SIDs.keys(): + SIDs[sid] = 0 + + SIDs[sid] += 1 + + return SIDs + + def GetAllSecretStat(self): + secrets = {} + + for m in self.vertices: + for secret in m.GetLocalAdminSecrets(): + if secret not in secrets.keys(): + secrets[secret] = 0 + + secrets[secret] += 1 + + return secrets + + def SidToUsername(self, sid): + for m in self.vertices: + username = m.GetUsernameBySid(sid) + + if username: + return username + + return None + + def SecretToSids(self, secret): + SIDs = set() + + for m in self.vertices: + SIDs.add(m.GetSidBySecret(secret)) + + return SIDs \ No newline at end of file From 492bea27a5765984d7784ed4ac05a771c5f85f58 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 6 Mar 2018 07:31:35 -0800 Subject: [PATCH 014/117] add more queries --- monkey_island/cc/resources/pthmap.py | 95 ++++++++++++++++++++++++---- 1 file changed, 82 insertions(+), 13 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 80233f9cb..f1f1825c3 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -289,12 +289,12 @@ class Machine(object): def GetCachedUsernames(self): doc = self.latest_system_info - SIDs = set() + names = set() for username in doc["data"]["credentials"]: - SIDs.add(username) + names.add(username) - return SIDs + return names class PassTheHashMap(object): def __init__(self): @@ -384,31 +384,49 @@ class PassTheHashMap(object): print map(lambda x: Machine(x).GetIp(), self.vertices) print map(lambda x: (Machine(x[0]).GetIp(), Machine(x[1]).GetIp()), self.edges) - def GetAllSidsStat(self): + def GetSecretBySid(self, sid): + for m in self.vertices: + for user, user_secret in m.GetLocalSecrets(): + if m.GetSidByUsername(user) == sid: + return user_secret + + return None + + def GetAllSids(self): SIDs = {} for m in self.vertices: for sid in m.GetLocalAdmins(): if sid not in SIDs.keys(): - SIDs[sid] = 0 + SIDs[sid] = {} + SIDs[sid]["admin_count"] = 0 + SIDs[sid]["cache_count"] = self.GetSecretCacheCount(self.GetSecretBySid(sid)) - SIDs[sid] += 1 + SIDs[sid]["admin_count"] += 1 return SIDs + + def GetSecretCacheCount(self, secret): + count = 0 + + for m in self.vertices: + if secret in m.GetCachedSecrets(): + count += 1 + + return count - def GetAllSecretStat(self): + def GetAllSecrets(self): secrets = {} for m in self.vertices: for secret in m.GetLocalAdminSecrets(): if secret not in secrets.keys(): - secrets[secret] = 0 - - secrets[secret] += 1 + secrets[secret] = {} + secrets[secret]["cache_count"] = GetSecretCacheCount(secret) return secrets - def SidToUsername(self, sid): + def GetUsernameBySid(self, sid): for m in self.vertices: username = m.GetUsernameBySid(sid) @@ -417,10 +435,61 @@ class PassTheHashMap(object): return None - def SecretToSids(self, secret): + def GetSidsBySecret(self, secret): SIDs = set() for m in self.vertices: SIDs.add(m.GetSidBySecret(secret)) - return SIDs \ No newline at end of file + return SIDs + + def GetAllDomainControllers(self): + DCs = set() + + for m in self.vertices: + if m.IsDomainController(): + DCs.add(m) + + def GetSidsByUsername(self, username): + doc = self.latest_system_info + + SIDs = set() + + for m in self.vertices: + sid = m.GetSidByUsername(username) + if sid: + SIDs.add(sid) + + return SIDs + + def GetVictimsBySid(self, sid): + machines = set() + + for m in self.vertices: + if sid in m.GetAdmins(): + machines.add(m) + + return machines + + def GetVictimsBySecret(self, secret): + machines = set() + + SIDs = self.GetSidsBySecret(secret) + + for m in self.vertices: + if len(SIDs & m.GetAdmins()) > 0: + machines.add(m) + + return machines + + def GetAttackersBySecret(self, secret): + machines = set() + + for m in self.vertices: + if secret in m.GetCachedSecrets(): + machines.add(m) + + return machines + + def GetAttackersByVictim(self, victim): + assert False, "TODO, get information from the graph" \ No newline at end of file From 18114ea7fe661626acbbce44c16a1925ff069ff5 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 6 Mar 2018 21:53:22 +0200 Subject: [PATCH 015/117] add draft for some tables --- monkey_island/cc/resources/pthmap.py | 99 +++++++++++++++++++++++----- 1 file changed, 84 insertions(+), 15 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index f1f1825c3..63967d91f 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -167,6 +167,16 @@ class Machine(object): def GetLocalAdmins(self): return set(self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).keys()) + + def GetLocalSids(self): + doc = self.latest_system_info + + SIDs = set() + + for user in doc["data"]["Win32_UserAccount"]: + SIDs.add(eval(user["SID"])) + + return SIDs def GetLocalAdminNames(self): return set(self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).values()) @@ -392,19 +402,22 @@ class PassTheHashMap(object): return None - def GetAllSids(self): - SIDs = {} + def GetAttackableMachineCountBySid(self, sid): + count = 0 for m in self.vertices: - for sid in m.GetLocalAdmins(): - if sid not in SIDs.keys(): - SIDs[sid] = {} - SIDs[sid]["admin_count"] = 0 - SIDs[sid]["cache_count"] = self.GetSecretCacheCount(self.GetSecretBySid(sid)) - - SIDs[sid]["admin_count"] += 1 + if sid in m.GetLocalAdmins(): + count += 1 + + return count + + def GetAttackableMachineCountByMachine(self, attacker): + count = 0 - return SIDs + for secret in attack.GetCachedSecrets(): + count += len(m.GetVictimsBySecret(secret)) + + return count def GetSecretCacheCount(self, secret): count = 0 @@ -415,14 +428,22 @@ class PassTheHashMap(object): return count + def GetAllSids(self): + SIDs = set() + + for m in self.vertices: + SIDs |= m.GetLocalSids() + + return SIDs + def GetAllSecrets(self): - secrets = {} + secrets = set() for m in self.vertices: for secret in m.GetLocalAdminSecrets(): - if secret not in secrets.keys(): - secrets[secret] = {} - secrets[secret]["cache_count"] = GetSecretCacheCount(secret) + secret.add(secret) + #secrets[secret]["cache_count"] = self.GetSecretCacheCount(secret) + #secrets[secret]["sid_count"] = len(self.GetSidsBySecret(secret)) return secrets @@ -492,4 +513,52 @@ class PassTheHashMap(object): return machines def GetAttackersByVictim(self, victim): - assert False, "TODO, get information from the graph" \ No newline at end of file + assert False, "TODO, get information from the graph" + +def main(): + pth = PassTheHashMap() + + print "

Pass The Hash Report

" + + print "

Duplicated Passwords

" + print "

How many users share each secret?

" + dups = dict(map(lambda x: (x, len(self.GetSidsBySecret(x))), pth.GetAllSecrets())) + + print """""" + print """SecretUser Count""" + for secret, count in sorted(dups.iteritems(), key=lambda (k,v): (v,k), reverse=True): + print """{secret}{count}""".format(secret=secret, count=count) + print """""" + + print "

Cached Passwords

" + print "

On how many machines each secret is cached?

" + cache_counts = dict(map(lambda x: (x, self.GetSecretCacheCount(x)), pth.GetAllSecrets())) + + print """""" + print """SecretMachine Count""" + for secret, count in sorted(cache_counts.iteritems(), key=lambda (k,v): (v,k), reverse=True): + print """{secret}{count}""".format(secret=secret, count=count) + print """""" + + print "

User's Creds

" + print "

To how many machines each user is able to connect with admin rights?

" + attackable_counts = dict(map(lambda x: (x, self.GetAttackableMachineCountBySid(x)), pth.GetAllSids())) + + print """""" + print """SIDUsernameMachine Count""" + for sid, count in sorted(attackable_counts.iteritems(), key=lambda (k,v): (v,k), reverse=True): + print """{sid}{username}{count}""".format(sid=sid, username=pth.GetUsernameBySid(sid), count=count) + print """""" + + print "

Machine's Creds

" + print "

To how many machines each machine is able to directly connect with admin rights?

" + attackable_counts = dict(map(lambda m: (m, pth.GetAttackableMachineCountByMachine(m)), pth.vertices)) + + print """""" + print """Attacker IpAttacker HostnameDomain NameVictim Machine Count""" + for m, count in sorted(attackable_counts.iteritems(), key=lambda (k,v): (v,k), reverse=True): + print """{ip}{hostname}{domain}{count}""".format(ip=m.GetIp(), hostname=n.GetHostName(), domain=m.GetDomainName(), count=count) + print """""" + +if __name__ == "__main__": + main() \ No newline at end of file From 86be96eb44dad77d352621a8d5c7a7477cbd3975 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 6 Mar 2018 21:55:56 +0200 Subject: [PATCH 016/117] Add dc table --- monkey_island/cc/resources/pthmap.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 63967d91f..68d2b102a 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -559,6 +559,16 @@ def main(): for m, count in sorted(attackable_counts.iteritems(), key=lambda (k,v): (v,k), reverse=True): print """{ip}{hostname}{domain}{count}""".format(ip=m.GetIp(), hostname=n.GetHostName(), domain=m.GetDomainName(), count=count) print """""" + + print "

Domain Controllers

" + print "

List of domain controllers (we count them as critical points, so they are listed here)

" + DCs = pth.GetAllDomainControllers() + + print """""" + print """DC IpDC HostnameDomain Name""" + for m in DCs: + print """{ip}{hostname}{domain}""".format(ip=m.GetIp(), hostname=n.GetHostName(), domain=m.GetDomainName()) + print """""" if __name__ == "__main__": main() \ No newline at end of file From 3f9204dd83c32379558d8f51ba5dee055a7594ca Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 6 Mar 2018 22:29:17 +0200 Subject: [PATCH 017/117] add a lot of information to report --- monkey_island/cc/resources/pthmap.py | 86 ++++++++++++++++++++++++++-- 1 file changed, 81 insertions(+), 5 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 68d2b102a..db3952e17 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -415,7 +415,7 @@ class PassTheHashMap(object): count = 0 for secret in attack.GetCachedSecrets(): - count += len(m.GetVictimsBySecret(secret)) + count += len(m.GetAttackableMachinesBySecret(secret)) return count @@ -427,6 +427,14 @@ class PassTheHashMap(object): count += 1 return count + + def GetAllUsernames(self): + names = set() + + for sid in self.GetAllSids(): + names.add(self.GetUsernameBySid(sid)) + + return names def GetAllSids(self): SIDs = set() @@ -483,7 +491,7 @@ class PassTheHashMap(object): return SIDs - def GetVictimsBySid(self, sid): + def GetAttackableMachinesBySid(self, sid): machines = set() for m in self.vertices: @@ -492,7 +500,7 @@ class PassTheHashMap(object): return machines - def GetVictimsBySecret(self, secret): + def GetAttackableMachinesBySecret(self, secret): machines = set() SIDs = self.GetSidsBySecret(secret) @@ -557,7 +565,7 @@ def main(): print """""" print """Attacker IpAttacker HostnameDomain NameVictim Machine Count""" for m, count in sorted(attackable_counts.iteritems(), key=lambda (k,v): (v,k), reverse=True): - print """{ip}{hostname}{domain}{count}""".format(ip=m.GetIp(), hostname=n.GetHostName(), domain=m.GetDomainName(), count=count) + print """{ip}{hostname}{domain}{count}""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), count=count) print """""" print "

Domain Controllers

" @@ -567,8 +575,76 @@ def main(): print """""" print """DC IpDC HostnameDomain Name""" for m in DCs: - print """{ip}{hostname}{domain}""".format(ip=m.GetIp(), hostname=n.GetHostName(), domain=m.GetDomainName()) + print """{ip}{hostname}{domain}""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName()) print """""" + + print "
" + + for m in pth.vertices: + print """

Machine '{ip}'

+

Hostname '{hostname}'

""".format{ip=m.GetIp(), hostname=m.GetHostName()} + + print """

Cached SIDs

""" + print """
    """ + for sid in m.GetCachedSids(): + print """
  • {username} ({sid})
  • """.format(username=m.GetUsernameBySid(sid), sid=sid) + print """
""" + + print """

Possible Attackers

""" + print """

TODO. see graph.

""" # pth.GetAttackersByVictim(m) + + print """

Admins

""" + print """
    """ + for sid in m.GetAdmins(): + print """
  • {username} ({sid})
  • """.format(username=m.GetUsernameBySid(sid), sid=sid) + print """
""" + print "
" + + for username in pth.GetAllUsernames(): + print """

User '{username}'

""".format(username=username) + + print """

Matching SIDs

""" + print """
    """ + for sid in pth.GetSidsByUsername(username) + print """
  • {username} ({sid})
  • """.format(username=m.GetUsernameBySid(sid), sid=sid) + print """
""" + + print "
" + + for sid in pth.GetAllSids(): + print """

SID '{sid}'

+

Username: '{username}'

+

Secret: '{secret}'

+ """.format(username=pth.GetUsernameBySid(sid), sid=sid, secret=pth.GetSecretBySid(sid)) + + print """

Attackable Machines

""" + print """
    """ + for m in pth.GetAttackableMachinesBySid(sid) + print """
  • {ip} ({hostname})
  • """.format(ip=m.GetIp(), hostname=m.GetHostName()) + print """
""" + + for secret in pth.GetAllSecrets(): + print """

Secret '{secret}'

""".format(secret=secret) + + print """

SIDs that use that secret

""" + print """
    """ + for sid in pth.GetSidsBySecret(secret): + print """
  • {username} ({sid})
  • """.format(username=m.GetUsernameBySid(sid), sid=sid) + print """
""" + + print """

Attackable Machines with that secret

""" + print """
    """ + for m in pth.GetAttackableMachinesBySecret(secret): + print """
  • {hostname}
  • """.format(ip=m.GetIp(), hostname=m.GetHostName()) + print """
""" + + print """

Machines that have this secret cached and can use it to attack other machines

""" + print """
    """ + for m in pth.GetAttackersBySecret(secret): + print """
  • {hostname}
  • """.format(ip=m.GetIp(), hostname=m.GetHostName()) + print """
""" + + if __name__ == "__main__": main() \ No newline at end of file From b56f05335ba4815e06a1b0cc87f0014a2db3e901 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 6 Mar 2018 23:36:04 -0800 Subject: [PATCH 018/117] fix todo --- monkey_island/cc/resources/pthmap.py | 29 ++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index db3952e17..c4a770f51 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -1,9 +1,9 @@ -import flask_restful - -from cc.auth import jwt_required -from cc.services.edge import EdgeService -from cc.services.node import NodeService -from cc.database import mongo +#import flask_restful +# +#from cc.auth import jwt_required +#from cc.services.edge import EdgeService +#from cc.services.node import NodeService +#from cc.database import mongo import hashlib import binascii @@ -521,7 +521,13 @@ class PassTheHashMap(object): return machines def GetAttackersByVictim(self, victim): - assert False, "TODO, get information from the graph" + attackers = set() + + for atck, vic in self.edge: + if vic == victim: + attackers.add(atck) + + return attackers def main(): pth = PassTheHashMap() @@ -585,15 +591,22 @@ def main():

Hostname '{hostname}'

""".format{ip=m.GetIp(), hostname=m.GetHostName()} print """

Cached SIDs

""" + print """

SIDs cached on this machine

""" print """
    """ for sid in m.GetCachedSids(): print """
  • {username} ({sid})
  • """.format(username=m.GetUsernameBySid(sid), sid=sid) print """
""" print """

Possible Attackers

""" - print """

TODO. see graph.

""" # pth.GetAttackersByVictim(m) + print """

Machines that can attack this machine

""" + print """
    """ + for attacker in pth.GetAttackersByVictim(m): + print """
  • {ip} ({hostname})
  • """.format(ip=attacker.GetIp(), hostname=attacker.GetHostName()) + print """
""" + print """

Admins

""" + print """

Users that have admin rights on this machine

""" print """
    """ for sid in m.GetAdmins(): print """
  • {username} ({sid})
  • """.format(username=m.GetUsernameBySid(sid), sid=sid) From 9be9c48253cf7d6a9a44dc9087295efe805d456e Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 6 Mar 2018 23:56:32 -0800 Subject: [PATCH 019/117] analsis runs --- monkey_island/cc/resources/pthmap.py | 87 +++++++++++++++------------- 1 file changed, 47 insertions(+), 40 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index c4a770f51..222762e47 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -9,8 +9,12 @@ import hashlib import binascii from pymongo import MongoClient -class PthMap(flask_restful.Resource): - @jwt_required() +class mongo(object): + db = MongoClient().monkeyisland + +#class PthMap(flask_restful.Resource): +class PthMap(object): +# @jwt_required() def get(self, **kw): graph = PassTheHashMap() @@ -310,6 +314,7 @@ class PassTheHashMap(object): def __init__(self): self.vertices = self.GetAllMachines() self.edges = set() + self.machines = map(Machine, self.vertices) self.GenerateEdgesBySid() # Useful for non-cached domain users self.GenerateEdgesBySamHash() # This will add edges based only on password hash without caring about username @@ -395,34 +400,29 @@ class PassTheHashMap(object): print map(lambda x: (Machine(x[0]).GetIp(), Machine(x[1]).GetIp()), self.edges) def GetSecretBySid(self, sid): - for m in self.vertices: - for user, user_secret in m.GetLocalSecrets(): + for m in self.machines: + for user, user_secret in m.GetLocalSecrets().iteritems(): if m.GetSidByUsername(user) == sid: return user_secret return None - def GetAttackableMachineCountBySid(self, sid): + def GetVictimCountBySid(self, sid): count = 0 - for m in self.vertices: + for m in self.machines: if sid in m.GetLocalAdmins(): count += 1 return count - def GetAttackableMachineCountByMachine(self, attacker): - count = 0 - - for secret in attack.GetCachedSecrets(): - count += len(m.GetAttackableMachinesBySecret(secret)) - - return count + def GetVictimCountByMachine(self, attacker): + return len(self.GetVictimsByAttacker(attacker)) def GetSecretCacheCount(self, secret): count = 0 - for m in self.vertices: + for m in self.machines: if secret in m.GetCachedSecrets(): count += 1 @@ -439,7 +439,7 @@ class PassTheHashMap(object): def GetAllSids(self): SIDs = set() - for m in self.vertices: + for m in self.machines: SIDs |= m.GetLocalSids() return SIDs @@ -447,16 +447,14 @@ class PassTheHashMap(object): def GetAllSecrets(self): secrets = set() - for m in self.vertices: + for m in self.machines: for secret in m.GetLocalAdminSecrets(): - secret.add(secret) - #secrets[secret]["cache_count"] = self.GetSecretCacheCount(secret) - #secrets[secret]["sid_count"] = len(self.GetSidsBySecret(secret)) + secrets.add(secret) return secrets def GetUsernameBySid(self, sid): - for m in self.vertices: + for m in self.machines: username = m.GetUsernameBySid(sid) if username: @@ -467,7 +465,7 @@ class PassTheHashMap(object): def GetSidsBySecret(self, secret): SIDs = set() - for m in self.vertices: + for m in self.machines: SIDs.add(m.GetSidBySecret(secret)) return SIDs @@ -475,37 +473,37 @@ class PassTheHashMap(object): def GetAllDomainControllers(self): DCs = set() - for m in self.vertices: + for m in self.machines: if m.IsDomainController(): DCs.add(m) + + return DCs def GetSidsByUsername(self, username): - doc = self.latest_system_info - SIDs = set() - for m in self.vertices: + for m in self.machines: sid = m.GetSidByUsername(username) if sid: SIDs.add(sid) return SIDs - def GetAttackableMachinesBySid(self, sid): + def GetVictimsBySid(self, sid): machines = set() - for m in self.vertices: + for m in self.machines: if sid in m.GetAdmins(): machines.add(m) return machines - def GetAttackableMachinesBySecret(self, secret): + def GetVictimsBySecret(self, secret): machines = set() SIDs = self.GetSidsBySecret(secret) - for m in self.vertices: + for m in self.machines: if len(SIDs & m.GetAdmins()) > 0: machines.add(m) @@ -514,7 +512,7 @@ class PassTheHashMap(object): def GetAttackersBySecret(self, secret): machines = set() - for m in self.vertices: + for m in self.machines: if secret in m.GetCachedSecrets(): machines.add(m) @@ -523,12 +521,21 @@ class PassTheHashMap(object): def GetAttackersByVictim(self, victim): attackers = set() - for atck, vic in self.edge: + for atck, vic, _ in self.edges: if vic == victim: attackers.add(atck) return attackers + def GetVictimsByAttacker(self, attacker): + victims = set() + + for atck, vic, _ in self.edges: + if atck == attacker: + victims.add(vic) + + return victims + def main(): pth = PassTheHashMap() @@ -536,7 +543,7 @@ def main(): print "

    Duplicated Passwords

    " print "

    How many users share each secret?

    " - dups = dict(map(lambda x: (x, len(self.GetSidsBySecret(x))), pth.GetAllSecrets())) + dups = dict(map(lambda x: (x, len(pth.GetSidsBySecret(x))), pth.GetAllSecrets())) print """""" print """SecretUser Count""" @@ -546,7 +553,7 @@ def main(): print "

    Cached Passwords

    " print "

    On how many machines each secret is cached?

    " - cache_counts = dict(map(lambda x: (x, self.GetSecretCacheCount(x)), pth.GetAllSecrets())) + cache_counts = dict(map(lambda x: (x, pth.GetSecretCacheCount(x)), pth.GetAllSecrets())) print """""" print """SecretMachine Count""" @@ -556,7 +563,7 @@ def main(): print "

    User's Creds

    " print "

    To how many machines each user is able to connect with admin rights?

    " - attackable_counts = dict(map(lambda x: (x, self.GetAttackableMachineCountBySid(x)), pth.GetAllSids())) + attackable_counts = dict(map(lambda x: (x, pth.GetVictimCountBySid(x)), pth.GetAllSids())) print """""" print """SIDUsernameMachine Count""" @@ -566,7 +573,7 @@ def main(): print "

    Machine's Creds

    " print "

    To how many machines each machine is able to directly connect with admin rights?

    " - attackable_counts = dict(map(lambda m: (m, pth.GetAttackableMachineCountByMachine(m)), pth.vertices)) + attackable_counts = dict(map(lambda m: (m, pth.GetVictimCountByMachine(m)), pth.machines)) print """""" print """Attacker IpAttacker HostnameDomain NameVictim Machine Count""" @@ -586,9 +593,9 @@ def main(): print "
    " - for m in pth.vertices: + for m in pth.machines: print """

    Machine '{ip}'

    -

    Hostname '{hostname}'

    """.format{ip=m.GetIp(), hostname=m.GetHostName()} +

    Hostname '{hostname}'

    """.format(ip=m.GetIp(), hostname=m.GetHostName()) print """

    Cached SIDs

    """ print """

    SIDs cached on this machine

    """ @@ -619,7 +626,7 @@ def main(): print """

    Matching SIDs

    """ print """
      """ - for sid in pth.GetSidsByUsername(username) + for sid in pth.GetSidsByUsername(username): print """
    • {username} ({sid})
    • """.format(username=m.GetUsernameBySid(sid), sid=sid) print """
    """ @@ -633,7 +640,7 @@ def main(): print """

    Attackable Machines

    """ print """
      """ - for m in pth.GetAttackableMachinesBySid(sid) + for m in pth.GetVictimsBySid(sid): print """
    • {ip} ({hostname})
    • """.format(ip=m.GetIp(), hostname=m.GetHostName()) print """
    """ @@ -648,7 +655,7 @@ def main(): print """

    Attackable Machines with that secret

    """ print """
      """ - for m in pth.GetAttackableMachinesBySecret(secret): + for m in pth.GetVictimsBySecret(secret): print """
    • {hostname}
    • """.format(ip=m.GetIp(), hostname=m.GetHostName()) print """
    """ From 3291e4f0bc5e71e25db57e8ecee94a90e887e7b7 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Wed, 7 Mar 2018 00:01:43 -0800 Subject: [PATCH 020/117] fix html tableS --- monkey_island/cc/resources/pthmap.py | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 222762e47..3e3b78549 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -545,51 +545,51 @@ def main(): print "

    How many users share each secret?

    " dups = dict(map(lambda x: (x, len(pth.GetSidsBySecret(x))), pth.GetAllSecrets())) - print """""" + print """""" print """""" for secret, count in sorted(dups.iteritems(), key=lambda (k,v): (v,k), reverse=True): - print """""".format(secret=secret, count=count) - print """""" + print """""".format(secret=secret, count=count) + print """
    SecretUser Count
    {secret}{count}
    {secret}{count}
    """ print "

    Cached Passwords

    " print "

    On how many machines each secret is cached?

    " cache_counts = dict(map(lambda x: (x, pth.GetSecretCacheCount(x)), pth.GetAllSecrets())) - print """""" + print """""" print """""" for secret, count in sorted(cache_counts.iteritems(), key=lambda (k,v): (v,k), reverse=True): - print """""".format(secret=secret, count=count) - print """""" + print """""".format(secret=secret, count=count) + print """
    SecretMachine Count
    {secret}{count}
    {secret}{count}
    """ print "

    User's Creds

    " print "

    To how many machines each user is able to connect with admin rights?

    " attackable_counts = dict(map(lambda x: (x, pth.GetVictimCountBySid(x)), pth.GetAllSids())) - print """""" + print """""" print """""" for sid, count in sorted(attackable_counts.iteritems(), key=lambda (k,v): (v,k), reverse=True): - print """""".format(sid=sid, username=pth.GetUsernameBySid(sid), count=count) - print """""" + print """""".format(sid=sid, username=pth.GetUsernameBySid(sid), count=count) + print """
    SIDUsernameMachine Count
    {sid}{username}{count}
    {sid}{username}{count}
    """ print "

    Machine's Creds

    " print "

    To how many machines each machine is able to directly connect with admin rights?

    " attackable_counts = dict(map(lambda m: (m, pth.GetVictimCountByMachine(m)), pth.machines)) - print """""" + print """""" print """""" for m, count in sorted(attackable_counts.iteritems(), key=lambda (k,v): (v,k), reverse=True): - print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), count=count) - print """""" + print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), count=count) + print """
    Attacker IpAttacker HostnameDomain NameVictim Machine Count
    {ip}{hostname}{domain}{count}
    {ip}{hostname}{domain}{count}
    """ print "

    Domain Controllers

    " print "

    List of domain controllers (we count them as critical points, so they are listed here)

    " DCs = pth.GetAllDomainControllers() - print """""" + print """""" print """""" for m in DCs: print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName()) - print """""" + print """
    DC IpDC HostnameDomain Name
    {ip}{hostname}{domain}
    """ print "
    " From 458cc20cebae8ebe7d614993d3e579e4164ffe4b Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Wed, 7 Mar 2018 00:03:55 -0800 Subject: [PATCH 021/117] small fixes --- monkey_island/cc/resources/pthmap.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 3e3b78549..3ad75d366 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -466,7 +466,10 @@ class PassTheHashMap(object): SIDs = set() for m in self.machines: - SIDs.add(m.GetSidBySecret(secret)) + sid = m.GetSidBySecret(secret) + + if sid: + SIDs.add(sid) return SIDs @@ -650,7 +653,7 @@ def main(): print """

    SIDs that use that secret

    """ print """
      """ for sid in pth.GetSidsBySecret(secret): - print """
    • {username} ({sid})
    • """.format(username=m.GetUsernameBySid(sid), sid=sid) + print """
    • {username} ({sid})
    • """.format(username=pth.GetUsernameBySid(sid), sid=sid) print """
    """ print """

    Attackable Machines with that secret

    """ From 1ee53972a8dfa70410d5537f2405a271ac1eef18 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Wed, 7 Mar 2018 06:47:29 -0800 Subject: [PATCH 022/117] small fixeS --- monkey_island/cc/resources/pthmap.py | 52 ++++++++++++++++++++++------ 1 file changed, 41 insertions(+), 11 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 3ad75d366..65a3c86a5 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -408,13 +408,7 @@ class PassTheHashMap(object): return None def GetVictimCountBySid(self, sid): - count = 0 - - for m in self.machines: - if sid in m.GetLocalAdmins(): - count += 1 - - return count + return len(self.GetVictimsBySid(sid)) def GetVictimCountByMachine(self, attacker): return len(self.GetVictimsByAttacker(attacker)) @@ -538,6 +532,32 @@ class PassTheHashMap(object): victims.add(vic) return victims + + def GetInPathCountByVictim(self, victim, already_processed=None): + if type(victim) != unicode: + victim = victim.monkey_guid + + if not already_processed: + already_processed = set([victim]) + + count = 0 + + for atck, vic, _ in self.edges: + if atck == vic: + continue + + if vic != victim: + continue + + if atck in already_processed: + continue + + count += 1 + + already_processed.add(atck) + count += self.GetInPathCountByVictim(atck, already_processed) + + return count def main(): pth = PassTheHashMap() @@ -586,12 +606,22 @@ def main(): print "

    Domain Controllers

    " print "

    List of domain controllers (we count them as critical points, so they are listed here)

    " - DCs = pth.GetAllDomainControllers() + DCs = dict(map(lambda m: (m, pth.GetInPathCountByVictim(m)), pth.GetAllDomainControllers())) print """""" - print """""" - for m in DCs: - print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName()) + print """""" + for m, path_count in sorted(DCs.iteritems(), key=lambda (k,v): (v,k), reverse=True): + print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), path_count=path_count) + print """
    DC IpDC HostnameDomain Name
    {ip}{hostname}{domain}
    DC IpDC HostnameDomain NameIn-Path Count
    {ip}{hostname}{domain}{path_count}
    """ + + print "

    Most Vulnerable Machines

    " + print "

    List all machines in the network sorted by the potincial to attack them

    " + all_machines = dict(map(lambda m: (m, pth.GetInPathCountByVictim(m)), pth.machines)) + + print """""" + print """""" + for m, path_count in sorted(all_machines.iteritems(), key=lambda (k,v): (v,k), reverse=True): + print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), path_count=path_count) print """
    IpHostnameDomain NameIn-Path Count
    {ip}{hostname}{domain}{path_count}
    """ print "
    " From e0b64ee63be88d51b8218b80cdcd807932a8f4fa Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Wed, 7 Mar 2018 06:48:03 -0800 Subject: [PATCH 023/117] cosmetics --- monkey_island/cc/resources/pthmap.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 65a3c86a5..7b513efa2 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -591,7 +591,7 @@ def main(): print """""" print """""" for sid, count in sorted(attackable_counts.iteritems(), key=lambda (k,v): (v,k), reverse=True): - print """""".format(sid=sid, username=pth.GetUsernameBySid(sid), count=count) + print """""".format(sid=sid, username=pth.GetUsernameBySid(sid), count=count) print """
    SIDUsernameMachine Count
    {sid}{username}{count}
    {sid}{username}{count}
    """ print "

    Machine's Creds

    " @@ -667,8 +667,8 @@ def main(): for sid in pth.GetAllSids(): print """

    SID '{sid}'

    -

    Username: '{username}'

    -

    Secret: '{secret}'

    +

    Username: '{username}'

    +

    Secret: '{secret}'

    """.format(username=pth.GetUsernameBySid(sid), sid=sid, secret=pth.GetSecretBySid(sid)) print """

    Attackable Machines

    """ From ce1c8a54f828e664dabd3949d9bf8ce0d2032ca5 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Wed, 7 Mar 2018 07:45:48 -0800 Subject: [PATCH 024/117] show only real attacks in the graph --- monkey_island/cc/resources/pthmap.py | 73 +++++++++++++--------------- 1 file changed, 35 insertions(+), 38 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 7b513efa2..46e49ad6d 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -116,18 +116,20 @@ class Machine(object): return None - def GetUsernameBySecret(self, secret): + def GetUsernamesBySecret(self, secret): sam = self.GetLocalSecrets() - for user, user_secret in sam.iteritems(): + names = set() + + for username, user_secret in sam.iteritems(): if secret == user_secret: - return user + names.add(username) - return None + return names - def GetSidBySecret(self, secret): - username = self.GetUsernameBySecret(secret) - return self.GetSidByUsername(username) + def GetSidsBySecret(self, secret): + usernames = self.GetUsernamesBySecret(secret) + return set(map(self.GetSidByUsername, usernames)) def GetGroupSidByGroupName(self, group_name): doc = self.latest_system_info @@ -234,25 +236,31 @@ class Machine(object): secrets.update(ntds) return secrets - + def GetLocalAdminSecrets(self): + return set(self.GetLocalAdminCreds().values()) + + def GetLocalAdminCreds(self): admin_names = self.GetLocalAdminNames() sam = self.GetLocalSecrets() - admin_secrets = set() + admin_creds = dict() - for user, secret in sam.iteritems(): - if user not in admin_names: + for username, secret in sam.iteritems(): + if username not in admin_names: continue - admin_secrets.add(secret) + admin_creds[username] = secret - return admin_secrets + return admin_creds def GetCachedSecrets(self): + return set(self.GetCachedCreds().values()) + + def GetCachedCreds(self): doc = self.latest_system_info - secrets = set() + creds = dict() for username in doc["data"]["credentials"]: user = doc["data"]["credentials"][username] @@ -265,9 +273,10 @@ class Machine(object): continue secret = hashlib.md5(ntlm.decode("hex")).hexdigest() - secrets.add(secret) + + creds[username] = secret - return secrets + return creds def GetDomainControllers(self): domain_name = self.GetDomainName() @@ -347,10 +356,7 @@ class PassTheHashMap(object): label = set() for secret in secret_list: - username = Machine(victim).GetUsernameBySecret(secret) - - if username: - label.add(username) + label |= Machine(victim).GetUsernamesBySecret(secret) return ",\n".join(label) @@ -370,16 +376,16 @@ class PassTheHashMap(object): def GenerateEdgesBySamHash(self): for attacker in self.vertices: - cached = Machine(attacker).GetCachedSecrets() + cached_creds = set(Machine(attacker).GetCachedCreds().items()) for victim in self.vertices: if attacker == victim: continue - admins = Machine(victim).GetLocalAdminSecrets() + admin_creds = set(Machine(victim).GetLocalAdminCreds().items()) - if len(cached & admins) > 0: - label = self.ReprSecretList(cached & admins, victim) + if len(cached_creds & admin_creds) > 0: + label = self.ReprSecretList(set(dict(cached_creds & admin_creds).values()), victim) self.edges.add((attacker, victim, label)) def GenerateEdgesByUsername(self): @@ -413,14 +419,8 @@ class PassTheHashMap(object): def GetVictimCountByMachine(self, attacker): return len(self.GetVictimsByAttacker(attacker)) - def GetSecretCacheCount(self, secret): - count = 0 - - for m in self.machines: - if secret in m.GetCachedSecrets(): - count += 1 - - return count + def GetAttackCountBySecret(self, secret): + return len(self.GetAttackersBySecret(secret)) def GetAllUsernames(self): names = set() @@ -460,10 +460,7 @@ class PassTheHashMap(object): SIDs = set() for m in self.machines: - sid = m.GetSidBySecret(secret) - - if sid: - SIDs.add(sid) + SIDs |= m.GetSidsBySecret(secret) return SIDs @@ -575,8 +572,8 @@ def main(): print """""" print "

    Cached Passwords

    " - print "

    On how many machines each secret is cached?

    " - cache_counts = dict(map(lambda x: (x, pth.GetSecretCacheCount(x)), pth.GetAllSecrets())) + print "

    On how many machines each secret is cached (possible attacker count)?

    " + cache_counts = dict(map(lambda x: (x, pth.GetAttackCountBySecret(x)), pth.GetAllSecrets())) print """""" print """""" From 8807e68177b8f59d31dc52074d93bc311859efde Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Sat, 10 Mar 2018 23:18:53 -0800 Subject: [PATCH 025/117] add posssible attacks per sid --- monkey_island/cc/resources/pthmap.py | 36 +++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 46e49ad6d..6caad92fc 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -405,6 +405,30 @@ class PassTheHashMap(object): print map(lambda x: Machine(x).GetIp(), self.vertices) print map(lambda x: (Machine(x[0]).GetIp(), Machine(x[1]).GetIp()), self.edges) + def GetPossibleAttackCountBySid(self, sid): + return len(self.GetPossibleAttacksBySid(sid)) + + def GetPossibleAttacksBySid(self, sid): + attacks = set() + + for attacker in self.vertices: + cached_creds = set(Machine(attacker).GetCachedCreds().items()) + + for victim in self.vertices: + if attacker == victim: + continue + + admin_creds = set(Machine(victim).GetLocalAdminCreds().items()) + + if len(cached_creds & admin_creds) > 0: + curr_attacks = dict(cached_creds & admin_creds) + + for username, secret in curr_attacks.iteritems(): + if Machine(victim).GetSidByUsername(username) == sid: + attacks.add((attacker, victim)) + + return attacks + def GetSecretBySid(self, sid): for m in self.machines: for user, user_secret in m.GetLocalSecrets().iteritems(): @@ -582,7 +606,7 @@ def main(): print """
    SecretMachine Count
    """ print "

    User's Creds

    " - print "

    To how many machines each user is able to connect with admin rights?

    " + print "

    To how many machines each user is able to connect with admin rights

    " attackable_counts = dict(map(lambda x: (x, pth.GetVictimCountBySid(x)), pth.GetAllSids())) print """""" @@ -591,6 +615,16 @@ def main(): print """""".format(sid=sid, username=pth.GetUsernameBySid(sid), count=count) print """
    {sid}{username}{count}
    """ + print "

    Actual Possible Attacks By SID

    " + print "

    How many attacks possible using each SID (aka len(attacker->victim pairs))

    " + possible_attacks_by_sid = dict(map(lambda x: (x, pth.GetPossibleAttackCountBySid(x)), pth.GetAllSids())) + + print """""" + print """""" + for sid, count in sorted(possible_attacks_by_sid.iteritems(), key=lambda (k,v): (v,k), reverse=True): + print """""".format(sid=sid, username=pth.GetUsernameBySid(sid), count=count) + print """
    SIDUsernameMachine Count
    {sid}{username}{count}
    """ + print "

    Machine's Creds

    " print "

    To how many machines each machine is able to directly connect with admin rights?

    " attackable_counts = dict(map(lambda m: (m, pth.GetVictimCountByMachine(m)), pth.machines)) From 96c9681bf1bd036df54038dbd90cbf3fa59abd90 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Sat, 10 Mar 2018 23:58:51 -0800 Subject: [PATCH 026/117] eliminate some 'None'-s from the report --- monkey_island/cc/resources/pthmap.py | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 6caad92fc..4f2831d8e 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -95,6 +95,13 @@ class Machine(object): continue return eval(user["SID"]) + + if not self.IsDomainController(): + for dc in self.GetDomainControllers(): + sid = dc.GetSidByUsername(username) + + if sid != None: + return sid return None @@ -305,7 +312,12 @@ class Machine(object): SIDs = set() for username in doc["data"]["credentials"]: - SIDs.add(self.GetSidByUsername(username)) + sid = self.GetSidByUsername(username) + + if not sid: + sid = "__USERNAME__" + username + + SIDs.add(sid) return SIDs @@ -665,7 +677,12 @@ def main(): print """

    SIDs cached on this machine

    """ print """
      """ for sid in m.GetCachedSids(): - print """
    • {username} ({sid})
    • """.format(username=m.GetUsernameBySid(sid), sid=sid) + if sid.startswith("__USERNAME__"): + sids = pth.GetSidsByUsername(sid[len("__USERNAME__"):]) + if len(sids) == 1: + sid = sids.pop() + + print """
    • {username} ({sid})
    • """.format(username=pth.GetUsernameBySid(sid), sid=sid) print """
    """ print """

    Possible Attackers

    """ @@ -691,7 +708,7 @@ def main(): print """

    Matching SIDs

    """ print """
      """ for sid in pth.GetSidsByUsername(username): - print """
    • {username} ({sid})
    • """.format(username=m.GetUsernameBySid(sid), sid=sid) + print """
    • {username} ({sid})
    • """.format(username=pth.GetUsernameBySid(sid), sid=sid) print """
    """ print "
    " From 38c499f6b19069d0c5a99396b5fa32eeb709fd78 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Sun, 1 Apr 2018 05:24:40 -0700 Subject: [PATCH 027/117] able to run island server --- monkey_island/cc/resources/pthmap.py | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 4f2831d8e..2b8890193 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -1,10 +1,3 @@ -#import flask_restful -# -#from cc.auth import jwt_required -#from cc.services.edge import EdgeService -#from cc.services.node import NodeService -#from cc.database import mongo - import hashlib import binascii from pymongo import MongoClient @@ -14,7 +7,7 @@ class mongo(object): #class PthMap(flask_restful.Resource): class PthMap(object): -# @jwt_required() + #@jwt_required() def get(self, **kw): graph = PassTheHashMap() @@ -24,6 +17,21 @@ class PthMap(object): "edges": [{"id": str(s) + str(t), "from": s, "to": t, "label": label} for s, t, label in graph.edges] } +if not __name__ == "__main__": + import flask_restful + + from cc.auth import jwt_required + from cc.services.edge import EdgeService + from cc.services.node import NodeService + from cc.database import mongo + + PthMapOrig = PthMap + + class PthMap(flask_restful.Resource): + @jwt_required() + def get(self, **kw): + return PthMapOrig.get(self, **kw) + DsRole_RoleStandaloneWorkstation = 0 DsRole_RoleMemberWorkstation = 1 DsRole_RoleStandaloneServer = 2 From 84998849956e1dff9e49660e14ede92348f60627 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Sun, 1 Apr 2018 08:11:22 -0700 Subject: [PATCH 028/117] fix registry enum bug --- infection_monkey/system_info/windows_info_collector.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index 9b5e12d7f..cf821fa45 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -131,7 +131,7 @@ class WindowsInfoCollector(InfoCollector): key = _winreg.ConnectRegistry(None, store) subkey = _winreg.OpenKey(key, subkey_path) - d = dict([_winreg.EnumValue(subkey, i)[:2] for i in xrange(_winreg.QueryInfoKey(subkey)[0])]) + d = dict([_winreg.EnumValue(subkey, i)[:2] for i in xrange(_winreg.QueryInfoKey(subkey)[1])]) d = fix_obj_for_mongo(d) self.info[subkey_path] = d From fc850726decea40416d4aef96386c88c18b6e044 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Mon, 2 Apr 2018 01:41:06 -0700 Subject: [PATCH 029/117] fix utf8 bug --- infection_monkey/config.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infection_monkey/config.py b/infection_monkey/config.py index e62820816..6e41938fe 100644 --- a/infection_monkey/config.py +++ b/infection_monkey/config.py @@ -23,7 +23,7 @@ def _cast_by_example(value, example): """ example_type = type(example) if example_type is str: - return str(os.path.expandvars(value)) + return os.path.expandvars(value).encode("utf8") elif example_type is tuple and len(example) != 0: if value is None or value == tuple(None): return tuple() From 990e68fc4dd0c926a96ce31d680d9511c3f7168b Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 3 Apr 2018 10:47:10 +0300 Subject: [PATCH 030/117] Add cache to boost performance and a few more fixes --- monkey_island/cc/resources/pthmap.py | 228 ++++++++++++++++++++++----- 1 file changed, 185 insertions(+), 43 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 2b8890193..b652c86df 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -43,6 +43,57 @@ def myntlm(x): hash = hashlib.new('md4', x.encode('utf-16le')).digest() return str(binascii.hexlify(hash)) +def cache(foo): + def hash(o): + if type(o) in (int, float, str, unicode): + return o + + elif type(o) in (list, tuple): + hashed = tuple([hash(x) for x in o]) + + if "NotHashable" in hashed: + return "NotHashable" + + return hashed + + elif type(o) == dict: + hashed_keys = tuple([hash(k) for k, v in o.iteritems()]) + hashed_vals = tuple([hash(v) for k, v in o.iteritems()]) + + if "NotHashable" in hashed_keys or "NotHashable" in hashed_vals: + return "NotHashable" + + return tuple(zip(hashed_keys, hashed_vals)) + + elif type(o) == Machine: + return o.monkey_guid + + elif type(o) == PthMap: + return "PthMapSingleton" + + elif type(o) == PassTheHashMap: + return "PassTheHashMapSingleton" + + else: + return "NotHashable" + + def wrapper(*args, **kwargs): + hashed = (hash(args), hash(kwargs)) + + if "NotHashable" in hashed: + print foo + return foo(*args, **kwargs) + + if not hasattr(foo, "_mycache_"): + foo._mycache_ = dict() + + if hashed not in foo._mycache_.keys(): + foo._mycache_[hashed] = foo(*args, **kwargs) + + return foo._mycache_[hashed] + + return wrapper + class Machine(object): def __init__(self, monkey_guid): self.monkey_guid = str(monkey_guid) @@ -52,6 +103,7 @@ class Machine(object): if self.latest_system_info.count() > 0: self.latest_system_info = self.latest_system_info[0] + @cache def GetMimikatzOutput(self): doc = self.latest_system_info @@ -60,6 +112,7 @@ class Machine(object): return doc["data"]["mimikatz"] + @cache def GetHostName(self): doc = self.latest_system_info @@ -68,6 +121,7 @@ class Machine(object): return None + @cache def GetIp(self): doc = self.latest_system_info @@ -76,6 +130,7 @@ class Machine(object): return None + @cache def GetDomainName(self): doc = self.latest_system_info @@ -83,7 +138,8 @@ class Machine(object): return eval(comp["Domain"]) return None - + + @cache def GetDomainRole(self): doc = self.latest_system_info @@ -92,9 +148,11 @@ class Machine(object): return None + @cache def IsDomainController(self): return self.GetDomainRole() in (DsRole_RolePrimaryDomainController, DsRole_RoleBackupDomainController) + @cache def GetSidByUsername(self, username): doc = self.latest_system_info @@ -113,6 +171,7 @@ class Machine(object): return None + @cache def GetUsernameBySid(self, sid): doc = self.latest_system_info @@ -130,7 +189,8 @@ class Machine(object): return username return None - + + @cache def GetUsernamesBySecret(self, secret): sam = self.GetLocalSecrets() @@ -142,10 +202,12 @@ class Machine(object): return names + @cache def GetSidsBySecret(self, secret): usernames = self.GetUsernamesBySecret(secret) return set(map(self.GetSidByUsername, usernames)) + @cache def GetGroupSidByGroupName(self, group_name): doc = self.latest_system_info @@ -157,6 +219,7 @@ class Machine(object): return None + @cache def GetUsersByGroupSid(self, sid): doc = self.latest_system_info @@ -173,6 +236,7 @@ class Machine(object): return users + @cache def GetDomainControllersMonkeyGuidByDomainName(self, domain_name): cur = mongo.db.telemetry.find({"telem_type":"system_info_collection", "data.Win32_ComputerSystem.Domain":"u'%s'" % (domain_name,)}) @@ -186,9 +250,11 @@ class Machine(object): return GUIDs + @cache def GetLocalAdmins(self): return set(self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).keys()) + @cache def GetLocalSids(self): doc = self.latest_system_info @@ -199,9 +265,11 @@ class Machine(object): return SIDs + @cache def GetLocalAdminNames(self): return set(self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).values()) - + + @cache def GetSam(self): if not self.GetMimikatzOutput(): return {} @@ -211,16 +279,26 @@ class Machine(object): if mimikatz.count("\n42.") != 2: return {} - sam_users = mimikatz.split("\n42.")[1].split("\nSAMKey :")[1].split("\n\n")[1:] + try: + sam_users = mimikatz.split("\n42.")[1].split("\nSAMKey :")[1].split("\n\n")[1:] - sam = {} - - for sam_user_txt in sam_users: - sam_user = dict([map(unicode.strip, line.split(":")) for line in filter(lambda l: l.count(":") == 1, sam_user_txt.splitlines())]) - sam[sam_user["User"]] = sam_user["NTLM"].replace("[hashed secret]", "").strip() - - return sam - + sam = {} + + for sam_user_txt in sam_users: + sam_user = dict([map(unicode.strip, line.split(":")) for line in filter(lambda l: l.count(":") == 1, sam_user_txt.splitlines())]) + + ntlm = sam_user["NTLM"] + if "[hashed secret]" not in ntlm: + continue + + sam[sam_user["User"]] = ntlm.replace("[hashed secret]", "").strip() + + return sam + + except: + return {} + + @cache def GetNtds(self): if not self.GetMimikatzOutput(): return {} @@ -243,6 +321,7 @@ class Machine(object): return ntds + @cache def GetLocalSecrets(self): sam = self.GetSam() ntds = self.GetNtds() @@ -251,10 +330,12 @@ class Machine(object): secrets.update(ntds) return secrets - + + @cache def GetLocalAdminSecrets(self): return set(self.GetLocalAdminCreds().values()) + @cache def GetLocalAdminCreds(self): admin_names = self.GetLocalAdminNames() sam = self.GetLocalSecrets() @@ -269,35 +350,44 @@ class Machine(object): return admin_creds + @cache def GetCachedSecrets(self): return set(self.GetCachedCreds().values()) + @cache def GetCachedCreds(self): doc = self.latest_system_info creds = dict() - for username in doc["data"]["credentials"]: - user = doc["data"]["credentials"][username] - - if "password" in user.keys(): - ntlm = myntlm(str(user["password"])) - elif "ntlm_hash" in user.keys(): - ntlm = str(user["ntlm_hash"]) - else: - continue + if not self.GetMimikatzOutput(): + return {} + + mimikatz = self.GetMimikatzOutput() + + for user in mimikatz.split("\n42.")[0].split("Authentication Id")[1:]: + username = None + secret = None - secret = hashlib.md5(ntlm.decode("hex")).hexdigest() - - creds[username] = secret + for line in user.splitlines(): + if "User Name" in line: + username = line.split(":")[1].strip() + + if ("NTLM" in line or "Password" in line) and "[hashed secret]" in line: + secret = line.split(":")[1].replace("[hashed secret]", "").strip() + + if username and secret: + creds[username] = secret return creds + @cache def GetDomainControllers(self): domain_name = self.GetDomainName() DCs = self.GetDomainControllersMonkeyGuidByDomainName(domain_name) return map(Machine, DCs) + @cache def GetDomainAdminsOfMachine(self): DCs = self.GetDomainControllers() @@ -308,12 +398,15 @@ class Machine(object): return domain_admins + @cache def GetAdmins(self): return self.GetLocalAdmins() | self.GetDomainAdminsOfMachine() - + + @cache def GetAdminNames(self): return set(map(lambda x: self.GetUsernameBySid(x), self.GetAdmins())) + @cache def GetCachedSids(self): doc = self.latest_system_info @@ -329,6 +422,7 @@ class Machine(object): return SIDs + @cache def GetCachedUsernames(self): doc = self.latest_system_info @@ -342,12 +436,14 @@ class Machine(object): class PassTheHashMap(object): def __init__(self): self.vertices = self.GetAllMachines() + self.edges = set() self.machines = map(Machine, self.vertices) - + self.GenerateEdgesBySid() # Useful for non-cached domain users self.GenerateEdgesBySamHash() # This will add edges based only on password hash without caring about username - + + @cache def GetAllMachines(self): cur = mongo.db.telemetry.find({"telem_type":"system_info_collection"}) @@ -357,7 +453,8 @@ class PassTheHashMap(object): GUIDs.add(doc["monkey_guid"]) return GUIDs - + + @cache def ReprSidList(self, sid_list, attacker, victim): label = set() @@ -372,6 +469,7 @@ class PassTheHashMap(object): return ",\n".join(label) + @cache def ReprSecretList(self, secret_list, victim): label = set() @@ -380,6 +478,7 @@ class PassTheHashMap(object): return ",\n".join(label) + @cache def GenerateEdgesBySid(self): for attacker in self.vertices: cached = Machine(attacker).GetCachedSids() @@ -389,11 +488,12 @@ class PassTheHashMap(object): continue admins = Machine(victim).GetAdmins() - + if len(cached & admins) > 0: label = self.ReprSidList(cached & admins, attacker, victim) self.edges.add((attacker, victim, label)) + @cache def GenerateEdgesBySamHash(self): for attacker in self.vertices: cached_creds = set(Machine(attacker).GetCachedCreds().items()) @@ -408,6 +508,7 @@ class PassTheHashMap(object): label = self.ReprSecretList(set(dict(cached_creds & admin_creds).values()), victim) self.edges.add((attacker, victim, label)) + @cache def GenerateEdgesByUsername(self): for attacker in self.vertices: cached = Machine(attacker).GetCachedUsernames() @@ -421,34 +522,48 @@ class PassTheHashMap(object): if len(cached & admins) > 0: self.edges.add((attacker, victim)) + @cache def Print(self): print map(lambda x: Machine(x).GetIp(), self.vertices) print map(lambda x: (Machine(x[0]).GetIp(), Machine(x[1]).GetIp()), self.edges) + @cache def GetPossibleAttackCountBySid(self, sid): return len(self.GetPossibleAttacksBySid(sid)) + @cache + def GetPossibleAttacksByAttacker(self, attacker): + attacks = set() + + cached_creds = set(Machine(attacker).GetCachedCreds().items()) + + for victim in self.vertices: + if attacker == victim: + continue + + admin_creds = set(Machine(victim).GetLocalAdminCreds().items()) + + if len(cached_creds & admin_creds) > 0: + curr_attacks = dict(cached_creds & admin_creds) + attacks.add((attacker, victim, curr_attacks)) + + return attacks + + @cache def GetPossibleAttacksBySid(self, sid): attacks = set() for attacker in self.vertices: - cached_creds = set(Machine(attacker).GetCachedCreds().items()) + tmp = self.GetPossibleAttacksByAttacker(attacker) - for victim in self.vertices: - if attacker == victim: - continue - - admin_creds = set(Machine(victim).GetLocalAdminCreds().items()) - - if len(cached_creds & admin_creds) > 0: - curr_attacks = dict(cached_creds & admin_creds) - - for username, secret in curr_attacks.iteritems(): - if Machine(victim).GetSidByUsername(username) == sid: - attacks.add((attacker, victim)) + for _, victim, curr_attacks in tmp: + for username, secret in curr_attacks.iteritems(): + if Machine(victim).GetSidByUsername(username) == sid: + attacks.add((attacker, victim)) return attacks + @cache def GetSecretBySid(self, sid): for m in self.machines: for user, user_secret in m.GetLocalSecrets().iteritems(): @@ -457,15 +572,19 @@ class PassTheHashMap(object): return None + @cache def GetVictimCountBySid(self, sid): return len(self.GetVictimsBySid(sid)) + @cache def GetVictimCountByMachine(self, attacker): return len(self.GetVictimsByAttacker(attacker)) + @cache def GetAttackCountBySecret(self, secret): return len(self.GetAttackersBySecret(secret)) + @cache def GetAllUsernames(self): names = set() @@ -474,6 +593,7 @@ class PassTheHashMap(object): return names + @cache def GetAllSids(self): SIDs = set() @@ -482,6 +602,7 @@ class PassTheHashMap(object): return SIDs + @cache def GetAllSecrets(self): secrets = set() @@ -491,6 +612,7 @@ class PassTheHashMap(object): return secrets + @cache def GetUsernameBySid(self, sid): for m in self.machines: username = m.GetUsernameBySid(sid) @@ -500,6 +622,7 @@ class PassTheHashMap(object): return None + @cache def GetSidsBySecret(self, secret): SIDs = set() @@ -508,6 +631,7 @@ class PassTheHashMap(object): return SIDs + @cache def GetAllDomainControllers(self): DCs = set() @@ -517,6 +641,7 @@ class PassTheHashMap(object): return DCs + @cache def GetSidsByUsername(self, username): SIDs = set() @@ -527,6 +652,7 @@ class PassTheHashMap(object): return SIDs + @cache def GetVictimsBySid(self, sid): machines = set() @@ -536,6 +662,7 @@ class PassTheHashMap(object): return machines + @cache def GetVictimsBySecret(self, secret): machines = set() @@ -547,6 +674,7 @@ class PassTheHashMap(object): return machines + @cache def GetAttackersBySecret(self, secret): machines = set() @@ -556,6 +684,7 @@ class PassTheHashMap(object): return machines + @cache def GetAttackersByVictim(self, victim): attackers = set() @@ -565,6 +694,7 @@ class PassTheHashMap(object): return attackers + @cache def GetVictimsByAttacker(self, attacker): victims = set() @@ -574,6 +704,7 @@ class PassTheHashMap(object): return victims + @cache def GetInPathCountByVictim(self, victim, already_processed=None): if type(victim) != unicode: victim = victim.monkey_guid @@ -607,11 +738,14 @@ def main(): print "

    Duplicated Passwords

    " print "

    How many users share each secret?

    " + dups = dict(map(lambda x: (x, len(pth.GetSidsBySecret(x))), pth.GetAllSecrets())) print """""" print """""" for secret, count in sorted(dups.iteritems(), key=lambda (k,v): (v,k), reverse=True): + if count <= 1: + continue print """""".format(secret=secret, count=count) print """
    SecretUser Count
    {secret}{count}
    """ @@ -622,6 +756,8 @@ def main(): print """""" print """""" for secret, count in sorted(cache_counts.iteritems(), key=lambda (k,v): (v,k), reverse=True): + if count <= 0: + continue print """""".format(secret=secret, count=count) print """
    SecretMachine Count
    {secret}{count}
    """ @@ -632,6 +768,8 @@ def main(): print """""" print """""" for sid, count in sorted(attackable_counts.iteritems(), key=lambda (k,v): (v,k), reverse=True): + if count <= 1: + continue print """""".format(sid=sid, username=pth.GetUsernameBySid(sid), count=count) print """
    SIDUsernameMachine Count
    {sid}{username}{count}
    """ @@ -642,6 +780,8 @@ def main(): print """""" print """""" for sid, count in sorted(possible_attacks_by_sid.iteritems(), key=lambda (k,v): (v,k), reverse=True): + if count <= 1: + continue print """""".format(sid=sid, username=pth.GetUsernameBySid(sid), count=count) print """
    SIDUsernameMachine Count
    {sid}{username}{count}
    """ @@ -652,6 +792,8 @@ def main(): print """""" print """""" for m, count in sorted(attackable_counts.iteritems(), key=lambda (k,v): (v,k), reverse=True): + if count <= 1: + continue print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), count=count) print """
    Attacker IpAttacker HostnameDomain NameVictim Machine Count
    {ip}{hostname}{domain}{count}
    """ From e557f78ae35306c68601d4e2088185445eac3a94 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 3 Apr 2018 11:01:53 +0300 Subject: [PATCH 031/117] remove more junk data --- monkey_island/cc/resources/pthmap.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index b652c86df..989df830d 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -814,6 +814,8 @@ def main(): print """""" print """""" for m, path_count in sorted(all_machines.iteritems(), key=lambda (k,v): (v,k), reverse=True): + if count <= 0: + continue print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), path_count=path_count) print """
    IpHostnameDomain NameIn-Path Count
    {ip}{hostname}{domain}{path_count}
    """ From eeae92ccda9ce30b9ec568f39e000b37eb7bb47e Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Wed, 4 Apr 2018 05:55:59 -0700 Subject: [PATCH 032/117] missing line --- infection_monkey/system_info/windows_info_collector.py | 1 + 1 file changed, 1 insertion(+) diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index cf7619a78..d459a0e2d 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -101,6 +101,7 @@ class WindowsInfoCollector(InfoCollector): self.get_reg_key(r"SYSTEM\CurrentControlSet\Control\Lsa") self.get_installed_packages() + mimikatz_collector = MimikatzCollector() mimikatz_info = mimikatz_collector.get_logon_info() self.info["credentials"].update(mimikatz_info) self.info["mimikatz"] = mimikatz_collector.get_mimikatz_text() From 826df43708d512a9d89fbaafa3dad1830cfc3938 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 10 Apr 2018 17:51:09 +0300 Subject: [PATCH 033/117] add cahce --- monkey_island/cc/resources/pthmap.py | 38 ++++++++++++++++++++++++---- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 989df830d..e33bd4870 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -173,23 +173,40 @@ class Machine(object): @cache def GetUsernameBySid(self, sid): + info = self.GetSidInfo(sid) + + if not info: + return None + + return info["Domain"] + "\\" + info["Username"] + + @cache + def GetSidInfo(self, sid): doc = self.latest_system_info for user in doc["data"]["Win32_UserAccount"]: if eval(user["SID"]) != sid: continue - return eval(user["Name"]) + return { "Domain": eval(user["Domain"]), + "Username": eval(user["Name"]), + "Disabled": user["Disabled"] == "true", + "PasswordRequired": user["PasswordRequired"] == "true", + "PasswordExpires": user["PasswordExpires"] == "true", } if not self.IsDomainController(): for dc in self.GetDomainControllers(): - username = dc.GetUsernameBySid(sid) + domain = dc.GetSidInfo(sid) - if username != None: - return username + if domain != None: + return domain return None + @cache + def GetInstalledServices(self): + "IIS-WebServer" + @cache def GetUsernamesBySecret(self, secret): sam = self.GetLocalSecrets() @@ -622,6 +639,16 @@ class PassTheHashMap(object): return None + @cache + def GetSidInfo(self, sid): + for m in self.machines: + info = m.GetSidInfo(sid) + + if info: + return info + + return None + @cache def GetSidsBySecret(self, secret): SIDs = set() @@ -868,8 +895,9 @@ def main(): for sid in pth.GetAllSids(): print """

    SID '{sid}'

    Username: '{username}'

    +

    Domain: {domain}

    Secret: '{secret}'

    - """.format(username=pth.GetUsernameBySid(sid), sid=sid, secret=pth.GetSecretBySid(sid)) + """.format(username=pth.GetUsernameBySid(sid), sid=sid, secret=pth.GetSecretBySid(sid), domain=pth.GetSidInfo(sid)["Domain"]) print """

    Attackable Machines

    """ print """
      """ From 21cf786d51ad604282bc430ff305c5039a6b09ea Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 10 Apr 2018 17:51:18 +0300 Subject: [PATCH 034/117] add more wmi classeS --- infection_monkey/system_info/windows_info_collector.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index cf821fa45..0b888ec2b 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -21,9 +21,10 @@ WMI_CLASSES = set(["Win32_OperatingSystem", "Win32_UserProfile", "Win32_Group", "Win32_GroupUser", - #"Win32_Product", + "Win32_Product", + "Win32_Service", + "Win32_OptionalFeature", #"Win32_Process", - #"Win32_Service" ]) def fix_obj_for_mongo(o): @@ -131,7 +132,7 @@ class WindowsInfoCollector(InfoCollector): key = _winreg.ConnectRegistry(None, store) subkey = _winreg.OpenKey(key, subkey_path) - d = dict([_winreg.EnumValue(subkey, i)[:2] for i in xrange(_winreg.QueryInfoKey(subkey)[1])]) + d = dict([_winreg.EnumValue(subkey, i)[:2] for i in xrange(_winreg.QueryInfoKey(subkey)[0])]) d = fix_obj_for_mongo(d) self.info[subkey_path] = d From 502997a8e4e3a08b6b3b9304a65ce1ae08bea131 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 10 Apr 2018 18:55:53 +0300 Subject: [PATCH 035/117] add logs --- monkey_island/cc/resources/telemetry.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/monkey_island/cc/resources/telemetry.py b/monkey_island/cc/resources/telemetry.py index d7b21035c..6297710e2 100644 --- a/monkey_island/cc/resources/telemetry.py +++ b/monkey_island/cc/resources/telemetry.py @@ -1,5 +1,6 @@ import json import traceback +import logging import copy from datetime import datetime @@ -16,6 +17,8 @@ from cc.encryptor import encryptor __author__ = 'Barak' +LOG = logging.getLogger(__name__) + class Telemetry(flask_restful.Resource): @jwt_required() @@ -167,11 +170,16 @@ class Telemetry(flask_restful.Resource): @staticmethod def process_system_info_telemetry(telemetry_json): + LOG.debug("Processing system info telemtery for encryption...") + if 'credentials' in telemetry_json['data']: + LOG.debug("Encrypting telemetry credentials...") creds = telemetry_json['data']['credentials'] Telemetry.encrypt_system_info_creds(creds) Telemetry.add_system_info_creds_to_config(creds) Telemetry.replace_user_dot_with_comma(creds) + + LOG.debug("Done enrypting") @staticmethod def process_trace_telemetry(telemetry_json): From b74167178f012f52f4d4dd51d4c54e5c913d00ab Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 17 Apr 2018 12:29:28 +0300 Subject: [PATCH 036/117] add installed services to report --- monkey_island/cc/resources/pthmap.py | 40 +++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index e33bd4870..2df94a190 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -205,8 +205,37 @@ class Machine(object): @cache def GetInstalledServices(self): - "IIS-WebServer" + def IsNameOfCriticalService(name): + services = ("iis", "exchange", "active directory", "domain controller", "mssql") + name = name.lower() + + for ser in services: + if ser in name: + return True + + return False + doc = self.latest_system_info + found = [] + + for product in doc["data"]["Win32_Product"]: + service_name = eval(product["Name"]) + + if not IsNameOfCriticalService(service_name): + continue + + found.append(service_name) + + for service in doc["data"]["Win32_Service"]: + service_name = eval(service["Name"]) + + if not IsNameOfCriticalService(service_name): + continue + + found.append(service_name) + + return found + @cache def GetUsernamesBySecret(self, secret): sam = self.GetLocalSecrets() @@ -878,6 +907,15 @@ def main(): for sid in m.GetAdmins(): print """
    • {username} ({sid})
    • """.format(username=m.GetUsernameBySid(sid), sid=sid) print """
    """ + + print """

    Installed Critical Services

    """ + print """

    List of crtical services found installed on machine

    """ + print """
      """ + for service_name in m.GetInstalledServices(): + print """
    • {service_name}
    • """.format(service_name=service_name) + print """
    """ + + print "
    " From 0fa14d631cff9e2ef373e16f0dae42beda8227b0 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 17 Apr 2018 12:45:32 +0300 Subject: [PATCH 037/117] add critical server list to report --- monkey_island/cc/resources/pthmap.py | 34 +++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 2df94a190..434dc35a7 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -204,9 +204,14 @@ class Machine(object): return None @cache - def GetInstalledServices(self): + def GetCriticalServicesInstalled(self): def IsNameOfCriticalService(name): - services = ("iis", "exchange", "active directory", "domain controller", "mssql") + services = ("W3svc", "MSExchangeServiceHost", "MSSQLServer") + services = map(string.lower, services) + + if not name: + return False + name = name.lower() for ser in services: @@ -217,6 +222,9 @@ class Machine(object): doc = self.latest_system_info found = [] + + if self.IsDomainController(): + found.append("Domain Controller") for product in doc["data"]["Win32_Product"]: service_name = eval(product["Name"]) @@ -787,6 +795,16 @@ class PassTheHashMap(object): return count + @cache + def GetCritialServers(self): + machines = set() + + for m in self.machines: + if m.IsCriticalServer(): + machines.add(m) + + return machines + def main(): pth = PassTheHashMap() @@ -875,6 +893,16 @@ def main(): print """{ip}{hostname}{domain}{path_count}""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), path_count=path_count) print """""" + print "

    Critical Servers

    " + print "

    List of all machines identified as critical servers

    " + critical_servers = pth.GetCritialServers() + + print """""" + print """""" + for m in critical_servers: + print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName()) + print """
    IpHostnameDomain Name
    {ip}{hostname}{domain}
    """ + print "
    " for m in pth.machines: @@ -911,7 +939,7 @@ def main(): print """

    Installed Critical Services

    """ print """

    List of crtical services found installed on machine

    """ print """
      """ - for service_name in m.GetInstalledServices(): + for service_name in m.GetCriticalServicesInstalled(): print """
    • {service_name}
    • """.format(service_name=service_name) print """
    """ From 6d5d8595a0bfa9e45956759091ad561f681b2639 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 17 Apr 2018 12:47:52 +0300 Subject: [PATCH 038/117] fix --- monkey_island/cc/resources/pthmap.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 434dc35a7..a27d509e4 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -244,6 +244,10 @@ class Machine(object): return found + @cache + def IsCriticalServer(self): + return len(self.GetCriticalServicesInstalled()) > 0 + @cache def GetUsernamesBySecret(self, secret): sam = self.GetLocalSecrets() From cdadb32ff0620a57b813c61441acc7b79d5b7df6 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 17 Apr 2018 12:49:14 +0300 Subject: [PATCH 039/117] fix --- monkey_island/cc/resources/pthmap.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index a27d509e4..5730a2ade 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -207,7 +207,7 @@ class Machine(object): def GetCriticalServicesInstalled(self): def IsNameOfCriticalService(name): services = ("W3svc", "MSExchangeServiceHost", "MSSQLServer") - services = map(string.lower, services) + services = map(str.lower, services) if not name: return False From 2c68cca5db6ae790b440f103888247ba62068d15 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 17 Apr 2018 13:12:57 +0300 Subject: [PATCH 040/117] add list of the users that share each password --- monkey_island/cc/resources/pthmap.py | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 5730a2ade..110ffa8bd 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -310,7 +310,16 @@ class Machine(object): @cache def GetLocalAdmins(self): - return set(self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).keys()) + admins = self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")) + + #debug = self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Users")) + #admins.update(debug) + + return admins + + @cache + def GetLocalAdminSids(self): + return set(self.GetLocalAdmins().keys()) @cache def GetLocalSids(self): @@ -325,7 +334,7 @@ class Machine(object): @cache def GetLocalAdminNames(self): - return set(self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")).values()) + return set(self.GetLocalAdmins().values()) @cache def GetSam(self): @@ -452,13 +461,13 @@ class Machine(object): domain_admins = set() for dc in DCs: - domain_admins |= dc.GetLocalAdmins() + domain_admins |= dc.GetLocalAdminSids() return domain_admins @cache def GetAdmins(self): - return self.GetLocalAdmins() | self.GetDomainAdminsOfMachine() + return self.GetLocalAdminSids() | self.GetDomainAdminsOfMachine() @cache def GetAdminNames(self): @@ -820,11 +829,16 @@ def main(): dups = dict(map(lambda x: (x, len(pth.GetSidsBySecret(x))), pth.GetAllSecrets())) print """""" - print """""" + print """""" for secret, count in sorted(dups.iteritems(), key=lambda (k,v): (v,k), reverse=True): if count <= 1: continue print """""".format(secret=secret, count=count) + print """""" print """
    SecretUser Count
    SecretUser CountUsers That Share This Password
    {secret}{count}
      """ + for sid in pth.GetSidsBySecret(secret): + print """
    • {username}""" + print """
    • {username}
    • """.format(sid=sid, username=pth.GetUsernameBySid(sid)) + print """
    """ print "

    Cached Passwords

    " From 13bf7107c9ee57f7afc42e760f53bbeca12891f3 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 17 Apr 2018 13:30:55 +0300 Subject: [PATCH 041/117] BUGFIX: Take the latest info_collection got from machine instead of oldest --- monkey_island/cc/resources/pthmap.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 110ffa8bd..f61c2d9c9 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -98,7 +98,7 @@ class Machine(object): def __init__(self, monkey_guid): self.monkey_guid = str(monkey_guid) - self.latest_system_info = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}).sort([("timestamp", 1)]).limit(1) + self.latest_system_info = mongo.db.telemetry.find({"telem_type":"system_info_collection", "monkey_guid": self.monkey_guid}).sort([("timestamp", -1)]).limit(1) if self.latest_system_info.count() > 0: self.latest_system_info = self.latest_system_info[0] @@ -282,7 +282,7 @@ class Machine(object): doc = self.latest_system_info users = dict() - + for group_user in doc["data"]["Win32_GroupUser"]: if eval(group_user["GroupComponent"]["SID"]) != sid: continue From 7a7729c21270e352a215efe241b84918cc983fb6 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 17 Apr 2018 13:58:47 +0300 Subject: [PATCH 042/117] add threatning users to report --- monkey_island/cc/resources/pthmap.py | 31 +++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index f61c2d9c9..25f2b05c3 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -818,6 +818,14 @@ class PassTheHashMap(object): return machines + def GetThreateningUsersByVictim(victim): + threatening_users = set() + + for attacker in pth.GetAttackersByVictim(victim): + threatening_users |= (attacker.GetCachedSids() & victim.GetAdmins()) + + return threatening_users + def main(): pth = PassTheHashMap() @@ -836,11 +844,32 @@ def main(): print """{secret}{count}""".format(secret=secret, count=count) print """
      """ for sid in pth.GetSidsBySecret(secret): - print """
    • {username}""" print """
    • {username}
    • """.format(sid=sid, username=pth.GetUsernameBySid(sid)) print """
    """ print """""" + + + print "

    Strong Users That Threat Critical Servers

    " + print "

    Administrators of critical servers that we could find thier secret cached somewhere

    " + + threatening = dict(map(lambda x: (x, len(pth.GetThreateningUsersByVictim(x))), pth.GetCritialServers())) + + print """""" + print """""" + for m, count in sorted(threatening.iteritems(), key=lambda (k,v): (v,k), reverse=True): + if count <= 0: + continue + print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), count=count) + print """""" + print """
    Critical ServerHostnameDomainThreatening User CountThreatening Users
    {ip}{hostname}{domain}{count}
      """ + + for sid in pth.GetThreateningUsersByVictim(m): + print """
    • {username}
    • """.format(sid=sid, username=pth.GetUsernameBySid(sid)) + + print """
    """ + + print "

    Cached Passwords

    " print "

    On how many machines each secret is cached (possible attacker count)?

    " cache_counts = dict(map(lambda x: (x, pth.GetAttackCountBySecret(x)), pth.GetAllSecrets())) From 0d4e28b55bf1ae44df8307a80146e95ae0e952bf Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 17 Apr 2018 14:43:26 +0300 Subject: [PATCH 043/117] small fixes --- monkey_island/cc/resources/pthmap.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 25f2b05c3..f006c0fe6 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -48,7 +48,7 @@ def cache(foo): if type(o) in (int, float, str, unicode): return o - elif type(o) in (list, tuple): + elif type(o) in (list, tuple, set): hashed = tuple([hash(x) for x in o]) if "NotHashable" in hashed: @@ -75,13 +75,13 @@ def cache(foo): return "PassTheHashMapSingleton" else: + assert False, "%s of type %s is not hashable" % (repr(o), type(o)) return "NotHashable" def wrapper(*args, **kwargs): hashed = (hash(args), hash(kwargs)) if "NotHashable" in hashed: - print foo return foo(*args, **kwargs) if not hasattr(foo, "_mycache_"): @@ -818,10 +818,10 @@ class PassTheHashMap(object): return machines - def GetThreateningUsersByVictim(victim): + def GetThreateningUsersByVictim(self, victim): threatening_users = set() - for attacker in pth.GetAttackersByVictim(victim): + for attacker in self.GetAttackersByVictim(victim): threatening_users |= (attacker.GetCachedSids() & victim.GetAdmins()) return threatening_users From 29fac1a960e082697efdc68e3f4cd7afd80b7522 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 17 Apr 2018 14:59:06 +0300 Subject: [PATCH 044/117] fix --- monkey_island/cc/resources/pthmap.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index f006c0fe6..9bdfa275d 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -763,13 +763,16 @@ class PassTheHashMap(object): @cache def GetAttackersByVictim(self, victim): - attackers = set() + if type(victim) != unicode: + victim = victim.monkey_guid + attackers = set() + for atck, vic, _ in self.edges: if vic == victim: attackers.add(atck) - return attackers + return set(map(Machine, attackers)) @cache def GetVictimsByAttacker(self, attacker): From 807606dae270036bf2e0eb5bfaf64edf2a49c378 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 17 Apr 2018 15:00:22 +0300 Subject: [PATCH 045/117] i think this is also a bug --- monkey_island/cc/resources/pthmap.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 9bdfa275d..e1d544d3c 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -776,13 +776,16 @@ class PassTheHashMap(object): @cache def GetVictimsByAttacker(self, attacker): + if type(victim) != unicode: + victim = victim.monkey_guid + victims = set() for atck, vic, _ in self.edges: if atck == attacker: victims.add(vic) - return victims + return set(map(Machine, victims)) @cache def GetInPathCountByVictim(self, victim, already_processed=None): From e17f9b8273aa632b8d3df57e60a1fc729edc9636 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 17 Apr 2018 15:02:49 +0300 Subject: [PATCH 046/117] fix --- monkey_island/cc/resources/pthmap.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index e1d544d3c..4ac543a31 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -776,8 +776,8 @@ class PassTheHashMap(object): @cache def GetVictimsByAttacker(self, attacker): - if type(victim) != unicode: - victim = victim.monkey_guid + if type(attacker) != unicode: + attacker = attacker.monkey_guid victims = set() From c308532ff49e032d2c24e8fd0aa0817453f0d078 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 17 Apr 2018 15:54:03 +0300 Subject: [PATCH 047/117] show low sevirity threat users --- monkey_island/cc/resources/pthmap.py | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 4ac543a31..ade484ea7 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -824,6 +824,11 @@ class PassTheHashMap(object): return machines + @cache + def GetNonCritialServers(self): + return self.machines - self.GetCritialServers() + + @cache def GetThreateningUsersByVictim(self, victim): threatening_users = set() @@ -874,6 +879,26 @@ def main(): print """
""" print """""" + + + print "

Strong Users That Threat NonCritical Servers

" + print "

Administrators of non-critical servers that we could find thier secret cached somewhere

" + + threatening = dict(map(lambda x: (x, len(pth.GetThreateningUsersByVictim(x))), pth.GetNonCritialServers())) + + print """""" + print """""" + for m, count in sorted(threatening.iteritems(), key=lambda (k,v): (v,k), reverse=True): + if count <= 0: + continue + print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), count=count) + print """""" + print """
Critical ServerHostnameDomainThreatening User CountThreatening Users
{ip}{hostname}{domain}{count}
    """ + + for sid in pth.GetThreateningUsersByVictim(m): + print """
  • {username}
  • """.format(sid=sid, username=pth.GetUsernameBySid(sid)) + + print """
""" print "

Cached Passwords

" From f7556b09306ca1705f94681a2ce7857a11b2c591 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 17 Apr 2018 15:57:44 +0300 Subject: [PATCH 048/117] fix --- monkey_island/cc/resources/pthmap.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index ade484ea7..59fa15832 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -826,7 +826,7 @@ class PassTheHashMap(object): @cache def GetNonCritialServers(self): - return self.machines - self.GetCritialServers() + return set(self.machines) - self.GetCritialServers() @cache def GetThreateningUsersByVictim(self, victim): From 5692d1dc86aa3091b91e19a25b4a11f174a454ee Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Mon, 30 Apr 2018 16:19:58 +0300 Subject: [PATCH 049/117] add dns service to critical services --- monkey_island/cc/resources/pthmap.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 59fa15832..62cc348af 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -206,7 +206,7 @@ class Machine(object): @cache def GetCriticalServicesInstalled(self): def IsNameOfCriticalService(name): - services = ("W3svc", "MSExchangeServiceHost", "MSSQLServer") + services = ("W3svc", "MSExchangeServiceHost", "MSSQLServer", "dns") services = map(str.lower, services) if not name: @@ -899,7 +899,7 @@ def main(): print """""" print """""" - + print "

Cached Passwords

" print "

On how many machines each secret is cached (possible attacker count)?

" From ebda00b333af697538d48eb3387a7ac433ca971d Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Mon, 30 Apr 2018 16:28:29 +0300 Subject: [PATCH 050/117] add list of critical services installed --- monkey_island/cc/resources/pthmap.py | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 62cc348af..44c621977 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -867,11 +867,17 @@ def main(): threatening = dict(map(lambda x: (x, len(pth.GetThreateningUsersByVictim(x))), pth.GetCritialServers())) print """""" - print """""" + print """""" for m, count in sorted(threatening.iteritems(), key=lambda (k,v): (v,k), reverse=True): if count <= 0: continue print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), count=count) + + print """""" + print """""" print """
Critical ServerHostnameDomainThreatening User CountThreatening Users
Critical ServerHostnameDomainCritical Services InstalledThreatening User CountThreatening Users
{ip}{hostname}{domain}{count}
    """ + for service_name in m.GetCriticalServicesInstalled(): + print """
  • {service_name}
  • """.format(service_name=service_name) + print """
    """ for sid in pth.GetThreateningUsersByVictim(m): @@ -887,11 +893,17 @@ def main(): threatening = dict(map(lambda x: (x, len(pth.GetThreateningUsersByVictim(x))), pth.GetNonCritialServers())) print """""" - print """""" + print """""" for m, count in sorted(threatening.iteritems(), key=lambda (k,v): (v,k), reverse=True): if count <= 0: continue print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), count=count) + + print """""" + print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), count=count) + print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), count=count) print """""" + print """""".format(count=count) + print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), count=count) + print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), count=count) print """""" + print """""".format(count=count) + print """""" print """
    Critical ServerHostnameDomainThreatening User CountThreatening Users
    Critical ServerHostnameDomainCritical Services InstalledThreatening User CountThreatening Users
    {ip}{hostname}{domain}{count}
      """ + for service_name in m.GetCriticalServicesInstalled(): + print """
    • {service_name}
    • """.format(service_name=service_name) + print """
      """ for sid in pth.GetThreateningUsersByVictim(m): From d59e464578b50c36f53412f095f44998d8c773fb Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Mon, 30 Apr 2018 16:44:43 +0300 Subject: [PATCH 051/117] only take running services --- monkey_island/cc/resources/pthmap.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 44c621977..daa52e8dd 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -214,9 +214,10 @@ class Machine(object): name = name.lower() - for ser in services: - if ser in name: - return True + return name in services + #for ser in services: + # if ser in name: + # return True return False @@ -239,6 +240,9 @@ class Machine(object): if not IsNameOfCriticalService(service_name): continue + + if eval(service["State"]) != "Running": + continue found.append(service_name) From b49ba7526f8bb619773616d96160e78b38f2805d Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Mon, 30 Apr 2018 16:48:42 +0300 Subject: [PATCH 052/117] fix --- monkey_island/cc/resources/pthmap.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index daa52e8dd..8a65f3197 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -875,13 +875,15 @@ def main(): for m, count in sorted(threatening.iteritems(), key=lambda (k,v): (v,k), reverse=True): if count <= 0: continue - print """
    {ip}{hostname}{domain}{count}
    {ip}{hostname}{domain}
      """ for service_name in m.GetCriticalServicesInstalled(): print """
    • {service_name}
    • """.format(service_name=service_name) print """
    {count}
      """ for sid in pth.GetThreateningUsersByVictim(m): @@ -901,13 +903,15 @@ def main(): for m, count in sorted(threatening.iteritems(), key=lambda (k,v): (v,k), reverse=True): if count <= 0: continue - print """
    {ip}{hostname}{domain}{count}
    {ip}{hostname}{domain}
      """ for service_name in m.GetCriticalServicesInstalled(): print """
    • {service_name}
    • """.format(service_name=service_name) print """
    {count}
      """ for sid in pth.GetThreateningUsersByVictim(m): From 2e3401f285ce01eaa2dca7582519d27feabc78a9 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Mon, 30 Apr 2018 16:51:07 +0300 Subject: [PATCH 053/117] fix --- monkey_island/cc/resources/pthmap.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 8a65f3197..93af154d7 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -899,16 +899,12 @@ def main(): threatening = dict(map(lambda x: (x, len(pth.GetThreateningUsersByVictim(x))), pth.GetNonCritialServers())) print """""" - print """""" + print """""" for m, count in sorted(threatening.iteritems(), key=lambda (k,v): (v,k), reverse=True): if count <= 0: continue print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), count=count) - print """""" print """""".format(count=count) From d83dad727dbedf70ddfd7bade362bb3d9f04c289 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Mon, 30 Apr 2018 16:53:48 +0300 Subject: [PATCH 054/117] remove secret from display --- monkey_island/cc/resources/pthmap.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 93af154d7..0393939cf 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -852,11 +852,11 @@ def main(): dups = dict(map(lambda x: (x, len(pth.GetSidsBySecret(x))), pth.GetAllSecrets())) print """
      Critical ServerHostnameDomainCritical Services InstalledThreatening User CountThreatening Users
      Critical ServerHostnameDomainThreatening User CountThreatening Users
      {ip}{hostname}{domain}
        """ - for service_name in m.GetCriticalServicesInstalled(): - print """
      • {service_name}
      • """.format(service_name=service_name) - print """
      {count}
      """ - print """""" + print """""" for secret, count in sorted(dups.iteritems(), key=lambda (k,v): (v,k), reverse=True): if count <= 1: continue - print """""".format(secret=secret, count=count) + print """""".format(secret=secret, count=count) print """""" print """
      SecretUser CountUsers That Share This Password
      User CountUsers That Share This Password
      {secret}{count}
      {count}
        """ for sid in pth.GetSidsBySecret(secret): print """
      • {username}
      • """.format(sid=sid, username=pth.GetUsernameBySid(sid)) From 99ee46c38a3efcb17a69c12379db133b315e8ab1 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Mon, 30 Apr 2018 17:48:21 +0300 Subject: [PATCH 055/117] add unique local admin --- monkey_island/cc/resources/pthmap.py | 39 ++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 0393939cf..d7934663c 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -841,6 +841,18 @@ class PassTheHashMap(object): return threatening_users + @cache + def GetSharedAdmins(self, m): + shared_admins = set() + + for other in pth.machines: + if m == other: + continue + + shared_admins |= (m.GetLocalAdminSids() & other.GetLocalAdminSids()) + + return shared_admins + def main(): pth = PassTheHashMap() @@ -863,8 +875,35 @@ def main(): print """
      """ + + print "

      Local Admin Uniqueness

      " + print "

      We argue that each machine should have it's own distinct set of local admins

      " + dups = dict(map(lambda x: (x, len(pth.GetSharedAdmins(x))), pth.machines)) + print """""" + print """""" + for secret, count in sorted(dups.iteritems(), key=lambda (k,v): (v,k), reverse=True): + if count <= 0: + continue + + print """""".format(ip=m.GetIp(), hostname=m.GetHostName(), domain=m.GetDomainName(), count=count) + + print """""" + + print """""".format(count=count) + + print """""" + print """
      IpHostnameDomainCritical Services InstalledShared User CountShared Users
      {ip}{hostname}{domain}
        """ + for service_name in m.GetCriticalServicesInstalled(): + print """
      • {service_name}
      • """.format(service_name=service_name) + print """
      {count}
        """ + + for sid in pth.GetThreateningUsersByVictim(m): + print """
      • {username}
      • """.format(sid=sid, username=pth.GetUsernameBySid(sid)) + + print """
      """ + print "

      Strong Users That Threat Critical Servers

      " print "

      Administrators of critical servers that we could find thier secret cached somewhere

      " From 0025d242d71b73da5ed3813c8fb18fd68cc0dcb8 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Mon, 30 Apr 2018 17:50:38 +0300 Subject: [PATCH 056/117] fix --- monkey_island/cc/resources/pthmap.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index d7934663c..3b1607ce7 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -845,7 +845,7 @@ class PassTheHashMap(object): def GetSharedAdmins(self, m): shared_admins = set() - for other in pth.machines: + for other in self.machines: if m == other: continue @@ -883,7 +883,7 @@ def main(): print """""" print """""" - for secret, count in sorted(dups.iteritems(), key=lambda (k,v): (v,k), reverse=True): + for m, count in sorted(dups.iteritems(), key=lambda (k,v): (v,k), reverse=True): if count <= 0: continue From 8ab880340f7e379542c137a6333928ea90236112 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Mon, 30 Apr 2018 17:58:15 +0300 Subject: [PATCH 057/117] don't count DomainAdmins as shared admins --- monkey_island/cc/resources/pthmap.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 3b1607ce7..f3e9e93be 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -465,7 +465,7 @@ class Machine(object): domain_admins = set() for dc in DCs: - domain_admins |= dc.GetLocalAdminSids() + domain_admins |= dc.GetUsersByGroupSid(self.GetGroupSidByGroupName("Domain Admins")) return domain_admins @@ -851,6 +851,7 @@ class PassTheHashMap(object): shared_admins |= (m.GetLocalAdminSids() & other.GetLocalAdminSids()) + shared_admins -= m.GetDomainAdminsOfMachine() return shared_admins def main(): From 9594fab1a29f1517bbd5c6bd9267b0bc2090be52 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Mon, 30 Apr 2018 18:15:10 +0300 Subject: [PATCH 058/117] shared users seems to work --- monkey_island/cc/resources/pthmap.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index f3e9e93be..67ed3e23d 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -48,6 +48,9 @@ def cache(foo): if type(o) in (int, float, str, unicode): return o + elif type(o) in (type(None),): + return "___None___" + elif type(o) in (list, tuple, set): hashed = tuple([hash(x) for x in o]) @@ -465,7 +468,7 @@ class Machine(object): domain_admins = set() for dc in DCs: - domain_admins |= dc.GetUsersByGroupSid(self.GetGroupSidByGroupName("Domain Admins")) + domain_admins |= set(dc.GetUsersByGroupSid(self.GetGroupSidByGroupName("Domain Admins")).keys()) return domain_admins @@ -899,7 +902,7 @@ def main(): print """""" From 1d25ba90856019381ae2734c740229039ccb3fa7 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Mon, 30 Apr 2018 18:40:11 +0300 Subject: [PATCH 059/117] check SidType everywhere to make sure we don't have type errors --- monkey_island/cc/resources/pthmap.py | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 67ed3e23d..400919d50 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -39,6 +39,16 @@ DsRole_RoleMemberServer = 3 DsRole_RoleBackupDomainController = 4 DsRole_RolePrimaryDomainController = 5 +SidTypeUser = 1 +SidTypeGroup = 2 +SidTypeDomain = 3 +SidTypeAlias = 4 +SidTypeWellKnownGroup = 5 +SidTypeDeletedAccount = 6 +SidTypeInvalid = 7 +SidTypeUnknown = 8 +SidTypeComputer = 9 + def myntlm(x): hash = hashlib.new('md4', x.encode('utf-16le')).digest() return str(binascii.hexlify(hash)) @@ -162,6 +172,9 @@ class Machine(object): for user in doc["data"]["Win32_UserAccount"]: if eval(user["Name"]) != username: continue + + if eval(user["SIDType"]) != SidTypeUser: + continue return eval(user["SID"]) @@ -190,6 +203,9 @@ class Machine(object): for user in doc["data"]["Win32_UserAccount"]: if eval(user["SID"]) != sid: continue + + if eval(user["SIDType"]) != SidTypeUser: + continue return { "Domain": eval(user["Domain"]), "Username": eval(user["Name"]), @@ -280,6 +296,9 @@ class Machine(object): if eval(group["Name"]) != group_name: continue + if eval(group["SIDType"]) != SidTypeGroup: + continue + return eval(group["SID"]) return None @@ -293,10 +312,16 @@ class Machine(object): for group_user in doc["data"]["Win32_GroupUser"]: if eval(group_user["GroupComponent"]["SID"]) != sid: continue + + if eval(group_user["GroupComponent"]["SIDType"]) != SidTypeGroup: + continue if "PartComponent" not in group_user.keys(): continue + if eval(group_user["PartComponent"]["SIDType"]) != SidTypeUser: + continue + users[eval(group_user["PartComponent"]["SID"])] = eval(group_user["PartComponent"]["Name"]) return users @@ -335,6 +360,9 @@ class Machine(object): SIDs = set() for user in doc["data"]["Win32_UserAccount"]: + if eval(user["SIDType"]) != SidTypeUser: + continue + SIDs.add(eval(user["SID"])) return SIDs From 72fa6bbd684810ef78881d0f912688833fe3b2cb Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Mon, 30 Apr 2018 18:42:30 +0300 Subject: [PATCH 060/117] no need to eval SidType --- monkey_island/cc/resources/pthmap.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 400919d50..fd882a6c6 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -173,7 +173,7 @@ class Machine(object): if eval(user["Name"]) != username: continue - if eval(user["SIDType"]) != SidTypeUser: + if user["SIDType"] != SidTypeUser: continue return eval(user["SID"]) @@ -204,7 +204,7 @@ class Machine(object): if eval(user["SID"]) != sid: continue - if eval(user["SIDType"]) != SidTypeUser: + if user["SIDType"] != SidTypeUser: continue return { "Domain": eval(user["Domain"]), @@ -296,7 +296,7 @@ class Machine(object): if eval(group["Name"]) != group_name: continue - if eval(group["SIDType"]) != SidTypeGroup: + if group["SIDType"] != SidTypeGroup: continue return eval(group["SID"]) @@ -313,13 +313,13 @@ class Machine(object): if eval(group_user["GroupComponent"]["SID"]) != sid: continue - if eval(group_user["GroupComponent"]["SIDType"]) != SidTypeGroup: + if group_user["GroupComponent"]["SIDType"] != SidTypeGroup: continue if "PartComponent" not in group_user.keys(): continue - if eval(group_user["PartComponent"]["SIDType"]) != SidTypeUser: + if group_user["PartComponent"]["SIDType"] != SidTypeUser: continue users[eval(group_user["PartComponent"]["SID"])] = eval(group_user["PartComponent"]["Name"]) @@ -360,7 +360,7 @@ class Machine(object): SIDs = set() for user in doc["data"]["Win32_UserAccount"]: - if eval(user["SIDType"]) != SidTypeUser: + if user["SIDType"] != SidTypeUser: continue SIDs.add(eval(user["SID"])) From 4c1d0bfff540b78506bd99e39974dda8ee911554 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 8 May 2018 15:40:38 +0300 Subject: [PATCH 061/117] add ldap wmi queries --- .../system_info/windows_info_collector.py | 56 +++++++++++++++++-- 1 file changed, 51 insertions(+), 5 deletions(-) diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index bee391ae8..9e5a77e84 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -5,6 +5,7 @@ import traceback import sys sys.coinit_flags = 0 # needed for proper destruction of the wmi python module import wmi +import win32com import _winreg from mimikatz_collector import MimikatzCollector @@ -27,6 +28,30 @@ WMI_CLASSES = set(["Win32_OperatingSystem", #"Win32_Process", ]) +WMI_LDAP_CLASSES = {"ds_user": ("DS_sAMAccountName", "DS_userPrincipalName", + "DS_sAMAccountType", "ADSIPath", "DS_userAccountControl", + "DS_objectSid", "DS_objectClass", "DS_memberOf", + "DS_primaryGroupID", "DS_pwdLastSet", "DS_badPasswordTime", + "DS_badPwdCount", "DS_lastLogon", "DS_lastLogonTimestamp", + "DS_lastLogoff", "DS_logonCount", "DS_accountExpires"), + + "ds_group": ("DS_whenChanged", "DS_whenCreated", "DS_sAMAccountName", + "DS_sAMAccountType", "DS_objectSid", "DS_objectClass", + "DS_name", "DS_memberOf", "DS_member", "DS_instanceType", + "DS_cn", "DS_description", "DS_distinguishedName", "ADSIPath"), + + "ds_copmuter": ("DS_dNSHostName", "ADSIPath", "DS_accountExpires", + "DS_adminDisplayName", "DS_badPasswordTime", + "DS_badPwdCount", "DS_cn", "DS_distinguishedName", + "DS_instanceType", "DS_lastLogoff", "DS_lastLogon", + "DS_lastLogonTimestamp", "DS_logonCount", "DS_objectClass", + "DS_objectSid", "DS_operatingSystem", "DS_operatingSystemVersion", + "DS_primaryGroupID", "DS_pwdLastSet", "DS_sAMAccountName", + "DS_sAMAccountType", "DS_servicePrincipalName", "DS_userAccountControl", + "DS_whenChanged", "DS_whenCreated"), + } + + def fix_obj_for_mongo(o): if type(o) == dict: return dict([(k, fix_obj_for_mongo(v)) for k, v in o.iteritems()]) @@ -43,7 +68,23 @@ def fix_obj_for_mongo(o): elif hasattr(o, "__class__") and o.__class__ == wmi._wmi_object: return fix_wmi_obj_for_mongo(o) + + elif hasattr(o, "__class__") and o.__class__ == win32com.client.CDispatch: + try: + # objectSid property of ds_user is problematic and need thie special treatment. + # ISWbemObjectEx interface. Class Uint8Array ? + if str(o._oleobj_.GetTypeInfo().GetTypeAttr().iid) == "{269AD56A-8A67-4129-BC8C-0506DCFE9880}": + return o.Value + except: + pass + try: + return o.GetObjectText_() + except: + pass + + return repr(o) + else: return repr(o) @@ -83,7 +124,6 @@ class WindowsInfoCollector(InfoCollector): def __init__(self): super(WindowsInfoCollector, self).__init__() - self.wmi = None def get_info(self): """ @@ -117,12 +157,18 @@ class WindowsInfoCollector(InfoCollector): for wmi_class_name in WMI_CLASSES: self.info[wmi_class_name] = self.get_wmi_class(wmi_class_name) - def get_wmi_class(self, class_name): - if not self.wmi: - self.wmi = wmi.WMI() + for wmi_class_name, props in WMI_LDAP_CLASSES.iteritems(): + self.info[wmi_class_name] = self.get_wmi_class(wmi_class_name, "//./root/directory/ldap", props) + + def get_wmi_class(self, class_name, moniker="//./root/civ2", properties=None): + _wmi = wmi.WMI(moniker=moniker) try: - wmi_class = getattr(self.wmi, class_name)() + if not properties: + wmi_class = getattr(_wmi, class_name)() + else: + wmi_class = getattr(_wmi, class_name)(properties) + except wmi.x_wmi: #LOG.error("Error getting wmi class '%s'" % (class_name, )) #LOG.error(traceback.format_exc()) From 0ca804d4e3aac821885a715a3e85c31f4f402107 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 8 May 2018 15:44:05 +0300 Subject: [PATCH 062/117] add comment --- infection_monkey/system_info/windows_info_collector.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index 9e5a77e84..033389b2e 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -28,6 +28,11 @@ WMI_CLASSES = set(["Win32_OperatingSystem", #"Win32_Process", ]) +# These wmi queries are able to return data about all the users & machines in the domain. +# For these queries to work, the monkey shohuld be run on a domain machine and +# +# monkey should run as *** SYSTEM *** !!! +# WMI_LDAP_CLASSES = {"ds_user": ("DS_sAMAccountName", "DS_userPrincipalName", "DS_sAMAccountType", "ADSIPath", "DS_userAccountControl", "DS_objectSid", "DS_objectClass", "DS_memberOf", From 404da6e6d6f1c2f6846e191d61d1e748799f4d29 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 8 May 2018 15:48:53 +0300 Subject: [PATCH 063/117] typo --- infection_monkey/system_info/windows_info_collector.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index 033389b2e..8a42265a1 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -165,7 +165,7 @@ class WindowsInfoCollector(InfoCollector): for wmi_class_name, props in WMI_LDAP_CLASSES.iteritems(): self.info[wmi_class_name] = self.get_wmi_class(wmi_class_name, "//./root/directory/ldap", props) - def get_wmi_class(self, class_name, moniker="//./root/civ2", properties=None): + def get_wmi_class(self, class_name, moniker="//./root/cimv2", properties=None): _wmi = wmi.WMI(moniker=moniker) try: From 588387a26360159e57e18b2b78578bb8cc8bc5ce Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 8 May 2018 16:12:51 +0300 Subject: [PATCH 064/117] typo --- infection_monkey/system_info/windows_info_collector.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index 8a42265a1..0d0ae6804 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -45,7 +45,7 @@ WMI_LDAP_CLASSES = {"ds_user": ("DS_sAMAccountName", "DS_userPrincipalName", "DS_name", "DS_memberOf", "DS_member", "DS_instanceType", "DS_cn", "DS_description", "DS_distinguishedName", "ADSIPath"), - "ds_copmuter": ("DS_dNSHostName", "ADSIPath", "DS_accountExpires", + "ds_computer": ("DS_dNSHostName", "ADSIPath", "DS_accountExpires", "DS_adminDisplayName", "DS_badPasswordTime", "DS_badPwdCount", "DS_cn", "DS_distinguishedName", "DS_instanceType", "DS_lastLogoff", "DS_lastLogon", From 7af6e6473ccee829b95a60a7dedf834333316b24 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 8 May 2018 17:05:33 +0300 Subject: [PATCH 065/117] Handle the Win32_GroupUser missing PartCompenent issue --- infection_monkey/system_info/windows_info_collector.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index 0d0ae6804..e9e7f71fd 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -100,7 +100,13 @@ def fix_wmi_obj_for_mongo(o): try: value = getattr(o, prop) except wmi.x_wmi: - continue + # This happens in Win32_GroupUser when the user is a domain user. + # For some reason, the wmi query for PartComponent fails. This table + # is actually contains references to Win32_UserAccount and Win32_Group. + # so instead of reading the content to the Win32_UserAccount, we store + # only the id of the row in that table, and get all the other information + # from that table while analyzing the data. + value = o.properties[prop].value row[prop] = fix_obj_for_mongo(value) From e672e26f71043f38cb6492db3a0b9bfa6a57f18c Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 8 May 2018 17:25:46 +0300 Subject: [PATCH 066/117] handle the PartCoponent issue in the report --- monkey_island/cc/resources/pthmap.py | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index fd882a6c6..daf2dab60 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -166,7 +166,7 @@ class Machine(object): return self.GetDomainRole() in (DsRole_RolePrimaryDomainController, DsRole_RoleBackupDomainController) @cache - def GetSidByUsername(self, username): + def GetSidByUsername(self, username, domain=None): doc = self.latest_system_info for user in doc["data"]["Win32_UserAccount"]: @@ -175,6 +175,9 @@ class Machine(object): if user["SIDType"] != SidTypeUser: continue + + if domain and user["Domain"] != domain: + continue return eval(user["SID"]) @@ -319,10 +322,26 @@ class Machine(object): if "PartComponent" not in group_user.keys(): continue - if group_user["PartComponent"]["SIDType"] != SidTypeUser: - continue + if type(group_user["PartComponent"]) in (str, unicode): + # PartComponent is an id to Win32_UserAccount table + + wmi_id = group_user["PartComponent"] + + if "cimv2:Win32_UserAccount" not in wmi_id: + continue + + # u'\\\\WIN-BFA01FFQFLS\\root\\cimv2:Win32_UserAccount.Domain="MYDOMAIN",Name="WIN-BFA01FFQFLS$"' + username = wmi_id.split('cimv2:Win32_UserAccount.Domain="')[1].split('",Name="')[0] + domain = wmi_id.split('cimv2:Win32_UserAccount.Domain="')[1].split('",Name="')[1][:-1] + + sid = self.GetSidByUsername(username, domain) + users[sid] = username + + else: + if group_user["PartComponent"]["SIDType"] != SidTypeUser: + continue - users[eval(group_user["PartComponent"]["SID"])] = eval(group_user["PartComponent"]["Name"]) + users[eval(group_user["PartComponent"]["SID"])] = eval(group_user["PartComponent"]["Name"]) return users From b54eb893307cd2592c3c79af627f9d821c082793 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 15 May 2018 11:10:32 +0300 Subject: [PATCH 067/117] Add 'Two machines should not share any local admin.' report --- monkey_island/cc/resources/pthmap.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index daf2dab60..af2688f56 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -49,6 +49,9 @@ SidTypeInvalid = 7 SidTypeUnknown = 8 SidTypeComputer = 9 +def is_group_sid_type(type): + return type in (SidTypeGroup, SidTypeAlias, SidTypeWellKnownGroup) + def myntlm(x): hash = hashlib.new('md4', x.encode('utf-16le')).digest() return str(binascii.hexlify(hash)) @@ -298,8 +301,8 @@ class Machine(object): for group in doc["data"]["Win32_Group"]: if eval(group["Name"]) != group_name: continue - - if group["SIDType"] != SidTypeGroup: + + if not is_group_sid_type(group["SIDType"]): continue return eval(group["SID"]) @@ -316,7 +319,7 @@ class Machine(object): if eval(group_user["GroupComponent"]["SID"]) != sid: continue - if group_user["GroupComponent"]["SIDType"] != SidTypeGroup: + if not is_group_sid_type(group_user["GroupComponent"]["SIDType"]): continue if "PartComponent" not in group_user.keys(): From bad90d35c1d0e71366de50a509f4641d2c510acd Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 15 May 2018 12:55:50 +0300 Subject: [PATCH 068/117] FATAL bugfix in cache, better find sid by username --- monkey_island/cc/resources/pthmap.py | 32 ++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index af2688f56..a53277e5d 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -59,7 +59,7 @@ def myntlm(x): def cache(foo): def hash(o): if type(o) in (int, float, str, unicode): - return o + return repr(o) elif type(o) in (type(None),): return "___None___" @@ -605,7 +605,7 @@ class PassTheHashMap(object): @cache def GenerateEdgesBySid(self): for attacker in self.vertices: - cached = Machine(attacker).GetCachedSids() + cached = self.GetCachedSids(Machine(attacker)) for victim in self.vertices: if attacker == victim: @@ -885,12 +885,31 @@ class PassTheHashMap(object): def GetNonCritialServers(self): return set(self.machines) - self.GetCritialServers() + @cache + def GetCachedSids(self, m): + sids = set() + tmp = m.GetCachedSids() + + for sid in tmp: + if sid.startswith("__USERNAME__"): + + s = self.GetSidsByUsername(sid[len("__USERNAME__"):]) + if len(s) == 1: + sids.add(s.pop()) + else: + sids.add(sid) + + else: + sids.add(sid) + + return sids + @cache def GetThreateningUsersByVictim(self, victim): threatening_users = set() for attacker in self.GetAttackersByVictim(victim): - threatening_users |= (attacker.GetCachedSids() & victim.GetAdmins()) + threatening_users |= (self.GetCachedSids(attacker) & victim.GetAdmins()) return threatening_users @@ -1099,12 +1118,7 @@ def main(): print """

      Cached SIDs

      """ print """

      SIDs cached on this machine

      """ print """
        """ - for sid in m.GetCachedSids(): - if sid.startswith("__USERNAME__"): - sids = pth.GetSidsByUsername(sid[len("__USERNAME__"):]) - if len(sids) == 1: - sid = sids.pop() - + for sid in pth.GetCachedSids(m): print """
      • {username} ({sid})
      • """.format(username=pth.GetUsernameBySid(sid), sid=sid) print """
      """ From d0ce419ae04672170e9a10e1df6434d84939fe66 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 15 May 2018 13:07:19 +0300 Subject: [PATCH 069/117] add GetAttackersBySid --- monkey_island/cc/resources/pthmap.py | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index a53277e5d..68a0c998e 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -831,6 +831,16 @@ class PassTheHashMap(object): return set(map(Machine, attackers)) + @cache + def GetAttackersBySid(self, sid): + machines = set() + + for m in self.machines: + if sid in self.GetCachedSids(m): + machines.add(m) + + return machines + @cache def GetVictimsByAttacker(self, attacker): if type(attacker) != unicode: @@ -1166,11 +1176,17 @@ def main():

      Secret: '{secret}'

      """.format(username=pth.GetUsernameBySid(sid), sid=sid, secret=pth.GetSecretBySid(sid), domain=pth.GetSidInfo(sid)["Domain"]) - print """

      Attackable Machines

      """ + print """

      Possible Victims Machines

      """ print """
        """ for m in pth.GetVictimsBySid(sid): print """
      • {ip} ({hostname})
      • """.format(ip=m.GetIp(), hostname=m.GetHostName()) print """
      """ + + print """

      Possible Attackers Machines

      """ + print """
        """ + for m in pth.GetAttackersBySid(sid): + print """
      • {ip} ({hostname})
      • """.format(ip=m.GetIp(), hostname=m.GetHostName()) + print """
      """ for secret in pth.GetAllSecrets(): print """

      Secret '{secret}'

      """.format(secret=secret) From 3cff5edffeaab34fc6ada4a665752062421115a7 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 15 May 2018 13:49:23 +0300 Subject: [PATCH 070/117] deepcopy cahced object before returing it --- monkey_island/cc/resources/pthmap.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 68a0c998e..ffb681c75 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -1,5 +1,6 @@ import hashlib import binascii +import copy from pymongo import MongoClient class mongo(object): @@ -106,7 +107,7 @@ def cache(foo): if hashed not in foo._mycache_.keys(): foo._mycache_[hashed] = foo(*args, **kwargs) - return foo._mycache_[hashed] + return copy.deepcopy(foo._mycache_[hashed]) return wrapper From 29e85a868b151e4a00d943471c16b2eee18893e3 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 15 May 2018 14:20:09 +0300 Subject: [PATCH 071/117] make attackers more visibile in table --- monkey_island/cc/resources/pthmap.py | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index ffb681c75..f9819dd79 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -120,6 +120,12 @@ class Machine(object): if self.latest_system_info.count() > 0: self.latest_system_info = self.latest_system_info[0] + def __eq__(self, other): + if isinstance(other, self.__class__): + return self.monkey_guid == other.monkey_guid + else: + return False + @cache def GetMimikatzOutput(self): doc = self.latest_system_info @@ -940,6 +946,7 @@ class PassTheHashMap(object): def main(): pth = PassTheHashMap() + print """""" print "

      Pass The Hash Report

      " print "

      Duplicated Passwords

      " @@ -1010,7 +1017,13 @@ def main(): print """
      """ print """
      IpHostnameDomainCritical Services InstalledShared User CountShared Users
        """ - for sid in pth.GetThreateningUsersByVictim(m): + for sid in pth.GetSharedAdmins(m): print """
      • {username}
      • """.format(sid=sid, username=pth.GetUsernameBySid(sid)) print """
        """ for sid in pth.GetThreateningUsersByVictim(m): - print """
      • {username}
      • """.format(sid=sid, username=pth.GetUsernameBySid(sid)) + print """
      • {username} attackers:
          """.format(sid=sid, username=pth.GetUsernameBySid(sid)) + + for mm in pth.GetAttackersBySid(sid): + if m == mm: + continue + print """
        • {ip}
        • """.format(ip=mm.GetIp()) + print """
      • """ print """
      """ @@ -1034,7 +1047,13 @@ def main(): print """
      """ for sid in pth.GetThreateningUsersByVictim(m): - print """
    • {username}
    • """.format(sid=sid, username=pth.GetUsernameBySid(sid)) + print """
    • {username} attackers:
        """.format(sid=sid, username=pth.GetUsernameBySid(sid)) + + for mm in pth.GetAttackersBySid(sid): + if m == mm: + continue + print """
      • {ip}
      • """.format(ip=mm.GetIp()) + print """
    • """ print """
    """ @@ -1177,13 +1196,13 @@ def main():

    Secret: '{secret}'

    """.format(username=pth.GetUsernameBySid(sid), sid=sid, secret=pth.GetSecretBySid(sid), domain=pth.GetSidInfo(sid)["Domain"]) - print """

    Possible Victims Machines

    """ + print """

    Machines the sid is local admin on

    """ print """
      """ for m in pth.GetVictimsBySid(sid): print """
    • {ip} ({hostname})
    • """.format(ip=m.GetIp(), hostname=m.GetHostName()) print """
    """ - print """

    Possible Attackers Machines

    """ + print """

    Machines the sid is in thier cache

    """ print """
      """ for m in pth.GetAttackersBySid(sid): print """
    • {ip} ({hostname})
    • """.format(ip=m.GetIp(), hostname=m.GetHostName()) From 88cb74ce12a8c952b6550bf582cedf37de096bd8 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 15 May 2018 14:28:51 +0300 Subject: [PATCH 072/117] hide junk --- monkey_island/cc/resources/pthmap.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index f9819dd79..7472a4476 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -946,7 +946,7 @@ class PassTheHashMap(object): def main(): pth = PassTheHashMap() - print """""" + print """""" print "

      Pass The Hash Report

      " print "

      Duplicated Passwords

      " @@ -1058,6 +1058,7 @@ def main(): print """
""" + print """""" if __name__ == "__main__": main() \ No newline at end of file From cec7ef6071c2fa34b2aebaab14a07c126a414c06 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 15 May 2018 15:23:16 +0300 Subject: [PATCH 073/117] rename --- monkey_island/cc/resources/{pthmap.py => pthreport.py} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename monkey_island/cc/resources/{pthmap.py => pthreport.py} (100%) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthreport.py similarity index 100% rename from monkey_island/cc/resources/pthmap.py rename to monkey_island/cc/resources/pthreport.py From cad048119d8493327a0b932c6404e250018d07b4 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 15 May 2018 15:26:46 +0300 Subject: [PATCH 074/117] split pth to be able to run standalone and in website --- monkey_island/cc/resources/pthmap.py | 21 +++++++++++++ monkey_island/cc/resources/pthreport.py | 41 ++++++------------------- 2 files changed, 30 insertions(+), 32 deletions(-) create mode 100644 monkey_island/cc/resources/pthmap.py diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py new file mode 100644 index 000000000..c59bb90cd --- /dev/null +++ b/monkey_island/cc/resources/pthmap.py @@ -0,0 +1,21 @@ +import hashlib +import binascii +import copy +import flask_restful +from pthreport import PassTheHashReport + +from cc.auth import jwt_required +from cc.services.edge import EdgeService +from cc.services.node import NodeService +from cc.database import mongo + +class PthMap(flask_restful.Resource): + @jwt_required() + def get(self, **kw): + graph = PassTheHashReport() + + return \ + { + "nodes": [{"id": x, "label": Machine(x).GetIp()} for x in graph.vertices], + "edges": [{"id": str(s) + str(t), "from": s, "to": t, "label": label} for s, t, label in graph.edges] + } diff --git a/monkey_island/cc/resources/pthreport.py b/monkey_island/cc/resources/pthreport.py index 7472a4476..664732dfb 100644 --- a/monkey_island/cc/resources/pthreport.py +++ b/monkey_island/cc/resources/pthreport.py @@ -1,38 +1,15 @@ import hashlib import binascii import copy -from pymongo import MongoClient -class mongo(object): - db = MongoClient().monkeyisland +if __name__ == "__main__": + from pymongo import MongoClient -#class PthMap(flask_restful.Resource): -class PthMap(object): - #@jwt_required() - def get(self, **kw): - graph = PassTheHashMap() - - return \ - { - "nodes": [{"id": x, "label": Machine(x).GetIp()} for x in graph.vertices], - "edges": [{"id": str(s) + str(t), "from": s, "to": t, "label": label} for s, t, label in graph.edges] - } - -if not __name__ == "__main__": - import flask_restful - - from cc.auth import jwt_required - from cc.services.edge import EdgeService - from cc.services.node import NodeService + class mongo(object): + db = MongoClient().monkeyisland +else: from cc.database import mongo - PthMapOrig = PthMap - - class PthMap(flask_restful.Resource): - @jwt_required() - def get(self, **kw): - return PthMapOrig.get(self, **kw) - DsRole_RoleStandaloneWorkstation = 0 DsRole_RoleMemberWorkstation = 1 DsRole_RoleStandaloneServer = 2 @@ -88,8 +65,8 @@ def cache(foo): elif type(o) == PthMap: return "PthMapSingleton" - elif type(o) == PassTheHashMap: - return "PassTheHashMapSingleton" + elif type(o) == PassTheHashReport: + return "PassTheHashReportSingleton" else: assert False, "%s of type %s is not hashable" % (repr(o), type(o)) @@ -564,7 +541,7 @@ class Machine(object): return names -class PassTheHashMap(object): +class PassTheHashReport(object): def __init__(self): self.vertices = self.GetAllMachines() @@ -944,7 +921,7 @@ class PassTheHashMap(object): return shared_admins def main(): - pth = PassTheHashMap() + pth = PassTheHashReport() print """""" print "

Pass The Hash Report

" From 0fe5a20a6b6397d4723689b6b9e167c0250835d7 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 15 May 2018 15:37:23 +0300 Subject: [PATCH 075/117] fix --- monkey_island/cc/resources/pthreport.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/monkey_island/cc/resources/pthreport.py b/monkey_island/cc/resources/pthreport.py index 664732dfb..f3707135c 100644 --- a/monkey_island/cc/resources/pthreport.py +++ b/monkey_island/cc/resources/pthreport.py @@ -62,8 +62,8 @@ def cache(foo): elif type(o) == Machine: return o.monkey_guid - elif type(o) == PthMap: - return "PthMapSingleton" +# elif type(o) == PthMap: +# return "PthMapSingleton" elif type(o) == PassTheHashReport: return "PassTheHashReportSingleton" From f6ebf0b51c445c491a76dab9f446015101e8e661 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 15 May 2018 16:29:02 +0300 Subject: [PATCH 076/117] fix bug not running the edge generation functions due to caching --- monkey_island/cc/resources/pthmap.py | 13 +++++---- monkey_island/cc/resources/pthreport.py | 37 +++++++++++++++++++------ 2 files changed, 36 insertions(+), 14 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index c59bb90cd..5230ef30e 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -2,7 +2,7 @@ import hashlib import binascii import copy import flask_restful -from pthreport import PassTheHashReport +from pthreport import PassTheHashReport, Machine from cc.auth import jwt_required from cc.services.edge import EdgeService @@ -12,10 +12,13 @@ from cc.database import mongo class PthMap(flask_restful.Resource): @jwt_required() def get(self, **kw): - graph = PassTheHashReport() - + pth = PassTheHashReport() + + v = copy.deepcopy(pth.vertices) + e = copy.deepcopy(pth.edges) + return \ { - "nodes": [{"id": x, "label": Machine(x).GetIp()} for x in graph.vertices], - "edges": [{"id": str(s) + str(t), "from": s, "to": t, "label": label} for s, t, label in graph.edges] + "nodes": [{"id": x, "label": Machine(x).GetIp()} for x in v], + "edges": [{"id": str(s) + str(t), "from": s, "to": t, "label": label} for s, t, label in e] } diff --git a/monkey_island/cc/resources/pthreport.py b/monkey_island/cc/resources/pthreport.py index f3707135c..313ef6a20 100644 --- a/monkey_island/cc/resources/pthreport.py +++ b/monkey_island/cc/resources/pthreport.py @@ -542,14 +542,21 @@ class Machine(object): return names class PassTheHashReport(object): + #_instance = None + #def __new__(class_, *args, **kwargs): + # if not class_._instance: + # class_._instance = object.__new__(class_, *args, **kwargs) + # + # return class_._instance + def __init__(self): self.vertices = self.GetAllMachines() - self.edges = set() self.machines = map(Machine, self.vertices) - self.GenerateEdgesBySid() # Useful for non-cached domain users - self.GenerateEdgesBySamHash() # This will add edges based only on password hash without caring about username + self.edges = set() + self.edges |= self.GetEdgesBySid() # Useful for non-cached domain users + self.edges |= self.GetEdgesBySamHash() # This will add edges based only on password hash without caring about username @cache def GetAllMachines(self): @@ -587,7 +594,9 @@ class PassTheHashReport(object): return ",\n".join(label) @cache - def GenerateEdgesBySid(self): + def GetEdgesBySid(self): + edges = set() + for attacker in self.vertices: cached = self.GetCachedSids(Machine(attacker)) @@ -599,10 +608,14 @@ class PassTheHashReport(object): if len(cached & admins) > 0: label = self.ReprSidList(cached & admins, attacker, victim) - self.edges.add((attacker, victim, label)) + edges.add((attacker, victim, label)) + + return edges @cache - def GenerateEdgesBySamHash(self): + def GetEdgesBySamHash(self): + edges = set() + for attacker in self.vertices: cached_creds = set(Machine(attacker).GetCachedCreds().items()) @@ -614,10 +627,14 @@ class PassTheHashReport(object): if len(cached_creds & admin_creds) > 0: label = self.ReprSecretList(set(dict(cached_creds & admin_creds).values()), victim) - self.edges.add((attacker, victim, label)) + edges.add((attacker, victim, label)) + + return edges @cache - def GenerateEdgesByUsername(self): + def GetEdgesByUsername(self): + edges = set() + for attacker in self.vertices: cached = Machine(attacker).GetCachedUsernames() @@ -628,7 +645,9 @@ class PassTheHashReport(object): admins = Machine(victim).GetAdminNames() if len(cached & admins) > 0: - self.edges.add((attacker, victim)) + edges.add((attacker, victim)) + + return edges @cache def Print(self): From 2724e671f7bb502c92ebee9f64077037e35a5ed8 Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 15 May 2018 16:42:51 +0300 Subject: [PATCH 077/117] try --- monkey_island/cc/resources/pthmap.py | 11 +++++++--- monkey_island/cc/resources/pthreport.py | 22 ++++++++++++++++++- .../components/pages/PassTheHashMapPage.js | 4 +++- 3 files changed, 32 insertions(+), 5 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 5230ef30e..05d1bf7ef 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -2,7 +2,7 @@ import hashlib import binascii import copy import flask_restful -from pthreport import PassTheHashReport, Machine +from pthreport import PassTheHashReport, Machine, get_report_html from cc.auth import jwt_required from cc.services.edge import EdgeService @@ -19,6 +19,11 @@ class PthMap(flask_restful.Resource): return \ { - "nodes": [{"id": x, "label": Machine(x).GetIp()} for x in v], - "edges": [{"id": str(s) + str(t), "from": s, "to": t, "label": label} for s, t, label in e] + "graph": { + "nodes": [{"id": x, "label": Machine(x).GetIp()} for x in v], + "edges": [{"id": str(s) + str(t), "from": s, "to": t, "label": label} for s, t, label in e] + }, + + "report_html": get_report_html() } + diff --git a/monkey_island/cc/resources/pthreport.py b/monkey_island/cc/resources/pthreport.py index 313ef6a20..30cc83338 100644 --- a/monkey_island/cc/resources/pthreport.py +++ b/monkey_island/cc/resources/pthreport.py @@ -1228,4 +1228,24 @@ def main(): print """
""" if __name__ == "__main__": - main() \ No newline at end of file + main() + + +from cStringIO import StringIO +import sys + +class Capturing(list): + def __enter__(self): + self._stdout = sys.stdout + sys.stdout = self._stringio = StringIO() + return self + def __exit__(self, *args): + self.extend(self._stringio.getvalue().splitlines()) + del self._stringio # free up some memory + sys.stdout = self._stdout + +def get_report_html(): + with Capturing() as output: + main() + + return "\n".join(output) diff --git a/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js b/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js index 26ce71cc9..d60ce0abb 100644 --- a/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js +++ b/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js @@ -29,6 +29,7 @@ class PassTheHashMapPageComponent extends AuthComponent { super(props); this.state = { graph: {nodes: [], edges: []}, + report_html: "", selected: null, selectedType: null, killPressed: false, @@ -55,7 +56,7 @@ class PassTheHashMapPageComponent extends AuthComponent { this.authFetch('/api/pthmap') .then(res => res.json()) .then(res => { - this.setState({graph: res}); + this.setState({graph: res["graph"], report_html: res["report_html"]}); this.props.onStatusChange(); }); }; @@ -70,6 +71,7 @@ class PassTheHashMapPageComponent extends AuthComponent {
+
{this.state.report_html}
); From c298544f22b0f1f5f350bec8eae9f5a02578275c Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 15 May 2018 16:52:08 +0300 Subject: [PATCH 078/117] Revert "try" This reverts commit 2724e671f7bb502c92ebee9f64077037e35a5ed8. --- monkey_island/cc/resources/pthmap.py | 11 +++------- monkey_island/cc/resources/pthreport.py | 22 +------------------ .../components/pages/PassTheHashMapPage.js | 4 +--- 3 files changed, 5 insertions(+), 32 deletions(-) diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py index 05d1bf7ef..5230ef30e 100644 --- a/monkey_island/cc/resources/pthmap.py +++ b/monkey_island/cc/resources/pthmap.py @@ -2,7 +2,7 @@ import hashlib import binascii import copy import flask_restful -from pthreport import PassTheHashReport, Machine, get_report_html +from pthreport import PassTheHashReport, Machine from cc.auth import jwt_required from cc.services.edge import EdgeService @@ -19,11 +19,6 @@ class PthMap(flask_restful.Resource): return \ { - "graph": { - "nodes": [{"id": x, "label": Machine(x).GetIp()} for x in v], - "edges": [{"id": str(s) + str(t), "from": s, "to": t, "label": label} for s, t, label in e] - }, - - "report_html": get_report_html() + "nodes": [{"id": x, "label": Machine(x).GetIp()} for x in v], + "edges": [{"id": str(s) + str(t), "from": s, "to": t, "label": label} for s, t, label in e] } - diff --git a/monkey_island/cc/resources/pthreport.py b/monkey_island/cc/resources/pthreport.py index 30cc83338..313ef6a20 100644 --- a/monkey_island/cc/resources/pthreport.py +++ b/monkey_island/cc/resources/pthreport.py @@ -1228,24 +1228,4 @@ def main(): print """""" if __name__ == "__main__": - main() - - -from cStringIO import StringIO -import sys - -class Capturing(list): - def __enter__(self): - self._stdout = sys.stdout - sys.stdout = self._stringio = StringIO() - return self - def __exit__(self, *args): - self.extend(self._stringio.getvalue().splitlines()) - del self._stringio # free up some memory - sys.stdout = self._stdout - -def get_report_html(): - with Capturing() as output: - main() - - return "\n".join(output) + main() \ No newline at end of file diff --git a/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js b/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js index d60ce0abb..26ce71cc9 100644 --- a/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js +++ b/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js @@ -29,7 +29,6 @@ class PassTheHashMapPageComponent extends AuthComponent { super(props); this.state = { graph: {nodes: [], edges: []}, - report_html: "", selected: null, selectedType: null, killPressed: false, @@ -56,7 +55,7 @@ class PassTheHashMapPageComponent extends AuthComponent { this.authFetch('/api/pthmap') .then(res => res.json()) .then(res => { - this.setState({graph: res["graph"], report_html: res["report_html"]}); + this.setState({graph: res}); this.props.onStatusChange(); }); }; @@ -71,7 +70,6 @@ class PassTheHashMapPageComponent extends AuthComponent {
-
{this.state.report_html}
); From 6019432a2b980f63615001eb8a250774fbc27c0e Mon Sep 17 00:00:00 2001 From: Oran Nadler Date: Tue, 22 May 2018 03:00:06 -0700 Subject: [PATCH 079/117] pth report is now shown also in the website --- monkey_island/cc/app.py | 2 ++ monkey_island/cc/resources/pthreport.py | 21 ++++++++++++++++++- monkey_island/cc/resources/pthreporthtml.py | 21 +++++++++++++++++++ .../components/pages/PassTheHashMapPage.js | 8 +++++++ 4 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 monkey_island/cc/resources/pthreporthtml.py diff --git a/monkey_island/cc/app.py b/monkey_island/cc/app.py index 981cf3de1..33d1bb53b 100644 --- a/monkey_island/cc/app.py +++ b/monkey_island/cc/app.py @@ -19,6 +19,7 @@ from cc.resources.monkey_configuration import MonkeyConfiguration from cc.resources.monkey_download import MonkeyDownload from cc.resources.netmap import NetMap from cc.resources.pthmap import PthMap +from cc.resources.pthreporthtml import PthReportHtml from cc.resources.node import Node from cc.resources.report import Report from cc.resources.root import Root @@ -106,5 +107,6 @@ def init_app(mongo_url): api.add_resource(TelemetryFeed, '/api/telemetry-feed', '/api/telemetry-feed/') api.add_resource(Log, '/api/log', '/api/log/') api.add_resource(PthMap, '/api/pthmap', '/api/pthmap/') + api.add_resource(PthReportHtml, '/api/pthreport', '/api/pthreport/') return app diff --git a/monkey_island/cc/resources/pthreport.py b/monkey_island/cc/resources/pthreport.py index 313ef6a20..b89a8b078 100644 --- a/monkey_island/cc/resources/pthreport.py +++ b/monkey_island/cc/resources/pthreport.py @@ -1228,4 +1228,23 @@ def main(): print """""" if __name__ == "__main__": - main() \ No newline at end of file + main() + +from cStringIO import StringIO +import sys + +class Capturing(list): + def __enter__(self): + self._stdout = sys.stdout + sys.stdout = self._stringio = StringIO() + return self + def __exit__(self, *args): + self.extend(self._stringio.getvalue().splitlines()) + del self._stringio # free up some memory + sys.stdout = self._stdout + +def get_report_html(): + with Capturing() as output: + main() + + return "\n".join(output) \ No newline at end of file diff --git a/monkey_island/cc/resources/pthreporthtml.py b/monkey_island/cc/resources/pthreporthtml.py new file mode 100644 index 000000000..8aa10870f --- /dev/null +++ b/monkey_island/cc/resources/pthreporthtml.py @@ -0,0 +1,21 @@ +import hashlib +import binascii +import copy +import flask_restful +from pthreport import PassTheHashReport, Machine, get_report_html + +from cc.auth import jwt_required +from cc.services.edge import EdgeService +from cc.services.node import NodeService +from cc.database import mongo + +class PthReportHtml(flask_restful.Resource): + @jwt_required() + def get(self, **kw): + pth = PassTheHashReport() + html = get_report_html() + + return \ + { + "html": html + } diff --git a/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js b/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js index 26ce71cc9..2ac43f094 100644 --- a/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js +++ b/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js @@ -29,6 +29,7 @@ class PassTheHashMapPageComponent extends AuthComponent { super(props); this.state = { graph: {nodes: [], edges: []}, + report: "", selected: null, selectedType: null, killPressed: false, @@ -58,6 +59,12 @@ class PassTheHashMapPageComponent extends AuthComponent { this.setState({graph: res}); this.props.onStatusChange(); }); + this.authFetch('/api/pthreport') + .then(res => res.json()) + .then(res => { + this.setState({report: res.html}); + this.props.onStatusChange(); + }); }; render() { @@ -70,6 +77,7 @@ class PassTheHashMapPageComponent extends AuthComponent {
+
); From 800e337f6f0e4fc3f9d25c5dff417ae3dc736a33 Mon Sep 17 00:00:00 2001 From: Itay Mizeretz Date: Thu, 19 Jul 2018 18:35:37 +0300 Subject: [PATCH 080/117] Add credential map to report. currently uses fake static data --- .../cc/ui/src/components/map/MapOptions.js | 35 ++- .../map/preview-pane/InfMapPreviewPane.js | 247 +++++++++++++++++ .../map/preview-pane/PreviewPane.js | 252 +----------------- .../map/preview-pane/PthPreviewPane.js | 63 +++++ .../cc/ui/src/components/pages/MapPage.js | 4 +- .../components/pages/PassTheHashMapPage.js | 94 +++---- .../cc/ui/src/components/pages/ReportPage.js | 46 ++++ .../cc/ui/src/images/nodes/pth/critical.png | Bin 0 -> 20067 bytes .../cc/ui/src/images/nodes/pth/normal.png | Bin 0 -> 19466 bytes 9 files changed, 436 insertions(+), 305 deletions(-) create mode 100644 monkey_island/cc/ui/src/components/map/preview-pane/InfMapPreviewPane.js create mode 100644 monkey_island/cc/ui/src/components/map/preview-pane/PthPreviewPane.js create mode 100644 monkey_island/cc/ui/src/images/nodes/pth/critical.png create mode 100644 monkey_island/cc/ui/src/images/nodes/pth/normal.png diff --git a/monkey_island/cc/ui/src/components/map/MapOptions.js b/monkey_island/cc/ui/src/components/map/MapOptions.js index 701adcf29..f6946ea31 100644 --- a/monkey_island/cc/ui/src/components/map/MapOptions.js +++ b/monkey_island/cc/ui/src/components/map/MapOptions.js @@ -1,4 +1,4 @@ -let groupNames = ['clean_unknown', 'clean_linux', 'clean_windows', 'exploited_linux', 'exploited_windows', 'island', +const groupNames = ['clean_unknown', 'clean_linux', 'clean_windows', 'exploited_linux', 'exploited_windows', 'island', 'island_monkey_linux', 'island_monkey_linux_running', 'island_monkey_windows', 'island_monkey_windows_running', 'manual_linux', 'manual_linux_running', 'manual_windows', 'manual_windows_running', 'monkey_linux', 'monkey_linux_running', 'monkey_windows', 'monkey_windows_running']; @@ -16,7 +16,22 @@ let getGroupsOptions = () => { return groupOptions; }; -export const options = { +const groupNamesPth = ['normal', 'critical']; + +let getGroupsOptionsPth = () => { + let groupOptions = {}; + for (let groupName of groupNamesPth) { + groupOptions[groupName] = + { + shape: 'image', + size: 50, + image: require('../../images/nodes/pth/' + groupName + '.png') + }; + } + return groupOptions; +}; + +export const basic_options = { autoResize: true, layout: { improvedLayout: false @@ -33,10 +48,22 @@ export const options = { avoidOverlap: 0.5 }, minVelocity: 0.75 - }, - groups: getGroupsOptions() + } }; +export const options = (() => { + let opts = JSON.parse(JSON.stringify(basic_options)); /* Deep copy */ + opts.groups = getGroupsOptions(); + return opts; +})(); + +export const optionsPth = (() => { + let opts = JSON.parse(JSON.stringify(basic_options)); /* Deep copy */ + opts.groups = getGroupsOptionsPth(); + opts.physics.barnesHut.gravitationalConstant = -20000; + return opts; +})(); + export function edgeGroupToColor(group) { switch (group) { case 'exploited': diff --git a/monkey_island/cc/ui/src/components/map/preview-pane/InfMapPreviewPane.js b/monkey_island/cc/ui/src/components/map/preview-pane/InfMapPreviewPane.js new file mode 100644 index 000000000..e06043c20 --- /dev/null +++ b/monkey_island/cc/ui/src/components/map/preview-pane/InfMapPreviewPane.js @@ -0,0 +1,247 @@ +import React from 'react'; +import {Icon} from 'react-fa'; +import Toggle from 'react-toggle'; +import {OverlayTrigger, Tooltip} from 'react-bootstrap'; +import download from 'downloadjs' +import PreviewPaneComponent from 'components/map/preview-pane/PreviewPane'; + +class InfMapPreviewPaneComponent extends PreviewPaneComponent { + + osRow(asset) { + return ( + + Operating System + {asset.os.charAt(0).toUpperCase() + asset.os.slice(1)} + + ); + } + + ipsRow(asset) { + return ( + + IP Addresses + {asset.ip_addresses.map(val =>
{val}
)} + + ); + } + + servicesRow(asset) { + return ( + + Services + {asset.services.map(val =>
{val}
)} + + ); + } + + accessibleRow(asset) { + return ( + + + Accessible From  + {this.generateToolTip('List of machine which can access this one using a network protocol')} + + {asset.accessible_from_nodes.map(val =>
{val}
)} + + ); + } + + statusRow(asset) { + return ( + + Status + {(asset.dead) ? 'Dead' : 'Alive'} + + ); + } + + forceKill(event, asset) { + let newConfig = asset.config; + newConfig['alive'] = !event.target.checked; + this.authFetch('/api/monkey/' + asset.guid, + { + method: 'PATCH', + headers: {'Content-Type': 'application/json'}, + body: JSON.stringify({config: newConfig}) + }); + } + + forceKillRow(asset) { + return ( + + + Force Kill  + {this.generateToolTip('If this is on, monkey will die next time it communicates')} + + + this.forceKill(e, asset)}/> + + + + ); + } + + unescapeLog(st) { + return st.substr(1, st.length - 2) // remove quotation marks on beginning and end of string. + .replace(/\\n/g, "\n") + .replace(/\\r/g, "\r") + .replace(/\\t/g, "\t") + .replace(/\\b/g, "\b") + .replace(/\\f/g, "\f") + .replace(/\\"/g, '\"') + .replace(/\\'/g, "\'") + .replace(/\\&/g, "\&"); + } + + downloadLog(asset) { + this.authFetch('/api/log?id=' + asset.id) + .then(res => res.json()) + .then(res => { + let timestamp = res['timestamp']; + timestamp = timestamp.substr(0, timestamp.indexOf('.')); + let filename = res['monkey_label'].split(':').join('-') + ' - ' + timestamp + '.log'; + let logContent = this.unescapeLog(res['log']); + download(logContent, filename, 'text/plain'); + }); + + } + + downloadLogRow(asset) { + return ( + + + Download Log + + + this.downloadLog(asset)}>Download + + + ); + } + + exploitsTimeline(asset) { + if (asset.exploits.length === 0) { + return (
); + } + + return ( +
+

+ Exploit Timeline  + {this.generateToolTip('Timeline of exploit attempts. Red is successful. Gray is unsuccessful')} +

+
    + {asset.exploits.map(exploit => +
  • +
    +
    {new Date(exploit.timestamp).toLocaleString()}
    +
    {exploit.origin}
    +
    {exploit.exploiter}
    +
  • + )} +
+
+ ) + } + + assetInfo(asset) { + return ( +
+ + + {this.osRow(asset)} + {this.ipsRow(asset)} + {this.servicesRow(asset)} + {this.accessibleRow(asset)} + +
+ {this.exploitsTimeline(asset)} +
+ ); + } + + infectedAssetInfo(asset) { + return ( +
+ + + {this.osRow(asset)} + {this.statusRow(asset)} + {this.ipsRow(asset)} + {this.servicesRow(asset)} + {this.accessibleRow(asset)} + {this.forceKillRow(asset)} + {this.downloadLogRow(asset)} + +
+ {this.exploitsTimeline(asset)} +
+ ); + } + + scanInfo(edge) { + return ( +
+ + + + + + + + + + + + + + + +
Operating System{edge.os.type}
IP Address{edge.ip_address}
Services{edge.services.map(val =>
{val}
)}
+ { + (edge.exploits.length === 0) ? + '' : +
+

Timeline

+
    + {edge.exploits.map(exploit => +
  • +
    +
    {new Date(exploit.timestamp).toLocaleString()}
    +
    {exploit.origin}
    +
    {exploit.exploiter}
    +
  • + )} +
+
+ } +
+ ); + } + + islandEdgeInfo() { + return ( +
+
+ ); + } + + getInfoByProps() { + switch (this.props.type) { + case 'edge': + return this.scanInfo(this.props.item); + case 'node': + return this.props.item.group.includes('monkey', 'manual') ? + this.infectedAssetInfo(this.props.item) : this.assetInfo(this.props.item); + case 'island_edge': + return this.islandEdgeInfo(); + } + + return null; + } +} + +export default InfMapPreviewPaneComponent; diff --git a/monkey_island/cc/ui/src/components/map/preview-pane/PreviewPane.js b/monkey_island/cc/ui/src/components/map/preview-pane/PreviewPane.js index 64b228332..c38907eea 100644 --- a/monkey_island/cc/ui/src/components/map/preview-pane/PreviewPane.js +++ b/monkey_island/cc/ui/src/components/map/preview-pane/PreviewPane.js @@ -15,251 +15,25 @@ class PreviewPaneComponent extends AuthComponent { ); } - osRow(asset) { - return ( - - Operating System - {asset.os.charAt(0).toUpperCase() + asset.os.slice(1)} - - ); + // This should be overridden + getInfoByProps() { + return null; } - ipsRow(asset) { - return ( - - IP Addresses - {asset.ip_addresses.map(val =>
{val}
)} - - ); - } - - servicesRow(asset) { - return ( - - Services - {asset.services.map(val =>
{val}
)} - - ); - } - - accessibleRow(asset) { - return ( - - - Accessible From  - {this.generateToolTip('List of machine which can access this one using a network protocol')} - - {asset.accessible_from_nodes.map(val =>
{val}
)} - - ); - } - - statusRow(asset) { - return ( - - Status - {(asset.dead) ? 'Dead' : 'Alive'} - - ); - } - - forceKill(event, asset) { - let newConfig = asset.config; - newConfig['alive'] = !event.target.checked; - this.authFetch('/api/monkey/' + asset.guid, - { - method: 'PATCH', - headers: {'Content-Type': 'application/json'}, - body: JSON.stringify({config: newConfig}) - }); - } - - forceKillRow(asset) { - return ( - - - Force Kill  - {this.generateToolTip('If this is on, monkey will die next time it communicates')} - - - this.forceKill(e, asset)}/> - - - - ); - } - - unescapeLog(st) { - return st.substr(1, st.length - 2) // remove quotation marks on beginning and end of string. - .replace(/\\n/g, "\n") - .replace(/\\r/g, "\r") - .replace(/\\t/g, "\t") - .replace(/\\b/g, "\b") - .replace(/\\f/g, "\f") - .replace(/\\"/g, '\"') - .replace(/\\'/g, "\'") - .replace(/\\&/g, "\&"); - } - - downloadLog(asset) { - this.authFetch('/api/log?id=' + asset.id) - .then(res => res.json()) - .then(res => { - let timestamp = res['timestamp']; - timestamp = timestamp.substr(0, timestamp.indexOf('.')); - let filename = res['monkey_label'].split(':').join('-') + ' - ' + timestamp + '.log'; - let logContent = this.unescapeLog(res['log']); - download(logContent, filename, 'text/plain'); - }); - - } - - downloadLogRow(asset) { - return ( - - - Download Log - - - this.downloadLog(asset)}>Download - - - ); - } - - exploitsTimeline(asset) { - if (asset.exploits.length === 0) { - return (
); + getLabelByProps() { + if (!this.props.item) { + return ''; + } else if (this.props.item.hasOwnProperty('label')) { + return this.props.item['label']; + } else if (this.props.item.hasOwnProperty('_label')) { + return this.props.item['_label']; } - - return ( -
-

- Exploit Timeline  - {this.generateToolTip('Timeline of exploit attempts. Red is successful. Gray is unsuccessful')} -

-
    - {asset.exploits.map(exploit => -
  • -
    -
    {new Date(exploit.timestamp).toLocaleString()}
    -
    {exploit.origin}
    -
    {exploit.exploiter}
    -
  • - )} -
-
- ) - } - - assetInfo(asset) { - return ( -
- - - {this.osRow(asset)} - {this.ipsRow(asset)} - {this.servicesRow(asset)} - {this.accessibleRow(asset)} - -
- {this.exploitsTimeline(asset)} -
- ); - } - - infectedAssetInfo(asset) { - return ( -
- - - {this.osRow(asset)} - {this.statusRow(asset)} - {this.ipsRow(asset)} - {this.servicesRow(asset)} - {this.accessibleRow(asset)} - {this.forceKillRow(asset)} - {this.downloadLogRow(asset)} - -
- {this.exploitsTimeline(asset)} -
- ); - } - - scanInfo(edge) { - return ( -
- - - - - - - - - - - - - - - -
Operating System{edge.os.type}
IP Address{edge.ip_address}
Services{edge.services.map(val =>
{val}
)}
- { - (edge.exploits.length === 0) ? - '' : -
-

Timeline

-
    - {edge.exploits.map(exploit => -
  • -
    -
    {new Date(exploit.timestamp).toLocaleString()}
    -
    {exploit.origin}
    -
    {exploit.exploiter}
    -
  • - )} -
-
- } -
- ); - } - - islandEdgeInfo() { - return ( -
-
- ); + return ''; } render() { - let info = null; - switch (this.props.type) { - case 'edge': - info = this.scanInfo(this.props.item); - break; - case 'node': - info = this.props.item.group.includes('monkey', 'manual') ? - this.infectedAssetInfo(this.props.item) : this.assetInfo(this.props.item); - break; - case 'island_edge': - info = this.islandEdgeInfo(); - break; - } - - let label = ''; - if (!this.props.item) { - label = ''; - } else if (this.props.item.hasOwnProperty('label')) { - label = this.props.item['label']; - } else if (this.props.item.hasOwnProperty('_label')) { - label = this.props.item['_label']; - } + let info = this.getInfoByProps(); + let label = this.getLabelByProps(); return (
diff --git a/monkey_island/cc/ui/src/components/map/preview-pane/PthPreviewPane.js b/monkey_island/cc/ui/src/components/map/preview-pane/PthPreviewPane.js new file mode 100644 index 000000000..f9a5ae1bb --- /dev/null +++ b/monkey_island/cc/ui/src/components/map/preview-pane/PthPreviewPane.js @@ -0,0 +1,63 @@ +import React from 'react'; +import {Icon} from 'react-fa'; +import Toggle from 'react-toggle'; +import {OverlayTrigger, Tooltip} from 'react-bootstrap'; +import download from 'downloadjs' +import PreviewPaneComponent from 'components/map/preview-pane/PreviewPane'; + +class PthPreviewPaneComponent extends PreviewPaneComponent { + nodeInfo(asset) { + return ( +
+ + + + + + + + + + + + + + + + + + + +
Hostname{asset.hostname}
IP Addresses{asset.ips.map(val =>
{val}
)}
Services{asset.services.map(val =>
{val}
)}
Compromised Users{asset.users.map(val =>
{val}
)}
+
+ ); + } + + edgeInfo(edge) { + return ( +
+ + + + + + + +
Compromised Users{edge.users.map(val =>
{val}
)}
+
+ ); + } + + getInfoByProps() { + switch (this.props.type) { + case 'edge': + return this.edgeInfo(this.props.item); + case 'node': + return this.nodeInfo(this.props.item); + } + + return null; + } +} + +export default PthPreviewPaneComponent; diff --git a/monkey_island/cc/ui/src/components/pages/MapPage.js b/monkey_island/cc/ui/src/components/pages/MapPage.js index 4a54aeb8c..00c0cba3c 100644 --- a/monkey_island/cc/ui/src/components/pages/MapPage.js +++ b/monkey_island/cc/ui/src/components/pages/MapPage.js @@ -2,7 +2,7 @@ import React from 'react'; import {Col} from 'react-bootstrap'; import {Link} from 'react-router-dom'; import {Icon} from 'react-fa'; -import PreviewPane from 'components/map/preview-pane/PreviewPane'; +import InfMapPreviewPaneComponent from 'components/map/preview-pane/InfMapPreviewPane'; import {ReactiveGraph} from 'components/reactive-graph/ReactiveGraph'; import {ModalContainer, ModalDialog} from 'react-modal-dialog'; import {options, edgeGroupToColor} from 'components/map/MapOptions'; @@ -190,7 +190,7 @@ class MapPageComponent extends AuthComponent {
: ''} - +
); diff --git a/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js b/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js index 2ac43f094..8c7ded49b 100644 --- a/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js +++ b/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js @@ -1,83 +1,57 @@ import React from 'react'; -import {Col} from 'react-bootstrap'; import {ReactiveGraph} from 'components/reactive-graph/ReactiveGraph'; import AuthComponent from '../AuthComponent'; -import Graph from 'react-graph-vis'; - -const options = { - autoResize: true, - layout: { - improvedLayout: false - }, - edges: { - width: 2, - smooth: { - type: 'curvedCW' - } - }, - physics: { - barnesHut: { - gravitationalConstant: -120000, - avoidOverlap: 0.5 - }, - minVelocity: 0.75 - } -}; +import {optionsPth, edgeGroupToColorPth, options} from '../map/MapOptions'; +import PreviewPane from "../map/preview-pane/PreviewPane"; +import {Col} from "react-bootstrap"; +import {Link} from 'react-router-dom'; +import {Icon} from 'react-fa'; +import PthPreviewPaneComponent from "../map/preview-pane/PthPreviewPane"; class PassTheHashMapPageComponent extends AuthComponent { constructor(props) { super(props); this.state = { - graph: {nodes: [], edges: []}, - report: "", + graph: props.graph, selected: null, - selectedType: null, - killPressed: false, - showKillDialog: false, - telemetry: [], - telemetryLastTimestamp: null + selectedType: null }; } - componentDidMount() { - this.updateMapFromServer(); - this.interval = setInterval(this.timedEvents, 1000); - } - - componentWillUnmount() { - clearInterval(this.interval); - } - - timedEvents = () => { - this.updateMapFromServer(); + events = { + select: event => this.selectionChanged(event) }; - updateMapFromServer = () => { - this.authFetch('/api/pthmap') - .then(res => res.json()) - .then(res => { - this.setState({graph: res}); - this.props.onStatusChange(); - }); - this.authFetch('/api/pthreport') - .then(res => res.json()) - .then(res => { - this.setState({report: res.html}); - this.props.onStatusChange(); - }); - }; + selectionChanged(event) { + if (event.nodes.length === 1) { + let displayedNode = this.state.graph.nodes.find( + function (node) { + return node['id'] === event.nodes[0]; + }); + this.setState({selected: displayedNode, selectedType: 'node'}) + } + else if (event.edges.length === 1) { + let displayedEdge = this.state.graph.edges.find( + function (edge) { + return edge['id'] === event.edges[0]; + }); + this.setState({selected: displayedEdge, selectedType: 'edge'}); + } + else { + this.setState({selected: null, selectedType: null}); + } + } render() { return (
- -

Pass The Hash Map

+ +
+ +
-
- -
-
+
); diff --git a/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey_island/cc/ui/src/components/pages/ReportPage.js index bec4f3625..adb024c72 100644 --- a/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -8,6 +8,7 @@ import StolenPasswords from 'components/report-components/StolenPasswords'; import CollapsibleWellComponent from 'components/report-components/CollapsibleWell'; import {Line} from 'rc-progress'; import AuthComponent from '../AuthComponent'; +import PassTheHashMapPageComponent from "./PassTheHashMapPage"; let guardicoreLogoImage = require('../../images/guardicore-logo.png'); let monkeyLogoImage = require('../../images/monkey-icon.svg'); @@ -129,6 +130,7 @@ class ReportPageComponent extends AuthComponent { {this.generateReportFindingsSection()} {this.generateReportRecommendationsSection()} {this.generateReportGlanceSection()} + {this.generateReportPthSection()} {this.generateReportFooter()}
@@ -420,6 +422,50 @@ class ReportPageComponent extends AuthComponent { ); } + generateReportPthSection() { + // TODO: remove this and use updateMapFromSerever to get actual map data. + const my_map = { + nodes: [ + {id: '1', label: 'MYPC-1', group: 'normal', users: ['MYPC-2\\user1', 'Dom\\user2'], ips: ['192.168.0.1'], services: ["DC", "SQL"], 'hostname': 'aaa1'}, + {id: 2, label: 'MYPC-2', group: 'critical', users: ['MYPC-2\\user1', 'Dom\\user2'], ips: ['192.168.0.1'], services: ["DC", "SQL"], 'hostname': 'aaa2'}, + {id: 3, label: 'MYPC-3', group: 'normal', users: ['MYPC-3\\user1', 'Dom\\user3'], ips: ['192.168.0.2'], services: ["DC", "SQL"], 'hostname': 'aaa3'}, + {id: 4, label: 'MYPC-4', group: 'critical', users: ['MYPC-4\\user1', 'Dom\\user4'], ips: ['192.168.0.3', '192.168.0.4'], services: ["DC", "SQL"], 'hostname': 'aaa4'}, + {id: 5, label: 'MYPC-5', group: 'normal', users: ['MYPC-5\\user1', 'Dom\\user5'], ips: ['192.168.0.1'], services: [], 'hostname': 'aaa5'}, + {id: 6, label: 'MYPC-6', group: 'critical', users: ['MYPC-6\\user1', 'Dom\\user6'], ips: ['192.168.0.1'], services: ["DC"], 'hostname': 'aaa6'}, + {id: 7, label: 'MYPC-7', group: 'critical', users: ['MYPC-7\\user1', 'Dom\\user7'], ips: ['192.168.0.1'], services: ["DC", "SQL"], 'hostname': 'aaa7'} + ], + edges: [ + {id: 10, from: '1', to: 2, users: ['MYPC-3\\user1', 'Dom\\user3'], _label: 'bla0'}, + {id: 11, from: '1', to: 3, users: ['MYPC-3\\user1', 'Dom\\user3'], _label: 'bla1'}, + {id: 12, from: '1', to: 4, users: ['MYPC-3\\user1', 'Dom\\user3'], _label: 'bla2'}, + {id: 13, from: 5, to: 6, users: ['MYPC-3\\user1', 'Dom\\user3'], _label: 'bla3'}, + {id: 14, from: 6, to: 7, users: ['MYPC-3\\user1', 'Dom\\user3'], _label: 'bla4'}, + {id: 15, from: 6, to: 5, users: ['MYPC-3\\user1', 'Dom\\user3'], _label: 'bla5'}, + ] + + }; + return ( +
+

+ Pass The Hash !!!!!TODO: change this!!!!!!!! +

+
+ +
+
+ TODO: put relevant tables and stuff here... +
+
+ TODO: put relevant tables and stuff here... +
+
+ TODO: put relevant tables and stuff here... +
+
+
+ ); + } + generateReportFooter() { return ( ); @@ -488,7 +486,7 @@ class ReportPageComponent extends AuthComponent { Credential Map
- +

From af3b5665ce6f697edcfb681577989f936675f2f8 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Tue, 24 Jul 2018 20:49:57 +0300 Subject: [PATCH 088/117] * some logs and un-commenting for testing. --- infection_monkey/system_info/windows_info_collector.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index d6c852801..f6d85355c 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -139,16 +139,18 @@ class WindowsInfoCollector(InfoCollector): self.get_hostname() self.get_process_list() self.get_network_info() - #self.get_azure_info() + self.get_azure_info() - #self.get_wmi_info() + self.get_wmi_info() + LOG.debug('finished get_wmi_info') #self.get_reg_key(r"SYSTEM\CurrentControlSet\Control\Lsa") self.get_installed_packages() mimikatz_collector = MimikatzCollector() mimikatz_info = mimikatz_collector.get_logon_info() if mimikatz_info: - self.info["credentials"].update(mimikatz_info) + if "credentials" in self.info: + self.info["credentials"].update(mimikatz_info) self.info["mimikatz"] = mimikatz_collector.get_mimikatz_text() return self.info From cdfd6284ee51fbe260a872dda4382804c77b7c92 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Wed, 1 Aug 2018 13:07:18 +0300 Subject: [PATCH 089/117] * Added information about what info gathered to the report's issues section --- monkey_island/cc/resources/pthreport.py | 2 +- monkey_island/cc/services/pth_report.py | 51 +++++++++++++++---- monkey_island/cc/services/pth_report_utils.py | 19 +++---- .../cc/ui/src/components/pages/ReportPage.js | 30 ++++++++++- 4 files changed, 80 insertions(+), 22 deletions(-) diff --git a/monkey_island/cc/resources/pthreport.py b/monkey_island/cc/resources/pthreport.py index 31233aa1e..7c4046694 100644 --- a/monkey_island/cc/resources/pthreport.py +++ b/monkey_island/cc/resources/pthreport.py @@ -3,7 +3,7 @@ import flask_restful from cc.auth import jwt_required from cc.services.pth_report import PTHReportService -__author__ = "itay.mizeretz" +__author__ = "maor.rayzin" class PTHReport(flask_restful.Resource): diff --git a/monkey_island/cc/services/pth_report.py b/monkey_island/cc/services/pth_report.py index 45a6e3668..7a615db2d 100644 --- a/monkey_island/cc/services/pth_report.py +++ b/monkey_island/cc/services/pth_report.py @@ -18,7 +18,8 @@ class PTHReportService(object): continue for sid in pth.GetSidsBySecret(secret): usernames_per_sid_list.append(pth.GetUsernameBySid(sid)) - usernames_lists.append(usernames_per_sid_list) + + usernames_lists.append({'cred_group': usernames_per_sid_list}) return usernames_lists @@ -99,24 +100,49 @@ class PTHReportService(object): 'ip': m.GetIp(), 'hostname': m.GetHostName(), 'domain': m.GetDomainName(), - 'services_names': m.GetNonCritialServers(), + 'services_names': [], 'user_count': count, 'threatening_users': threatening_users_attackers_dict } strong_users_non_crit_list.append(machine) return strong_users_non_crit_list + @staticmethod + def get_duplicated_passwords_issues(pth, password_groups): + issues = [] + issues_dict = {} + for group in password_groups: + for username in group['cred_group']: + sid = list(pth.GetSidsByUsername(username.split('\\')[1])) + machine_info = pth.GetSidInfo(sid[0]) + issues.append( + { + 'type': 'shared_password', + 'machine': machine_info.get('hostname').split('.')[0], + 'shared_with': [x for x in group['cred_group'] if x != username], + 'username': username + } + ) + + for issue in issues: + machine = issue['machine'] + if machine not in issues_dict: + issues_dict[machine] = [] + issues_dict[machine].append(issue) + + return issues_dict + @staticmethod def generate_map_nodes(pth): nodes_list = [] for node_id in pth.vertices: machine = Machine(node_id) node = { - "id": str(machine.get_monkey_id()), + "id": str(node_id), "label": '{0} : {1}'.format(machine.GetHostName(), machine.GetIp()), 'group': 'critical' if machine.IsCriticalServer() else 'normal', 'users': list(machine.GetCachedUsernames()), - 'ips': machine.GetIp(), + 'ips': [machine.GetIp()], 'services': machine.GetCriticalServicesInstalled(), 'hostname': machine.GetHostName() } @@ -127,17 +153,23 @@ class PTHReportService(object): @staticmethod def get_report(): pth = PassTheHashReport() + same_password = PTHReportService.get_duplicated_password_nodes(pth) + local_admin_shared = PTHReportService.get_shared_local_admins_nodes(pth) + strong_users_on_crit_services = PTHReportService.get_strong_users_on_crit_services(pth) + strong_users_on_non_crit_services = PTHReportService.get_strong_users_on_non_crit_services(pth) + issues = PTHReportService.get_duplicated_passwords_issues(pth, same_password) report = \ { 'report_info': { - 'same_password': PTHReportService.get_duplicated_password_nodes(pth), - 'local_admin_shared': PTHReportService.get_shared_local_admins_nodes(pth), - 'strong_users_on_crit_services': PTHReportService.get_strong_users_on_crit_services(pth), - 'strong_users_on_non_crit_services': PTHReportService.get_strong_users_on_non_crit_services(pth) + 'same_password': same_password, + 'local_admin_shared': local_admin_shared, + 'strong_users_on_crit_services': strong_users_on_crit_services, + 'strong_users_on_non_crit_services': strong_users_on_non_crit_services, + 'pth_issues': issues }, - 'map': + 'pthmap': { 'nodes': PTHReportService.generate_map_nodes(pth), 'edges': pth.edges @@ -318,4 +350,3 @@ class PTHReportService(object): # for m in pth.GetAttackersBySecret(secret): # print """
  • {hostname}
  • """.format(ip=m.GetIp(), hostname=m.GetHostName()) # print """""" - diff --git a/monkey_island/cc/services/pth_report_utils.py b/monkey_island/cc/services/pth_report_utils.py index 06c40f023..b4839f852 100644 --- a/monkey_island/cc/services/pth_report_utils.py +++ b/monkey_island/cc/services/pth_report_utils.py @@ -212,7 +212,8 @@ class Machine(object): "Username": eval(user.get("Name")), "Disabled": user.get("Disabled") == "true", "PasswordRequired": user.get("PasswordRequired") == "true", - "PasswordExpires": user.get("PasswordExpires") == "true", } + "PasswordExpires": user.get("PasswordExpires") == "true", + 'hostname': doc.get('data').get('hostname'), } if not self.IsDomainController(): for dc in self.GetDomainControllers(): @@ -555,6 +556,7 @@ class Machine(object): return names + class PassTheHashReport(object): # _instance = None # def __new__(class_, *args, **kwargs): @@ -570,7 +572,7 @@ class PassTheHashReport(object): self.edges = self.get_edges_by_sid() # Useful for non-cached domain users #self.edges |= self.GetEdgesBySamHash() # This will add edges based only on password hash without caring about username - @cache + def GetAllMachines(self): cur = mongo.db.telemetry.find({"telem_type": "system_info_collection"}) @@ -610,13 +612,12 @@ class PassTheHashReport(object): attacker_monkey = NodeService.get_monkey_by_guid(attacker) victim_monkey = NodeService.get_monkey_by_guid(victim) - attacker_label = NodeService.get_node_label(attacker_monkey) - victim_label = NodeService.get_node_label(victim_monkey) + attacker_label = NodeService.get_monkey_label(attacker_monkey) + victim_label = NodeService.get_monkey_label(victim_monkey) RIGHT_ARROW = u"\u2192" return "%s %s %s" % (attacker_label, RIGHT_ARROW, victim_label) - @cache def get_edges_by_sid(self): edges_list = [] @@ -637,7 +638,7 @@ class PassTheHashReport(object): 'to': victim, 'users': relevant_users_list, '_label': PassTheHashReport.__get_edge_label(attacker, victim), - 'id': uuid.uuid4() + 'id': str(uuid.uuid4()) }) return edges_list @@ -858,9 +859,9 @@ class PassTheHashReport(object): attackers = set() - for atck, vic, _ in self.edges: - if vic == victim: - attackers.add(atck) + for edge in self.edges: + if edge.get('to', None) == victim: + attackers.add(edge.get('from', None)) return set(map(Machine, attackers)) diff --git a/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey_island/cc/ui/src/components/pages/ReportPage.js index 03939b01d..ed75da059 100644 --- a/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -47,6 +47,7 @@ class ReportPageComponent extends AuthComponent { allMonkeysAreDead: false, runStarted: true }; + this.getPth } componentDidMount() { @@ -117,7 +118,7 @@ class ReportPageComponent extends AuthComponent { .then(res => { this.setState({ pthreport: res.report_info, - pthmap: res.map + pthmap: res.pthmap }); }); } @@ -389,6 +390,7 @@ class ReportPageComponent extends AuthComponent {
    {this.generateIssues(this.state.report.recommendations.issues)} + {this.generateIssues(this.state.pthreport.pth_issues)}
    ); @@ -399,6 +401,7 @@ class ReportPageComponent extends AuthComponent { (100 * this.state.report.glance.exploited.length) / this.state.report.glance.scanned.length; return (
    +

    The Network from the Monkey's Eyes

    @@ -452,7 +455,15 @@ class ReportPageComponent extends AuthComponent {
    - + { /* TODO: use dynamic data */} +
    ); @@ -728,6 +739,18 @@ class ReportPageComponent extends AuthComponent { ); } + generateSharedCredsIssue(issue) { + return ( +
  • + Some users are sharing passwords, this should be fixed by changing passwords. + + The user {issue.username} is sharing access password with: + {this.generateInfoBadges(issue.shared_with)}. + +
  • + ); + } + generateTunnelIssue(issue) { return (
  • @@ -800,6 +823,9 @@ class ReportPageComponent extends AuthComponent { case 'cross_segment': data = this.generateCrossSegmentIssue(issue); break; + case 'shared_password': + data = this.generateSharedCredsIssue(issue); + break; case 'tunnel': data = this.generateTunnelIssue(issue); break; From 3a9a92d1b9f2749c2a91251cf7ec557e5ffc092a Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Sun, 5 Aug 2018 11:46:47 +0300 Subject: [PATCH 090/117] * More info in the recommendations section --- monkey_island/cc/services/pth_report.py | 68 ++++++++++++++++--- .../cc/ui/src/components/pages/ReportPage.js | 32 +++++++++ 2 files changed, 91 insertions(+), 9 deletions(-) diff --git a/monkey_island/cc/services/pth_report.py b/monkey_island/cc/services/pth_report.py index 7a615db2d..6f244e09b 100644 --- a/monkey_island/cc/services/pth_report.py +++ b/monkey_island/cc/services/pth_report.py @@ -3,11 +3,18 @@ from cc.services.pth_report_utils import PassTheHashReport, Machine class PTHReportService(object): + """ + + """ + def __init__(self): pass @staticmethod def get_duplicated_password_nodes(pth): + """ + + """ usernames_lists = [] usernames_per_sid_list = [] @@ -110,7 +117,6 @@ class PTHReportService(object): @staticmethod def get_duplicated_passwords_issues(pth, password_groups): issues = [] - issues_dict = {} for group in password_groups: for username in group['cred_group']: sid = list(pth.GetSidsByUsername(username.split('\\')[1])) @@ -124,13 +130,38 @@ class PTHReportService(object): } ) - for issue in issues: - machine = issue['machine'] - if machine not in issues_dict: - issues_dict[machine] = [] - issues_dict[machine].append(issue) + return issues - return issues_dict + @staticmethod + def get_shared_local_admins_issues(shared_admins_machines): + issues = [] + for machine in shared_admins_machines: + issues.append( + { + 'type': 'shared_admins', + 'machine': machine.get('hostname'), + 'shared_accounts': machine.get('admins_accounts'), + 'ip': machine.get('ip'), + } + ) + + return issues + + @staticmethod + def strong_users_on_crit_issues(strong_users): + issues = [] + for machine in strong_users: + issues.append( + { + 'type': 'strong_users_on_crit', + 'machine': machine.get('hostname'), + 'services': machine.get('services_names'), + 'ip': machine.get('ip'), + 'threatening_users': machine.get('threatening_users') + } + ) + + return issues @staticmethod def generate_map_nodes(pth): @@ -150,14 +181,33 @@ class PTHReportService(object): return nodes_list + @staticmethod + def get_issues_list(issues): + issues_dict = {} + + for issue in issues: + machine = issue['machine'] + if machine not in issues_dict: + issues_dict[machine] = [] + issues_dict[machine].append(issue) + + return issues_dict + @staticmethod def get_report(): + + issues = [] pth = PassTheHashReport() + same_password = PTHReportService.get_duplicated_password_nodes(pth) local_admin_shared = PTHReportService.get_shared_local_admins_nodes(pth) strong_users_on_crit_services = PTHReportService.get_strong_users_on_crit_services(pth) strong_users_on_non_crit_services = PTHReportService.get_strong_users_on_non_crit_services(pth) - issues = PTHReportService.get_duplicated_passwords_issues(pth, same_password) + + issues += PTHReportService.get_duplicated_passwords_issues(pth, same_password) + issues += PTHReportService.get_shared_local_admins_issues(local_admin_shared) + issues += PTHReportService.strong_users_on_crit_issues(strong_users_on_crit_services) + formated_issues = PTHReportService.get_issues_list(issues) report = \ { @@ -167,7 +217,7 @@ class PTHReportService(object): 'local_admin_shared': local_admin_shared, 'strong_users_on_crit_services': strong_users_on_crit_services, 'strong_users_on_non_crit_services': strong_users_on_non_crit_services, - 'pth_issues': issues + 'pth_issues': formated_issues }, 'pthmap': { diff --git a/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey_island/cc/ui/src/components/pages/ReportPage.js index ed75da059..5db48036b 100644 --- a/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -751,6 +751,32 @@ class ReportPageComponent extends AuthComponent { ); } + generateSharedLocalAdminsIssue(issue) { + return ( +
  • + This machine shares a local admin account with another machine + + Here is a list showing users that are acting as admins on this machine and others: + {this.generateInfoBadges(issue.shared_accounts)} + +
  • + ); + } + + generateStrongUsersOnCritIssue(issue) { + return ( +
  • + This critical machine is open to attacks via strong users with access to it. + + The services: {this.generateInfoBadges(issue.services)} have been found on the machine + thus classifying it as a critical machine. + These users has access to it: + {this.generateInfoBadges(issue.threatening_users)}. + +
  • + ); + } + generateTunnelIssue(issue) { return (
  • @@ -826,6 +852,12 @@ class ReportPageComponent extends AuthComponent { case 'shared_password': data = this.generateSharedCredsIssue(issue); break; + case 'shared_admins': + data = this.generateSharedLocalAdminsIssue(issue); + break; + case 'strong_users_on_crit': + data = this.generateStrongUsersOnCritIssue(issue); + break; case 'tunnel': data = this.generateTunnelIssue(issue); break; From 4a780d81a82ed6c5387ec8e54aa91c5975aec881 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Sun, 5 Aug 2018 11:48:48 +0300 Subject: [PATCH 091/117] * removed not needed import * --- infection_monkey/system_info/windows_info_collector.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index f6d85355c..ab5a79099 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -1,6 +1,5 @@ import os import logging -import traceback import sys sys.coinit_flags = 0 # needed for proper destruction of the wmi python module @@ -143,7 +142,7 @@ class WindowsInfoCollector(InfoCollector): self.get_wmi_info() LOG.debug('finished get_wmi_info') - #self.get_reg_key(r"SYSTEM\CurrentControlSet\Control\Lsa") + self.get_reg_key(r"SYSTEM\CurrentControlSet\Control\Lsa") self.get_installed_packages() mimikatz_collector = MimikatzCollector() From 3c40fd7cc3775ec3ad2bdf64a09fb0b6a0e3c6bb Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Wed, 8 Aug 2018 16:03:16 +0300 Subject: [PATCH 092/117] * Added warnings and threats comments about pth findings --- monkey_island/cc/services/pth_report.py | 25 +++++++++---------- monkey_island/cc/services/report.py | 19 +++++++++++--- .../cc/ui/src/components/pages/ReportPage.js | 22 ++++++++++------ 3 files changed, 42 insertions(+), 24 deletions(-) diff --git a/monkey_island/cc/services/pth_report.py b/monkey_island/cc/services/pth_report.py index 6f244e09b..3640e29e2 100644 --- a/monkey_island/cc/services/pth_report.py +++ b/monkey_island/cc/services/pth_report.py @@ -118,17 +118,16 @@ class PTHReportService(object): def get_duplicated_passwords_issues(pth, password_groups): issues = [] for group in password_groups: - for username in group['cred_group']: - sid = list(pth.GetSidsByUsername(username.split('\\')[1])) - machine_info = pth.GetSidInfo(sid[0]) - issues.append( - { - 'type': 'shared_password', - 'machine': machine_info.get('hostname').split('.')[0], - 'shared_with': [x for x in group['cred_group'] if x != username], - 'username': username - } - ) + username = group['cred_group'][0] + sid = list(pth.GetSidsByUsername(username.split('\\')[1])) + machine_info = pth.GetSidInfo(sid[0]) + issues.append( + { + 'type': 'shared_passwords', + 'machine': machine_info.get('hostname').split('.')[0], + 'shared_with': group['cred_group'] + } + ) return issues @@ -207,7 +206,7 @@ class PTHReportService(object): issues += PTHReportService.get_duplicated_passwords_issues(pth, same_password) issues += PTHReportService.get_shared_local_admins_issues(local_admin_shared) issues += PTHReportService.strong_users_on_crit_issues(strong_users_on_crit_services) - formated_issues = PTHReportService.get_issues_list(issues) + #formated_issues = PTHReportService.get_issues_list(issues) report = \ { @@ -217,7 +216,7 @@ class PTHReportService(object): 'local_admin_shared': local_admin_shared, 'strong_users_on_crit_services': strong_users_on_crit_services, 'strong_users_on_non_crit_services': strong_users_on_non_crit_services, - 'pth_issues': formated_issues + 'pth_issues': issues }, 'pthmap': { diff --git a/monkey_island/cc/services/report.py b/monkey_island/cc/services/report.py index 369b29c25..6a89afa58 100644 --- a/monkey_island/cc/services/report.py +++ b/monkey_island/cc/services/report.py @@ -9,6 +9,7 @@ from cc.services.config import ConfigService from cc.services.edge import EdgeService from cc.services.node import NodeService from cc.utils import local_ip_addresses, get_subnets +from pth_report import PTHReportService __author__ = "itay.mizeretz" @@ -43,10 +44,14 @@ class ReportService: AZURE = 6 STOLEN_SSH_KEYS = 7 STRUTS2 = 8 + PTH_CRIT_SERVICES_ACCESS = 10 + class WARNINGS_DICT(Enum): CROSS_SEGMENT = 0 TUNNEL = 1 + SHARED_LOCAL_ADMIN = 2 + SHARED_PASSWORDS = 3 @staticmethod def get_first_monkey_time(): @@ -365,7 +370,8 @@ class ReportService: @staticmethod def get_issues(): issues = ReportService.get_exploits() + ReportService.get_tunnels() +\ - ReportService.get_cross_segment_issues() + ReportService.get_azure_issues() + ReportService.get_cross_segment_issues() + ReportService.get_azure_issues() + \ + PTHReportService.get_report().get('report_info').get('pth_issues', []) issues_dict = {} for issue in issues: machine = issue['machine'] @@ -430,7 +436,9 @@ class ReportService: issues_byte_array[ReportService.ISSUES_DICT.STOLEN_SSH_KEYS.value] = True elif issue['type'] == 'struts2': issues_byte_array[ReportService.ISSUES_DICT.STRUTS2.value] = True - elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \ + elif issue['type'] == 'strong_users_on_crit': + issues_byte_array[ReportService.ISSUES_DICT.PTH_CRIT_SERVICES_ACCESS.value] = True + elif issue['type'].endswith('_password') and issue.get('password', None) in config_passwords and \ issue['username'] in config_users or issue['type'] == 'ssh': issues_byte_array[ReportService.ISSUES_DICT.WEAK_PASSWORD.value] = True elif issue['type'].endswith('_pth') or issue['type'].endswith('_password'): @@ -440,7 +448,7 @@ class ReportService: @staticmethod def get_warnings_overview(issues): - warnings_byte_array = [False] * 2 + warnings_byte_array = [False] * len(ReportService.WARNINGS_DICT) for machine in issues: for issue in issues[machine]: @@ -448,6 +456,10 @@ class ReportService: warnings_byte_array[ReportService.WARNINGS_DICT.CROSS_SEGMENT.value] = True elif issue['type'] == 'tunnel': warnings_byte_array[ReportService.WARNINGS_DICT.TUNNEL.value] = True + elif issue['type'] == 'shared_admins': + warnings_byte_array[ReportService.WARNINGS_DICT.SHARED_LOCAL_ADMIN.value] = True + elif issue['type'] == 'shared_passwords': + warnings_byte_array[ReportService.WARNINGS_DICT.SHARED_PASSWORDS.value] = True return warnings_byte_array @@ -472,6 +484,7 @@ class ReportService: config_users = ReportService.get_config_users() config_passwords = ReportService.get_config_passwords() + report = \ { 'overview': diff --git a/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey_island/cc/ui/src/components/pages/ReportPage.js index 5db48036b..400381c8a 100644 --- a/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -28,13 +28,16 @@ class ReportPageComponent extends AuthComponent { CONFICKER: 5, AZURE: 6, STOLEN_SSH_KEYS: 7, - STRUTS2: 8 + STRUTS2: 8, + PTH_CRIT_SERVICES_ACCESS: 10 }; Warning = { CROSS_SEGMENT: 0, - TUNNEL: 1 + TUNNEL: 1, + SHARED_LOCAL_ADMIN: 2, + SHARED_PASSWORDS: 3 }; constructor(props) { @@ -345,6 +348,9 @@ class ReportPageComponent extends AuthComponent {
  • Struts2 servers are vulnerable to remote code execution. ( CVE-2017-5638)
  • : null } + {this.state.report.overview.issues[this.Issue.PTH_CRIT_SERVICES_ACCESS] ? +
  • Credentials of strong users was found on machines and can give access to critical servers + (DC, MSSQL, etc..)
  • : null } : @@ -370,6 +376,10 @@ class ReportPageComponent extends AuthComponent { communicate. : null} {this.state.report.overview.warnings[this.Warning.TUNNEL] ?
  • Weak segmentation - Machines were able to communicate over unused ports.
  • : null} + {this.state.report.overview.warnings[this.Warning.SHARED_LOCAL_ADMIN] ? +
  • The monkey has found that some users have administrative rights on several machines.
  • : null} + {this.state.report.overview.warnings[this.Warning.SHARED_PASSWORDS] ? +
  • The monkey has found that some users are sharing passwords.
  • : null} : @@ -390,7 +400,6 @@ class ReportPageComponent extends AuthComponent {
    {this.generateIssues(this.state.report.recommendations.issues)} - {this.generateIssues(this.state.pthreport.pth_issues)}
    ); @@ -448,9 +457,6 @@ class ReportPageComponent extends AuthComponent {
    -
    - -
    @@ -744,7 +750,7 @@ class ReportPageComponent extends AuthComponent {
  • Some users are sharing passwords, this should be fixed by changing passwords. - The user {issue.username} is sharing access password with: + These users are sharing access password: {this.generateInfoBadges(issue.shared_with)}.
  • @@ -849,7 +855,7 @@ class ReportPageComponent extends AuthComponent { case 'cross_segment': data = this.generateCrossSegmentIssue(issue); break; - case 'shared_password': + case 'shared_passwords': data = this.generateSharedCredsIssue(issue); break; case 'shared_admins': From 0486b630aaedb7c5a869a1d99404e9cfff499c1c Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Wed, 8 Aug 2018 16:38:11 +0300 Subject: [PATCH 093/117] * Commented out the ldap checkup for bug testing --- infection_monkey/system_info/windows_info_collector.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index ab5a79099..30685569b 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -162,8 +162,8 @@ class WindowsInfoCollector(InfoCollector): for wmi_class_name in WMI_CLASSES: self.info[wmi_class_name] = self.get_wmi_class(wmi_class_name) - for wmi_class_name, props in WMI_LDAP_CLASSES.iteritems(): - self.info[wmi_class_name] = self.get_wmi_class(wmi_class_name, "//./root/directory/ldap", props) + # for wmi_class_name, props in WMI_LDAP_CLASSES.iteritems(): + # self.info[wmi_class_name] = self.get_wmi_class(wmi_class_name, "//./root/directory/ldap", props) def get_wmi_class(self, class_name, moniker="//./root/cimv2", properties=None): _wmi = wmi.WMI(moniker=moniker) From c373bfbcfb3f3af2a669c36c67998727188b12d8 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Thu, 23 Aug 2018 15:17:08 +0300 Subject: [PATCH 094/117] * integrated parts of the pth report to the main report module. * Changed the ui a bit, removed some tables and add information to the current tables. --- monkey_island/cc/services/pth_report.py | 59 +++++++++++++++---- monkey_island/cc/services/pth_report_utils.py | 40 +++++++------ monkey_island/cc/services/report.py | 45 +++++++++----- .../components/pages/PassTheHashMapPage.js | 3 - .../cc/ui/src/components/pages/ReportPage.js | 49 +++------------ .../report-components/StrongUsers.js | 3 +- 6 files changed, 106 insertions(+), 93 deletions(-) diff --git a/monkey_island/cc/services/pth_report.py b/monkey_island/cc/services/pth_report.py index 3640e29e2..03167f81a 100644 --- a/monkey_island/cc/services/pth_report.py +++ b/monkey_island/cc/services/pth_report.py @@ -24,7 +24,8 @@ class PTHReportService(object): if count <= 1: continue for sid in pth.GetSidsBySecret(secret): - usernames_per_sid_list.append(pth.GetUsernameBySid(sid)) + if sid: + usernames_per_sid_list.append(pth.GetUsernameBySid(sid)) usernames_lists.append({'cred_group': usernames_per_sid_list}) @@ -56,7 +57,7 @@ class PTHReportService(object): return shared_admin_machines @staticmethod - def get_strong_users_on_crit_services(pth): + def get_strong_users_on_crit_services_by_machine(pth): threatening = dict(map(lambda x: (x, len(pth.GetThreateningUsersByVictim(x))), pth.GetCritialServers())) strong_users_crit_list = [] @@ -77,13 +78,34 @@ class PTHReportService(object): 'ip': m.GetIp(), 'hostname': m.GetHostName(), 'domain': m.GetDomainName(), - 'services_names': m.GetCriticalServicesInstalled(), - 'user_count': count, + 'services': m.GetCriticalServicesInstalled(), 'threatening_users': threatening_users_attackers_dict } strong_users_crit_list.append(machine) return strong_users_crit_list + + @staticmethod + def get_strong_users_on_crit_services_by_user(pth): + critical_servers = pth.GetCritialServers() + strong_users_dict = {} + + for server in critical_servers: + users = pth.GetThreateningUsersByVictim(server) + for sid in users: + username = pth.GetUsernameBySid(sid) + if username not in strong_users_dict: + strong_users_dict[username] = { + 'services_names': [], + 'machines': [] + } + strong_users_dict[username]['username'] = username + strong_users_dict[username]['domain'] = server.GetDomainName() + strong_users_dict[username]['services_names'] += server.GetCriticalServicesInstalled() + strong_users_dict[username]['machines'].append(server.GetHostName()) + + return strong_users_dict.values() + @staticmethod def get_strong_users_on_non_crit_services(pth): threatening = dict(map(lambda x: (x, len(pth.GetThreateningUsersByVictim(x))), pth.GetNonCritialServers())) @@ -117,8 +139,11 @@ class PTHReportService(object): @staticmethod def get_duplicated_passwords_issues(pth, password_groups): issues = [] + previeous_group = [] for group in password_groups: username = group['cred_group'][0] + if username in previeous_group: + continue sid = list(pth.GetSidsByUsername(username.split('\\')[1])) machine_info = pth.GetSidInfo(sid[0]) issues.append( @@ -128,6 +153,7 @@ class PTHReportService(object): 'shared_with': group['cred_group'] } ) + previeous_group += group['cred_group'] return issues @@ -154,19 +180,19 @@ class PTHReportService(object): { 'type': 'strong_users_on_crit', 'machine': machine.get('hostname'), - 'services': machine.get('services_names'), + 'services': machine.get('services'), 'ip': machine.get('ip'), - 'threatening_users': machine.get('threatening_users') + 'threatening_users': machine.get('threatening_users').keys() } ) return issues @staticmethod - def generate_map_nodes(pth): - nodes_list = [] - for node_id in pth.vertices: - machine = Machine(node_id) + def get_machine_details(node_id): + machine = Machine(node_id) + node = {} + if machine.latest_system_info: node = { "id": str(node_id), "label": '{0} : {1}'.format(machine.GetHostName(), machine.GetIp()), @@ -176,6 +202,13 @@ class PTHReportService(object): 'services': machine.GetCriticalServicesInstalled(), 'hostname': machine.GetHostName() } + return node + + @staticmethod + def generate_map_nodes(pth): + nodes_list = [] + for node_id in pth.vertices: + node = PTHReportService.get_machine_details(node_id) nodes_list.append(node) return nodes_list @@ -200,13 +233,13 @@ class PTHReportService(object): same_password = PTHReportService.get_duplicated_password_nodes(pth) local_admin_shared = PTHReportService.get_shared_local_admins_nodes(pth) - strong_users_on_crit_services = PTHReportService.get_strong_users_on_crit_services(pth) + strong_users_on_crit_services = PTHReportService.get_strong_users_on_crit_services_by_user(pth) strong_users_on_non_crit_services = PTHReportService.get_strong_users_on_non_crit_services(pth) issues += PTHReportService.get_duplicated_passwords_issues(pth, same_password) issues += PTHReportService.get_shared_local_admins_issues(local_admin_shared) - issues += PTHReportService.strong_users_on_crit_issues(strong_users_on_crit_services) - #formated_issues = PTHReportService.get_issues_list(issues) + issues += PTHReportService.strong_users_on_crit_issues( + PTHReportService.get_strong_users_on_crit_services_by_machine(pth)) report = \ { diff --git a/monkey_island/cc/services/pth_report_utils.py b/monkey_island/cc/services/pth_report_utils.py index b4839f852..9e9baa6b3 100644 --- a/monkey_island/cc/services/pth_report_utils.py +++ b/monkey_island/cc/services/pth_report_utils.py @@ -99,6 +99,8 @@ class Machine(object): if self.latest_system_info.count() > 0: self.latest_system_info = self.latest_system_info[0] + else: + self.latest_system_info = None self.monkey_info = NodeService.get_monkey_by_guid(self.monkey_guid) @@ -163,7 +165,7 @@ class Machine(object): def IsDomainController(self): return self.GetDomainRole() in (DsRole_RolePrimaryDomainController, DsRole_RoleBackupDomainController) - @cache + #@cache def GetSidByUsername(self, username, domain=None): doc = self.latest_system_info @@ -227,7 +229,7 @@ class Machine(object): @cache def GetCriticalServicesInstalled(self): def IsNameOfCriticalService(name): - services = ("W3svc", "MSExchangeServiceHost", "MSSQLServer", "dns") + services = ("W3svc", "MSExchangeServiceHost", "MSSQLServer", "dns", 'MSSQL$SQLEXPRESS') services = map(str.lower, services) if not name: @@ -290,7 +292,6 @@ class Machine(object): usernames = self.GetUsernamesBySecret(secret) return set(map(self.GetSidByUsername, usernames)) - @cache def GetGroupSidByGroupName(self, group_name): doc = self.latest_system_info @@ -305,7 +306,6 @@ class Machine(object): return None - @cache def GetUsersByGroupSid(self, sid): doc = self.latest_system_info @@ -360,7 +360,6 @@ class Machine(object): return GUIDs - @cache def GetLocalAdmins(self): admins = self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")) @@ -369,7 +368,6 @@ class Machine(object): return admins - @cache def GetLocalAdminSids(self): return set(self.GetLocalAdmins().keys()) @@ -510,7 +508,7 @@ class Machine(object): DCs = self.GetDomainControllersMonkeyGuidByDomainName(domain_name) return map(Machine, DCs) - @cache + def GetDomainAdminsOfMachine(self): DCs = self.GetDomainControllers() @@ -521,15 +519,15 @@ class Machine(object): return domain_admins - @cache + #@cache def GetAdmins(self): - return self.GetLocalAdminSids() | self.GetDomainAdminsOfMachine() + return self.GetLocalAdminSids() # | self.GetDomainAdminsOfMachine() @cache def GetAdminNames(self): return set(map(lambda x: self.GetUsernameBySid(x), self.GetAdmins())) - @cache + #@cache def GetCachedSids(self): doc = self.latest_system_info @@ -622,16 +620,18 @@ class PassTheHashReport(object): edges_list = [] for attacker in self.vertices: - cached = self.GetCachedSids(Machine(attacker)) + cached = list(self.GetCachedSids(Machine(attacker))) for victim in self.vertices: if attacker == victim: continue - admins = Machine(victim).GetAdmins() + admins = list(Machine(victim).GetAdmins()) - if len(cached & admins) > 0: - relevant_users_list = self.ReprSidList(cached & admins, attacker, victim) + cached_admins = [i for i in cached if i in admins] + + if cached_admins: + relevant_users_list = self.ReprSidList(cached_admins, attacker, victim) edges_list.append( { 'from': attacker, @@ -929,7 +929,7 @@ class PassTheHashReport(object): def GetNonCritialServers(self): return set(self.machines) - self.GetCritialServers() - @cache + #@cache def GetCachedSids(self, m): sids = set() tmp = m.GetCachedSids() @@ -958,15 +958,17 @@ class PassTheHashReport(object): return threatening_users - @cache def GetSharedAdmins(self, m): - shared_admins = set() + shared_admins = [] for other in self.machines: if m == other: continue + for sid in m.GetLocalAdminSids(): + if sid in other.GetLocalAdminSids(): + shared_admins.append(sid) - shared_admins |= (m.GetLocalAdminSids() & other.GetLocalAdminSids()) + #shared_admins |= (m.GetLocalAdminSids() & other.GetLocalAdminSids()) - shared_admins -= m.GetDomainAdminsOfMachine() + #shared_admins -= m.GetDomainAdminsOfMachine() return shared_admins \ No newline at end of file diff --git a/monkey_island/cc/services/report.py b/monkey_island/cc/services/report.py index 6a89afa58..122f8ff5d 100644 --- a/monkey_island/cc/services/report.py +++ b/monkey_island/cc/services/report.py @@ -44,9 +44,9 @@ class ReportService: AZURE = 6 STOLEN_SSH_KEYS = 7 STRUTS2 = 8 + MSSQL_TO_BE = 9 PTH_CRIT_SERVICES_ACCESS = 10 - class WARNINGS_DICT(Enum): CROSS_SEGMENT = 0 TUNNEL = 1 @@ -103,25 +103,31 @@ class ReportService: @staticmethod def get_scanned(): + + formatted_nodes = [] + nodes = \ [NodeService.get_displayed_node_by_id(node['_id'], True) for node in mongo.db.node.find({}, {'_id': 1})] \ + [NodeService.get_displayed_node_by_id(monkey['_id'], True) for monkey in mongo.db.monkey.find({}, {'_id': 1})] - nodes = [ - { - 'label': node['label'], - 'ip_addresses': node['ip_addresses'], - 'accessible_from_nodes': - (x['hostname'] for x in - (NodeService.get_displayed_node_by_id(edge['from'], True) - for edge in EdgeService.get_displayed_edges_by_to(node['id'], True))), - 'services': node['services'] - } - for node in nodes] + + for node in nodes: + pth_services = PTHReportService.get_machine_details(NodeService.get_monkey_by_id(node['id']) + .get('guid', None)).get('services', None) + formatted_nodes.append( + { + 'label': node['label'], + 'ip_addresses': node['ip_addresses'], + 'accessible_from_nodes': + (x['hostname'] for x in + (NodeService.get_displayed_node_by_id(edge['from'], True) + for edge in EdgeService.get_displayed_edges_by_to(node['id'], True))), + 'services': node['services'] + pth_services if pth_services else [] + }) logger.info('Scanned nodes generated for reporting') - return nodes + return formatted_nodes @staticmethod def get_exploited(): @@ -160,13 +166,14 @@ class ReportService: origin = NodeService.get_monkey_by_guid(telem['monkey_guid'])['hostname'] for user in monkey_creds: for pass_type in monkey_creds[user]: - creds.append( + cred_row = \ { 'username': user.replace(',', '.'), 'type': PASS_TYPE_DICT[pass_type], 'origin': origin } - ) + if cred_row not in creds: + creds.append(cred_row) logger.info('Stolen creds generated for reporting') return creds @@ -374,7 +381,7 @@ class ReportService: PTHReportService.get_report().get('report_info').get('pth_issues', []) issues_dict = {} for issue in issues: - machine = issue['machine'] + machine = issue.get('machine', '').upper() if machine not in issues_dict: issues_dict[machine] = [] issues_dict[machine].append(issue) @@ -483,6 +490,7 @@ class ReportService: issues = ReportService.get_issues() config_users = ReportService.get_config_users() config_passwords = ReportService.get_config_passwords() + pth_report = PTHReportService.get_report() report = \ @@ -511,6 +519,11 @@ class ReportService: 'recommendations': { 'issues': issues + }, + 'pth': + { + 'map': pth_report.get('pthmap'), + 'info': pth_report.get('report_info') } } diff --git a/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js b/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js index 8c7ded49b..20faafca7 100644 --- a/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js +++ b/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js @@ -50,9 +50,6 @@ class PassTheHashMapPageComponent extends AuthComponent { - - - ); } diff --git a/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey_island/cc/ui/src/components/pages/ReportPage.js index 400381c8a..37c224956 100644 --- a/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -29,6 +29,7 @@ class ReportPageComponent extends AuthComponent { AZURE: 6, STOLEN_SSH_KEYS: 7, STRUTS2: 8, + MSSQL_TO_BE: 9, PTH_CRIT_SERVICES_ACCESS: 10 }; @@ -55,9 +56,8 @@ class ReportPageComponent extends AuthComponent { componentDidMount() { this.updateMonkeysRunning().then(res => this.getReportFromServer(res)); - this.getPTHReportFromServer(); this.updateMapFromServer(); - this.interval = setInterval(this.updateMapFromServer, 1000); + /*this.interval = setInterval(this.updateMapFromServer, 1000);*/ } componentWillUnmount() { @@ -132,7 +132,9 @@ class ReportPageComponent extends AuthComponent { .then(res => res.json()) .then(res => { this.setState({ - report: res + report: res, + pthreport: res.pth.info, + pthmap: res.pth.map }); }); } @@ -450,59 +452,24 @@ class ReportPageComponent extends AuthComponent {
    -
    - -
    {this.generateReportPthMap()}
    - -
    -
    - +
    - { /* TODO: use dynamic data */} - +
    ); } generateReportPthMap() { - // TODO: remove this and use updateMapFromSerever to get actual map data. - const my_map = { - nodes: [ - {id: '1', label: 'MYPC-1', group: 'normal', users: ['MYPC-2\\user1', 'Dom\\user2'], ips: ['192.168.0.1'], services: ["DC", "SQL"], 'hostname': 'aaa1'}, - {id: 2, label: 'MYPC-2', group: 'critical', users: ['MYPC-2\\user1', 'Dom\\user2'], ips: ['192.168.0.1'], services: ["DC", "SQL"], 'hostname': 'aaa2'}, - {id: 3, label: 'MYPC-3', group: 'normal', users: ['MYPC-3\\user1', 'Dom\\user3'], ips: ['192.168.0.2'], services: ["DC", "SQL"], 'hostname': 'aaa3'}, - {id: 4, label: 'MYPC-4', group: 'critical', users: ['MYPC-4\\user1', 'Dom\\user4'], ips: ['192.168.0.3', '192.168.0.4'], services: ["DC", "SQL"], 'hostname': 'aaa4'}, - {id: 5, label: 'MYPC-5', group: 'normal', users: ['MYPC-5\\user1', 'Dom\\user5'], ips: ['192.168.0.1'], services: [], 'hostname': 'aaa5'}, - {id: 6, label: 'MYPC-6', group: 'critical', users: ['MYPC-6\\user1', 'Dom\\user6'], ips: ['192.168.0.1'], services: ["DC"], 'hostname': 'aaa6'}, - {id: 7, label: 'MYPC-7', group: 'critical', users: ['MYPC-7\\user1', 'Dom\\user7'], ips: ['192.168.0.1'], services: ["DC", "SQL"], 'hostname': 'aaa7'} - ], - edges: [ - {id: 10, from: '1', to: 2, users: ['MYPC-3\\user1', 'Dom\\user3'], _label: 'bla0'}, - {id: 11, from: '1', to: 3, users: ['MYPC-3\\user1', 'Dom\\user3'], _label: 'bla1'}, - {id: 12, from: '1', to: 4, users: ['MYPC-3\\user1', 'Dom\\user3'], _label: 'bla2'}, - {id: 13, from: 5, to: 6, users: ['MYPC-3\\user1', 'Dom\\user3'], _label: 'bla3'}, - {id: 14, from: 6, to: 7, users: ['MYPC-3\\user1', 'Dom\\user3'], _label: 'bla4'}, - {id: 15, from: 6, to: 5, users: ['MYPC-3\\user1', 'Dom\\user3'], _label: 'bla5'}, - ] - - }; return (

    Credential Map

    -
    +

    diff --git a/monkey_island/cc/ui/src/components/report-components/StrongUsers.js b/monkey_island/cc/ui/src/components/report-components/StrongUsers.js index bfb933ec1..36068f26e 100644 --- a/monkey_island/cc/ui/src/components/report-components/StrongUsers.js +++ b/monkey_island/cc/ui/src/components/report-components/StrongUsers.js @@ -2,6 +2,7 @@ import React from 'react'; import ReactTable from 'react-table' let renderArray = function(val) { + console.log(val); return
    {val.map(x =>
    {x}
    )}
    ; }; @@ -12,7 +13,7 @@ const columns = [ { Header: 'Username', accessor: 'username'}, { Header: 'Domain', accessor: 'domain'}, { Header: 'Machines', id: 'machines', accessor: x => renderArray(x.machines)}, - { Header: 'Services', id: 'services', accessor: x => renderArray(x.services)} + { Header: 'Services', id: 'services', accessor: x => renderArray(x.services_names)} ] } ]; From 9eb2895c496c6c217bfaa7c2fd236c4fa5be85b7 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Tue, 4 Sep 2018 17:18:01 +0300 Subject: [PATCH 095/117] * CR comments fixed --- infection_monkey/requirements.txt | 1 - .../system_info/mimikatz_collector.py | 6 +- .../system_info/windows_info_collector.py | 13 +- monkey_island/cc/app.py | 4 - monkey_island/cc/resources/pthmap.py | 21 -- monkey_island/cc/resources/pthreport.py | 13 - monkey_island/cc/services/pth_report.py | 176 +--------- monkey_island/cc/services/pth_report_utils.py | 24 +- monkey_island/mymap.py | 330 ------------------ 9 files changed, 13 insertions(+), 575 deletions(-) delete mode 100644 monkey_island/cc/resources/pthmap.py delete mode 100644 monkey_island/cc/resources/pthreport.py delete mode 100644 monkey_island/mymap.py diff --git a/infection_monkey/requirements.txt b/infection_monkey/requirements.txt index 60656280b..9e9adc97f 100644 --- a/infection_monkey/requirements.txt +++ b/infection_monkey/requirements.txt @@ -13,7 +13,6 @@ PyInstaller six ecdsa netifaces -mock nos ipaddress wmi diff --git a/infection_monkey/system_info/mimikatz_collector.py b/infection_monkey/system_info/mimikatz_collector.py index 89222c2e2..4d994c6ab 100644 --- a/infection_monkey/system_info/mimikatz_collector.py +++ b/infection_monkey/system_info/mimikatz_collector.py @@ -21,10 +21,10 @@ class MimikatzCollector(object): self._dll = ctypes.WinDLL(self._config.mimikatz_dll_name) collect_proto = ctypes.WINFUNCTYPE(ctypes.c_int) get_proto = ctypes.WINFUNCTYPE(MimikatzCollector.LogonData) - getTextOutput = ctypes.WINFUNCTYPE(ctypes.c_wchar_p) + get_text_output_proto = ctypes.WINFUNCTYPE(ctypes.c_wchar_p) self._collect = collect_proto(("collect", self._dll)) self._get = get_proto(("get", self._dll)) - self._getTextOutput = getTextOutput(("getTextOutput", self._dll)) + self._get_text_output_proto = get_text_output_proto(("getTextOutput", self._dll)) self._isInit = True except Exception: LOG.exception("Error initializing mimikatz collector") @@ -44,7 +44,7 @@ class MimikatzCollector(object): logon_data_dictionary = {} hostname = socket.gethostname() - self.mimikatz_text = self._getTextOutput() + self.mimikatz_text = self._get_text_output_proto() for i in range(entry_count): entry = self._get() diff --git a/infection_monkey/system_info/windows_info_collector.py b/infection_monkey/system_info/windows_info_collector.py index 30685569b..d63553b8f 100644 --- a/infection_monkey/system_info/windows_info_collector.py +++ b/infection_monkey/system_info/windows_info_collector.py @@ -113,12 +113,11 @@ def fix_wmi_obj_for_mongo(o): row[method_name[3:]] = value except wmi.x_wmi: - #LOG.error("Error running wmi method '%s'" % (method_name, )) - #LOG.error(traceback.format_exc()) continue return row + class WindowsInfoCollector(InfoCollector): """ System information collecting module for Windows operating systems @@ -126,6 +125,7 @@ class WindowsInfoCollector(InfoCollector): def __init__(self): super(WindowsInfoCollector, self).__init__() + self.info['reg'] = {} def get_info(self): """ @@ -162,9 +162,6 @@ class WindowsInfoCollector(InfoCollector): for wmi_class_name in WMI_CLASSES: self.info[wmi_class_name] = self.get_wmi_class(wmi_class_name) - # for wmi_class_name, props in WMI_LDAP_CLASSES.iteritems(): - # self.info[wmi_class_name] = self.get_wmi_class(wmi_class_name, "//./root/directory/ldap", props) - def get_wmi_class(self, class_name, moniker="//./root/cimv2", properties=None): _wmi = wmi.WMI(moniker=moniker) @@ -175,8 +172,6 @@ class WindowsInfoCollector(InfoCollector): wmi_class = getattr(_wmi, class_name)(properties) except wmi.x_wmi: - #LOG.error("Error getting wmi class '%s'" % (class_name, )) - #LOG.error(traceback.format_exc()) return return fix_obj_for_mongo(wmi_class) @@ -188,7 +183,7 @@ class WindowsInfoCollector(InfoCollector): d = dict([_winreg.EnumValue(subkey, i)[:2] for i in xrange(_winreg.QueryInfoKey(subkey)[0])]) d = fix_obj_for_mongo(d) - self.info[subkey_path] = d + self.info['reg'][subkey_path] = d subkey.Close() - key.Close() \ No newline at end of file + key.Close() diff --git a/monkey_island/cc/app.py b/monkey_island/cc/app.py index 0f0754ed3..6b9ac1154 100644 --- a/monkey_island/cc/app.py +++ b/monkey_island/cc/app.py @@ -19,8 +19,6 @@ from cc.resources.monkey import Monkey from cc.resources.monkey_configuration import MonkeyConfiguration from cc.resources.monkey_download import MonkeyDownload from cc.resources.netmap import NetMap -from cc.resources.pthmap import PthMap -from cc.resources.pthreport import PTHReport from cc.resources.node import Node from cc.resources.report import Report from cc.resources.root import Root @@ -108,7 +106,5 @@ def init_app(mongo_url): api.add_resource(TelemetryFeed, '/api/telemetry-feed', '/api/telemetry-feed/') api.add_resource(Log, '/api/log', '/api/log/') api.add_resource(IslandLog, '/api/log/island/download', '/api/log/island/download/') - api.add_resource(PthMap, '/api/pthmap', '/api/pthmap/') - api.add_resource(PTHReport, '/api/pthreport', '/api/pthreport/') return app diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py deleted file mode 100644 index d19afd56f..000000000 --- a/monkey_island/cc/resources/pthmap.py +++ /dev/null @@ -1,21 +0,0 @@ -import copy -import flask_restful - - -from cc.auth import jwt_required -from cc.services.pth_report_utils import PassTheHashReport, Machine - - -class PthMap(flask_restful.Resource): - @jwt_required() - def get(self, **kw): - pth = PassTheHashReport() - - v = copy.deepcopy(pth.vertices) - e = copy.deepcopy(pth.edges) - - return \ - { - "nodes": [{"id": x, "label": Machine(x).GetIp()} for x in v], - "edges": [{"id": str(s) + str(t), "from": s, "to": t, "label": label} for s, t, label in e] - } diff --git a/monkey_island/cc/resources/pthreport.py b/monkey_island/cc/resources/pthreport.py deleted file mode 100644 index 7c4046694..000000000 --- a/monkey_island/cc/resources/pthreport.py +++ /dev/null @@ -1,13 +0,0 @@ -import flask_restful - -from cc.auth import jwt_required -from cc.services.pth_report import PTHReportService - -__author__ = "maor.rayzin" - - -class PTHReport(flask_restful.Resource): - - @jwt_required() - def get(self): - return PTHReportService.get_report() diff --git a/monkey_island/cc/services/pth_report.py b/monkey_island/cc/services/pth_report.py index 03167f81a..512a80a14 100644 --- a/monkey_island/cc/services/pth_report.py +++ b/monkey_island/cc/services/pth_report.py @@ -257,178 +257,4 @@ class PTHReportService(object): 'edges': pth.edges } } - return report - - # print """ ); } @@ -465,9 +474,6 @@ class ReportPageComponent extends AuthComponent {
    -
    - -
    @@ -745,6 +751,18 @@ class ReportPageComponent extends AuthComponent { ); } + generateSharedCredsDomainIssue(issue) { + return ( +
  • + Some domain users are sharing passwords, this should be fixed by changing passwords. + + These users are sharing access password: + {this.generateInfoBadges(issue.shared_with)}. + +
  • + ); + } + generateSharedCredsIssue(issue) { return (
  • @@ -760,10 +778,10 @@ class ReportPageComponent extends AuthComponent { generateSharedLocalAdminsIssue(issue) { return (
  • - This machine shares a local admin account with another machine + Credentials for the user {issue.username} could be found and the user is an administrator account on more than one machines in the domain. - Here is a list showing users that are acting as admins on this machine and others: - {this.generateInfoBadges(issue.shared_accounts)} + Here is a list of machines which has this account defined as an administrator: + {this.generateInfoBadges(issue.shared_machines)}
  • ); @@ -892,7 +910,10 @@ class ReportPageComponent extends AuthComponent { case 'shared_passwords': data = this.generateSharedCredsIssue(issue); break; - case 'shared_admins': + case 'shared_passwords_domain': + data = this.generateSharedCredsDomainIssue(issue); + break; + case 'shared_admins_domain': data = this.generateSharedLocalAdminsIssue(issue); break; case 'strong_users_on_crit': From 822e54f373568fde1bc710f19717aa3f3bb0ee8b Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Sun, 14 Oct 2018 17:57:15 +0300 Subject: [PATCH 098/117] This commit isn't final. I want to reorganise the code structure a bit, to make it prettier and readable, also to add docs. Still need to update the report's text. --- .../monkey_island/cc/resources/telemetry.py | 10 + monkey/monkey_island/cc/services/node.py | 5 + .../monkey_island/cc/services/pth_report.py | 246 +++++++----------- .../cc/services/pth_report_utils.py | 4 + monkey/monkey_island/cc/services/report.py | 9 +- .../cc/ui/src/components/pages/ReportPage.js | 19 +- 6 files changed, 124 insertions(+), 169 deletions(-) diff --git a/monkey/monkey_island/cc/resources/telemetry.py b/monkey/monkey_island/cc/resources/telemetry.py index 0ef453e98..0c390a192 100644 --- a/monkey/monkey_island/cc/resources/telemetry.py +++ b/monkey/monkey_island/cc/resources/telemetry.py @@ -197,11 +197,19 @@ class Telemetry(flask_restful.Resource): Telemetry.create_group_user_connection(info_for_mongo, group_user_dict) for entity in info_for_mongo.values(): if entity['machine_id']: + # Handling for local entities. mongo.db.groupsandusers.update({'SID': entity['SID'], 'machine_id': entity['machine_id']}, entity, upsert=True) else: + # Handlings for domain entities. if not mongo.db.groupsandusers.find_one({'SID': entity['SID']}): mongo.db.groupsandusers.insert_one(entity) + else: + # if entity is domain entity, add the monkey id of current machine to secrets_location. + # (found on this machine) + if entity.get('NTLM_secret'): + mongo.db.groupsandusers.update_one({'SID': entity['SID'], 'type': 1}, + {'$addToSet': {'secret_location': monkey_id}}) Telemetry.add_admin(info_for_mongo[group_info.ADMINISTRATORS_GROUP_KNOWN_SID], monkey_id) Telemetry.update_admins_retrospective(info_for_mongo) @@ -209,6 +217,8 @@ class Telemetry(flask_restful.Resource): telemetry_json['data']['wmi']['Win32_Product'], monkey_id) + + @staticmethod def update_critical_services(wmi_services, wmi_products, machine_id): critical_names = ("W3svc", "MSExchangeServiceHost", "MSSQLServer", "dns", 'MSSQL$SQLEXPRESS', 'SQL') diff --git a/monkey/monkey_island/cc/services/node.py b/monkey/monkey_island/cc/services/node.py index 47cd9cd21..371eefb5a 100644 --- a/monkey/monkey_island/cc/services/node.py +++ b/monkey/monkey_island/cc/services/node.py @@ -97,6 +97,11 @@ class NodeService: def get_monkey_label_by_id(monkey_id): return NodeService.get_monkey_label(NodeService.get_monkey_by_id(monkey_id)) + @staticmethod + def get_monkey_critical_services(monkey_id): + critical_services = mongo.db.monkey.find_one({'_id': monkey_id}, {'critical_services': 1}).get('critical_services', []) + return critical_services + @staticmethod def get_monkey_label(monkey): label = monkey["hostname"] + " : " + monkey["ip_addresses"][0] diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index 726fba143..bc995242d 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -1,3 +1,7 @@ +import uuid +from itertools import combinations, product + +from cc.services.edge import EdgeService from cc.services.pth_report_utils import PassTheHashReport, Machine from cc.database import mongo from bson import ObjectId @@ -49,7 +53,6 @@ class PTHReportService(object): @staticmethod def get_duplicated_passwords_issues(): - # TODO: Fix bug if both local and non local account share the same password user_groups = PTHReportService.get_duplicated_passwords_nodes() issues = [] users_gathered = [] @@ -98,195 +101,130 @@ class PTHReportService(object): return issues - @staticmethod - def old_get_shared_local_admins_nodes(pth): - dups = dict(map(lambda x: (x, len(pth.GetSharedAdmins(x))), pth.machines)) - shared_admin_machines = [] - for m, count in sorted(dups.iteritems(), key=lambda (k, v): (v, k), reverse=True): - if count <= 0: - continue - shared_admin_account_list = [] - - for sid in pth.GetSharedAdmins(m): - shared_admin_account_list.append(pth.GetUsernameBySid(sid)) - - machine = { - 'ip': m.GetIp(), - 'hostname': m.GetHostName(), - 'domain': m.GetDomainName(), - 'services_names': m.GetCriticalServicesInstalled(), - 'user_count': count, - 'admins_accounts': shared_admin_account_list - } - - shared_admin_machines.append(machine) - - return shared_admin_machines - - @staticmethod - def get_strong_users_on_crit_services_by_machine(pth): - threatening = dict(map(lambda x: (x, len(pth.GetThreateningUsersByVictim(x))), pth.GetCritialServers())) - strong_users_crit_list = [] - - for m, count in sorted(threatening.iteritems(), key=lambda (k, v): (v, k), reverse=True): - if count <= 0: - continue - - threatening_users_attackers_dict = {} - for sid in pth.GetThreateningUsersByVictim(m): - username = pth.GetUsernameBySid(sid) - threatening_users_attackers_dict[username] = [] - for mm in pth.GetAttackersBySid(sid): - if m == mm: - continue - threatening_users_attackers_dict[username] = mm.GetIp() - - machine = { - 'ip': m.GetIp(), - 'hostname': m.GetHostName(), - 'domain': m.GetDomainName(), - 'services': m.GetCriticalServicesInstalled(), - 'threatening_users': threatening_users_attackers_dict - } - strong_users_crit_list.append(machine) - return strong_users_crit_list - - @staticmethod - def get_strong_users_on_crit_services_by_user(pth): - critical_servers = pth.GetCritialServers() - strong_users_dict = {} - - for server in critical_servers: - users = pth.GetThreateningUsersByVictim(server) - for sid in users: - username = pth.GetUsernameBySid(sid) - if username not in strong_users_dict: - strong_users_dict[username] = { - 'services_names': [], - 'machines': [] + def get_strong_users_on_critical_machines_nodes(): + crit_machines = {} + pipeline = [ + { + '$unwind': '$admin_on_machines' + }, + { + '$match': {'type': 1, 'domain_name': {'$ne': None}} + }, + { + '$lookup': + { + 'from': 'monkey', + 'localField': 'admin_on_machines', + 'foreignField': '_id', + 'as': 'critical_machine' } - strong_users_dict[username]['username'] = username - strong_users_dict[username]['domain'] = server.GetDomainName() - strong_users_dict[username]['services_names'] += server.GetCriticalServicesInstalled() - strong_users_dict[username]['machines'].append(server.GetHostName()) - - return strong_users_dict.values() - - @staticmethod - def get_strong_users_on_non_crit_services(pth): - threatening = dict(map(lambda x: (x, len(pth.GetThreateningUsersByVictim(x))), pth.GetNonCritialServers())) - - strong_users_non_crit_list = [] - - for m, count in sorted(threatening.iteritems(), key=lambda (k, v): (v, k), reverse=True): - if count <= 0: - continue - - threatening_users_attackers_dict = {} - for sid in pth.GetThreateningUsersByVictim(m): - username = pth.GetUsernameBySid(sid) - threatening_users_attackers_dict[username] = [] - for mm in pth.GetAttackersBySid(sid): - if m == mm: - continue - threatening_users_attackers_dict[username] = mm.GetIp() - - machine = { - 'ip': m.GetIp(), - 'hostname': m.GetHostName(), - 'domain': m.GetDomainName(), - 'services_names': [], - 'user_count': count, - 'threatening_users': threatening_users_attackers_dict + }, + { + '$match': {'critical_machine.critical_services': {'$ne': []}} + }, + { + '$unwind': '$critical_machine' } - strong_users_non_crit_list.append(machine) - return strong_users_non_crit_list - - - + ] + docs = mongo.db.groupsandusers.aggregate(pipeline) + for doc in docs: + hostname = str(doc['critical_machine']['hostname']) + if not hostname in crit_machines: + crit_machines[hostname] = {} + crit_machines[hostname]['threatening_users'] = [] + crit_machines[hostname]['critical_services'] = doc['critical_machine']['critical_services'] + crit_machines[hostname]['threatening_users'].append( + {'name': str(doc['domain_name']) + '\\' + str(doc['name']), + 'creds_location': doc['secret_location']}) + return crit_machines @staticmethod - def strong_users_on_crit_issues(strong_users): + def get_strong_users_on_crit_issues(): issues = [] - for machine in strong_users: + crit_machines = PTHReportService.get_strong_users_on_critical_machines_nodes() + for machine in crit_machines: issues.append( { 'type': 'strong_users_on_crit', - 'machine': machine.get('hostname'), - 'services': machine.get('services'), - 'ip': machine.get('ip'), - 'threatening_users': machine.get('threatening_users').keys() + 'machine': machine, + 'services': crit_machines[machine].get('critical_services'), + 'threatening_users': [i['name'] for i in crit_machines[machine]['threatening_users']] } ) return issues @staticmethod - def get_machine_details(node_id): - machine = Machine(node_id) - node = {} - if machine.latest_system_info: - node = { - "id": str(node_id), - "label": '{0} : {1}'.format(machine.GetHostName(), machine.GetIp()), - 'group': 'critical' if machine.IsCriticalServer() else 'normal', - 'users': list(machine.GetCachedUsernames()), - 'ips': [machine.GetIp()], - 'services': machine.GetCriticalServicesInstalled(), - 'hostname': machine.GetHostName() - } - return node + def generate_map_nodes(): - @staticmethod - def generate_map_nodes(pth): nodes_list = [] - for node_id in pth.vertices: - node = PTHReportService.get_machine_details(node_id) - nodes_list.append(node) + monkeys = mongo.db.monkey.find({}, {'_id': 1, 'hostname': 1, 'critical_services': 1, 'ip_addresses': 1}) + for monkey in monkeys: + critical_services = monkey.get('critical_services', []) + nodes_list.append({ + 'id': monkey['_id'], + 'label': '{0} : {1}'.format(monkey['hostname'], monkey['ip_addresses'][0]), + 'group': 'critical' if critical_services else 'normal', + 'services': critical_services, + 'hostname': monkey['hostname'] + }) return nodes_list @staticmethod - def get_issues_list(issues): - issues_dict = {} + def generate_edge_nodes(): + edges_list = [] + pipeline = [ + { + '$match': {'admin_on_machines': {'$ne': []}, 'secret_location': {'$ne': []}, 'type': 1} + }, + { + '$project': {'admin_on_machines': 1, 'secret_location': 1} + } + ] + comp_users = mongo.db.groupsandusers.aggregate(pipeline) - for issue in issues: - machine = issue['machine'] - if machine not in issues_dict: - issues_dict[machine] = [] - issues_dict[machine].append(issue) + for user in comp_users: + pairs = PTHReportService.generate_edges_tuples(user['admin_on_machines'], user['secret_location']) + for pair in pairs: + edges_list.append( + { + 'from': pair[0], + 'to': pair[1], + 'id': str(uuid.uuid4()) + } + ) + return edges_list + + + @staticmethod + def generate_edges_tuples(*lists): + + for t in combinations(lists, 2): + for pair in product(*t): + # Don't output pairs containing duplicated elements + if pair[0] != pair[1]: + yield pair - return issues_dict @staticmethod def get_report(): - + PTHReportService.get_strong_users_on_critical_machines_nodes() issues = [] - pth = PassTheHashReport() - - strong_users_on_crit_services = PTHReportService.get_strong_users_on_crit_services_by_user(pth) - strong_users_on_non_crit_services = PTHReportService.get_strong_users_on_non_crit_services(pth) - - issues += PTHReportService.get_duplicated_passwords_issues() - # issues += PTHReportService.get_shared_local_admins_issues(local_admin_shared) - # issues += PTHReportService.strong_users_on_crit_issues( - # PTHReportService.get_strong_users_on_crit_services_by_machine(pth)) - report = \ { 'report_info': { - 'strong_users_on_crit_services': strong_users_on_crit_services, - 'strong_users_on_non_crit_services': strong_users_on_non_crit_services, 'pth_issues': issues }, 'pthmap': { - 'nodes': PTHReportService.generate_map_nodes(pth), - 'edges': pth.edges + 'nodes': PTHReportService.generate_map_nodes(), + 'edges': PTHReportService.generate_edge_nodes() } } - return report \ No newline at end of file + + return report diff --git a/monkey/monkey_island/cc/services/pth_report_utils.py b/monkey/monkey_island/cc/services/pth_report_utils.py index 61fe78765..13fe3654f 100644 --- a/monkey/monkey_island/cc/services/pth_report_utils.py +++ b/monkey/monkey_island/cc/services/pth_report_utils.py @@ -604,6 +604,10 @@ class PassTheHashReport(object): RIGHT_ARROW = u"\u2192" return "%s %s %s" % (attacker_label, RIGHT_ARROW, victim_label) + + + + def get_edges_by_sid(self): edges_list = [] diff --git a/monkey/monkey_island/cc/services/report.py b/monkey/monkey_island/cc/services/report.py index 3af346f34..552250b35 100644 --- a/monkey/monkey_island/cc/services/report.py +++ b/monkey/monkey_island/cc/services/report.py @@ -118,10 +118,7 @@ class ReportService: [NodeService.get_displayed_node_by_id(node['_id'], True) for node in mongo.db.node.find({}, {'_id': 1})] \ + [NodeService.get_displayed_node_by_id(monkey['_id'], True) for monkey in mongo.db.monkey.find({}, {'_id': 1})] - for node in nodes: - pth_services = PTHReportService.get_machine_details(NodeService.get_monkey_by_id(node['id']) - .get('guid', None)).get('services', None) formatted_nodes.append( { 'label': node['label'], @@ -130,7 +127,7 @@ class ReportService: (x['hostname'] for x in (NodeService.get_displayed_node_by_id(edge['from'], True) for edge in EdgeService.get_displayed_edges_by_to(node['id'], True))), - 'services': node['services'] + pth_services if pth_services else [] + 'services': node['services'] }) logger.info('Scanned nodes generated for reporting') @@ -561,7 +558,8 @@ class ReportService: ReportService.get_tunnels, ReportService.get_island_cross_segment_issues, ReportService.get_azure_issues, - PTHReportService.get_duplicated_passwords_issues + PTHReportService.get_duplicated_passwords_issues, + PTHReportService.get_strong_users_on_crit_issues ] issues = functools.reduce(lambda acc, issue_gen: acc + issue_gen(), ISSUE_GENERATORS, []) @@ -720,7 +718,6 @@ class ReportService: 'pth': { 'map': pth_report.get('pthmap'), - 'info': pth_report.get('report_info') } } diff --git a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js index f45a5dab3..f4982a9e8 100644 --- a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -410,18 +410,19 @@ class ReportPageComponent extends AuthComponent { generateReportRecommendationsSection() { return (
    -

    - Recommendations -

    -
    - {this.generateIssues(this.state.report.recommendations.issues)} -

    Domain related recommendations

    {this.generateIssues(this.state.report.recommendations.domain_issues)}
    +

    + Machine related Recommendations +

    +
    + {this.generateIssues(this.state.report.recommendations.issues)} +
    +
    ); } @@ -474,9 +475,6 @@ class ReportPageComponent extends AuthComponent {
    -
    - -
    ); } @@ -487,6 +485,9 @@ class ReportPageComponent extends AuthComponent {

    Credential Map

    +

    + This map visualizes possible attack paths through the network using credential compromise. Paths represent lateral movement opportunities by attackers. +

    From c8e547ee8a791dead401b8f73bae0d7a5358d7f8 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Sun, 14 Oct 2018 17:58:51 +0300 Subject: [PATCH 099/117] cleaned up imports --- monkey/monkey_island/cc/services/pth_report.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index bc995242d..364c2c5aa 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -1,8 +1,6 @@ import uuid from itertools import combinations, product -from cc.services.edge import EdgeService -from cc.services.pth_report_utils import PassTheHashReport, Machine from cc.database import mongo from bson import ObjectId From ab8ee08b472b4b610d6ac3c0fa3c2e5cedd8ede9 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Tue, 16 Oct 2018 12:05:09 +0300 Subject: [PATCH 100/117] Added strong users table in the report and removed old files --- .../monkey_island/cc/resources/telemetry.py | 2 - .../monkey_island/cc/services/pth_report.py | 44 +- monkey/monkey_island/cc/services/report.py | 1 + .../cc/ui/src/components/pages/ReportPage.js | 20 +- .../report-components/StrongUsers.js | 1 - monkey_island/cc/services/group_info.py | 0 monkey_island/cc/services/pth_report.py | 259 ----- monkey_island/cc/services/pth_report_utils.py | 958 ------------------ monkey_island/cc/services/user_info.py | 0 .../map/preview-pane/InfMapPreviewPane.js | 247 ----- .../map/preview-pane/PthPreviewPane.js | 63 -- .../components/pages/PassTheHashMapPage.js | 58 -- .../report-components/SharedAdmins.js | 42 - .../report-components/SharedCreds.js | 41 - .../report-components/StrongUsers.js | 44 - .../cc/ui/src/images/nodes/pth/critical.png | Bin 20067 -> 0 bytes .../cc/ui/src/images/nodes/pth/normal.png | Bin 19466 -> 0 bytes 17 files changed, 46 insertions(+), 1734 deletions(-) delete mode 100644 monkey_island/cc/services/group_info.py delete mode 100644 monkey_island/cc/services/pth_report.py delete mode 100644 monkey_island/cc/services/pth_report_utils.py delete mode 100644 monkey_island/cc/services/user_info.py delete mode 100644 monkey_island/cc/ui/src/components/map/preview-pane/InfMapPreviewPane.js delete mode 100644 monkey_island/cc/ui/src/components/map/preview-pane/PthPreviewPane.js delete mode 100644 monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js delete mode 100644 monkey_island/cc/ui/src/components/report-components/SharedAdmins.js delete mode 100644 monkey_island/cc/ui/src/components/report-components/SharedCreds.js delete mode 100644 monkey_island/cc/ui/src/components/report-components/StrongUsers.js delete mode 100644 monkey_island/cc/ui/src/images/nodes/pth/critical.png delete mode 100644 monkey_island/cc/ui/src/images/nodes/pth/normal.png diff --git a/monkey/monkey_island/cc/resources/telemetry.py b/monkey/monkey_island/cc/resources/telemetry.py index 0c390a192..644fd6984 100644 --- a/monkey/monkey_island/cc/resources/telemetry.py +++ b/monkey/monkey_island/cc/resources/telemetry.py @@ -217,8 +217,6 @@ class Telemetry(flask_restful.Resource): telemetry_json['data']['wmi']['Win32_Product'], monkey_id) - - @staticmethod def update_critical_services(wmi_services, wmi_products, machine_id): critical_names = ("W3svc", "MSExchangeServiceHost", "MSSQLServer", "dns", 'MSSQL$SQLEXPRESS', 'SQL') diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index 364c2c5aa..0bd9c332d 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -7,14 +7,6 @@ from bson import ObjectId class PTHReportService(object): - """ - - """ - - def __init__(self): - pass - - @staticmethod def get_duplicated_passwords_nodes(): users_cred_groups = [] @@ -153,6 +145,34 @@ class PTHReportService(object): return issues + @staticmethod + def get_strong_users_on_crit_details(): + table_entries = [] + user_details = {} + crit_machines = PTHReportService.get_strong_users_on_critical_machines_nodes() + for machine in crit_machines: + for user in crit_machines[machine]['threatening_users']: + username = user['name'] + if username not in user_details: + user_details[username] = {} + user_details[username]['machines'] = [] + user_details[username]['services'] = [] + user_details[username]['machines'].append(machine) + user_details[username]['services'] += crit_machines[machine]['critical_services'] + + for user in user_details: + table_entries.append( + { + 'username': user, + 'machines': user_details[user]['machines'], + 'services_names': user_details[user]['services'] + } + ) + + return table_entries + + + @staticmethod def generate_map_nodes(): @@ -188,14 +208,13 @@ class PTHReportService(object): for pair in pairs: edges_list.append( { - 'from': pair[0], - 'to': pair[1], + 'from': pair[1], + 'to': pair[0], 'id': str(uuid.uuid4()) } ) return edges_list - @staticmethod def generate_edges_tuples(*lists): @@ -205,7 +224,6 @@ class PTHReportService(object): if pair[0] != pair[1]: yield pair - @staticmethod def get_report(): @@ -216,8 +234,10 @@ class PTHReportService(object): { 'report_info': { + 'strong_users_table': PTHReportService.get_strong_users_on_crit_details(), 'pth_issues': issues }, + 'pthmap': { 'nodes': PTHReportService.generate_map_nodes(), diff --git a/monkey/monkey_island/cc/services/report.py b/monkey/monkey_island/cc/services/report.py index 552250b35..304867495 100644 --- a/monkey/monkey_island/cc/services/report.py +++ b/monkey/monkey_island/cc/services/report.py @@ -717,6 +717,7 @@ class ReportService: }, 'pth': { + 'strong_users': pth_report['report_info']['strong_users_table'], 'map': pth_report.get('pthmap'), } } diff --git a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js index f4982a9e8..260701c4d 100644 --- a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -347,8 +347,7 @@ class ReportPageComponent extends AuthComponent { {this.state.report.overview.issues[this.Issue.HADOOP] ?
  • Hadoop/Yarn servers are vulnerable to remote code execution.
  • : null } {this.state.report.overview.issues[this.Issue.PTH_CRIT_SERVICES_ACCESS] ? -
  • Credentials of strong users was found on machines and can give access to critical servers - (DC, MSSQL, etc..)
  • : null } +
  • Mimikatz found login credentials of a user who has admin access to a server defined as critical.
  • : null }
    : @@ -375,11 +374,9 @@ class ReportPageComponent extends AuthComponent { {this.state.report.overview.warnings[this.Warning.TUNNEL] ?
  • Weak segmentation - Machines were able to communicate over unused ports.
  • : null} {this.state.report.overview.warnings[this.Warning.SHARED_LOCAL_ADMIN] ? -
  • The monkey has found that some users have administrative rights on several machines.
  • : null} - {this.state.report.overview.warnings[this.Warning.SHARED_PASSWORDS_DOMAIN] ? -
  • The monkey has found that some users are sharing passwords on domain accounts.
  • : null} +
  • Shared local administrator account - Different machines have the same account as a local administrator.
  • : null} {this.state.report.overview.warnings[this.Warning.SHARED_PASSWORDS] ? -
  • The monkey has found that some users are sharing passwords.
  • : null} +
  • Multiple users have the same password
  • : null} : @@ -471,10 +468,15 @@ class ReportPageComponent extends AuthComponent {
    +
    {this.generateReportPthMap()} +
    +
    + +
    ); } @@ -488,6 +490,10 @@ class ReportPageComponent extends AuthComponent {

    This map visualizes possible attack paths through the network using credential compromise. Paths represent lateral movement opportunities by attackers.

    +
    + Legend: + Access credentials | +
    @@ -779,7 +785,7 @@ class ReportPageComponent extends AuthComponent { generateSharedLocalAdminsIssue(issue) { return (
  • - Credentials for the user {issue.username} could be found and the user is an administrator account on more than one machines in the domain. + Make sure the right administrator accounts are managing the right machines, and that there isn’t an unintentional local admin sharing. Here is a list of machines which has this account defined as an administrator: {this.generateInfoBadges(issue.shared_machines)} diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/StrongUsers.js b/monkey/monkey_island/cc/ui/src/components/report-components/StrongUsers.js index 36068f26e..a8f045479 100644 --- a/monkey/monkey_island/cc/ui/src/components/report-components/StrongUsers.js +++ b/monkey/monkey_island/cc/ui/src/components/report-components/StrongUsers.js @@ -11,7 +11,6 @@ const columns = [ Header: 'Powerful Users', columns: [ { Header: 'Username', accessor: 'username'}, - { Header: 'Domain', accessor: 'domain'}, { Header: 'Machines', id: 'machines', accessor: x => renderArray(x.machines)}, { Header: 'Services', id: 'services', accessor: x => renderArray(x.services_names)} ] diff --git a/monkey_island/cc/services/group_info.py b/monkey_island/cc/services/group_info.py deleted file mode 100644 index e69de29bb..000000000 diff --git a/monkey_island/cc/services/pth_report.py b/monkey_island/cc/services/pth_report.py deleted file mode 100644 index fe25fd494..000000000 --- a/monkey_island/cc/services/pth_report.py +++ /dev/null @@ -1,259 +0,0 @@ -from cc.services.pth_report_utils import PassTheHashReport, Machine - - -class PTHReportService(object): - - """ - - """ - - def __init__(self): - pass - - @staticmethod - def get_duplicated_password_nodes(pth): - """ - - """ - - usernames_lists = [] - usernames_per_sid_list = [] - dups = dict(map(lambda x: (x, len(pth.GetSidsBySecret(x))), pth.GetAllSecrets())) - - for secret, count in sorted(dups.iteritems(), key=lambda (k, v): (v, k), reverse=True): - if count <= 1: - continue - for sid in pth.GetSidsBySecret(secret): - if sid: - usernames_per_sid_list.append(pth.GetUsernameBySid(sid)) - - usernames_lists.append({'cred_group': usernames_per_sid_list}) - - return usernames_lists - - @staticmethod - def get_shared_local_admins_nodes(pth): - dups = dict(map(lambda x: (x, len(pth.GetSharedAdmins(x))), pth.machines)) - shared_admin_machines = [] - for m, count in sorted(dups.iteritems(), key=lambda (k, v): (v, k), reverse=True): - if count <= 0: - continue - shared_admin_account_list = [] - - for sid in pth.GetSharedAdmins(m): - shared_admin_account_list.append(pth.GetUsernameBySid(sid)) - - machine = { - 'ip': m.GetIp(), - 'hostname': m.GetHostName(), - 'domain': m.GetDomainName(), - 'services_names': m.GetCriticalServicesInstalled(), - 'user_count': count, - 'admins_accounts': shared_admin_account_list - } - - shared_admin_machines.append(machine) - - return shared_admin_machines - - @staticmethod - def get_strong_users_on_crit_services_by_machine(pth): - threatening = dict(map(lambda x: (x, len(pth.GetThreateningUsersByVictim(x))), pth.GetCritialServers())) - strong_users_crit_list = [] - - for m, count in sorted(threatening.iteritems(), key=lambda (k, v): (v, k), reverse=True): - if count <= 0: - continue - - threatening_users_attackers_dict = {} - for sid in pth.GetThreateningUsersByVictim(m): - username = pth.GetUsernameBySid(sid) - threatening_users_attackers_dict[username] = [] - for mm in pth.GetAttackersBySid(sid): - if m == mm: - continue - threatening_users_attackers_dict[username] = mm.GetIp() - - machine = { - 'ip': m.GetIp(), - 'hostname': m.GetHostName(), - 'domain': m.GetDomainName(), - 'services': m.GetCriticalServicesInstalled(), - 'threatening_users': threatening_users_attackers_dict - } - strong_users_crit_list.append(machine) - return strong_users_crit_list - - @staticmethod - def get_strong_users_on_crit_services_by_user(pth): - critical_servers = pth.GetCritialServers() - strong_users_dict = {} - - for server in critical_servers: - users = pth.GetThreateningUsersByVictim(server) - for sid in users: - username = pth.GetUsernameBySid(sid) - if username not in strong_users_dict: - strong_users_dict[username] = { - 'services_names': [], - 'machines': [] - } - strong_users_dict[username]['username'] = username - strong_users_dict[username]['domain'] = server.GetDomainName() - strong_users_dict[username]['services_names'] += server.GetCriticalServicesInstalled() - strong_users_dict[username]['machines'].append(server.GetHostName()) - - return strong_users_dict.values() - - @staticmethod - def get_strong_users_on_non_crit_services(pth): - threatening = dict(map(lambda x: (x, len(pth.GetThreateningUsersByVictim(x))), pth.GetNonCritialServers())) - - strong_users_non_crit_list = [] - - for m, count in sorted(threatening.iteritems(), key=lambda (k, v): (v, k), reverse=True): - if count <= 0: - continue - - threatening_users_attackers_dict = {} - for sid in pth.GetThreateningUsersByVictim(m): - username = pth.GetUsernameBySid(sid) - threatening_users_attackers_dict[username] = [] - for mm in pth.GetAttackersBySid(sid): - if m == mm: - continue - threatening_users_attackers_dict[username] = mm.GetIp() - - machine = { - 'ip': m.GetIp(), - 'hostname': m.GetHostName(), - 'domain': m.GetDomainName(), - 'services_names': [], - 'user_count': count, - 'threatening_users': threatening_users_attackers_dict - } - strong_users_non_crit_list.append(machine) - return strong_users_non_crit_list - - @staticmethod - def get_duplicated_passwords_issues(pth, password_groups): - issues = [] - previeous_group = [] - for group in password_groups: - username = group['cred_group'][0] - if username in previeous_group: - continue - sid = list(pth.GetSidsByUsername(username.split('\\')[1])) - machine_info = pth.GetSidInfo(sid[0]) - issues.append( - { - 'type': 'shared_passwords', - 'machine': machine_info.get('hostname').split('.')[0], - 'shared_with': group['cred_group'] - } - ) - previeous_group += group['cred_group'] - - return issues - - @staticmethod - def get_shared_local_admins_issues(shared_admins_machines): - issues = [] - for machine in shared_admins_machines: - issues.append( - { - 'type': 'shared_admins', - 'machine': machine.get('hostname'), - 'shared_accounts': machine.get('admins_accounts'), - 'ip': machine.get('ip'), - } - ) - - return issues - - @staticmethod - def strong_users_on_crit_issues(strong_users): - issues = [] - for machine in strong_users: - issues.append( - { - 'type': 'strong_users_on_crit', - 'machine': machine.get('hostname'), - 'services': machine.get('services'), - 'ip': machine.get('ip'), - 'threatening_users': machine.get('threatening_users').keys() - } - ) - - return issues - - @staticmethod - def get_machine_details(node_id): - machine = Machine(node_id) - node = {} - if machine.latest_system_info: - node = { - "id": str(node_id), - "label": '{0} : {1}'.format(machine.GetHostName(), machine.GetIp()), - 'group': 'critical' if machine.IsCriticalServer() else 'normal', - 'users': list(machine.GetCachedUsernames()), - 'ips': [machine.GetIp()], - 'services': machine.GetCriticalServicesInstalled(), - 'hostname': machine.GetHostName() - } - return node - - @staticmethod - def generate_map_nodes(pth): - nodes_list = [] - for node_id in pth.vertices: - node = PTHReportService.get_machine_details(node_id) - nodes_list.append(node) - - return nodes_list - - @staticmethod - def get_issues_list(issues): - issues_dict = {} - - for issue in issues: - machine = issue['machine'] - if machine not in issues_dict: - issues_dict[machine] = [] - issues_dict[machine].append(issue) - - return issues_dict - - @staticmethod - def get_report(): - - issues = [] - pth = PassTheHashReport() - - same_password = PTHReportService.get_duplicated_password_nodes(pth) - local_admin_shared = PTHReportService.get_shared_local_admins_nodes(pth) - strong_users_on_crit_services = PTHReportService.get_strong_users_on_crit_services_by_user(pth) - strong_users_on_non_crit_services = PTHReportService.get_strong_users_on_non_crit_services(pth) - - issues += PTHReportService.get_duplicated_passwords_issues(pth, same_password) - issues += PTHReportService.get_shared_local_admins_issues(local_admin_shared) - issues += PTHReportService.strong_users_on_crit_issues( - PTHReportService.get_strong_users_on_crit_services_by_machine(pth)) - - report = \ - { - 'report_info': - { - 'same_password': same_password, - 'local_admin_shared': local_admin_shared, - 'strong_users_on_crit_services': strong_users_on_crit_services, - 'strong_users_on_non_crit_services': strong_users_on_non_crit_services, - 'pth_issues': issues - }, - 'pthmap': - { - 'nodes': PTHReportService.generate_map_nodes(pth), - 'edges': pth.edges - } - } - return report \ No newline at end of file diff --git a/monkey_island/cc/services/pth_report_utils.py b/monkey_island/cc/services/pth_report_utils.py deleted file mode 100644 index 61fe78765..000000000 --- a/monkey_island/cc/services/pth_report_utils.py +++ /dev/null @@ -1,958 +0,0 @@ -import hashlib -import binascii -import copy -import uuid - -from cc.database import mongo -from cc.services.node import NodeService - -DsRole_RoleStandaloneWorkstation = 0 -DsRole_RoleMemberWorkstation = 1 -DsRole_RoleStandaloneServer = 2 -DsRole_RoleMemberServer = 3 -DsRole_RoleBackupDomainController = 4 -DsRole_RolePrimaryDomainController = 5 - -SidTypeUser = 1 -SidTypeGroup = 2 -SidTypeDomain = 3 -SidTypeAlias = 4 -SidTypeWellKnownGroup = 5 -SidTypeDeletedAccount = 6 -SidTypeInvalid = 7 -SidTypeUnknown = 8 -SidTypeComputer = 9 - - -def is_group_sid_type(type): - return type in (SidTypeGroup, SidTypeAlias, SidTypeWellKnownGroup) - - -def myntlm(x): - hash = hashlib.new('md4', x.encode('utf-16le')).digest() - return str(binascii.hexlify(hash)) - - -def cache(foo): - def hash(o): - if type(o) in (int, float, str, unicode): - return repr(o) - - elif type(o) in (type(None),): - return "___None___" - - elif type(o) in (list, tuple, set): - hashed = tuple([hash(x) for x in o]) - - if "NotHashable" in hashed: - return "NotHashable" - - return hashed - - elif type(o) == dict: - hashed_keys = tuple([hash(k) for k, v in o.iteritems()]) - hashed_vals = tuple([hash(v) for k, v in o.iteritems()]) - - if "NotHashable" in hashed_keys or "NotHashable" in hashed_vals: - return "NotHashable" - - return tuple(zip(hashed_keys, hashed_vals)) - - elif type(o) == Machine: - return o.monkey_guid - - # elif type(o) == PthMap: - # return "PthMapSingleton" - - elif type(o) == PassTheHashReport: - return "PassTheHashReportSingleton" - - else: - assert False, "%s of type %s is not hashable" % (repr(o), type(o)) - return "NotHashable" - - def wrapper(*args, **kwargs): - hashed = (hash(args), hash(kwargs)) - - if "NotHashable" in hashed: - return foo(*args, **kwargs) - - if not hasattr(foo, "_mycache_"): - foo._mycache_ = dict() - - if hashed not in foo._mycache_.keys(): - foo._mycache_[hashed] = foo(*args, **kwargs) - - return copy.deepcopy(foo._mycache_[hashed]) - - return wrapper - - -class Machine(object): - def __init__(self, monkey_guid): - self.monkey_guid = str(monkey_guid) - - self.latest_system_info = mongo.db.telemetry.find( - {"telem_type": "system_info_collection", "monkey_guid": self.monkey_guid}).sort([("timestamp", -1)]).limit( - 1) - - if self.latest_system_info.count() > 0: - self.latest_system_info = self.latest_system_info[0] - else: - self.latest_system_info = None - - self.monkey_info = NodeService.get_monkey_by_guid(self.monkey_guid) - - def __eq__(self, other): - if isinstance(other, self.__class__): - return self.monkey_guid == other.monkey_guid - else: - return False - - @cache - def GetMimikatzOutput(self): - doc = self.latest_system_info - - if not doc: - return None - - return doc.get("data").get("mimikatz") - - @cache - def GetHostName(self): - doc = self.latest_system_info - - for comp in doc.get("data").get("Win32_ComputerSystem", {}): - return eval(comp.get("Name")) - - return None - - @cache - def GetIp(self): - doc = self.latest_system_info - - for addr in doc.get("data").get("network_info", {}).get("networks", {}): - return str(addr["addr"]) - - return None - - @cache - def get_monkey_id(self): - doc = self.monkey_info - - return str(doc.get('_id')) - - @cache - def GetDomainName(self): - doc = self.latest_system_info - - for comp in doc.get("data").get("Win32_ComputerSystem", {}): - return eval(comp.get("Domain")) - - return None - - @cache - def GetDomainRole(self): - doc = self.latest_system_info - - for comp in doc.get("data").get("Win32_ComputerSystem", {}): - return comp.get("DomainRole") - - return None - - @cache - def IsDomainController(self): - return self.GetDomainRole() in (DsRole_RolePrimaryDomainController, DsRole_RoleBackupDomainController) - - #@cache - def GetSidByUsername(self, username, domain=None): - doc = self.latest_system_info - - for user in doc.get("data").get("Win32_UserAccount", {}): - if eval(user.get("Name")) != username: - continue - - if user.get("SIDType") != SidTypeUser: - continue - - if domain and user.get("Domain") != domain: - continue - - return eval(user.get("SID")) - - if not self.IsDomainController(): - for dc in self.GetDomainControllers(): - sid = dc.GetSidByUsername(username) - - if sid != None: - return sid - - return None - - @cache - def GetUsernameBySid(self, sid): - info = self.GetSidInfo(sid) - - if not info: - return None - - return str(info.get("Domain")) + "\\" + str(info.get("Username")) - - @cache - def GetSidInfo(self, sid): - doc = self.latest_system_info - - for user in doc.get("data").get("Win32_UserAccount",{}): - if eval(user.get("SID")) != sid: - continue - - if user.get("SIDType") != SidTypeUser: - continue - - return {"Domain": eval(user.get("Domain")), - "Username": eval(user.get("Name")), - "Disabled": user.get("Disabled") == "true", - "PasswordRequired": user.get("PasswordRequired") == "true", - "PasswordExpires": user.get("PasswordExpires") == "true", - 'hostname': doc.get('data').get('hostname'), } - - if not self.IsDomainController(): - for dc in self.GetDomainControllers(): - domain = dc.GetSidInfo(sid) - - if domain != None: - return domain - - return None - - @cache - def GetCriticalServicesInstalled(self): - def IsNameOfCriticalService(name): - services = ("W3svc", "MSExchangeServiceHost", "MSSQLServer", "dns", 'MSSQL$SQLEXPRESS') - services = map(str.lower, services) - - if not name: - return False - - name = name.lower() - - return name in services - # for ser in services: - # if ser in name: - # return True - - return False - - doc = self.latest_system_info - found = [] - - if self.IsDomainController(): - found.append("Domain Controller") - - for product in doc.get("data").get("Win32_Product", {}): - service_name = eval(product.get("Name")) - - if not IsNameOfCriticalService(service_name): - continue - - found.append(service_name) - - for service in doc.get("data").get("Win32_Service", {}): - service_name = eval(service.get("Name")) - - if not IsNameOfCriticalService(service_name): - continue - - if eval(service.get("State")) != "Running": - continue - - found.append(service_name) - - return found - - @cache - def IsCriticalServer(self): - return len(self.GetCriticalServicesInstalled()) > 0 - - @cache - def GetUsernamesBySecret(self, secret): - sam = self.GetLocalSecrets() - - names = set() - - for username, user_secret in sam.iteritems(): - if secret == user_secret: - names.add(username) - - return names - - @cache - def GetSidsBySecret(self, secret): - usernames = self.GetUsernamesBySecret(secret) - return set(map(self.GetSidByUsername, usernames)) - - def GetGroupSidByGroupName(self, group_name): - doc = self.latest_system_info - - for group in doc.get('data').get("Win32_Group", {}): - if eval(group.get("Name")) != group_name: - continue - - if not is_group_sid_type(group.get("SIDType")): - continue - - return eval(group.get("SID")) - - return None - - def GetUsersByGroupSid(self, sid): - doc = self.latest_system_info - - users = dict() - - for group_user in doc.get('data').get("Win32_GroupUser", {}): - if eval(group_user.get("GroupComponent", {}).get("SID")) != sid: - continue - - if not is_group_sid_type(group_user.get("GroupComponent", {}).get("SIDType")): - continue - - if "PartComponent" not in group_user.keys(): - continue - - if type(group_user.get("PartComponent")) in (str, unicode): - # PartComponent is an id to Win32_UserAccount table - - wmi_id = group_user.get("PartComponent") - - if "cimv2:Win32_UserAccount" not in wmi_id: - continue - - username = wmi_id.split('cimv2:Win32_UserAccount.Domain="')[1].split('",Name="')[0] - domain = wmi_id.split('cimv2:Win32_UserAccount.Domain="')[1].split('",Name="')[1][:-1] - - sid = self.GetSidByUsername(username, domain) - users[sid] = username - - else: - if group_user.get("PartComponent", {}).get("SIDType") != SidTypeUser: - continue - - users[eval(group_user.get("PartComponent", {}).get("SID"))] = eval(group_user.get("PartComponent") - .get("Name")) - - return users - - @cache - def GetDomainControllersMonkeyGuidByDomainName(self, domain_name): - cur = mongo.db.telemetry.find( - {"telem_type": "system_info_collection", "data.Win32_ComputerSystem.Domain": "u'%s'" % (domain_name,)}) - - GUIDs = set() - - for doc in cur: - if not Machine(doc.get("monkey_guid")).IsDomainController(): - continue - - GUIDs.add(doc.get("monkey_guid")) - - return GUIDs - - def GetLocalAdmins(self): - admins = self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")) - - # debug = self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Users")) - # admins.update(debug) - - return admins - - def GetLocalAdminSids(self): - return set(self.GetLocalAdmins().keys()) - - @cache - def GetLocalSids(self): - doc = self.latest_system_info - - SIDs = set() - - for user in doc.get('data').get("Win32_UserAccount", {}): - if user.get("SIDType") != SidTypeUser: - continue - - SIDs.add(eval(user.get("SID"))) - - return SIDs - - @cache - def GetLocalAdminNames(self): - return set(self.GetLocalAdmins().values()) - - @cache - def GetSam(self): - if not self.GetMimikatzOutput(): - return {} - - mimikatz = self.GetMimikatzOutput() - - if mimikatz.count("\n42.") != 2: - return {} - - try: - sam_users = mimikatz.split("\n42.")[1].split("\nSAMKey :")[1].split("\n\n")[1:] - - sam = {} - - for sam_user_txt in sam_users: - sam_user = dict([map(unicode.strip, line.split(":")) for line in - filter(lambda l: l.count(":") == 1, sam_user_txt.splitlines())]) - - ntlm = sam_user.get("NTLM") - if "[hashed secret]" not in ntlm: - continue - - sam[sam_user.get("User")] = ntlm.replace("[hashed secret]", "").strip() - - return sam - - except: - return {} - - @cache - def GetNtds(self): - if not self.GetMimikatzOutput(): - return {} - - mimikatz = self.GetMimikatzOutput() - - if mimikatz.count("\n42.") != 2: - return {} - - ntds_users = mimikatz.split("\n42.")[2].split("\nRID :")[1:] - ntds = {} - - for ntds_user_txt in ntds_users: - user = ntds_user_txt.split("User :")[1].splitlines()[0].replace("User :", "").strip() - ntlm = ntds_user_txt.split("* Primary\n NTLM :")[1].splitlines()[0].replace("NTLM :", "").strip() - ntlm = ntlm.replace("[hashed secret]", "").strip() - - if ntlm: - ntds[user] = ntlm - - return ntds - - @cache - def GetLocalSecrets(self): - sam = self.GetSam() - ntds = self.GetNtds() - - secrets = sam.copy() - secrets.update(ntds) - - return secrets - - @cache - def GetLocalAdminSecrets(self): - return set(self.GetLocalAdminCreds().values()) - - @cache - def GetLocalAdminCreds(self): - admin_names = self.GetLocalAdminNames() - sam = self.GetLocalSecrets() - - admin_creds = dict() - - for username, secret in sam.iteritems(): - if username not in admin_names: - continue - - admin_creds[username] = secret - - return admin_creds - - @cache - def GetCachedSecrets(self): - return set(self.GetCachedCreds().values()) - - @cache - def GetCachedCreds(self): - doc = self.latest_system_info - - creds = dict() - - if not self.GetMimikatzOutput(): - return {} - - mimikatz = self.GetMimikatzOutput() - - for user in mimikatz.split("\n42.")[0].split("Authentication Id")[1:]: - username = None - secret = None - - for line in user.splitlines(): - if "User Name" in line: - username = line.split(":")[1].strip() - - if ("NTLM" in line or "Password" in line) and "[hashed secret]" in line: - secret = line.split(":")[1].replace("[hashed secret]", "").strip() - - if username and secret: - creds[username] = secret - - return creds - - @cache - def GetDomainControllers(self): - domain_name = self.GetDomainName() - DCs = self.GetDomainControllersMonkeyGuidByDomainName(domain_name) - return map(Machine, DCs) - - def GetDomainAdminsOfMachine(self): - DCs = self.GetDomainControllers() - - domain_admins = set() - - for dc in DCs: - domain_admins |= set(dc.GetUsersByGroupSid(self.GetGroupSidByGroupName("Domain Admins")).keys()) - - return domain_admins - - #@cache - def GetAdmins(self): - return self.GetLocalAdminSids() # | self.GetDomainAdminsOfMachine() - - @cache - def GetAdminNames(self): - return set(map(lambda x: self.GetUsernameBySid(x), self.GetAdmins())) - - #@cache - def GetCachedSids(self): - doc = self.latest_system_info - - SIDs = set() - - for username in doc.get('data').get("credentials", {}): - sid = self.GetSidByUsername(username) - - if not sid: - sid = "__USERNAME__" + username - - SIDs.add(sid) - - return SIDs - - @cache - def GetCachedUsernames(self): - doc = self.latest_system_info - - names = set() - - for username in doc.get('data').get("credentials", {}): - names.add(username) - - return names - - -class PassTheHashReport(object): - - def __init__(self): - self.vertices = self.GetAllMachines() - - self.machines = map(Machine, self.vertices) - self.edges = self.get_edges_by_sid() # Useful for non-cached domain users - #self.edges |= self.GetEdgesBySamHash() # This will add edges based only on password hash without caring about username - - - def GetAllMachines(self): - cur = mongo.db.telemetry.find({"telem_type": "system_info_collection"}) - - GUIDs = set() - - for doc in cur: - GUIDs.add(doc.get("monkey_guid")) - - return GUIDs - - @cache - def ReprSidList(self, sid_list, victim): - users_list = [] - - for sid in sid_list: - username = Machine(victim).GetUsernameBySid(sid) - - if username: - users_list.append(username) - - return users_list - - @cache - def ReprSecretList(self, secret_list, victim): - relevant_users_list = [] - - for secret in secret_list: - relevant_users_list.append(Machine(victim).GetUsernamesBySecret(secret)) - - return relevant_users_list - - @staticmethod - def __get_edge_label(attacker, victim): - attacker_monkey = NodeService.get_monkey_by_guid(attacker) - victim_monkey = NodeService.get_monkey_by_guid(victim) - - attacker_label = NodeService.get_monkey_label(attacker_monkey) - victim_label = NodeService.get_monkey_label(victim_monkey) - - RIGHT_ARROW = u"\u2192" - return "%s %s %s" % (attacker_label, RIGHT_ARROW, victim_label) - - def get_edges_by_sid(self): - edges_list = [] - - for attacker in self.vertices: - cached = list(self.GetCachedSids(Machine(attacker))) - - for victim in self.vertices: - if attacker == victim: - continue - - admins = list(Machine(victim).GetAdmins()) - - cached_admins = [i for i in cached if i in admins] - - if cached_admins: - relevant_users_list = self.ReprSidList(cached_admins, victim) - edges_list.append( - { - 'from': attacker, - 'to': victim, - 'users': relevant_users_list, - '_label': PassTheHashReport.__get_edge_label(attacker, victim), - 'id': str(uuid.uuid4()) - }) - - return edges_list - - @cache - def GetEdgesBySamHash(self): - edges = set() - - for attacker in self.vertices: - cached_creds = set(Machine(attacker).GetCachedCreds().items()) - - for victim in self.vertices: - if attacker == victim: - continue - - admin_creds = set(Machine(victim).GetLocalAdminCreds().items()) - - if len(cached_creds & admin_creds) > 0: - label = self.ReprSecretList(set(dict(cached_creds & admin_creds).values()), victim) - edges.add((attacker, victim, label)) - - return edges - - @cache - def GetEdgesByUsername(self): - edges = set() - - for attacker in self.vertices: - cached = Machine(attacker).GetCachedUsernames() - - for victim in self.vertices: - if attacker == victim: - continue - - admins = Machine(victim).GetAdminNames() - - if len(cached & admins) > 0: - edges.add((attacker, victim)) - - return edges - - @cache - def GetPossibleAttackCountBySid(self, sid): - return len(self.GetPossibleAttacksBySid(sid)) - - @cache - def GetPossibleAttacksByAttacker(self, attacker): - attacks = set() - - cached_creds = set(Machine(attacker).GetCachedCreds().items()) - - for victim in self.vertices: - if attacker == victim: - continue - - admin_creds = set(Machine(victim).GetLocalAdminCreds().items()) - - if len(cached_creds & admin_creds) > 0: - curr_attacks = dict(cached_creds & admin_creds) - attacks.add((attacker, victim, curr_attacks)) - - return attacks - - @cache - def GetPossibleAttacksBySid(self, sid): - attacks = set() - - for attacker in self.vertices: - tmp = self.GetPossibleAttacksByAttacker(attacker) - - for _, victim, curr_attacks in tmp: - for username, secret in curr_attacks.iteritems(): - if Machine(victim).GetSidByUsername(username) == sid: - attacks.add((attacker, victim)) - - return attacks - - @cache - def GetSecretBySid(self, sid): - for m in self.machines: - for user, user_secret in m.GetLocalSecrets().iteritems(): - if m.GetSidByUsername(user) == sid: - return user_secret - - return None - - @cache - def GetVictimCountBySid(self, sid): - return len(self.GetVictimsBySid(sid)) - - @cache - def GetVictimCountByMachine(self, attacker): - return len(self.GetVictimsByAttacker(attacker)) - - @cache - def GetAttackCountBySecret(self, secret): - return len(self.GetAttackersBySecret(secret)) - - @cache - def GetAllUsernames(self): - names = set() - - for sid in self.GetAllSids(): - names.add(self.GetUsernameBySid(sid)) - - return names - - @cache - def GetAllSids(self): - SIDs = set() - - for m in self.machines: - SIDs |= m.GetLocalSids() - - return SIDs - - @cache - def GetAllSecrets(self): - secrets = set() - - for m in self.machines: - for secret in m.GetLocalAdminSecrets(): - secrets.add(secret) - - return secrets - - @cache - def GetUsernameBySid(self, sid): - for m in self.machines: - username = m.GetUsernameBySid(sid) - - if username: - return username - - return None - - @cache - def GetSidInfo(self, sid): - for m in self.machines: - info = m.GetSidInfo(sid) - - if info: - return info - - return None - - @cache - def GetSidsBySecret(self, secret): - SIDs = set() - - for m in self.machines: - SIDs |= m.GetSidsBySecret(secret) - - return SIDs - - @cache - def GetAllDomainControllers(self): - DCs = set() - - for m in self.machines: - if m.IsDomainController(): - DCs.add(m) - - return DCs - - @cache - def GetSidsByUsername(self, username): - SIDs = set() - - for m in self.machines: - sid = m.GetSidByUsername(username) - if sid: - SIDs.add(sid) - - return SIDs - - @cache - def GetVictimsBySid(self, sid): - machines = set() - - for m in self.machines: - if sid in m.GetAdmins(): - machines.add(m) - - return machines - - @cache - def GetVictimsBySecret(self, secret): - machines = set() - - SIDs = self.GetSidsBySecret(secret) - - for m in self.machines: - if len(SIDs & m.GetAdmins()) > 0: - machines.add(m) - - return machines - - @cache - def GetAttackersBySecret(self, secret): - machines = set() - - for m in self.machines: - if secret in m.GetCachedSecrets(): - machines.add(m) - - return machines - - @cache - def GetAttackersByVictim(self, victim): - if type(victim) != unicode: - victim = victim.monkey_guid - - attackers = set() - - for edge in self.edges: - if edge.get('to', None) == victim: - attackers.add(edge.get('from', None)) - - return set(map(Machine, attackers)) - - @cache - def GetAttackersBySid(self, sid): - machines = set() - - for m in self.machines: - if sid in self.GetCachedSids(m): - machines.add(m) - - return machines - - @cache - def GetVictimsByAttacker(self, attacker): - if type(attacker) != unicode: - attacker = attacker.monkey_guid - - victims = set() - - for atck, vic, _ in self.edges: - if atck == attacker: - victims.add(vic) - - return set(map(Machine, victims)) - - @cache - def GetInPathCountByVictim(self, victim, already_processed=None): - if type(victim) != unicode: - victim = victim.monkey_guid - - if not already_processed: - already_processed = set([victim]) - - count = 0 - - for atck, vic, _ in self.edges: - if atck == vic: - continue - - if vic != victim: - continue - - if atck in already_processed: - continue - - count += 1 - - already_processed.add(atck) - count += self.GetInPathCountByVictim(atck, already_processed) - - return count - - @cache - def GetCritialServers(self): - machines = set() - - for m in self.machines: - if m.IsCriticalServer(): - machines.add(m) - - return machines - - @cache - def GetNonCritialServers(self): - return set(self.machines) - self.GetCritialServers() - - #@cache - def GetCachedSids(self, m): - sids = set() - tmp = m.GetCachedSids() - - for sid in tmp: - if sid.startswith("__USERNAME__"): - - s = self.GetSidsByUsername(sid[len("__USERNAME__"):]) - if len(s) == 1: - sids.add(s.pop()) - else: - sids.add(sid) - - else: - sids.add(sid) - - return sids - - @cache - def GetThreateningUsersByVictim(self, victim): - threatening_users = set() - - for attacker in self.GetAttackersByVictim(victim): - # For each attacker, get the cached users and check which of them is an admin on the victim - threatening_users |= (self.GetCachedSids(attacker) & victim.GetAdmins()) - - return threatening_users - - def GetSharedAdmins(self, m): - shared_admins = [] - - for other in self.machines: - if m == other: - continue - for sid in m.GetLocalAdminSids(): - if sid in other.GetLocalAdminSids(): - shared_admins.append(sid) - - #shared_admins |= (m.GetLocalAdminSids() & other.GetLocalAdminSids()) - - shared_admins = [admin for admin in shared_admins if admin not in list(m.GetDomainAdminsOfMachine())] - - return shared_admins diff --git a/monkey_island/cc/services/user_info.py b/monkey_island/cc/services/user_info.py deleted file mode 100644 index e69de29bb..000000000 diff --git a/monkey_island/cc/ui/src/components/map/preview-pane/InfMapPreviewPane.js b/monkey_island/cc/ui/src/components/map/preview-pane/InfMapPreviewPane.js deleted file mode 100644 index e06043c20..000000000 --- a/monkey_island/cc/ui/src/components/map/preview-pane/InfMapPreviewPane.js +++ /dev/null @@ -1,247 +0,0 @@ -import React from 'react'; -import {Icon} from 'react-fa'; -import Toggle from 'react-toggle'; -import {OverlayTrigger, Tooltip} from 'react-bootstrap'; -import download from 'downloadjs' -import PreviewPaneComponent from 'components/map/preview-pane/PreviewPane'; - -class InfMapPreviewPaneComponent extends PreviewPaneComponent { - - osRow(asset) { - return ( - - Operating System - {asset.os.charAt(0).toUpperCase() + asset.os.slice(1)} - - ); - } - - ipsRow(asset) { - return ( - - IP Addresses - {asset.ip_addresses.map(val =>
    {val}
    )} - - ); - } - - servicesRow(asset) { - return ( - - Services - {asset.services.map(val =>
    {val}
    )} - - ); - } - - accessibleRow(asset) { - return ( - - - Accessible From  - {this.generateToolTip('List of machine which can access this one using a network protocol')} - - {asset.accessible_from_nodes.map(val =>
    {val}
    )} - - ); - } - - statusRow(asset) { - return ( - - Status - {(asset.dead) ? 'Dead' : 'Alive'} - - ); - } - - forceKill(event, asset) { - let newConfig = asset.config; - newConfig['alive'] = !event.target.checked; - this.authFetch('/api/monkey/' + asset.guid, - { - method: 'PATCH', - headers: {'Content-Type': 'application/json'}, - body: JSON.stringify({config: newConfig}) - }); - } - - forceKillRow(asset) { - return ( - - - Force Kill  - {this.generateToolTip('If this is on, monkey will die next time it communicates')} - - - this.forceKill(e, asset)}/> - - - - ); - } - - unescapeLog(st) { - return st.substr(1, st.length - 2) // remove quotation marks on beginning and end of string. - .replace(/\\n/g, "\n") - .replace(/\\r/g, "\r") - .replace(/\\t/g, "\t") - .replace(/\\b/g, "\b") - .replace(/\\f/g, "\f") - .replace(/\\"/g, '\"') - .replace(/\\'/g, "\'") - .replace(/\\&/g, "\&"); - } - - downloadLog(asset) { - this.authFetch('/api/log?id=' + asset.id) - .then(res => res.json()) - .then(res => { - let timestamp = res['timestamp']; - timestamp = timestamp.substr(0, timestamp.indexOf('.')); - let filename = res['monkey_label'].split(':').join('-') + ' - ' + timestamp + '.log'; - let logContent = this.unescapeLog(res['log']); - download(logContent, filename, 'text/plain'); - }); - - } - - downloadLogRow(asset) { - return ( - - - Download Log - - - this.downloadLog(asset)}>Download - - - ); - } - - exploitsTimeline(asset) { - if (asset.exploits.length === 0) { - return (
    ); - } - - return ( -
    -

    - Exploit Timeline  - {this.generateToolTip('Timeline of exploit attempts. Red is successful. Gray is unsuccessful')} -

    -
      - {asset.exploits.map(exploit => -
    • -
      -
      {new Date(exploit.timestamp).toLocaleString()}
      -
      {exploit.origin}
      -
      {exploit.exploiter}
      -
    • - )} -
    -
    - ) - } - - assetInfo(asset) { - return ( -
    - - - {this.osRow(asset)} - {this.ipsRow(asset)} - {this.servicesRow(asset)} - {this.accessibleRow(asset)} - -
    - {this.exploitsTimeline(asset)} -
    - ); - } - - infectedAssetInfo(asset) { - return ( -
    - - - {this.osRow(asset)} - {this.statusRow(asset)} - {this.ipsRow(asset)} - {this.servicesRow(asset)} - {this.accessibleRow(asset)} - {this.forceKillRow(asset)} - {this.downloadLogRow(asset)} - -
    - {this.exploitsTimeline(asset)} -
    - ); - } - - scanInfo(edge) { - return ( -
    - - - - - - - - - - - - - - - -
    Operating System{edge.os.type}
    IP Address{edge.ip_address}
    Services{edge.services.map(val =>
    {val}
    )}
    - { - (edge.exploits.length === 0) ? - '' : -
    -

    Timeline

    -
      - {edge.exploits.map(exploit => -
    • -
      -
      {new Date(exploit.timestamp).toLocaleString()}
      -
      {exploit.origin}
      -
      {exploit.exploiter}
      -
    • - )} -
    -
    - } -
    - ); - } - - islandEdgeInfo() { - return ( -
    -
    - ); - } - - getInfoByProps() { - switch (this.props.type) { - case 'edge': - return this.scanInfo(this.props.item); - case 'node': - return this.props.item.group.includes('monkey', 'manual') ? - this.infectedAssetInfo(this.props.item) : this.assetInfo(this.props.item); - case 'island_edge': - return this.islandEdgeInfo(); - } - - return null; - } -} - -export default InfMapPreviewPaneComponent; diff --git a/monkey_island/cc/ui/src/components/map/preview-pane/PthPreviewPane.js b/monkey_island/cc/ui/src/components/map/preview-pane/PthPreviewPane.js deleted file mode 100644 index f9a5ae1bb..000000000 --- a/monkey_island/cc/ui/src/components/map/preview-pane/PthPreviewPane.js +++ /dev/null @@ -1,63 +0,0 @@ -import React from 'react'; -import {Icon} from 'react-fa'; -import Toggle from 'react-toggle'; -import {OverlayTrigger, Tooltip} from 'react-bootstrap'; -import download from 'downloadjs' -import PreviewPaneComponent from 'components/map/preview-pane/PreviewPane'; - -class PthPreviewPaneComponent extends PreviewPaneComponent { - nodeInfo(asset) { - return ( -
    - - - - - - - - - - - - - - - - - - - -
    Hostname{asset.hostname}
    IP Addresses{asset.ips.map(val =>
    {val}
    )}
    Services{asset.services.map(val =>
    {val}
    )}
    Compromised Users{asset.users.map(val =>
    {val}
    )}
    -
    - ); - } - - edgeInfo(edge) { - return ( -
    - - - - - - - -
    Compromised Users{edge.users.map(val =>
    {val}
    )}
    -
    - ); - } - - getInfoByProps() { - switch (this.props.type) { - case 'edge': - return this.edgeInfo(this.props.item); - case 'node': - return this.nodeInfo(this.props.item); - } - - return null; - } -} - -export default PthPreviewPaneComponent; diff --git a/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js b/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js deleted file mode 100644 index 20faafca7..000000000 --- a/monkey_island/cc/ui/src/components/pages/PassTheHashMapPage.js +++ /dev/null @@ -1,58 +0,0 @@ -import React from 'react'; -import {ReactiveGraph} from 'components/reactive-graph/ReactiveGraph'; -import AuthComponent from '../AuthComponent'; -import {optionsPth, edgeGroupToColorPth, options} from '../map/MapOptions'; -import PreviewPane from "../map/preview-pane/PreviewPane"; -import {Col} from "react-bootstrap"; -import {Link} from 'react-router-dom'; -import {Icon} from 'react-fa'; -import PthPreviewPaneComponent from "../map/preview-pane/PthPreviewPane"; - -class PassTheHashMapPageComponent extends AuthComponent { - constructor(props) { - super(props); - this.state = { - graph: props.graph, - selected: null, - selectedType: null - }; - } - - events = { - select: event => this.selectionChanged(event) - }; - - selectionChanged(event) { - if (event.nodes.length === 1) { - let displayedNode = this.state.graph.nodes.find( - function (node) { - return node['id'] === event.nodes[0]; - }); - this.setState({selected: displayedNode, selectedType: 'node'}) - } - else if (event.edges.length === 1) { - let displayedEdge = this.state.graph.edges.find( - function (edge) { - return edge['id'] === event.edges[0]; - }); - this.setState({selected: displayedEdge, selectedType: 'edge'}); - } - else { - this.setState({selected: null, selectedType: null}); - } - } - - render() { - return ( -
    - -
    - -
    - -
    - ); - } -} - -export default PassTheHashMapPageComponent; diff --git a/monkey_island/cc/ui/src/components/report-components/SharedAdmins.js b/monkey_island/cc/ui/src/components/report-components/SharedAdmins.js deleted file mode 100644 index bf57065d5..000000000 --- a/monkey_island/cc/ui/src/components/report-components/SharedAdmins.js +++ /dev/null @@ -1,42 +0,0 @@ -import React from 'react'; -import ReactTable from 'react-table' - -let renderArray = function(val) { - return
    {val.map(x =>
    {x}
    )}
    ; -}; - -const columns = [ - { - Header: 'Shared Admins Between Machines', - columns: [ - { Header: 'Username', accessor: 'username'}, - { Header: 'Domain', accessor: 'domain'}, - { Header: 'Machines', id: 'machines', accessor: x => renderArray(x.machines)}, - ] - } -]; - -const pageSize = 10; - -class SharedAdminsComponent extends React.Component { - constructor(props) { - super(props); - } - - render() { - let defaultPageSize = this.props.data.length > pageSize ? pageSize : this.props.data.length; - let showPagination = this.props.data.length > pageSize; - return ( -
    - -
    - ); - } -} - -export default SharedAdminsComponent; diff --git a/monkey_island/cc/ui/src/components/report-components/SharedCreds.js b/monkey_island/cc/ui/src/components/report-components/SharedCreds.js deleted file mode 100644 index f42494167..000000000 --- a/monkey_island/cc/ui/src/components/report-components/SharedCreds.js +++ /dev/null @@ -1,41 +0,0 @@ -import React from 'react'; -import ReactTable from 'react-table' - -let renderArray = function(val) { - console.log(val); - return
    {val.map(x =>
    {x}
    )}
    ; -}; - -const columns = [ - { - Header: 'Shared Credentials', - columns: [ - {Header: 'Credential Group', id: 'cred_group', accessor: x => renderArray(x.cred_group) } - ] - } -]; - -const pageSize = 10; - -class SharedCredsComponent extends React.Component { - constructor(props) { - super(props); - } - - render() { - let defaultPageSize = this.props.data.length > pageSize ? pageSize : this.props.data.length; - let showPagination = this.props.data.length > pageSize; - return ( -
    - -
    - ); - } -} - -export default SharedCredsComponent; diff --git a/monkey_island/cc/ui/src/components/report-components/StrongUsers.js b/monkey_island/cc/ui/src/components/report-components/StrongUsers.js deleted file mode 100644 index 36068f26e..000000000 --- a/monkey_island/cc/ui/src/components/report-components/StrongUsers.js +++ /dev/null @@ -1,44 +0,0 @@ -import React from 'react'; -import ReactTable from 'react-table' - -let renderArray = function(val) { - console.log(val); - return
    {val.map(x =>
    {x}
    )}
    ; -}; - -const columns = [ - { - Header: 'Powerful Users', - columns: [ - { Header: 'Username', accessor: 'username'}, - { Header: 'Domain', accessor: 'domain'}, - { Header: 'Machines', id: 'machines', accessor: x => renderArray(x.machines)}, - { Header: 'Services', id: 'services', accessor: x => renderArray(x.services_names)} - ] - } -]; - -const pageSize = 10; - -class StrongUsersComponent extends React.Component { - constructor(props) { - super(props); - } - - render() { - let defaultPageSize = this.props.data.length > pageSize ? pageSize : this.props.data.length; - let showPagination = this.props.data.length > pageSize; - return ( -
    - -
    - ); - } -} - -export default StrongUsersComponent; diff --git a/monkey_island/cc/ui/src/images/nodes/pth/critical.png b/monkey_island/cc/ui/src/images/nodes/pth/critical.png deleted file mode 100644 index 0348a7f5d312b0400da47f60a5f2d81682bd19a6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 20067 zcmeHPYgm)Vww?eQs5P;&1Zq((7T8IMjpu7F01~l;o8)@Pde9S z2nU*cP0PB>11sqtJ_&y2%P^!bOz8@7XeY`+J*1he8-ri>8w22_IR5QYc!}rFmcR?` z*hnG4tN9Ae170UKvAp2Lyw3H8SL&xkL&7+O=Md5He@Gp*=M8F}rQt!#L|~+_NsJb= zUs$ZpcyS-6YLIiABY1HjDOXV8$kU5lz+mF@0VNN$+0X21$_)Ov#*TGk)bXas7rM(6 z<-LnQZmhbK9v`Mma6LBd-f@xUKeOggS-;1o~IhPc5-(EBXLDC@foNoL9$aY{`9RA~!3 zKGUVH48B>=0ky7nKG40ON|Po>GMBMVj9KNt#_5~;K8UIcWIZb*eEkzxLowIxbLQT3 zwa8XcK=6KhVv4It9}BV#AX8_9+4{f4;AOn#D<$lX(?@HmX$f7$AxYJ?hgGe(8~rm~ zol=_QIObFE1I@5sCrGbwJj*J43uJ+xvm|}`$_vg+AE;ZnQ5_LTTdA7uRk;J>w~D_KlpVJwCeBmW;)Yb+@66cAGu#{?b{J z%VqgbI+?hjp`Obdqf6Zo{ORWP@SC@q5*W6ZTi&~+RM4r~{|We(IN}ZExfb&*{snHi zwz9}6#JWlPvsUwF=u+!40t7TN_HIQz_sv*J?42b)jKGbiGK)gXXk~l%tR98;F%hYu zTjN>rZ;U!VVI2HCs7bzE&Mkj?!aH+jz)#w(Tf5VAsUHS!-y8!!nP2AlbT)SEkGpr{ z6#Pu}BKzL`ws!orZ$4k_9xEmA>)Ddo9|t`A68uc@25mLbF=6We-nmYSOi8vn`G9n& z2_oWK?FVP92YX&9v&7bpR~~r4WtQ81)VrQc`{?jlsiDBBcJ(OR8Fyn(UbneKmatnY z?ti@Z=vR6BaJ9MQBXeH);jgKohoJN~UGh(LuUz>pO5kBAt)#8~`BgNmti81iO4kq|6z()6bLpT z+`#>3R$@^g*nn6Rh(%%eKV1kmAlQIl1A+|*HhB5}s>DfwI4KY(1>&SI{6P!B1_T=r zY(TI9!3O{SN{=`&5(h@&!1(|A!00lo2W6rcTKHJkxItTSI;TYQ7Z&l2F7Z_|@f|kt zLdtEqjT1Vy?d|!sH+y{edRBZ!LX@Z;GK9oa2L`9(yp&lJ=Fgc0O~V4o zzW&Q_h5I-)#DF#j#`s?P+xP54r^7KoIzVfWF33pxJb#oOjMrRZxOl+Zx08g{VwoMxL z6}P;z^2*C98mN-0ORdk?+Q~US6t($d0DCjt+WKU;T$S-Tqyj-1wSiOkGJB|1v=x>gu*`}Aj20Gb)8{`UEApzt4exsI_-N})P9{1x@FhMo@1j=zV2{Rp(9J3AOz8c z)(_YVkELGV+Qtm0aLKadcx0M{Ead@!Dx-xTjkAY@gg75&$#KThl-3VI79KNBJ6bCl z*W`lSvY`Vv3n#KgRzJvl5~uI)spUmgId5+BiC)g)ziv8Ugsd)6wzU|WKD{D$?yeaf z4Ks1l+RPe9?~y)vb*s}PQ-=aFzg5c$Eg?%?&*E+$Sx=#F;pbIVSJ}vYLNiE>X_etF z$M2TQOMRj@v%;3}ug42IQo+AKklQ|}ZM?QSNQ%?!(zJemK8CEREz*#iE@sU|Xv-@p zQ)Y<9D6>?q%o!b!;Akzb!lJ{_el4GJ}IXDqxOMc|q#?>(% zwJ{z~OsdH-G2{aS=S425>+ea<(lYgKXEwNm*z=A#F03%2ROvjzi;^`vpB{hKcxd+y zDJ?w6bimfkn69|)p3!=hR98Gk)0t^?B-Ol!!h9)H`8Oa(x?pPi_A2L7U0;&?7DveijL2upA|o}eV-$MM5_%H5|3s&b=3ca*qjzh5(izN zc^H{OojF=m&Et7QO-m$SQjw7+PB%s@$r8j=W`pMh4RrW03uP)24!)8iuD7CA7CvQw zNl8`KbCG7>ObH6BQWZX?PoPFBd~oPK>&@^$%qY-dYXbe76mTEWcl7VX={b-)SF4YO zpc4n3g`TgLQJ04w^xPhP%o9bgz|{pkEkWwp{>Q|=`Kmp=7C>1J#U1hVuK^{|$z%tU zdS2MC7rN>#mkV@A;kyP##8i>rrq`2d_P;7IEjsG|4KlEb{#`|Ff9l7c<$o9n(*y$B z-+MDW5s!~YnI@Q0nGJev60Y#@R;eVS97k^-ZWaT`Z>q=vfV|MH;3BLb_Nm3DR4=1a z01+$QD5WDs=PU`jFAMjsV+Rc#83I|EUVjJA#5EdX#<9GT+byJf^=aY_7={e_?DzA@ zr=BnJGH#%)Mw(>MB3s@+a9+M9Y#eE5yh@dyBu$I}s#!-N6=evJdlJk;F!G&A&K<1PZuQp89-an^7vj+XpQR#~0y91??Un?H zrDh0wiAw6$1}5)*MYs`Qt~TM>oPuk+6C?LarieFI3D-+!BSkG%x;)(2T2)gulqU4{ zh)c8DJGQYiXZ&)#C&pZdhvpC2{+ilqx8;BFG`839 zE!x=2s!2%GadasPzi%N0IawX0T@rusWGOp$U~qVB1=zW_mQmjW7h7$Hx!^4W-Kf6Q z_ns^!YnEc)mWZI z3)}lE=qtyaHk~h-Adax&EN5xXNe}b_1T_$^x^7_8J{<_B#wQgB`Ho(&dMNfNOBpo~ zJSyy696xzrv7`|H)xYMwruYX$b227gy+D7RGjxF$M`Et7n!7<7ixefGZ>%i5s1@f| z2eYpr+7m-YgL)oG8~_HAW(ua5(rB8CZe7OfyrR3Qxm9fKe^?lxrj;LU4g*{Gv`Zu z#X+4fEgk}xU@zw-ecrtXu$Gnffb@KqA)^tiMFl#sT`r?e!9$&hhf2qTkFBn0bzbGo zAn~|b%cY#jp6GYb%lVVu^WFmssq6f}X)n#p%G_!^5F4ff`BS^51KcUy?X@H@m*~;W zBtgGJyVXn6uwV6KujO?V2TW%hr6L#L-J86Sz8sbOBvZ}7ql?5CsRE4=%u|6;|GgUFXm8aQY(Y=t=)s9qLA20n&i+(bSfoR^5DY#l*5gs?RfV~ri?Z}e; z1y4+VV}Rm#0(}NJw=E7wM=-G3ju)^Q>#SRxpmbx4;Tt%VOC3y5x!@7fR^ zgZN!qi!>*JKZ~{tF;}y^{us|m>5Mc$Xwdm)bF}Na+^G@{hy=M6j!ylRoHG=ZG*c+N zqda8G9?Om`n;$U_`A4$6cyv?uyX|)p)qgl;_%Jc8y~{(fbZ_Z=leycjJ{W|;E^xiC z&T79Rgbf6zReorMxSs16FzaFS9f;sqvzD%r!4=a@LLY&ALs^kTp&sV}yRJrwCiyi4ls@k6^Xrh9?hz*z*adrP;qC>iKa zj7)*K*a45H5KLBJc3v|){(!OKO{MV!Jg#1*d9-&M~ExRGIAVnHeTd6{$~>L9&orE zU(r$gpV?9|ij%q+rO5a-e~p9hDTcF0`9#iwhkntB7lkJd7F9!?--G9O!Sudhdbjte z7~e6ZAt9m@?R*c#5i34d3|jP&7V~Jd5GE}FP}KtK=oxV4QvWC{BPsTCyU*4(B#lr1%~i+-Te(wQfoBfhc+t<|2y}-h9ADvn4^18b zO2=}Rz?CVY!8XQuh|g9BpBqd{UdHmWEi`@l9M+C3wcyBWC<33jPU4e0x(iMX)PdPc zsTN!ZS@~dgSDc3ev(ek_C+^a}#8;akxJa)z-WL~5D!_<+l?E&zUgpGj-e&lZxs1g6zizpG1u?dc`dlNoe>A2K! zne&R+>~9eAO7h&WZaXcs@9C}^%-8-canAIdHz5nxUs!+Tzy7@Ti(8DpBk|#mWBD6` zW=>vqb=9&vW=p=Faqqiz3$V7cb9{5QdlEP9nz7mYp5^A|NzsqyZa25No6@LQ?`uCN z*XW-Iyl)366+L8`miFfg@vna>8ycL)I;P0(53yRTYuYqF<5;6$F+#zI-QZvLid6lN z-Ua$7&`*T_>|9WzdSj*T75AU(_NvF*k?pi4Fqp0485Z%vf&`-GjmyxIw$E$Wy$zI z2cIocFEB(%!faRk8pEaUZBt7~sWlbbw1=~7$@b!aM%OPvnN1#RSLfEOO{&j2oa1O^ zO5;-X;!V|M<6Awo#n4P6j@J!djdVVwT4T+TQlN#viNTF`lr6r?u;92~ zW6k!-a1CM>7GZh|uvpAZ=@aQe=*L$>KI#nJ##(=1aWa^$;v;UgA_OzAO z1W?IX^4>PPE{{0=t)w?$tB6d%X!DML-f^AK;pZ~wgtu`4B%zYjcaCz1(Bb9sHei-E za}i)2zwvykm-k(u#KiGANzJa@(XblOA6}~vWDUhPb(*%!w**t*}3T*u6PvQKR60kZCLnSde!Tpl!7+t}%#o)t~i zlMAKAg*Go<|HRR4Lfn%=+5#f{t-pUj#^N7KYO-~?S#U`jS~v(h}+?j(9AEq zYa=bTbD4N*)IaGxLHJh`l!U3yJE{7eHLU{39BK0N;$gb<;?NTXr!3&au?pKa^UNz6 z-4@Z+0UC``u-r3!p=VM;yXJ&qa*6HR8^!Y{TH}}gvd}ZV`Hwq$w#=gL2%N?V>A9S~ z`m6^K_r3^Uo_}03;3mXj}qQ&!kxZSI$sh4cwYpEvcZkbbe$Z$0!o zq<^>HWR8)OH+R_m*Z3I40JAyVZYU)_<_q zZ$0$4H1wBA^jC9q*P!&rzWQU||A1p(#cHn70ndCa8_h)Cqdz(+OK{pYr}6Yr)+Cfx z8pHCS8@1~1dFt<<^vQ0sOlyP0gRJa9}594zrXd* zT=MaXfBgF^{?w0G`~_dWyVKto=B2W|akQo=>1^1F_fSjjhe81H%J&d?(+8^TZKQ;O zi5h|>?Ih(FkzpzRx>AOhBca3{x@1s4lJ}wFL35<*j;EL95i!I`b>$}o;)@g2D;;hwFI?9UV}X!=%=M&V3qOwl*ef46`Wi ztjM+%T_(ChoafvnuF8%aV<;xE8Wf8}O-xhwBT%(drzsg+(BPu0(edC_4eX8N9$HY_ zRoeVrP#tu&O9ax*ABnY2eL=%4f8<>LCL9x4X$={h(nLU}jUXfol9ID=`0*cDbBWSwuBCm`By z6(){fl~+JzR29KcLMUHawJ-1zduX)lBR0F-UR@HAh<)&KZ_fw_+yw%cMfoagYNUo2 z8}OS1I3#>})D0c?O>M0Bsn(Q`E!*+|E8=G4TAjg#*l!lDju9ASXD}Co_8A-$9OmFb z<_Df-$I}_gOoZNUvBpvu<)2j@0BlIv-b2MA{u^qyJc_a!M2#{NM7c;X1PoOr1|9|s+`9k?P9*2;7uIjFNh5mZAf{8Jm|I$F+SA8*MQ&p?vd z(8ubifyCFvCKzJ9*i*0=376@FHa8CGygS|S;ec!X$sVc^;#Y$KuI2rey}L2kvjg?= z3M`D4HMTfAh*rHfkd1C@wktz0sL072^Tfx2=(^N?Eea85GXoI&HIyGKd_@mRYX%LL zzAkN)nITFDs3t`{N^B|~Mfa5jautXR0C8zS37sT+5-QdBDj6USToxGM^%md|;$``x4Fo6RpJ=95vp9Lm{I1t2N+7r>O;WJILDTv|%dTs|% zI@e5KS@JaoDA)(|CNzK=SWSW>Co{VV24lXeM2B_4%`fwI2l`9lS%wUZ=sLeDW- zh|Q>-hi>_$-oG^^b*iuv{Hq2b91KPM0RDZ5f<*yW#q&_OE9j^U3h!KIzY?_!D&%Vn(VNA<>L(Jd=ssvAnj&1q zxI{e3Oas-x9v>B#*jGE>fO4oMSG)j)MHzR|W>7w|D0@%4VSA z&&@Hfu5av)sgYtSWw-Lgi&6MyYi$2_<+()vPS(vb)REFhef7J1jS-B?M8l;@~L;M=qvX7#ts&CG-$V;O%X9G4UqqmI*fj}L@SH!@D{S2nkhi+)gY~|aMANckQ}^#xlFyKYN7f#1~DcYjGiB}G6Pugn|#eABnJ=Sxt1qx zP1Rw;ypLF6Mp}No$|++STNSOUO0rdFVUTW`)fLn}du)|zB6RETmD520bRJ)5nMVH9 z5=h_fYLb0|9zv2&z7a%ZQUW)iw-tDA!9KJW=3~Eac>-~b{XB%LE$yLBMYJ;TW=>Ss zXm11tLt9e)mAVLn(ky{_yMwiCwxtD|BmMLv;ex1ET3&Mh?lDC3;EB2W8f9})|6OoX z+O>_(%B@n3g>LdTxoQ%sEC#U)q8`yi#WX}*N%jUnOl5PTRW5W-Wt9OcAs7-Wg6x?swO26x1ll)$!8C7+zeB_XvX_90)#lRmn8L2RqZ0Y`P;qD!)+EZelpEz!t}!x7Q3dX@Su z2H_zKKe%Cel;vzc8>OX!o9Recm+HnYE!Zoynj$h1K6}wBR{=LHQ-s2xg-ls-AR@*x z$x5{WBJHroUi5dEE?#YKiPA2}yag=aKI+C^QLsq55i*4r@PDVur28sAHAEy^&~?r7 zu+#0pCCFx9*eRwlhMhJ+Z6xJRF$3COZmxJ8lH^D&B+*fcv@4ae-RBVPVvK<5lPh*Z zk_8hDakSdn`54M1u7`kwgzop|30s?`{lhi$G5vg%QcgEP$s541%?{?`7539nT7}H> z17U&Ef|WPkJ6IuV$#DHXO+7HE-4q1Y1hmUK6{<5#D_LrvtWH7QqoNObE9nNPWjY7l z^2L|BRwQp6%kMt8h;hjPRu@(PPvF!pK9`-TF~KLcqB>tia#Ry|+=LyZOr!_7XiI?=$%z}It=H!zn*o7!_foXm3K{+=x`4U#h7|4)Q z%}^{XI9Wc7pEcE8&t^iV;BH|FP&kaw!r^Jkl0iQ!{8dB|kMBv`se~!J0u0`c&u(Y^ z{<(ZgvRbf)*<(0&eXE25cb)+#F|Ay^zK*GUBNvScw)_>t6!QIi!_gUnSFkc`#i* zG8Ne@GRMR=b6%9za26xt!iKyLgx{zhT9b$v$-KCw7|9M$@tflE>Ip_^I9B*io%}wx z_|bk4fA5YVd)E;+_S|;Pi~cTCggbK36y1WMcIM&!=&G54Y^EE}K(RVa(fIT46q$dH zIyPBjJD!kMa&SJ7K&-tH|1`MaCgVGEd=~0IK{$&jc3`pIkiW+x5CmTDh9WdwQ;iYk zOoY(Gi0V%(Ey}7*+LLJ~9Q}mRfvvJ*`0;Kd@{v8hIR$EBFR2g;|`g zMCwC>K8_?0klm`;GA47xgzvP*60?;iYWZN+OVTEcgw(1bRjpL3vFx1_+29*_{824w z22A`uS>wL^4{2h_u&*+)o6*3?#R@~(G&YP_CEW5ngNXGx#8oFO}EZ$#sHuKtbgPN?$4hooAf4r$d?kNTWKl*0r= nc#$QP>VN)j7jSXfpS8Hwy{`*XyZtg?5Rm7_EgOo~hyVEBe}7>m From 4ce30de3020dabcf0cd1e07b2bee235ed58f31be Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Tue, 16 Oct 2018 13:59:32 +0300 Subject: [PATCH 101/117] Changed the way the username is displayed in the shared admin bulletin --- monkey/monkey_island/cc/services/pth_report.py | 2 -- monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js | 3 ++- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index 0bd9c332d..95e0717e1 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -171,8 +171,6 @@ class PTHReportService(object): return table_entries - - @staticmethod def generate_map_nodes(): diff --git a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js index 260701c4d..98224541c 100644 --- a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -787,7 +787,8 @@ class ReportPageComponent extends AuthComponent {
  • Make sure the right administrator accounts are managing the right machines, and that there isn’t an unintentional local admin sharing. - Here is a list of machines which has this account defined as an administrator: + Here is a list of machines which the account {issue.username} is defined as an administrator: {this.generateInfoBadges(issue.shared_machines)}
  • From b443652b0ea58cc3a7892ab0a7f8fce0614356ec Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Tue, 16 Oct 2018 18:53:56 +0300 Subject: [PATCH 102/117] Cleaned up the code and removed not needed files --- .../monkey_island/cc/services/pth_report.py | 13 +- .../cc/services/pth_report_utils.py | 962 ------------------ monkey/monkey_island/cc/services/report.py | 5 +- 3 files changed, 11 insertions(+), 969 deletions(-) delete mode 100644 monkey/monkey_island/cc/services/pth_report_utils.py diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index 95e0717e1..7a3dbc39b 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -222,18 +222,22 @@ class PTHReportService(object): if pair[0] != pair[1]: yield pair + @staticmethod + def get_pth_map(): + return { + 'nodes': PTHReportService.generate_map_nodes(), + 'edges': PTHReportService.generate_edge_nodes() + } + @staticmethod def get_report(): PTHReportService.get_strong_users_on_critical_machines_nodes() - - issues = [] report = \ { 'report_info': { - 'strong_users_table': PTHReportService.get_strong_users_on_crit_details(), - 'pth_issues': issues + 'strong_users_table': PTHReportService.get_strong_users_on_crit_details() }, 'pthmap': @@ -244,3 +248,4 @@ class PTHReportService(object): } return report + diff --git a/monkey/monkey_island/cc/services/pth_report_utils.py b/monkey/monkey_island/cc/services/pth_report_utils.py deleted file mode 100644 index 13fe3654f..000000000 --- a/monkey/monkey_island/cc/services/pth_report_utils.py +++ /dev/null @@ -1,962 +0,0 @@ -import hashlib -import binascii -import copy -import uuid - -from cc.database import mongo -from cc.services.node import NodeService - -DsRole_RoleStandaloneWorkstation = 0 -DsRole_RoleMemberWorkstation = 1 -DsRole_RoleStandaloneServer = 2 -DsRole_RoleMemberServer = 3 -DsRole_RoleBackupDomainController = 4 -DsRole_RolePrimaryDomainController = 5 - -SidTypeUser = 1 -SidTypeGroup = 2 -SidTypeDomain = 3 -SidTypeAlias = 4 -SidTypeWellKnownGroup = 5 -SidTypeDeletedAccount = 6 -SidTypeInvalid = 7 -SidTypeUnknown = 8 -SidTypeComputer = 9 - - -def is_group_sid_type(type): - return type in (SidTypeGroup, SidTypeAlias, SidTypeWellKnownGroup) - - -def myntlm(x): - hash = hashlib.new('md4', x.encode('utf-16le')).digest() - return str(binascii.hexlify(hash)) - - -def cache(foo): - def hash(o): - if type(o) in (int, float, str, unicode): - return repr(o) - - elif type(o) in (type(None),): - return "___None___" - - elif type(o) in (list, tuple, set): - hashed = tuple([hash(x) for x in o]) - - if "NotHashable" in hashed: - return "NotHashable" - - return hashed - - elif type(o) == dict: - hashed_keys = tuple([hash(k) for k, v in o.iteritems()]) - hashed_vals = tuple([hash(v) for k, v in o.iteritems()]) - - if "NotHashable" in hashed_keys or "NotHashable" in hashed_vals: - return "NotHashable" - - return tuple(zip(hashed_keys, hashed_vals)) - - elif type(o) == Machine: - return o.monkey_guid - - # elif type(o) == PthMap: - # return "PthMapSingleton" - - elif type(o) == PassTheHashReport: - return "PassTheHashReportSingleton" - - else: - assert False, "%s of type %s is not hashable" % (repr(o), type(o)) - return "NotHashable" - - def wrapper(*args, **kwargs): - hashed = (hash(args), hash(kwargs)) - - if "NotHashable" in hashed: - return foo(*args, **kwargs) - - if not hasattr(foo, "_mycache_"): - foo._mycache_ = dict() - - if hashed not in foo._mycache_.keys(): - foo._mycache_[hashed] = foo(*args, **kwargs) - - return copy.deepcopy(foo._mycache_[hashed]) - - return wrapper - - -class Machine(object): - def __init__(self, monkey_guid): - self.monkey_guid = str(monkey_guid) - - self.latest_system_info = mongo.db.telemetry.find( - {"telem_type": "system_info_collection", "monkey_guid": self.monkey_guid}).sort([("timestamp", -1)]).limit( - 1) - - if self.latest_system_info.count() > 0: - self.latest_system_info = self.latest_system_info[0] - else: - self.latest_system_info = None - - self.monkey_info = NodeService.get_monkey_by_guid(self.monkey_guid) - - def __eq__(self, other): - if isinstance(other, self.__class__): - return self.monkey_guid == other.monkey_guid - else: - return False - - @cache - def GetMimikatzOutput(self): - doc = self.latest_system_info - - if not doc: - return None - - return doc.get("data").get("mimikatz") - - @cache - def GetHostName(self): - doc = self.latest_system_info - - for comp in doc.get("data").get("Win32_ComputerSystem", {}): - return eval(comp.get("Name")) - - return None - - @cache - def GetIp(self): - doc = self.latest_system_info - - for addr in doc.get("data").get("network_info", {}).get("networks", {}): - return str(addr["addr"]) - - return None - - @cache - def get_monkey_id(self): - doc = self.monkey_info - - return str(doc.get('_id')) - - @cache - def GetDomainName(self): - doc = self.latest_system_info - - for comp in doc.get("data").get("Win32_ComputerSystem", {}): - return eval(comp.get("Domain")) - - return None - - @cache - def GetDomainRole(self): - doc = self.latest_system_info - - for comp in doc.get("data").get("Win32_ComputerSystem", {}): - return comp.get("DomainRole") - - return None - - @cache - def IsDomainController(self): - return self.GetDomainRole() in (DsRole_RolePrimaryDomainController, DsRole_RoleBackupDomainController) - - #@cache - def GetSidByUsername(self, username, domain=None): - doc = self.latest_system_info - - for user in doc.get("data").get("Win32_UserAccount", {}): - if eval(user.get("Name")) != username: - continue - - if user.get("SIDType") != SidTypeUser: - continue - - if domain and user.get("Domain") != domain: - continue - - return eval(user.get("SID")) - - if not self.IsDomainController(): - for dc in self.GetDomainControllers(): - sid = dc.GetSidByUsername(username) - - if sid != None: - return sid - - return None - - @cache - def GetUsernameBySid(self, sid): - info = self.GetSidInfo(sid) - - if not info: - return None - - return str(info.get("Domain")) + "\\" + str(info.get("Username")) - - @cache - def GetSidInfo(self, sid): - doc = self.latest_system_info - - for user in doc.get("data").get("Win32_UserAccount",{}): - if eval(user.get("SID")) != sid: - continue - - if user.get("SIDType") != SidTypeUser: - continue - - return {"Domain": eval(user.get("Domain")), - "Username": eval(user.get("Name")), - "Disabled": user.get("Disabled") == "true", - "PasswordRequired": user.get("PasswordRequired") == "true", - "PasswordExpires": user.get("PasswordExpires") == "true", - 'hostname': doc.get('data').get('hostname'), } - - if not self.IsDomainController(): - for dc in self.GetDomainControllers(): - domain = dc.GetSidInfo(sid) - - if domain != None: - return domain - - return None - - @cache - def GetCriticalServicesInstalled(self): - def IsNameOfCriticalService(name): - services = ("W3svc", "MSExchangeServiceHost", "MSSQLServer", "dns", 'MSSQL$SQLEXPRESS') - services = map(str.lower, services) - - if not name: - return False - - name = name.lower() - - return name in services - # for ser in services: - # if ser in name: - # return True - - return False - - doc = self.latest_system_info - found = [] - - if self.IsDomainController(): - found.append("Domain Controller") - - for product in doc.get("data").get("Win32_Product", {}): - service_name = eval(product.get("Name")) - - if not IsNameOfCriticalService(service_name): - continue - - found.append(service_name) - - for service in doc.get("data").get("Win32_Service", {}): - service_name = eval(service.get("Name")) - - if not IsNameOfCriticalService(service_name): - continue - - if eval(service.get("State")) != "Running": - continue - - found.append(service_name) - - return found - - @cache - def IsCriticalServer(self): - return len(self.GetCriticalServicesInstalled()) > 0 - - @cache - def GetUsernamesBySecret(self, secret): - sam = self.GetLocalSecrets() - - names = set() - - for username, user_secret in sam.iteritems(): - if secret == user_secret: - names.add(username) - - return names - - @cache - def GetSidsBySecret(self, secret): - usernames = self.GetUsernamesBySecret(secret) - return set(map(self.GetSidByUsername, usernames)) - - def GetGroupSidByGroupName(self, group_name): - doc = self.latest_system_info - - for group in doc.get('data').get("Win32_Group", {}): - if eval(group.get("Name")) != group_name: - continue - - if not is_group_sid_type(group.get("SIDType")): - continue - - return eval(group.get("SID")) - - return None - - def GetUsersByGroupSid(self, sid): - doc = self.latest_system_info - - users = dict() - - for group_user in doc.get('data').get("Win32_GroupUser", {}): - if eval(group_user.get("GroupComponent", {}).get("SID")) != sid: - continue - - if not is_group_sid_type(group_user.get("GroupComponent", {}).get("SIDType")): - continue - - if "PartComponent" not in group_user.keys(): - continue - - if type(group_user.get("PartComponent")) in (str, unicode): - # PartComponent is an id to Win32_UserAccount table - - wmi_id = group_user.get("PartComponent") - - if "cimv2:Win32_UserAccount" not in wmi_id: - continue - - username = wmi_id.split('cimv2:Win32_UserAccount.Domain="')[1].split('",Name="')[0] - domain = wmi_id.split('cimv2:Win32_UserAccount.Domain="')[1].split('",Name="')[1][:-1] - - sid = self.GetSidByUsername(username, domain) - users[sid] = username - - else: - if group_user.get("PartComponent", {}).get("SIDType") != SidTypeUser: - continue - - users[eval(group_user.get("PartComponent", {}).get("SID"))] = eval(group_user.get("PartComponent") - .get("Name")) - - return users - - @cache - def GetDomainControllersMonkeyGuidByDomainName(self, domain_name): - cur = mongo.db.telemetry.find( - {"telem_type": "system_info_collection", "data.Win32_ComputerSystem.Domain": "u'%s'" % (domain_name,)}) - - GUIDs = set() - - for doc in cur: - if not Machine(doc.get("monkey_guid")).IsDomainController(): - continue - - GUIDs.add(doc.get("monkey_guid")) - - return GUIDs - - def GetLocalAdmins(self): - admins = self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Administrators")) - - # debug = self.GetUsersByGroupSid(self.GetGroupSidByGroupName("Users")) - # admins.update(debug) - - return admins - - def GetLocalAdminSids(self): - return set(self.GetLocalAdmins().keys()) - - @cache - def GetLocalSids(self): - doc = self.latest_system_info - - SIDs = set() - - for user in doc.get('data').get("Win32_UserAccount", {}): - if user.get("SIDType") != SidTypeUser: - continue - - SIDs.add(eval(user.get("SID"))) - - return SIDs - - @cache - def GetLocalAdminNames(self): - return set(self.GetLocalAdmins().values()) - - @cache - def GetSam(self): - if not self.GetMimikatzOutput(): - return {} - - mimikatz = self.GetMimikatzOutput() - - if mimikatz.count("\n42.") != 2: - return {} - - try: - sam_users = mimikatz.split("\n42.")[1].split("\nSAMKey :")[1].split("\n\n")[1:] - - sam = {} - - for sam_user_txt in sam_users: - sam_user = dict([map(unicode.strip, line.split(":")) for line in - filter(lambda l: l.count(":") == 1, sam_user_txt.splitlines())]) - - ntlm = sam_user.get("NTLM") - if "[hashed secret]" not in ntlm: - continue - - sam[sam_user.get("User")] = ntlm.replace("[hashed secret]", "").strip() - - return sam - - except: - return {} - - @cache - def GetNtds(self): - if not self.GetMimikatzOutput(): - return {} - - mimikatz = self.GetMimikatzOutput() - - if mimikatz.count("\n42.") != 2: - return {} - - ntds_users = mimikatz.split("\n42.")[2].split("\nRID :")[1:] - ntds = {} - - for ntds_user_txt in ntds_users: - user = ntds_user_txt.split("User :")[1].splitlines()[0].replace("User :", "").strip() - ntlm = ntds_user_txt.split("* Primary\n NTLM :")[1].splitlines()[0].replace("NTLM :", "").strip() - ntlm = ntlm.replace("[hashed secret]", "").strip() - - if ntlm: - ntds[user] = ntlm - - return ntds - - @cache - def GetLocalSecrets(self): - sam = self.GetSam() - ntds = self.GetNtds() - - secrets = sam.copy() - secrets.update(ntds) - - return secrets - - @cache - def GetLocalAdminSecrets(self): - return set(self.GetLocalAdminCreds().values()) - - @cache - def GetLocalAdminCreds(self): - admin_names = self.GetLocalAdminNames() - sam = self.GetLocalSecrets() - - admin_creds = dict() - - for username, secret in sam.iteritems(): - if username not in admin_names: - continue - - admin_creds[username] = secret - - return admin_creds - - @cache - def GetCachedSecrets(self): - return set(self.GetCachedCreds().values()) - - @cache - def GetCachedCreds(self): - doc = self.latest_system_info - - creds = dict() - - if not self.GetMimikatzOutput(): - return {} - - mimikatz = self.GetMimikatzOutput() - - for user in mimikatz.split("\n42.")[0].split("Authentication Id")[1:]: - username = None - secret = None - - for line in user.splitlines(): - if "User Name" in line: - username = line.split(":")[1].strip() - - if ("NTLM" in line or "Password" in line) and "[hashed secret]" in line: - secret = line.split(":")[1].replace("[hashed secret]", "").strip() - - if username and secret: - creds[username] = secret - - return creds - - @cache - def GetDomainControllers(self): - domain_name = self.GetDomainName() - DCs = self.GetDomainControllersMonkeyGuidByDomainName(domain_name) - return map(Machine, DCs) - - def GetDomainAdminsOfMachine(self): - DCs = self.GetDomainControllers() - - domain_admins = set() - - for dc in DCs: - domain_admins |= set(dc.GetUsersByGroupSid(self.GetGroupSidByGroupName("Domain Admins")).keys()) - - return domain_admins - - #@cache - def GetAdmins(self): - return self.GetLocalAdminSids() # | self.GetDomainAdminsOfMachine() - - @cache - def GetAdminNames(self): - return set(map(lambda x: self.GetUsernameBySid(x), self.GetAdmins())) - - #@cache - def GetCachedSids(self): - doc = self.latest_system_info - - SIDs = set() - - for username in doc.get('data').get("credentials", {}): - sid = self.GetSidByUsername(username) - - if not sid: - sid = "__USERNAME__" + username - - SIDs.add(sid) - - return SIDs - - @cache - def GetCachedUsernames(self): - doc = self.latest_system_info - - names = set() - - for username in doc.get('data').get("credentials", {}): - names.add(username) - - return names - - -class PassTheHashReport(object): - - def __init__(self): - self.vertices = self.GetAllMachines() - - self.machines = map(Machine, self.vertices) - self.edges = self.get_edges_by_sid() # Useful for non-cached domain users - #self.edges |= self.GetEdgesBySamHash() # This will add edges based only on password hash without caring about username - - - def GetAllMachines(self): - cur = mongo.db.telemetry.find({"telem_type": "system_info_collection"}) - - GUIDs = set() - - for doc in cur: - GUIDs.add(doc.get("monkey_guid")) - - return GUIDs - - @cache - def ReprSidList(self, sid_list, victim): - users_list = [] - - for sid in sid_list: - username = Machine(victim).GetUsernameBySid(sid) - - if username: - users_list.append(username) - - return users_list - - @cache - def ReprSecretList(self, secret_list, victim): - relevant_users_list = [] - - for secret in secret_list: - relevant_users_list.append(Machine(victim).GetUsernamesBySecret(secret)) - - return relevant_users_list - - @staticmethod - def __get_edge_label(attacker, victim): - attacker_monkey = NodeService.get_monkey_by_guid(attacker) - victim_monkey = NodeService.get_monkey_by_guid(victim) - - attacker_label = NodeService.get_monkey_label(attacker_monkey) - victim_label = NodeService.get_monkey_label(victim_monkey) - - RIGHT_ARROW = u"\u2192" - return "%s %s %s" % (attacker_label, RIGHT_ARROW, victim_label) - - - - - - def get_edges_by_sid(self): - edges_list = [] - - for attacker in self.vertices: - cached = list(self.GetCachedSids(Machine(attacker))) - - for victim in self.vertices: - if attacker == victim: - continue - - admins = list(Machine(victim).GetAdmins()) - - cached_admins = [i for i in cached if i in admins] - - if cached_admins: - relevant_users_list = self.ReprSidList(cached_admins, victim) - edges_list.append( - { - 'from': attacker, - 'to': victim, - 'users': relevant_users_list, - '_label': PassTheHashReport.__get_edge_label(attacker, victim), - 'id': str(uuid.uuid4()) - }) - - return edges_list - - @cache - def GetEdgesBySamHash(self): - edges = set() - - for attacker in self.vertices: - cached_creds = set(Machine(attacker).GetCachedCreds().items()) - - for victim in self.vertices: - if attacker == victim: - continue - - admin_creds = set(Machine(victim).GetLocalAdminCreds().items()) - - if len(cached_creds & admin_creds) > 0: - label = self.ReprSecretList(set(dict(cached_creds & admin_creds).values()), victim) - edges.add((attacker, victim, label)) - - return edges - - @cache - def GetEdgesByUsername(self): - edges = set() - - for attacker in self.vertices: - cached = Machine(attacker).GetCachedUsernames() - - for victim in self.vertices: - if attacker == victim: - continue - - admins = Machine(victim).GetAdminNames() - - if len(cached & admins) > 0: - edges.add((attacker, victim)) - - return edges - - @cache - def GetPossibleAttackCountBySid(self, sid): - return len(self.GetPossibleAttacksBySid(sid)) - - @cache - def GetPossibleAttacksByAttacker(self, attacker): - attacks = set() - - cached_creds = set(Machine(attacker).GetCachedCreds().items()) - - for victim in self.vertices: - if attacker == victim: - continue - - admin_creds = set(Machine(victim).GetLocalAdminCreds().items()) - - if len(cached_creds & admin_creds) > 0: - curr_attacks = dict(cached_creds & admin_creds) - attacks.add((attacker, victim, curr_attacks)) - - return attacks - - @cache - def GetPossibleAttacksBySid(self, sid): - attacks = set() - - for attacker in self.vertices: - tmp = self.GetPossibleAttacksByAttacker(attacker) - - for _, victim, curr_attacks in tmp: - for username, secret in curr_attacks.iteritems(): - if Machine(victim).GetSidByUsername(username) == sid: - attacks.add((attacker, victim)) - - return attacks - - @cache - def GetSecretBySid(self, sid): - for m in self.machines: - for user, user_secret in m.GetLocalSecrets().iteritems(): - if m.GetSidByUsername(user) == sid: - return user_secret - - return None - - @cache - def GetVictimCountBySid(self, sid): - return len(self.GetVictimsBySid(sid)) - - @cache - def GetVictimCountByMachine(self, attacker): - return len(self.GetVictimsByAttacker(attacker)) - - @cache - def GetAttackCountBySecret(self, secret): - return len(self.GetAttackersBySecret(secret)) - - @cache - def GetAllUsernames(self): - names = set() - - for sid in self.GetAllSids(): - names.add(self.GetUsernameBySid(sid)) - - return names - - @cache - def GetAllSids(self): - SIDs = set() - - for m in self.machines: - SIDs |= m.GetLocalSids() - - return SIDs - - @cache - def GetAllSecrets(self): - secrets = set() - - for m in self.machines: - for secret in m.GetLocalAdminSecrets(): - secrets.add(secret) - - return secrets - - @cache - def GetUsernameBySid(self, sid): - for m in self.machines: - username = m.GetUsernameBySid(sid) - - if username: - return username - - return None - - @cache - def GetSidInfo(self, sid): - for m in self.machines: - info = m.GetSidInfo(sid) - - if info: - return info - - return None - - @cache - def GetSidsBySecret(self, secret): - SIDs = set() - - for m in self.machines: - SIDs |= m.GetSidsBySecret(secret) - - return SIDs - - @cache - def GetAllDomainControllers(self): - DCs = set() - - for m in self.machines: - if m.IsDomainController(): - DCs.add(m) - - return DCs - - @cache - def GetSidsByUsername(self, username): - SIDs = set() - - for m in self.machines: - sid = m.GetSidByUsername(username) - if sid: - SIDs.add(sid) - - return SIDs - - @cache - def GetVictimsBySid(self, sid): - machines = set() - - for m in self.machines: - if sid in m.GetAdmins(): - machines.add(m) - - return machines - - @cache - def GetVictimsBySecret(self, secret): - machines = set() - - SIDs = self.GetSidsBySecret(secret) - - for m in self.machines: - if len(SIDs & m.GetAdmins()) > 0: - machines.add(m) - - return machines - - @cache - def GetAttackersBySecret(self, secret): - machines = set() - - for m in self.machines: - if secret in m.GetCachedSecrets(): - machines.add(m) - - return machines - - @cache - def GetAttackersByVictim(self, victim): - if type(victim) != unicode: - victim = victim.monkey_guid - - attackers = set() - - for edge in self.edges: - if edge.get('to', None) == victim: - attackers.add(edge.get('from', None)) - - return set(map(Machine, attackers)) - - @cache - def GetAttackersBySid(self, sid): - machines = set() - - for m in self.machines: - if sid in self.GetCachedSids(m): - machines.add(m) - - return machines - - @cache - def GetVictimsByAttacker(self, attacker): - if type(attacker) != unicode: - attacker = attacker.monkey_guid - - victims = set() - - for atck, vic, _ in self.edges: - if atck == attacker: - victims.add(vic) - - return set(map(Machine, victims)) - - @cache - def GetInPathCountByVictim(self, victim, already_processed=None): - if type(victim) != unicode: - victim = victim.monkey_guid - - if not already_processed: - already_processed = set([victim]) - - count = 0 - - for atck, vic, _ in self.edges: - if atck == vic: - continue - - if vic != victim: - continue - - if atck in already_processed: - continue - - count += 1 - - already_processed.add(atck) - count += self.GetInPathCountByVictim(atck, already_processed) - - return count - - @cache - def GetCritialServers(self): - machines = set() - - for m in self.machines: - if m.IsCriticalServer(): - machines.add(m) - - return machines - - @cache - def GetNonCritialServers(self): - return set(self.machines) - self.GetCritialServers() - - #@cache - def GetCachedSids(self, m): - sids = set() - tmp = m.GetCachedSids() - - for sid in tmp: - if sid.startswith("__USERNAME__"): - - s = self.GetSidsByUsername(sid[len("__USERNAME__"):]) - if len(s) == 1: - sids.add(s.pop()) - else: - sids.add(sid) - - else: - sids.add(sid) - - return sids - - @cache - def GetThreateningUsersByVictim(self, victim): - threatening_users = set() - - for attacker in self.GetAttackersByVictim(victim): - # For each attacker, get the cached users and check which of them is an admin on the victim - threatening_users |= (self.GetCachedSids(attacker) & victim.GetAdmins()) - - return threatening_users - - def GetSharedAdmins(self, m): - shared_admins = [] - - for other in self.machines: - if m == other: - continue - for sid in m.GetLocalAdminSids(): - if sid in other.GetLocalAdminSids(): - shared_admins.append(sid) - - #shared_admins |= (m.GetLocalAdminSids() & other.GetLocalAdminSids()) - - shared_admins = [admin for admin in shared_admins if admin not in list(m.GetDomainAdminsOfMachine())] - - return shared_admins diff --git a/monkey/monkey_island/cc/services/report.py b/monkey/monkey_island/cc/services/report.py index 304867495..f82f1518d 100644 --- a/monkey/monkey_island/cc/services/report.py +++ b/monkey/monkey_island/cc/services/report.py @@ -684,7 +684,6 @@ class ReportService: config_users = ReportService.get_config_users() config_passwords = ReportService.get_config_passwords() cross_segment_issues = ReportService.get_cross_segment_issues() - pth_report = PTHReportService.get_report() report = \ { @@ -717,8 +716,8 @@ class ReportService: }, 'pth': { - 'strong_users': pth_report['report_info']['strong_users_table'], - 'map': pth_report.get('pthmap'), + 'strong_users': PTHReportService.get_strong_users_on_crit_details(), + 'map': PTHReportService.get_pth_map(), } } From c208d0ebe80d32dff154637bf613faa95e95d0c3 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Thu, 18 Oct 2018 17:10:14 +0300 Subject: [PATCH 103/117] re-arranged the code and cleaned up a bit --- .../monkey_island/cc/resources/telemetry.py | 154 ++---------------- .../monkey_island/cc/services/group_info.py | 4 - monkey/monkey_island/cc/services/user_info.py | 2 + .../cc/services/wmi_info_handler.py | 148 +++++++++++++++++ 4 files changed, 162 insertions(+), 146 deletions(-) delete mode 100644 monkey/monkey_island/cc/services/group_info.py create mode 100644 monkey/monkey_island/cc/services/wmi_info_handler.py diff --git a/monkey/monkey_island/cc/resources/telemetry.py b/monkey/monkey_island/cc/resources/telemetry.py index 644fd6984..efd5e2414 100644 --- a/monkey/monkey_island/cc/resources/telemetry.py +++ b/monkey/monkey_island/cc/resources/telemetry.py @@ -1,5 +1,4 @@ import json -import traceback import logging import copy from datetime import datetime @@ -10,11 +9,12 @@ from flask import request from cc.auth import jwt_required from cc.database import mongo -from cc.services import user_info, group_info +from cc.services import user_info from cc.services.config import ConfigService from cc.services.edge import EdgeService from cc.services.node import NodeService from cc.encryptor import encryptor +from cc.services.wmi_info_handler import WMIHandler __author__ = 'Barak' @@ -188,147 +188,17 @@ class Telemetry(flask_restful.Resource): if 'mimikatz' in telemetry_json['data']: users_secrets = user_info.extract_secrets_from_mimikatz(telemetry_json['data'].get('mimikatz', '')) if 'wmi' in telemetry_json['data']: - info_for_mongo = {} - users_info = telemetry_json['data']['wmi']['Win32_UserAccount'] - groups_info = telemetry_json['data']['wmi']['Win32_Group'] - group_user_dict = telemetry_json['data']['wmi']['Win32_GroupUser'] - Telemetry.add_groups_to_collection(groups_info, info_for_mongo, monkey_id) - Telemetry.add_users_to_collection(users_info, info_for_mongo, users_secrets, monkey_id) - Telemetry.create_group_user_connection(info_for_mongo, group_user_dict) - for entity in info_for_mongo.values(): - if entity['machine_id']: - # Handling for local entities. - mongo.db.groupsandusers.update({'SID': entity['SID'], - 'machine_id': entity['machine_id']}, entity, upsert=True) - else: - # Handlings for domain entities. - if not mongo.db.groupsandusers.find_one({'SID': entity['SID']}): - mongo.db.groupsandusers.insert_one(entity) - else: - # if entity is domain entity, add the monkey id of current machine to secrets_location. - # (found on this machine) - if entity.get('NTLM_secret'): - mongo.db.groupsandusers.update_one({'SID': entity['SID'], 'type': 1}, - {'$addToSet': {'secret_location': monkey_id}}) - - Telemetry.add_admin(info_for_mongo[group_info.ADMINISTRATORS_GROUP_KNOWN_SID], monkey_id) - Telemetry.update_admins_retrospective(info_for_mongo) - Telemetry.update_critical_services(telemetry_json['data']['wmi']['Win32_Service'], - telemetry_json['data']['wmi']['Win32_Product'], - monkey_id) - - @staticmethod - def update_critical_services(wmi_services, wmi_products, machine_id): - critical_names = ("W3svc", "MSExchangeServiceHost", "MSSQLServer", "dns", 'MSSQL$SQLEXPRESS', 'SQL') - - services_names_list = [str(i['Name'])[2:-1] for i in wmi_services] - products_names_list = [str(i['Name'])[2:-2] for i in wmi_products] - - for name in critical_names: - if name in services_names_list or name in products_names_list: - logger.info('found a critical service') - mongo.db.monkey.update({'_id': machine_id}, {'$addToSet': {'critical_services': name}}) - - @staticmethod - def update_admins_retrospective(info_for_mongo): - for profile in info_for_mongo: - groups_from_mongo = mongo.db.groupsandusers.find({'SID': {'$in': info_for_mongo[profile]['member_of']}}, - {'admin_on_machines': 1}) - for group in groups_from_mongo: - if group['admin_on_machines']: - mongo.db.groupsandusers.update_one({'SID': info_for_mongo[profile]['SID']}, - {'$addToSet': {'admin_on_machines': { - '$each': group['admin_on_machines']}}}) - - @staticmethod - def add_admin(group, machine_id): - for sid in group['entities_list']: - mongo.db.groupsandusers.update_one({'SID': sid}, - {'$addToSet': {'admin_on_machines': machine_id}}) - entity_details = mongo.db.groupsandusers.find_one({'SID': sid}, - {'type': 1, 'entities_list': 1}) - if entity_details.get('type') == 2: - Telemetry.add_admin(entity_details, machine_id) - - @staticmethod - def add_groups_to_collection(groups_info, info_for_mongo, monkey_id): - for group in groups_info: - if not group.get('LocalAccount'): - base_entity = Telemetry.build_entity_document(group) - else: - base_entity = Telemetry.build_entity_document(group, monkey_id) - base_entity['entities_list'] = [] - base_entity['type'] = 2 - info_for_mongo[base_entity.get('SID')] = base_entity - - @staticmethod - def add_users_to_collection(users_info, info_for_mongo, users_secrets, monkey_id): - for user in users_info: - if not user.get('LocalAccount'): - base_entity = Telemetry.build_entity_document(user) - else: - base_entity = Telemetry.build_entity_document(user, monkey_id) - base_entity['NTLM_secret'] = users_secrets.get(base_entity['name'], {}).get('ntlm') - base_entity['SAM_secret'] = users_secrets.get(base_entity['name'], {}).get('sam') - base_entity['secret_location'] = [] - - base_entity['type'] = 1 - info_for_mongo[base_entity.get('SID')] = base_entity - - @staticmethod - def build_entity_document(entity_info, monkey_id=None): - general_properties_dict = { - 'SID': str(entity_info['SID'])[4:-1], - 'name': str(entity_info['Name'])[2:-1], - 'machine_id': monkey_id, - 'member_of': [], - 'admin_on_machines': [] - } - - if monkey_id: - general_properties_dict['domain_name'] = None - else: - general_properties_dict['domain_name'] = str(entity_info['Domain'])[2:-1] - - return general_properties_dict - - @staticmethod - def create_group_user_connection(info_for_mongo, group_user_list): - for group_user_couple in group_user_list: - group_part = group_user_couple['GroupComponent'] - child_part = group_user_couple['PartComponent'] - group_sid = str(group_part['SID'])[4:-1] - groups_entities_list = info_for_mongo[group_sid]['entities_list'] - child_sid = '' - - if type(child_part) in (unicode, str): - child_part = str(child_part) - if "cimv2:Win32_UserAccount" in child_part: - # domain user - domain_name = child_part.split('cimv2:Win32_UserAccount.Domain="')[1].split('",Name="')[0] - name = child_part.split('cimv2:Win32_UserAccount.Domain="')[1].split('",Name="')[1][:-2] - - if "cimv2:Win32_Group" in child_part: - # domain group - domain_name = child_part.split('cimv2:Win32_Group.Domain="')[1].split('",Name="')[0] - name = child_part.split('cimv2:Win32_Group.Domain="')[1].split('",Name="')[1][:-2] - - for entity in info_for_mongo: - if info_for_mongo[entity]['name'] == name and info_for_mongo[entity]['domain'] == domain_name: - child_sid = info_for_mongo[entity]['SID'] - else: - child_sid = str(child_part['SID'])[4:-1] - - if child_sid and child_sid not in groups_entities_list: - groups_entities_list.append(child_sid) - - if child_sid: #and info_for_mongo.get(child_sid, {}).get('type') == 1: - if child_sid in info_for_mongo: - info_for_mongo[child_sid]['member_of'].append(group_sid) - - -################################################################ + wmi_handler = WMIHandler(monkey_id, telemetry_json['data']['wmi'], users_secrets) + wmi_handler.add_groups_to_collection() + wmi_handler.add_users_to_collection() + wmi_handler.create_group_user_connection() + wmi_handler.insert_info_to_mongo() + wmi_handler.add_admin(wmi_handler.info_for_mongo[wmi_handler.ADMINISTRATORS_GROUP_KNOWN_SID], monkey_id) + wmi_handler.update_admins_retrospective() + wmi_handler.update_critical_services(telemetry_json['data']['wmi']['Win32_Service'], + telemetry_json['data']['wmi']['Win32_Product'], + monkey_id) @staticmethod def add_ip_to_ssh_keys(ip, ssh_info): diff --git a/monkey/monkey_island/cc/services/group_info.py b/monkey/monkey_island/cc/services/group_info.py deleted file mode 100644 index 5b4008ef6..000000000 --- a/monkey/monkey_island/cc/services/group_info.py +++ /dev/null @@ -1,4 +0,0 @@ - - -ADMINISTRATORS_GROUP_KNOWN_SID = '1-5-32-544' - diff --git a/monkey/monkey_island/cc/services/user_info.py b/monkey/monkey_island/cc/services/user_info.py index 9bbdb38cb..c69a011a6 100644 --- a/monkey/monkey_island/cc/services/user_info.py +++ b/monkey/monkey_island/cc/services/user_info.py @@ -41,3 +41,5 @@ def extract_secrets_from_mimikatz(mim_string): extract_ntlm_secrets(mim_string, users_dict) return users_dict + + diff --git a/monkey/monkey_island/cc/services/wmi_info_handler.py b/monkey/monkey_island/cc/services/wmi_info_handler.py new file mode 100644 index 000000000..133f4742a --- /dev/null +++ b/monkey/monkey_island/cc/services/wmi_info_handler.py @@ -0,0 +1,148 @@ +from cc.database import mongo + + +class WMIHandler: + + ADMINISTRATORS_GROUP_KNOWN_SID = '1-5-32-544' + + def __init__(self, monkey_id, wmi_info, user_secrets): + + self.monkey_id = monkey_id + self.info_for_mongo = {} + self.users_secrets = user_secrets + self.users_info = wmi_info['Win32_UserAccount'] + self.groups_info = wmi_info['Win32_Group'] + self.groups_and_users = wmi_info['Win32_GroupUser'] + + def process_and_handle(self): + + self.add_groups_to_collection() + self.add_users_to_collection() + self.create_group_user_connection() + self.add_admin(self.info_for_mongo[self.ADMINISTRATORS_GROUP_KNOWN_SID], self.monkey_id) + self.update_admins_retrospective() + self.insert_info_to_mongo() + + def update_critical_services(self, wmi_services, wmi_products, machine_id): + critical_names = ("W3svc", "MSExchangeServiceHost", "MSSQLServer", "dns", 'MSSQL$SQLEXPRESS', 'SQL') + + services_names_list = [str(i['Name'])[2:-1] for i in wmi_services] + products_names_list = [str(i['Name'])[2:-2] for i in wmi_products] + + for name in critical_names: + if name in services_names_list or name in products_names_list: + mongo.db.monkey.update({'_id': machine_id}, {'$addToSet': {'critical_services': name}}) + + def build_entity_document(self, entity_info, monkey_id=None): + general_properties_dict = { + 'SID': str(entity_info['SID'])[4:-1], + 'name': str(entity_info['Name'])[2:-1], + 'machine_id': monkey_id, + 'member_of': [], + 'admin_on_machines': [] + } + + if monkey_id: + general_properties_dict['domain_name'] = None + else: + general_properties_dict['domain_name'] = str(entity_info['Domain'])[2:-1] + + return general_properties_dict + + def add_users_to_collection(self): + for user in self.users_info: + if not user.get('LocalAccount'): + base_entity = self.build_entity_document(user) + else: + base_entity = self.build_entity_document(user, self.monkey_id) + base_entity['NTLM_secret'] = self.users_secrets.get(base_entity['name'], {}).get('ntlm') + base_entity['SAM_secret'] = self.users_secrets.get(base_entity['name'], {}).get('sam') + base_entity['secret_location'] = [] + + base_entity['type'] = 1 + self.info_for_mongo[base_entity.get('SID')] = base_entity + + def add_groups_to_collection(self): + for group in self.groups_info: + if not group.get('LocalAccount'): + base_entity = self.build_entity_document(group) + else: + base_entity = self.build_entity_document(group, self.monkey_id) + base_entity['entities_list'] = [] + base_entity['type'] = 2 + self.info_for_mongo[base_entity.get('SID')] = base_entity + + def create_group_user_connection(self): + for group_user_couple in self.groups_and_users: + group_part = group_user_couple['GroupComponent'] + child_part = group_user_couple['PartComponent'] + group_sid = str(group_part['SID'])[4:-1] + groups_entities_list = self.info_for_mongo[group_sid]['entities_list'] + child_sid = '' + + if type(child_part) in (unicode, str): + child_part = str(child_part) + name = None + domain_name = None + if "cimv2:Win32_UserAccount" in child_part: + # domain user + domain_name = child_part.split('cimv2:Win32_UserAccount.Domain="')[1].split('",Name="')[0] + name = child_part.split('cimv2:Win32_UserAccount.Domain="')[1].split('",Name="')[1][:-2] + + if "cimv2:Win32_Group" in child_part: + # domain group + domain_name = child_part.split('cimv2:Win32_Group.Domain="')[1].split('",Name="')[0] + name = child_part.split('cimv2:Win32_Group.Domain="')[1].split('",Name="')[1][:-2] + + for entity in self.info_for_mongo: + if self.info_for_mongo[entity]['name'] == name and \ + self.info_for_mongo[entity]['domain'] == domain_name: + child_sid = self.info_for_mongo[entity]['SID'] + else: + child_sid = str(child_part['SID'])[4:-1] + + if child_sid and child_sid not in groups_entities_list: + groups_entities_list.append(child_sid) + + if child_sid: + if child_sid in self.info_for_mongo: + self.info_for_mongo[child_sid]['member_of'].append(group_sid) + + def insert_info_to_mongo(self): + for entity in self.info_for_mongo.values(): + if entity['machine_id']: + # Handling for local entities. + mongo.db.groupsandusers.update({'SID': entity['SID'], + 'machine_id': entity['machine_id']}, entity, upsert=True) + else: + # Handlings for domain entities. + if not mongo.db.groupsandusers.find_one({'SID': entity['SID']}): + mongo.db.groupsandusers.insert_one(entity) + else: + # if entity is domain entity, add the monkey id of current machine to secrets_location. + # (found on this machine) + if entity.get('NTLM_secret'): + mongo.db.groupsandusers.update_one({'SID': entity['SID'], 'type': 1}, + {'$addToSet': {'secret_location': self.monkey_id}}) + + def update_admins_retrospective(self): + for profile in self.info_for_mongo: + groups_from_mongo = mongo.db.groupsandusers.find({ + 'SID': {'$in': self.info_for_mongo[profile]['member_of']}}, + {'admin_on_machines': 1}) + + for group in groups_from_mongo: + if group['admin_on_machines']: + mongo.db.groupsandusers.update_one({'SID': self.info_for_mongo[profile]['SID']}, + {'$addToSet': {'admin_on_machines': { + '$each': group['admin_on_machines']}}}) + + def add_admin(self, group, machine_id): + for sid in group['entities_list']: + mongo.db.groupsandusers.update_one({'SID': sid}, + {'$addToSet': {'admin_on_machines': machine_id}}) + entity_details = mongo.db.groupsandusers.find_one({'SID': sid}, + {'type': 1, 'entities_list': 1}) + if entity_details.get('type') == 2: + self.add_admin(entity_details, machine_id) + From 029c278a82ccd4013b883e8649766b7330cb35e7 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Thu, 18 Oct 2018 18:34:34 +0300 Subject: [PATCH 104/117] added png assets for the report --- .../cc/ui/src/images/nodes/pth/critical.png | Bin 0 -> 20067 bytes .../cc/ui/src/images/nodes/pth/normal.png | Bin 0 -> 19466 bytes 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 monkey/monkey_island/cc/ui/src/images/nodes/pth/critical.png create mode 100644 monkey/monkey_island/cc/ui/src/images/nodes/pth/normal.png diff --git a/monkey/monkey_island/cc/ui/src/images/nodes/pth/critical.png b/monkey/monkey_island/cc/ui/src/images/nodes/pth/critical.png new file mode 100644 index 0000000000000000000000000000000000000000..0348a7f5d312b0400da47f60a5f2d81682bd19a6 GIT binary patch literal 20067 zcmeHPYgm)Vww?eQs5P;&1Zq((7T8IMjpu7F01~l;o8)@Pde9S z2nU*cP0PB>11sqtJ_&y2%P^!bOz8@7XeY`+J*1he8-ri>8w22_IR5QYc!}rFmcR?` z*hnG4tN9Ae170UKvAp2Lyw3H8SL&xkL&7+O=Md5He@Gp*=M8F}rQt!#L|~+_NsJb= zUs$ZpcyS-6YLIiABY1HjDOXV8$kU5lz+mF@0VNN$+0X21$_)Ov#*TGk)bXas7rM(6 z<-LnQZmhbK9v`Mma6LBd-f@xUKeOggS-;1o~IhPc5-(EBXLDC@foNoL9$aY{`9RA~!3 zKGUVH48B>=0ky7nKG40ON|Po>GMBMVj9KNt#_5~;K8UIcWIZb*eEkzxLowIxbLQT3 zwa8XcK=6KhVv4It9}BV#AX8_9+4{f4;AOn#D<$lX(?@HmX$f7$AxYJ?hgGe(8~rm~ zol=_QIObFE1I@5sCrGbwJj*J43uJ+xvm|}`$_vg+AE;ZnQ5_LTTdA7uRk;J>w~D_KlpVJwCeBmW;)Yb+@66cAGu#{?b{J z%VqgbI+?hjp`Obdqf6Zo{ORWP@SC@q5*W6ZTi&~+RM4r~{|We(IN}ZExfb&*{snHi zwz9}6#JWlPvsUwF=u+!40t7TN_HIQz_sv*J?42b)jKGbiGK)gXXk~l%tR98;F%hYu zTjN>rZ;U!VVI2HCs7bzE&Mkj?!aH+jz)#w(Tf5VAsUHS!-y8!!nP2AlbT)SEkGpr{ z6#Pu}BKzL`ws!orZ$4k_9xEmA>)Ddo9|t`A68uc@25mLbF=6We-nmYSOi8vn`G9n& z2_oWK?FVP92YX&9v&7bpR~~r4WtQ81)VrQc`{?jlsiDBBcJ(OR8Fyn(UbneKmatnY z?ti@Z=vR6BaJ9MQBXeH);jgKohoJN~UGh(LuUz>pO5kBAt)#8~`BgNmti81iO4kq|6z()6bLpT z+`#>3R$@^g*nn6Rh(%%eKV1kmAlQIl1A+|*HhB5}s>DfwI4KY(1>&SI{6P!B1_T=r zY(TI9!3O{SN{=`&5(h@&!1(|A!00lo2W6rcTKHJkxItTSI;TYQ7Z&l2F7Z_|@f|kt zLdtEqjT1Vy?d|!sH+y{edRBZ!LX@Z;GK9oa2L`9(yp&lJ=Fgc0O~V4o zzW&Q_h5I-)#DF#j#`s?P+xP54r^7KoIzVfWF33pxJb#oOjMrRZxOl+Zx08g{VwoMxL z6}P;z^2*C98mN-0ORdk?+Q~US6t($d0DCjt+WKU;T$S-Tqyj-1wSiOkGJB|1v=x>gu*`}Aj20Gb)8{`UEApzt4exsI_-N})P9{1x@FhMo@1j=zV2{Rp(9J3AOz8c z)(_YVkELGV+Qtm0aLKadcx0M{Ead@!Dx-xTjkAY@gg75&$#KThl-3VI79KNBJ6bCl z*W`lSvY`Vv3n#KgRzJvl5~uI)spUmgId5+BiC)g)ziv8Ugsd)6wzU|WKD{D$?yeaf z4Ks1l+RPe9?~y)vb*s}PQ-=aFzg5c$Eg?%?&*E+$Sx=#F;pbIVSJ}vYLNiE>X_etF z$M2TQOMRj@v%;3}ug42IQo+AKklQ|}ZM?QSNQ%?!(zJemK8CEREz*#iE@sU|Xv-@p zQ)Y<9D6>?q%o!b!;Akzb!lJ{_el4GJ}IXDqxOMc|q#?>(% zwJ{z~OsdH-G2{aS=S425>+ea<(lYgKXEwNm*z=A#F03%2ROvjzi;^`vpB{hKcxd+y zDJ?w6bimfkn69|)p3!=hR98Gk)0t^?B-Ol!!h9)H`8Oa(x?pPi_A2L7U0;&?7DveijL2upA|o}eV-$MM5_%H5|3s&b=3ca*qjzh5(izN zc^H{OojF=m&Et7QO-m$SQjw7+PB%s@$r8j=W`pMh4RrW03uP)24!)8iuD7CA7CvQw zNl8`KbCG7>ObH6BQWZX?PoPFBd~oPK>&@^$%qY-dYXbe76mTEWcl7VX={b-)SF4YO zpc4n3g`TgLQJ04w^xPhP%o9bgz|{pkEkWwp{>Q|=`Kmp=7C>1J#U1hVuK^{|$z%tU zdS2MC7rN>#mkV@A;kyP##8i>rrq`2d_P;7IEjsG|4KlEb{#`|Ff9l7c<$o9n(*y$B z-+MDW5s!~YnI@Q0nGJev60Y#@R;eVS97k^-ZWaT`Z>q=vfV|MH;3BLb_Nm3DR4=1a z01+$QD5WDs=PU`jFAMjsV+Rc#83I|EUVjJA#5EdX#<9GT+byJf^=aY_7={e_?DzA@ zr=BnJGH#%)Mw(>MB3s@+a9+M9Y#eE5yh@dyBu$I}s#!-N6=evJdlJk;F!G&A&K<1PZuQp89-an^7vj+XpQR#~0y91??Un?H zrDh0wiAw6$1}5)*MYs`Qt~TM>oPuk+6C?LarieFI3D-+!BSkG%x;)(2T2)gulqU4{ zh)c8DJGQYiXZ&)#C&pZdhvpC2{+ilqx8;BFG`839 zE!x=2s!2%GadasPzi%N0IawX0T@rusWGOp$U~qVB1=zW_mQmjW7h7$Hx!^4W-Kf6Q z_ns^!YnEc)mWZI z3)}lE=qtyaHk~h-Adax&EN5xXNe}b_1T_$^x^7_8J{<_B#wQgB`Ho(&dMNfNOBpo~ zJSyy696xzrv7`|H)xYMwruYX$b227gy+D7RGjxF$M`Et7n!7<7ixefGZ>%i5s1@f| z2eYpr+7m-YgL)oG8~_HAW(ua5(rB8CZe7OfyrR3Qxm9fKe^?lxrj;LU4g*{Gv`Zu z#X+4fEgk}xU@zw-ecrtXu$Gnffb@KqA)^tiMFl#sT`r?e!9$&hhf2qTkFBn0bzbGo zAn~|b%cY#jp6GYb%lVVu^WFmssq6f}X)n#p%G_!^5F4ff`BS^51KcUy?X@H@m*~;W zBtgGJyVXn6uwV6KujO?V2TW%hr6L#L-J86Sz8sbOBvZ}7ql?5CsRE4=%u|6;|GgUFXm8aQY(Y=t=)s9qLA20n&i+(bSfoR^5DY#l*5gs?RfV~ri?Z}e; z1y4+VV}Rm#0(}NJw=E7wM=-G3ju)^Q>#SRxpmbx4;Tt%VOC3y5x!@7fR^ zgZN!qi!>*JKZ~{tF;}y^{us|m>5Mc$Xwdm)bF}Na+^G@{hy=M6j!ylRoHG=ZG*c+N zqda8G9?Om`n;$U_`A4$6cyv?uyX|)p)qgl;_%Jc8y~{(fbZ_Z=leycjJ{W|;E^xiC z&T79Rgbf6zReorMxSs16FzaFS9f;sqvzD%r!4=a@LLY&ALs^kTp&sV}yRJrwCiyi4ls@k6^Xrh9?hz*z*adrP;qC>iKa zj7)*K*a45H5KLBJc3v|){(!OKO{MV!Jg#1*d9-&M~ExRGIAVnHeTd6{$~>L9&orE zU(r$gpV?9|ij%q+rO5a-e~p9hDTcF0`9#iwhkntB7lkJd7F9!?--G9O!Sudhdbjte z7~e6ZAt9m@?R*c#5i34d3|jP&7V~Jd5GE}FP}KtK=oxV4QvWC{BPsTCyU*4(B#lr1%~i+-Te(wQfoBfhc+t<|2y}-h9ADvn4^18b zO2=}Rz?CVY!8XQuh|g9BpBqd{UdHmWEi`@l9M+C3wcyBWC<33jPU4e0x(iMX)PdPc zsTN!ZS@~dgSDc3ev(ek_C+^a}#8;akxJa)z-WL~5D!_<+l?E&zUgpGj-e&lZxs1g6zizpG1u?dc`dlNoe>A2K! zne&R+>~9eAO7h&WZaXcs@9C}^%-8-canAIdHz5nxUs!+Tzy7@Ti(8DpBk|#mWBD6` zW=>vqb=9&vW=p=Faqqiz3$V7cb9{5QdlEP9nz7mYp5^A|NzsqyZa25No6@LQ?`uCN z*XW-Iyl)366+L8`miFfg@vna>8ycL)I;P0(53yRTYuYqF<5;6$F+#zI-QZvLid6lN z-Ua$7&`*T_>|9WzdSj*T75AU(_NvF*k?pi4Fqp0485Z%vf&`-GjmyxIw$E$Wy$zI z2cIocFEB(%!faRk8pEaUZBt7~sWlbbw1=~7$@b!aM%OPvnN1#RSLfEOO{&j2oa1O^ zO5;-X;!V|M<6Awo#n4P6j@J!djdVVwT4T+TQlN#viNTF`lr6r?u;92~ zW6k!-a1CM>7GZh|uvpAZ=@aQe=*L$>KI#nJ##(=1aWa^$;v;UgA_OzAO z1W?IX^4>PPE{{0=t)w?$tB6d%X!DML-f^AK;pZ~wgtu`4B%zYjcaCz1(Bb9sHei-E za}i)2zwvykm-k(u#KiGANzJa@(XblOA6}~vWDUhPb(*%!w**t*}3T*u6PvQKR60kZCLnSde!Tpl!7+t}%#o)t~i zlMAKAg*Go<|HRR4Lfn%=+5#f{t-pUj#^N7KYO-~?S#U`jS~v(h}+?j(9AEq zYa=bTbD4N*)IaGxLHJh`l!U3yJE{7eHLU{39BK0N;$gb<;?NTXr!3&au?pKa^UNz6 z-4@Z+0UC``u-r3!p=VM;yXJ&qa*6HR8^!Y{TH}}gvd}ZV`Hwq$w#=gL2%N?V>A9S~ z`m6^K_r3^Uo_}03;3mXj}qQ&!kxZSI$sh4cwYpEvcZkbbe$Z$0!o zq<^>HWR8)OH+R_m*Z3I40JAyVZYU)_<_q zZ$0$4H1wBA^jC9q*P!&rzWQU||A1p(#cHn70ndCa8_h)Cqdz(+OK{pYr}6Yr)+Cfx z8pHCS8@1~1dFt<<^vQ0sOlyP0gRJa9}594zrXd* zT=MaXfBgF^{?w0G`~_dWyVKto=B2W|akQo=>1^1F_fSjjhe81H%J&d?(+8^TZKQ;O zi5h|>?Ih(FkzpzRx>AOhBca3{x@1s4lJ}wFL35<*j;EL95i!I`b>$}o;)@g2D;;hwFI?9UV}X!=%=M&V3qOwl*ef46`Wi ztjM+%T_(ChoafvnuF8%aV<;xE8Wf8}O-xhwBT%(drzsg+(BPu0(edC_4eX8N9$HY_ zRoeVrP#tu&O9ax*ABnY2eL=%4f8<>LCL9x4X$={h(nLU}jUXfol9ID=`0*cDbBWSwuBCm`By z6(){fl~+JzR29KcLMUHawJ-1zduX)lBR0F-UR@HAh<)&KZ_fw_+yw%cMfoagYNUo2 z8}OS1I3#>})D0c?O>M0Bsn(Q`E!*+|E8=G4TAjg#*l!lDju9ASXD}Co_8A-$9OmFb z<_Df-$I}_gOoZNUvBpvu<)2j@0BlIv-b2MA{u^qyJc_a!M2#{NM7c;X1PoOr1|9|s+`9k?P9*2;7uIjFNh5mZAf{8Jm|I$F+SA8*MQ&p?vd z(8ubifyCFvCKzJ9*i*0=376@FHa8CGygS|S;ec!X$sVc^;#Y$KuI2rey}L2kvjg?= z3M`D4HMTfAh*rHfkd1C@wktz0sL072^Tfx2=(^N?Eea85GXoI&HIyGKd_@mRYX%LL zzAkN)nITFDs3t`{N^B|~Mfa5jautXR0C8zS37sT+5-QdBDj6USToxGM^%md|;$``x4Fo6RpJ=95vp9Lm{I1t2N+7r>O;WJILDTv|%dTs|% zI@e5KS@JaoDA)(|CNzK=SWSW>Co{VV24lXeM2B_4%`fwI2l`9lS%wUZ=sLeDW- zh|Q>-hi>_$-oG^^b*iuv{Hq2b91KPM0RDZ5f<*yW#q&_OE9j^U3h!KIzY?_!D&%Vn(VNA<>L(Jd=ssvAnj&1q zxI{e3Oas-x9v>B#*jGE>fO4oMSG)j)MHzR|W>7w|D0@%4VSA z&&@Hfu5av)sgYtSWw-Lgi&6MyYi$2_<+()vPS(vb)REFhef7J1jS-B?M8l;@~L;M=qvX7#ts&CG-$V;O%X9G4UqqmI*fj}L@SH!@D{S2nkhi+)gY~|aMANckQ}^#xlFyKYN7f#1~DcYjGiB}G6Pugn|#eABnJ=Sxt1qx zP1Rw;ypLF6Mp}No$|++STNSOUO0rdFVUTW`)fLn}du)|zB6RETmD520bRJ)5nMVH9 z5=h_fYLb0|9zv2&z7a%ZQUW)iw-tDA!9KJW=3~Eac>-~b{XB%LE$yLBMYJ;TW=>Ss zXm11tLt9e)mAVLn(ky{_yMwiCwxtD|BmMLv;ex1ET3&Mh?lDC3;EB2W8f9})|6OoX z+O>_(%B@n3g>LdTxoQ%sEC#U)q8`yi#WX}*N%jUnOl5PTRW5W-Wt9OcAs7-Wg6x?swO26x1ll)$!8C7+zeB_XvX_90)#lRmn8L2RqZ0Y`P;qD!)+EZelpEz!t}!x7Q3dX@Su z2H_zKKe%Cel;vzc8>OX!o9Recm+HnYE!Zoynj$h1K6}wBR{=LHQ-s2xg-ls-AR@*x z$x5{WBJHroUi5dEE?#YKiPA2}yag=aKI+C^QLsq55i*4r@PDVur28sAHAEy^&~?r7 zu+#0pCCFx9*eRwlhMhJ+Z6xJRF$3COZmxJ8lH^D&B+*fcv@4ae-RBVPVvK<5lPh*Z zk_8hDakSdn`54M1u7`kwgzop|30s?`{lhi$G5vg%QcgEP$s541%?{?`7539nT7}H> z17U&Ef|WPkJ6IuV$#DHXO+7HE-4q1Y1hmUK6{<5#D_LrvtWH7QqoNObE9nNPWjY7l z^2L|BRwQp6%kMt8h;hjPRu@(PPvF!pK9`-TF~KLcqB>tia#Ry|+=LyZOr!_7XiI?=$%z}It=H!zn*o7!_foXm3K{+=x`4U#h7|4)Q z%}^{XI9Wc7pEcE8&t^iV;BH|FP&kaw!r^Jkl0iQ!{8dB|kMBv`se~!J0u0`c&u(Y^ z{<(ZgvRbf)*<(0&eXE25cb)+#F|Ay^zK*GUBNvScw)_>t6!QIi!_gUnSFkc`#i* zG8Ne@GRMR=b6%9za26xt!iKyLgx{zhT9b$v$-KCw7|9M$@tflE>Ip_^I9B*io%}wx z_|bk4fA5YVd)E;+_S|;Pi~cTCggbK36y1WMcIM&!=&G54Y^EE}K(RVa(fIT46q$dH zIyPBjJD!kMa&SJ7K&-tH|1`MaCgVGEd=~0IK{$&jc3`pIkiW+x5CmTDh9WdwQ;iYk zOoY(Gi0V%(Ey}7*+LLJ~9Q}mRfvvJ*`0;Kd@{v8hIR$EBFR2g;|`g zMCwC>K8_?0klm`;GA47xgzvP*60?;iYWZN+OVTEcgw(1bRjpL3vFx1_+29*_{824w z22A`uS>wL^4{2h_u&*+)o6*3?#R@~(G&YP_CEW5ngNXGx#8oFO}EZ$#sHuKtbgPN?$4hooAf4r$d?kNTWKl*0r= nc#$QP>VN)j7jSXfpS8Hwy{`*XyZtg?5Rm7_EgOo~hyVEBe}7>m literal 0 HcmV?d00001 From d02b9c25387d13b27704fb29e9978556df20dac5 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Mon, 22 Oct 2018 17:16:58 +0300 Subject: [PATCH 105/117] small bug fix --- monkey/monkey_island/cc/services/wmi_info_handler.py | 1 + 1 file changed, 1 insertion(+) diff --git a/monkey/monkey_island/cc/services/wmi_info_handler.py b/monkey/monkey_island/cc/services/wmi_info_handler.py index 133f4742a..b4b12c7a3 100644 --- a/monkey/monkey_island/cc/services/wmi_info_handler.py +++ b/monkey/monkey_island/cc/services/wmi_info_handler.py @@ -25,6 +25,7 @@ class WMIHandler: def update_critical_services(self, wmi_services, wmi_products, machine_id): critical_names = ("W3svc", "MSExchangeServiceHost", "MSSQLServer", "dns", 'MSSQL$SQLEXPRESS', 'SQL') + mongo.db.monkey.update({'_id': machine_id}, {'$set': {'critical_services': []}}) services_names_list = [str(i['Name'])[2:-1] for i in wmi_services] products_names_list = [str(i['Name'])[2:-2] for i in wmi_products] From 17b344f62f4c141667f0b49c3557e32fec1fe4dc Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Thu, 25 Oct 2018 14:17:31 +0300 Subject: [PATCH 106/117] 99% done with RCR, not yet been tested. --- monkey/common/utils/__init__.py | 0 monkey/common/utils/mongo_utils.py | 83 ++++++ monkey/common/utils/reg_utils.py | 25 ++ monkey/common/utils/wmi_utils.py | 27 ++ .../system_info/mimikatz_collector.py | 1 + .../system_info/windows_info_collector.py | 147 +--------- .../system_info/wmi_consts.py | 32 +++ .../cc/island_logger_default_config.json | 2 +- .../monkey_island/cc/resources/telemetry.py | 14 +- monkey/monkey_island/cc/services/node.py | 4 + .../monkey_island/cc/services/pth_report.py | 258 +++++++++--------- monkey/monkey_island/cc/services/report.py | 25 +- monkey/monkey_island/cc/services/user_info.py | 69 ++--- .../cc/services/wmi_info_handler.py | 21 +- .../cc/ui/src/components/Main.js | 1 - .../cc/ui/src/components/pages/ReportPage.js | 13 +- .../report-components/SharedAdmins.js | 42 --- .../report-components/SharedCreds.js | 41 --- 18 files changed, 375 insertions(+), 430 deletions(-) create mode 100644 monkey/common/utils/__init__.py create mode 100644 monkey/common/utils/mongo_utils.py create mode 100644 monkey/common/utils/reg_utils.py create mode 100644 monkey/common/utils/wmi_utils.py create mode 100644 monkey/infection_monkey/system_info/wmi_consts.py delete mode 100644 monkey/monkey_island/cc/ui/src/components/report-components/SharedAdmins.js delete mode 100644 monkey/monkey_island/cc/ui/src/components/report-components/SharedCreds.js diff --git a/monkey/common/utils/__init__.py b/monkey/common/utils/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/monkey/common/utils/mongo_utils.py b/monkey/common/utils/mongo_utils.py new file mode 100644 index 000000000..7524a545e --- /dev/null +++ b/monkey/common/utils/mongo_utils.py @@ -0,0 +1,83 @@ +import wmi +import win32com + +__author__ = 'maor.rayzin' + + +class MongoUtils: + + def __init__(self): + # Static class + pass + + @staticmethod + def fix_obj_for_mongo(o): + if type(o) == dict: + return dict([(k, MongoUtils.fix_obj_for_mongo(v)) for k, v in o.iteritems()]) + + elif type(o) in (list, tuple): + return [MongoUtils.fix_obj_for_mongo(i) for i in o] + + elif type(o) in (int, float, bool): + return o + + elif type(o) in (str, unicode): + # mongo dosn't like unprintable chars, so we use repr :/ + return repr(o) + + elif hasattr(o, "__class__") and o.__class__ == wmi._wmi_object: + return MongoUtils.fix_wmi_obj_for_mongo(o) + + elif hasattr(o, "__class__") and o.__class__ == win32com.client.CDispatch: + try: + # objectSid property of ds_user is problematic and need thie special treatment. + # ISWbemObjectEx interface. Class Uint8Array ? + if str(o._oleobj_.GetTypeInfo().GetTypeAttr().iid) == "{269AD56A-8A67-4129-BC8C-0506DCFE9880}": + return o.Value + except: + pass + + try: + return o.GetObjectText_() + except: + pass + + return repr(o) + + else: + return repr(o) + + @staticmethod + def fix_wmi_obj_for_mongo(o): + row = {} + + for prop in o.properties: + try: + value = getattr(o, prop) + except wmi.x_wmi: + # This happens in Win32_GroupUser when the user is a domain user. + # For some reason, the wmi query for PartComponent fails. This table + # is actually contains references to Win32_UserAccount and Win32_Group. + # so instead of reading the content to the Win32_UserAccount, we store + # only the id of the row in that table, and get all the other information + # from that table while analyzing the data. + value = o.properties[prop].value + + row[prop] = MongoUtils.fix_obj_for_mongo(value) + + for method_name in o.methods: + if not method_name.startswith("GetOwner"): + continue + + method = getattr(o, method_name) + + try: + value = method() + value = MongoUtils.fix_obj_for_mongo(value) + row[method_name[3:]] = value + + except wmi.x_wmi: + continue + + return row + diff --git a/monkey/common/utils/reg_utils.py b/monkey/common/utils/reg_utils.py new file mode 100644 index 000000000..1e6c297b3 --- /dev/null +++ b/monkey/common/utils/reg_utils.py @@ -0,0 +1,25 @@ +import _winreg + +from common.utils.mongo_utils import MongoUtils + +__author__ = 'maor.rayzin' + + +class RegUtils: + + def __init__(self): + # Static class + pass + + @staticmethod + def get_reg_key(subkey_path, store=_winreg.HKEY_LOCAL_MACHINE): + key = _winreg.ConnectRegistry(None, store) + subkey = _winreg.OpenKey(key, subkey_path) + + d = dict([_winreg.EnumValue(subkey, i)[:2] for i in xrange(_winreg.QueryInfoKey(subkey)[0])]) + d = MongoUtils.fix_obj_for_mongo(d) + + subkey.Close() + key.Close() + + return d diff --git a/monkey/common/utils/wmi_utils.py b/monkey/common/utils/wmi_utils.py new file mode 100644 index 000000000..7b1dae455 --- /dev/null +++ b/monkey/common/utils/wmi_utils.py @@ -0,0 +1,27 @@ +import wmi + +from mongo_utils import MongoUtils + +__author__ = 'maor.rayzin' + + +class WMIUtils: + + def __init__(self): + # Static class + pass + + @staticmethod + def get_wmi_class(class_name, moniker="//./root/cimv2", properties=None): + _wmi = wmi.WMI(moniker=moniker) + + try: + if not properties: + wmi_class = getattr(_wmi, class_name)() + else: + wmi_class = getattr(_wmi, class_name)(properties) + + except wmi.x_wmi: + return + + return MongoUtils.fix_obj_for_mongo(wmi_class) diff --git a/monkey/infection_monkey/system_info/mimikatz_collector.py b/monkey/infection_monkey/system_info/mimikatz_collector.py index 1d8294ce5..4ef764251 100644 --- a/monkey/infection_monkey/system_info/mimikatz_collector.py +++ b/monkey/infection_monkey/system_info/mimikatz_collector.py @@ -57,6 +57,7 @@ class MimikatzCollector(object): Gets the logon info from mimikatz. Returns a dictionary of users with their known credentials. """ + LOG.info('Getting mimikatz logon information') if not self._isInit: return {} LOG.debug("Running mimikatz collector") diff --git a/monkey/infection_monkey/system_info/windows_info_collector.py b/monkey/infection_monkey/system_info/windows_info_collector.py index 8479fcf7f..abf0771fa 100644 --- a/monkey/infection_monkey/system_info/windows_info_collector.py +++ b/monkey/infection_monkey/system_info/windows_info_collector.py @@ -1,125 +1,20 @@ import os import logging - import sys -sys.coinit_flags = 0 # needed for proper destruction of the wmi python module -import wmi -import win32com -import _winreg -from mimikatz_collector import MimikatzCollector -from . import InfoCollector +sys.coinit_flags = 0 # needed for proper destruction of the wmi python module + import infection_monkey.config from infection_monkey.system_info.mimikatz_collector import MimikatzCollector from infection_monkey.system_info import InfoCollector +from infection_monkey.system_info.wmi_consts import WMI_CLASSES +from common.utils.wmi_utils import WMIUtils LOG = logging.getLogger(__name__) LOG.info('started windows info collector') __author__ = 'uri' -WMI_CLASSES = {"Win32_OperatingSystem", "Win32_ComputerSystem", "Win32_LoggedOnUser", "Win32_UserAccount", - "Win32_UserProfile", "Win32_Group", "Win32_GroupUser", "Win32_Product", "Win32_Service", - "Win32_OptionalFeature"} - -# These wmi queries are able to return data about all the users & machines in the domain. -# For these queries to work, the monkey shohuld be run on a domain machine and -# -# monkey should run as *** SYSTEM *** !!! -# -WMI_LDAP_CLASSES = {"ds_user": ("DS_sAMAccountName", "DS_userPrincipalName", - "DS_sAMAccountType", "ADSIPath", "DS_userAccountControl", - "DS_objectSid", "DS_objectClass", "DS_memberOf", - "DS_primaryGroupID", "DS_pwdLastSet", "DS_badPasswordTime", - "DS_badPwdCount", "DS_lastLogon", "DS_lastLogonTimestamp", - "DS_lastLogoff", "DS_logonCount", "DS_accountExpires"), - - "ds_group": ("DS_whenChanged", "DS_whenCreated", "DS_sAMAccountName", - "DS_sAMAccountType", "DS_objectSid", "DS_objectClass", - "DS_name", "DS_memberOf", "DS_member", "DS_instanceType", - "DS_cn", "DS_description", "DS_distinguishedName", "ADSIPath"), - - "ds_computer": ("DS_dNSHostName", "ADSIPath", "DS_accountExpires", - "DS_adminDisplayName", "DS_badPasswordTime", - "DS_badPwdCount", "DS_cn", "DS_distinguishedName", - "DS_instanceType", "DS_lastLogoff", "DS_lastLogon", - "DS_lastLogonTimestamp", "DS_logonCount", "DS_objectClass", - "DS_objectSid", "DS_operatingSystem", "DS_operatingSystemVersion", - "DS_primaryGroupID", "DS_pwdLastSet", "DS_sAMAccountName", - "DS_sAMAccountType", "DS_servicePrincipalName", "DS_userAccountControl", - "DS_whenChanged", "DS_whenCreated"), - } - - -def fix_obj_for_mongo(o): - if type(o) == dict: - return dict([(k, fix_obj_for_mongo(v)) for k, v in o.iteritems()]) - - elif type(o) in (list, tuple): - return [fix_obj_for_mongo(i) for i in o] - - elif type(o) in (int, float, bool): - return o - - elif type(o) in (str, unicode): - # mongo dosn't like unprintable chars, so we use repr :/ - return repr(o) - - elif hasattr(o, "__class__") and o.__class__ == wmi._wmi_object: - return fix_wmi_obj_for_mongo(o) - - elif hasattr(o, "__class__") and o.__class__ == win32com.client.CDispatch: - try: - # objectSid property of ds_user is problematic and need thie special treatment. - # ISWbemObjectEx interface. Class Uint8Array ? - if str(o._oleobj_.GetTypeInfo().GetTypeAttr().iid) == "{269AD56A-8A67-4129-BC8C-0506DCFE9880}": - return o.Value - except: - pass - - try: - return o.GetObjectText_() - except: - pass - - return repr(o) - - else: - return repr(o) - -def fix_wmi_obj_for_mongo(o): - row = {} - - for prop in o.properties: - try: - value = getattr(o, prop) - except wmi.x_wmi: - # This happens in Win32_GroupUser when the user is a domain user. - # For some reason, the wmi query for PartComponent fails. This table - # is actually contains references to Win32_UserAccount and Win32_Group. - # so instead of reading the content to the Win32_UserAccount, we store - # only the id of the row in that table, and get all the other information - # from that table while analyzing the data. - value = o.properties[prop].value - - row[prop] = fix_obj_for_mongo(value) - - for method_name in o.methods: - if not method_name.startswith("GetOwner"): - continue - - method = getattr(o, method_name) - - try: - value = method() - value = fix_obj_for_mongo(value) - row[method_name[3:]] = value - - except wmi.x_wmi: - continue - - return row - class WindowsInfoCollector(InfoCollector): """ @@ -147,8 +42,8 @@ class WindowsInfoCollector(InfoCollector): self.get_wmi_info() LOG.debug('finished get_wmi_info') - #self.get_reg_key(r"SYSTEM\CurrentControlSet\Control\Lsa") self.get_installed_packages() + LOG.debug('Got installed packages') mimikatz_collector = MimikatzCollector() mimikatz_info = mimikatz_collector.get_logon_info() @@ -156,39 +51,17 @@ class WindowsInfoCollector(InfoCollector): if "credentials" in self.info: self.info["credentials"].update(mimikatz_info) self.info["mimikatz"] = mimikatz_collector.get_mimikatz_text() + else: + LOG.info('No mimikatz info was gathered') return self.info def get_installed_packages(self): + LOG.info('getting installed packages') self.info["installed_packages"] = os.popen("dism /online /get-packages").read() self.info["installed_features"] = os.popen("dism /online /get-features").read() def get_wmi_info(self): + LOG.info('getting wmi info') for wmi_class_name in WMI_CLASSES: - self.info['wmi'][wmi_class_name] = self.get_wmi_class(wmi_class_name) - - def get_wmi_class(self, class_name, moniker="//./root/cimv2", properties=None): - _wmi = wmi.WMI(moniker=moniker) - - try: - if not properties: - wmi_class = getattr(_wmi, class_name)() - else: - wmi_class = getattr(_wmi, class_name)(properties) - - except wmi.x_wmi: - return - - return fix_obj_for_mongo(wmi_class) - - def get_reg_key(self, subkey_path, store=_winreg.HKEY_LOCAL_MACHINE): - key = _winreg.ConnectRegistry(None, store) - subkey = _winreg.OpenKey(key, subkey_path) - - d = dict([_winreg.EnumValue(subkey, i)[:2] for i in xrange(_winreg.QueryInfoKey(subkey)[0])]) - d = fix_obj_for_mongo(d) - - self.info['reg'][subkey_path] = d - - subkey.Close() - key.Close() + self.info['wmi'][wmi_class_name] = WMIUtils.get_wmi_class(wmi_class_name) diff --git a/monkey/infection_monkey/system_info/wmi_consts.py b/monkey/infection_monkey/system_info/wmi_consts.py new file mode 100644 index 000000000..a87e297d9 --- /dev/null +++ b/monkey/infection_monkey/system_info/wmi_consts.py @@ -0,0 +1,32 @@ +WMI_CLASSES = {"Win32_OperatingSystem", "Win32_ComputerSystem", "Win32_LoggedOnUser", "Win32_UserAccount", + "Win32_UserProfile", "Win32_Group", "Win32_GroupUser", "Win32_Product", "Win32_Service", + "Win32_OptionalFeature"} + +# These wmi queries are able to return data about all the users & machines in the domain. +# For these queries to work, the monkey should be run on a domain machine and +# +# monkey should run as *** SYSTEM *** !!! +# +WMI_LDAP_CLASSES = {"ds_user": ("DS_sAMAccountName", "DS_userPrincipalName", + "DS_sAMAccountType", "ADSIPath", "DS_userAccountControl", + "DS_objectSid", "DS_objectClass", "DS_memberOf", + "DS_primaryGroupID", "DS_pwdLastSet", "DS_badPasswordTime", + "DS_badPwdCount", "DS_lastLogon", "DS_lastLogonTimestamp", + "DS_lastLogoff", "DS_logonCount", "DS_accountExpires"), + + "ds_group": ("DS_whenChanged", "DS_whenCreated", "DS_sAMAccountName", + "DS_sAMAccountType", "DS_objectSid", "DS_objectClass", + "DS_name", "DS_memberOf", "DS_member", "DS_instanceType", + "DS_cn", "DS_description", "DS_distinguishedName", "ADSIPath"), + + "ds_computer": ("DS_dNSHostName", "ADSIPath", "DS_accountExpires", + "DS_adminDisplayName", "DS_badPasswordTime", + "DS_badPwdCount", "DS_cn", "DS_distinguishedName", + "DS_instanceType", "DS_lastLogoff", "DS_lastLogon", + "DS_lastLogonTimestamp", "DS_logonCount", "DS_objectClass", + "DS_objectSid", "DS_operatingSystem", "DS_operatingSystemVersion", + "DS_primaryGroupID", "DS_pwdLastSet", "DS_sAMAccountName", + "DS_sAMAccountType", "DS_servicePrincipalName", "DS_userAccountControl", + "DS_whenChanged", "DS_whenCreated"), + } + diff --git a/monkey/monkey_island/cc/island_logger_default_config.json b/monkey/monkey_island/cc/island_logger_default_config.json index 7c2886410..34a57b374 100644 --- a/monkey/monkey_island/cc/island_logger_default_config.json +++ b/monkey/monkey_island/cc/island_logger_default_config.json @@ -17,7 +17,7 @@ "info_file_handler": { "class": "logging.handlers.RotatingFileHandler", - "level": "DEBUG", + "level": "INFO", "formatter": "simple", "filename": "info.log", "maxBytes": 10485760, diff --git a/monkey/monkey_island/cc/resources/telemetry.py b/monkey/monkey_island/cc/resources/telemetry.py index efd5e2414..1680f7664 100644 --- a/monkey/monkey_island/cc/resources/telemetry.py +++ b/monkey/monkey_island/cc/resources/telemetry.py @@ -186,19 +186,11 @@ class Telemetry(flask_restful.Resource): Telemetry.add_system_info_creds_to_config(creds) Telemetry.replace_user_dot_with_comma(creds) if 'mimikatz' in telemetry_json['data']: - users_secrets = user_info.extract_secrets_from_mimikatz(telemetry_json['data'].get('mimikatz', '')) + users_secrets = user_info.MimikatzSecrets.\ + extract_secrets_from_mimikatz(telemetry_json['data'].get('mimikatz', '')) if 'wmi' in telemetry_json['data']: wmi_handler = WMIHandler(monkey_id, telemetry_json['data']['wmi'], users_secrets) - wmi_handler.add_groups_to_collection() - wmi_handler.add_users_to_collection() - wmi_handler.create_group_user_connection() - wmi_handler.insert_info_to_mongo() - - wmi_handler.add_admin(wmi_handler.info_for_mongo[wmi_handler.ADMINISTRATORS_GROUP_KNOWN_SID], monkey_id) - wmi_handler.update_admins_retrospective() - wmi_handler.update_critical_services(telemetry_json['data']['wmi']['Win32_Service'], - telemetry_json['data']['wmi']['Win32_Product'], - monkey_id) + wmi_handler.process_and_handle_wmi_info() @staticmethod def add_ip_to_ssh_keys(ip, ssh_info): diff --git a/monkey/monkey_island/cc/services/node.py b/monkey/monkey_island/cc/services/node.py index 371eefb5a..87b2a1aec 100644 --- a/monkey/monkey_island/cc/services/node.py +++ b/monkey/monkey_island/cc/services/node.py @@ -325,3 +325,7 @@ class NodeService: @staticmethod def get_node_hostname(node): return node['hostname'] if 'hostname' in node else node['os']['version'] + + @staticmethod + def get_hostname_by_id(node_id): + NodeService.get_node_hostname(mongo.db.monkey.find_one({'_id': node_id}, {'hostname': 1})) diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index 7a3dbc39b..11d2be821 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -1,16 +1,16 @@ -import uuid -from itertools import combinations, product +from itertools import product from cc.database import mongo from bson import ObjectId +from cc.services.node import NodeService + +__author__ = 'maor.rayzin' class PTHReportService(object): @staticmethod - def get_duplicated_passwords_nodes(): - users_cred_groups = [] - + def __dup_passwords_mongoquery(): pipeline = [ {"$match": { 'NTLM_secret': { @@ -26,74 +26,16 @@ class PTHReportService(object): }}, {'$match': {'count': {'$gt': 1}}} ] - docs = mongo.db.groupsandusers.aggregate(pipeline) - for doc in docs: - users_list = [] - for user in doc['Docs']: - hostname = None - if user['machine_id']: - machine = mongo.db.monkey.find_one({'_id': ObjectId(user['machine_id'])}, {'hostname': 1}) - if machine.get('hostname'): - hostname = machine['hostname'] - users_list.append({'username': user['name'], 'domain_name': user['domain_name'], - 'hostname': hostname}) - users_cred_groups.append({'cred_groups': users_list}) - - return users_cred_groups + return mongo.db.groupsandusers.aggregate(pipeline) @staticmethod - def get_duplicated_passwords_issues(): - user_groups = PTHReportService.get_duplicated_passwords_nodes() - issues = [] - users_gathered = [] - for group in user_groups: - for user_info in group['cred_groups']: - users_gathered.append(user_info['username']) - issues.append( - { - 'type': 'shared_passwords_domain' if user_info['domain_name'] else 'shared_passwords', - 'machine': user_info['hostname'] if user_info['hostname'] else user_info['domain_name'], - 'shared_with': [i['username'] for i in group['cred_groups']], - 'is_local': False if user_info['domain_name'] else True - } - ) - break - return issues + def __get_admin_on_machines_format(admin_on_machines): + + machines = mongo.db.monkey.find({'_id': {'$in': admin_on_machines}}, {'hostname': 1}) + return [i['hostname'] for i in list(machines)] @staticmethod - def get_shared_admins_nodes(): - admins = mongo.db.groupsandusers.find({'type': 1, 'admin_on_machines.1': {'$exists': True}}, - {'admin_on_machines': 1, 'name': 1, 'domain_name': 1}) - admins_info_list = [] - for admin in admins: - machines = mongo.db.monkey.find({'_id': {'$in': admin['admin_on_machines']}}, {'hostname': 1}) - - # appends the host names of the machines this user is admin on. - admins_info_list.append({'name': admin['name'],'domain_name': admin['domain_name'], - 'admin_on_machines': [i['hostname'] for i in list(machines)]}) - - return admins_info_list - - @staticmethod - def get_shared_admins_issues(): - admins_info = PTHReportService.get_shared_admins_nodes() - issues = [] - for admin in admins_info: - issues.append( - { - 'is_local': False, - 'type': 'shared_admins_domain', - 'machine': admin['domain_name'], - 'username': admin['name'], - 'shared_machines': admin['admin_on_machines'], - } - ) - - return issues - - @staticmethod - def get_strong_users_on_critical_machines_nodes(): - crit_machines = {} + def __strong_users_on_crit_query(): pipeline = [ { '$unwind': '$admin_on_machines' @@ -117,13 +59,82 @@ class PTHReportService(object): '$unwind': '$critical_machine' } ] - docs = mongo.db.groupsandusers.aggregate(pipeline) + return mongo.db.groupsandusers.aggregate(pipeline) + + @staticmethod + def get_duplicated_passwords_nodes(): + users_cred_groups = [] + docs = PTHReportService.__dup_passwords_mongoquery() + for doc in docs: + users_list = [ + { + 'username': user['name'], + 'domain_name': user['domain_name'], + 'hostname': NodeService.get_hostname_by_id(ObjectId(user['machine_id'])) + if user['machine_id'] else None + } for user in doc['Docs'] + ] + users_cred_groups.append({'cred_groups': users_list}) + + return users_cred_groups + + @staticmethod + def get_duplicated_passwords_issues(): + user_groups = PTHReportService.get_duplicated_passwords_nodes() + issues = [] + for group in user_groups: + user_info = group['cred_groups'][0] + issues.append( + { + 'type': 'shared_passwords_domain' if user_info['domain_name'] else 'shared_passwords', + 'machine': user_info['hostname'] if user_info['hostname'] else user_info['domain_name'], + 'shared_with': [i['username'] for i in group['cred_groups']], + 'is_local': False if user_info['domain_name'] else True + } + ) + return issues + + @staticmethod + def get_shared_admins_nodes(): + + # This mongo queries users the best solution to figure out if an array + # object has at least two objects in it, by making sure any value exists in the array index 1. + admins = mongo.db.groupsandusers.find({'type': 1, 'admin_on_machines.1': {'$exists': True}}, + {'admin_on_machines': 1, 'name': 1, 'domain_name': 1}) + return [ + { + 'name': admin['name'], + 'domain_name': admin['domain_name'], + 'admin_on_machines': PTHReportService.__get_admin_on_machines_format(admin['admin_on_machines']) + } for admin in admins + ] + + @staticmethod + def get_shared_admins_issues(): + admins_info = PTHReportService.get_shared_admins_nodes() + return [ + { + 'is_local': False, + 'type': 'shared_admins_domain', + 'machine': admin['domain_name'], + 'username': admin['name'], + 'shared_machines': admin['admin_on_machines'], + } + for admin in admins_info] + + @staticmethod + def get_strong_users_on_critical_machines_nodes(): + + crit_machines = {} + docs = PTHReportService.__strong_users_on_crit_query() + for doc in docs: hostname = str(doc['critical_machine']['hostname']) - if not hostname in crit_machines: - crit_machines[hostname] = {} - crit_machines[hostname]['threatening_users'] = [] - crit_machines[hostname]['critical_services'] = doc['critical_machine']['critical_services'] + if hostname not in crit_machines: + crit_machines[hostname] = { + 'threatening_users': [], + 'critical_services': doc['critical_machine']['critical_services'] + } crit_machines[hostname]['threatening_users'].append( {'name': str(doc['domain_name']) + '\\' + str(doc['name']), 'creds_location': doc['secret_location']}) @@ -131,107 +142,92 @@ class PTHReportService(object): @staticmethod def get_strong_users_on_crit_issues(): - issues = [] crit_machines = PTHReportService.get_strong_users_on_critical_machines_nodes() - for machine in crit_machines: - issues.append( - { - 'type': 'strong_users_on_crit', - 'machine': machine, - 'services': crit_machines[machine].get('critical_services'), - 'threatening_users': [i['name'] for i in crit_machines[machine]['threatening_users']] - } - ) - return issues + return [ + { + 'type': 'strong_users_on_crit', + 'machine': machine, + 'services': crit_machines[machine].get('critical_services'), + 'threatening_users': [i['name'] for i in crit_machines[machine]['threatening_users']] + } for machine in crit_machines + ] @staticmethod def get_strong_users_on_crit_details(): - table_entries = [] user_details = {} crit_machines = PTHReportService.get_strong_users_on_critical_machines_nodes() for machine in crit_machines: for user in crit_machines[machine]['threatening_users']: username = user['name'] if username not in user_details: - user_details[username] = {} - user_details[username]['machines'] = [] - user_details[username]['services'] = [] + user_details[username] = { + 'machines': [], + 'services': [] + } user_details[username]['machines'].append(machine) user_details[username]['services'] += crit_machines[machine]['critical_services'] - for user in user_details: - table_entries.append( - { - 'username': user, - 'machines': user_details[user]['machines'], - 'services_names': user_details[user]['services'] - } - ) - - return table_entries + return [ + { + 'username': user, + 'machines': user_details[user]['machines'], + 'services_names': user_details[user]['services'] + } for user in user_details + ] @staticmethod def generate_map_nodes(): - - nodes_list = [] monkeys = mongo.db.monkey.find({}, {'_id': 1, 'hostname': 1, 'critical_services': 1, 'ip_addresses': 1}) - for monkey in monkeys: - critical_services = monkey.get('critical_services', []) - nodes_list.append({ + + return [ + { 'id': monkey['_id'], 'label': '{0} : {1}'.format(monkey['hostname'], monkey['ip_addresses'][0]), - 'group': 'critical' if critical_services else 'normal', - 'services': critical_services, + 'group': 'critical' if monkey.get('critical_services', []) else 'normal', + 'services': monkey.get('critical_services', []), 'hostname': monkey['hostname'] - }) - - return nodes_list + } for monkey in monkeys + ] @staticmethod - def generate_edge_nodes(): + def generate_edges(): edges_list = [] - pipeline = [ + + comp_users = mongo.db.groupsandusers.find( { - '$match': {'admin_on_machines': {'$ne': []}, 'secret_location': {'$ne': []}, 'type': 1} + 'admin_on_machines': {'$ne': []}, + 'secret_location': {'$ne': []}, + 'type': 1 }, { - '$project': {'admin_on_machines': 1, 'secret_location': 1} + 'admin_on_machines': 1, 'secret_location': 1 } - ] - comp_users = mongo.db.groupsandusers.aggregate(pipeline) + ) for user in comp_users: - pairs = PTHReportService.generate_edges_tuples(user['admin_on_machines'], user['secret_location']) - for pair in pairs: + # A list comp, to get all unique pairs of attackers and victims. + for pair in [pair for pair in product(user['admin_on_machines'], user['secret_location']) + if pair[0] != pair[1]]: edges_list.append( { 'from': pair[1], 'to': pair[0], - 'id': str(uuid.uuid4()) + 'id': str(pair[1]) + str(pair[0]) } ) return edges_list - @staticmethod - def generate_edges_tuples(*lists): - - for t in combinations(lists, 2): - for pair in product(*t): - # Don't output pairs containing duplicated elements - if pair[0] != pair[1]: - yield pair - @staticmethod def get_pth_map(): return { 'nodes': PTHReportService.generate_map_nodes(), - 'edges': PTHReportService.generate_edge_nodes() + 'edges': PTHReportService.generate_edges() } @staticmethod def get_report(): - + pth_map = PTHReportService.get_pth_map() PTHReportService.get_strong_users_on_critical_machines_nodes() report = \ { @@ -242,8 +238,8 @@ class PTHReportService(object): 'pthmap': { - 'nodes': PTHReportService.generate_map_nodes(), - 'edges': PTHReportService.generate_edge_nodes() + 'nodes': pth_map.get('nodes'), + 'edges': pth_map.get('edges') } } diff --git a/monkey/monkey_island/cc/services/report.py b/monkey/monkey_island/cc/services/report.py index f82f1518d..26a5c87f1 100644 --- a/monkey/monkey_island/cc/services/report.py +++ b/monkey/monkey_island/cc/services/report.py @@ -1,6 +1,5 @@ import itertools import functools -import pprint import ipaddress import logging @@ -160,7 +159,7 @@ class ReportService: @staticmethod def get_stolen_creds(): PASS_TYPE_DICT = {'password': 'Clear Password', 'lm_hash': 'LM hash', 'ntlm_hash': 'NTLM hash'} - creds = [] + creds = set() for telem in mongo.db.telemetry.find( {'telem_type': 'system_info_collection', 'data.credentials': {'$exists': True}}, {'data.credentials': 1, 'monkey_guid': 1} @@ -177,14 +176,9 @@ class ReportService: 'type': PASS_TYPE_DICT[pass_type], 'origin': origin } - if cred_row not in creds: - creds.append(cred_row) + creds.add(cred_row) logger.info('Stolen creds generated for reporting') - return creds - - @staticmethod - def get_pth_shared_passwords(): - pass + return list(creds) @staticmethod def get_ssh_keys(): @@ -544,7 +538,7 @@ class ReportService: domain_issues_dict = {} for issue in issues: if not issue.get('is_local', True): - machine = issue.get('machine', '').upper() + machine = issue.get('machine').upper() if machine not in domain_issues_dict: domain_issues_dict[machine] = [] domain_issues_dict[machine].append(issue) @@ -566,7 +560,7 @@ class ReportService: issues_dict = {} for issue in issues: if issue.get('is_local', True): - machine = issue.get('machine', '').upper() + machine = issue.get('machine').upper() if machine not in issues_dict: issues_dict[machine] = [] issues_dict[machine].append(issue) @@ -707,17 +701,14 @@ class ReportService: 'exploited': ReportService.get_exploited(), 'stolen_creds': ReportService.get_stolen_creds(), 'azure_passwords': ReportService.get_azure_creds(), - 'ssh_keys': ReportService.get_ssh_keys() + 'ssh_keys': ReportService.get_ssh_keys(), + 'strong_users': PTHReportService.get_strong_users_on_crit_details(), + 'pth_map': PTHReportService.get_pth_map() }, 'recommendations': { 'issues': issues, 'domain_issues': domain_issues - }, - 'pth': - { - 'strong_users': PTHReportService.get_strong_users_on_crit_details(), - 'map': PTHReportService.get_pth_map(), } } diff --git a/monkey/monkey_island/cc/services/user_info.py b/monkey/monkey_island/cc/services/user_info.py index c69a011a6..e233c1f31 100644 --- a/monkey/monkey_island/cc/services/user_info.py +++ b/monkey/monkey_island/cc/services/user_info.py @@ -1,45 +1,52 @@ +__author__ = 'maor.rayzin' + -def extract_sam_secrets(mim_string, users_dict): - users_secrets = mim_string.split("\n42.")[1].split("\nSAMKey :")[1].split("\n\n")[1:] +class MimikatzSecrets(object): - if mim_string.count("\n42.") != 2: - return {} + def __init__(self): + # Static class + pass - for sam_user_txt in users_secrets: - sam_user = dict([map(unicode.strip, line.split(":")) for line in - filter(lambda l: l.count(":") == 1, sam_user_txt.splitlines())]) - username = sam_user.get("User") - users_dict[username] = {} + @staticmethod + def extract_sam_secrets(mim_string, users_dict): + users_secrets = mim_string.split("\n42.")[1].split("\nSAMKey :")[1].split("\n\n")[1:] - ntlm = sam_user.get("NTLM") - if "[hashed secret]" not in ntlm: - continue + if mim_string.count("\n42.") != 2: + return {} - users_dict[username]['SAM'] = ntlm.replace("[hashed secret]", "").strip() + for sam_user_txt in users_secrets: + sam_user = dict([map(unicode.strip, line.split(":")) for line in + filter(lambda l: l.count(":") == 1, sam_user_txt.splitlines())]) + username = sam_user.get("User") + users_dict[username] = {} + ntlm = sam_user.get("NTLM") + if "[hashed secret]" not in ntlm: + continue -def extract_ntlm_secrets(mim_string, users_dict): + users_dict[username]['SAM'] = ntlm.replace("[hashed secret]", "").strip() - if mim_string.count("\n42.") != 2: - return {} + @staticmethod + def extract_ntlm_secrets(mim_string, users_dict): - ntds_users = mim_string.split("\n42.")[2].split("\nRID :")[1:] + if mim_string.count("\n42.") != 2: + return {} - for ntds_user_txt in ntds_users: - user = ntds_user_txt.split("User :")[1].splitlines()[0].replace("User :", "").strip() - ntlm = ntds_user_txt.split("* Primary\n NTLM :")[1].splitlines()[0].replace("NTLM :", "").strip() - ntlm = ntlm.replace("[hashed secret]", "").strip() - users_dict[user] = {} - if ntlm: - users_dict[user]['ntlm'] = ntlm + ntds_users = mim_string.split("\n42.")[2].split("\nRID :")[1:] + for ntds_user_txt in ntds_users: + user = ntds_user_txt.split("User :")[1].splitlines()[0].replace("User :", "").strip() + ntlm = ntds_user_txt.split("* Primary\n NTLM :")[1].splitlines()[0].replace("NTLM :", "").strip() + ntlm = ntlm.replace("[hashed secret]", "").strip() + users_dict[user] = {} + if ntlm: + users_dict[user]['ntlm'] = ntlm -def extract_secrets_from_mimikatz(mim_string): - users_dict = {} - extract_sam_secrets(mim_string, users_dict) - extract_ntlm_secrets(mim_string, users_dict) - - return users_dict - + @staticmethod + def extract_secrets_from_mimikatz(mim_string): + users_dict = {} + MimikatzSecrets.extract_sam_secrets(mim_string, users_dict) + MimikatzSecrets.extract_ntlm_secrets(mim_string, users_dict) + return users_dict diff --git a/monkey/monkey_island/cc/services/wmi_info_handler.py b/monkey/monkey_island/cc/services/wmi_info_handler.py index b4b12c7a3..61f85eb61 100644 --- a/monkey/monkey_island/cc/services/wmi_info_handler.py +++ b/monkey/monkey_island/cc/services/wmi_info_handler.py @@ -1,7 +1,9 @@ from cc.database import mongo +__author__ = 'maor.rayzin' -class WMIHandler: + +class WMIHandler(object): ADMINISTRATORS_GROUP_KNOWN_SID = '1-5-32-544' @@ -13,26 +15,29 @@ class WMIHandler: self.users_info = wmi_info['Win32_UserAccount'] self.groups_info = wmi_info['Win32_Group'] self.groups_and_users = wmi_info['Win32_GroupUser'] + self.products = wmi_info['Win32_Service'] + self.services = wmi_info['Win32_Product'] - def process_and_handle(self): + def process_and_handle_wmi_info(self): self.add_groups_to_collection() self.add_users_to_collection() self.create_group_user_connection() + self.insert_info_to_mongo() self.add_admin(self.info_for_mongo[self.ADMINISTRATORS_GROUP_KNOWN_SID], self.monkey_id) self.update_admins_retrospective() - self.insert_info_to_mongo() + self.update_critical_services() - def update_critical_services(self, wmi_services, wmi_products, machine_id): + def update_critical_services(self): critical_names = ("W3svc", "MSExchangeServiceHost", "MSSQLServer", "dns", 'MSSQL$SQLEXPRESS', 'SQL') - mongo.db.monkey.update({'_id': machine_id}, {'$set': {'critical_services': []}}) + mongo.db.monkey.update({'_id': self.monkey_id}, {'$set': {'critical_services': []}}) - services_names_list = [str(i['Name'])[2:-1] for i in wmi_services] - products_names_list = [str(i['Name'])[2:-2] for i in wmi_products] + services_names_list = [str(i['Name'])[2:-1] for i in self.services] + products_names_list = [str(i['Name'])[2:-2] for i in self.products] for name in critical_names: if name in services_names_list or name in products_names_list: - mongo.db.monkey.update({'_id': machine_id}, {'$addToSet': {'critical_services': name}}) + mongo.db.monkey.update({'_id': self.monkey_id}, {'$addToSet': {'critical_services': name}}) def build_entity_document(self, entity_info, monkey_id=None): general_properties_dict = { diff --git a/monkey/monkey_island/cc/ui/src/components/Main.js b/monkey/monkey_island/cc/ui/src/components/Main.js index 5a5a4e526..114775756 100644 --- a/monkey/monkey_island/cc/ui/src/components/Main.js +++ b/monkey/monkey_island/cc/ui/src/components/Main.js @@ -163,7 +163,6 @@ class AppComponent extends AuthComponent { {this.renderRoute('/run-monkey', )} {this.renderRoute('/infection/map', )} {this.renderRoute('/infection/telemetry', )} - {this.renderRoute('/pth', )} {this.renderRoute('/start-over', )} {this.renderRoute('/report', )} {this.renderRoute('/license', )} diff --git a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js index 98224541c..67dc9e0c4 100644 --- a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -9,9 +9,7 @@ import CollapsibleWellComponent from 'components/report-components/CollapsibleWe import {Line} from 'rc-progress'; import AuthComponent from '../AuthComponent'; import PassTheHashMapPageComponent from "./PassTheHashMapPage"; -import SharedCreds from "components/report-components/SharedCreds"; import StrongUsers from "components/report-components/StrongUsers"; -import SharedAdmins from "components/report-components/SharedAdmins"; let guardicoreLogoImage = require('../../images/guardicore-logo.png'); let monkeyLogoImage = require('../../images/monkey-icon.svg'); @@ -47,13 +45,10 @@ class ReportPageComponent extends AuthComponent { super(props); this.state = { report: {}, - pthreport: {}, - pthmap: {}, graph: {nodes: [], edges: []}, allMonkeysAreDead: false, runStarted: true }; - this.getPth } componentDidMount() { @@ -122,9 +117,7 @@ class ReportPageComponent extends AuthComponent { .then(res => res.json()) .then(res => { this.setState({ - report: res, - pthreport: res.pth.info, - pthmap: res.pth.map + report: res }); }); } @@ -475,7 +468,7 @@ class ReportPageComponent extends AuthComponent {
    - +
    ); @@ -495,7 +488,7 @@ class ReportPageComponent extends AuthComponent { Access credentials |
    - +

    diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/SharedAdmins.js b/monkey/monkey_island/cc/ui/src/components/report-components/SharedAdmins.js deleted file mode 100644 index bf57065d5..000000000 --- a/monkey/monkey_island/cc/ui/src/components/report-components/SharedAdmins.js +++ /dev/null @@ -1,42 +0,0 @@ -import React from 'react'; -import ReactTable from 'react-table' - -let renderArray = function(val) { - return
    {val.map(x =>
    {x}
    )}
    ; -}; - -const columns = [ - { - Header: 'Shared Admins Between Machines', - columns: [ - { Header: 'Username', accessor: 'username'}, - { Header: 'Domain', accessor: 'domain'}, - { Header: 'Machines', id: 'machines', accessor: x => renderArray(x.machines)}, - ] - } -]; - -const pageSize = 10; - -class SharedAdminsComponent extends React.Component { - constructor(props) { - super(props); - } - - render() { - let defaultPageSize = this.props.data.length > pageSize ? pageSize : this.props.data.length; - let showPagination = this.props.data.length > pageSize; - return ( -
    - -
    - ); - } -} - -export default SharedAdminsComponent; diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/SharedCreds.js b/monkey/monkey_island/cc/ui/src/components/report-components/SharedCreds.js deleted file mode 100644 index f42494167..000000000 --- a/monkey/monkey_island/cc/ui/src/components/report-components/SharedCreds.js +++ /dev/null @@ -1,41 +0,0 @@ -import React from 'react'; -import ReactTable from 'react-table' - -let renderArray = function(val) { - console.log(val); - return
    {val.map(x =>
    {x}
    )}
    ; -}; - -const columns = [ - { - Header: 'Shared Credentials', - columns: [ - {Header: 'Credential Group', id: 'cred_group', accessor: x => renderArray(x.cred_group) } - ] - } -]; - -const pageSize = 10; - -class SharedCredsComponent extends React.Component { - constructor(props) { - super(props); - } - - render() { - let defaultPageSize = this.props.data.length > pageSize ? pageSize : this.props.data.length; - let showPagination = this.props.data.length > pageSize; - return ( -
    - -
    - ); - } -} - -export default SharedCredsComponent; From b85fb8c94ae5816aa28709ff0eeec9d799f61437 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Mon, 29 Oct 2018 13:06:09 +0200 Subject: [PATCH 107/117] Some bug fixes and CR after shocks --- monkey/monkey_island/cc/services/node.py | 2 +- monkey/monkey_island/cc/services/pth_report.py | 3 +-- monkey/monkey_island/cc/services/report.py | 9 +++++---- monkey/monkey_island/cc/services/user_info.py | 2 +- monkey/monkey_island/cc/services/wmi_info_handler.py | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/monkey/monkey_island/cc/services/node.py b/monkey/monkey_island/cc/services/node.py index 87b2a1aec..072917974 100644 --- a/monkey/monkey_island/cc/services/node.py +++ b/monkey/monkey_island/cc/services/node.py @@ -328,4 +328,4 @@ class NodeService: @staticmethod def get_hostname_by_id(node_id): - NodeService.get_node_hostname(mongo.db.monkey.find_one({'_id': node_id}, {'hostname': 1})) + return NodeService.get_node_hostname(mongo.db.monkey.find_one({'_id': node_id}, {'hostname': 1})) diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index 11d2be821..c29049951 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -70,8 +70,7 @@ class PTHReportService(object): { 'username': user['name'], 'domain_name': user['domain_name'], - 'hostname': NodeService.get_hostname_by_id(ObjectId(user['machine_id'])) - if user['machine_id'] else None + 'hostname': NodeService.get_hostname_by_id(ObjectId(user['machine_id'])) if user['machine_id'] else None } for user in doc['Docs'] ] users_cred_groups.append({'cred_groups': users_list}) diff --git a/monkey/monkey_island/cc/services/report.py b/monkey/monkey_island/cc/services/report.py index 26a5c87f1..216882fa7 100644 --- a/monkey/monkey_island/cc/services/report.py +++ b/monkey/monkey_island/cc/services/report.py @@ -159,7 +159,7 @@ class ReportService: @staticmethod def get_stolen_creds(): PASS_TYPE_DICT = {'password': 'Clear Password', 'lm_hash': 'LM hash', 'ntlm_hash': 'NTLM hash'} - creds = set() + creds = [] for telem in mongo.db.telemetry.find( {'telem_type': 'system_info_collection', 'data.credentials': {'$exists': True}}, {'data.credentials': 1, 'monkey_guid': 1} @@ -176,9 +176,10 @@ class ReportService: 'type': PASS_TYPE_DICT[pass_type], 'origin': origin } - creds.add(cred_row) + if cred_row not in creds: + creds.append(cred_row) logger.info('Stolen creds generated for reporting') - return list(creds) + return creds @staticmethod def get_ssh_keys(): @@ -560,7 +561,7 @@ class ReportService: issues_dict = {} for issue in issues: if issue.get('is_local', True): - machine = issue.get('machine').upper() + machine = issue.get('machine', '').upper() if machine not in issues_dict: issues_dict[machine] = [] issues_dict[machine].append(issue) diff --git a/monkey/monkey_island/cc/services/user_info.py b/monkey/monkey_island/cc/services/user_info.py index e233c1f31..9aca91a59 100644 --- a/monkey/monkey_island/cc/services/user_info.py +++ b/monkey/monkey_island/cc/services/user_info.py @@ -22,7 +22,7 @@ class MimikatzSecrets(object): users_dict[username] = {} ntlm = sam_user.get("NTLM") - if "[hashed secret]" not in ntlm: + if not ntlm or "[hashed secret]" not in ntlm: continue users_dict[username]['SAM'] = ntlm.replace("[hashed secret]", "").strip() diff --git a/monkey/monkey_island/cc/services/wmi_info_handler.py b/monkey/monkey_island/cc/services/wmi_info_handler.py index 61f85eb61..d119772f5 100644 --- a/monkey/monkey_island/cc/services/wmi_info_handler.py +++ b/monkey/monkey_island/cc/services/wmi_info_handler.py @@ -29,7 +29,7 @@ class WMIHandler(object): self.update_critical_services() def update_critical_services(self): - critical_names = ("W3svc", "MSExchangeServiceHost", "MSSQLServer", "dns", 'MSSQL$SQLEXPRESS', 'SQL') + critical_names = ("W3svc", "MSExchangeServiceHost", "dns", 'MSSQL$SQLEXPRES') mongo.db.monkey.update({'_id': self.monkey_id}, {'$set': {'critical_services': []}}) services_names_list = [str(i['Name'])[2:-1] for i in self.services] From 242c2c8700826c4a0a82f6f8636354da422954ae Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Mon, 29 Oct 2018 14:24:52 +0200 Subject: [PATCH 108/117] Added hostname to shared creds users --- monkey/monkey_island/cc/services/pth_report.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index c29049951..90ee4956d 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -87,7 +87,7 @@ class PTHReportService(object): { 'type': 'shared_passwords_domain' if user_info['domain_name'] else 'shared_passwords', 'machine': user_info['hostname'] if user_info['hostname'] else user_info['domain_name'], - 'shared_with': [i['username'] for i in group['cred_groups']], + 'shared_with': [i['hostname'] + '\\' + i['username'] for i in group['cred_groups']], 'is_local': False if user_info['domain_name'] else True } ) From f60c12b391f563a775733e9987a1cc5ac45d1430 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Mon, 29 Oct 2018 15:01:23 +0200 Subject: [PATCH 109/117] Added hostname to all issues generated --- monkey/monkey_island/cc/services/pth_report.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index 90ee4956d..9a862f212 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -29,10 +29,10 @@ class PTHReportService(object): return mongo.db.groupsandusers.aggregate(pipeline) @staticmethod - def __get_admin_on_machines_format(admin_on_machines): + def __get_admin_on_machines_format(admin_on_machines, domain_name): machines = mongo.db.monkey.find({'_id': {'$in': admin_on_machines}}, {'hostname': 1}) - return [i['hostname'] for i in list(machines)] + return [domain_name + '\\' + i['hostname'] for i in list(machines)] @staticmethod def __strong_users_on_crit_query(): @@ -104,7 +104,7 @@ class PTHReportService(object): { 'name': admin['name'], 'domain_name': admin['domain_name'], - 'admin_on_machines': PTHReportService.__get_admin_on_machines_format(admin['admin_on_machines']) + 'admin_on_machines': PTHReportService.__get_admin_on_machines_format(admin['admin_on_machines'], admin['domain_name']) } for admin in admins ] @@ -116,7 +116,7 @@ class PTHReportService(object): 'is_local': False, 'type': 'shared_admins_domain', 'machine': admin['domain_name'], - 'username': admin['name'], + 'username': admin['domain_name'] + '\\' + admin['name'], 'shared_machines': admin['admin_on_machines'], } for admin in admins_info] From 3a2d9a9cc275b67f4fb8cadb763912327aa2ef15 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Mon, 29 Oct 2018 15:25:30 +0200 Subject: [PATCH 110/117] Excluded the name Administrator from the shared admin issue, it spams the report --- monkey/monkey_island/cc/services/pth_report.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index 9a862f212..edb882561 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -98,7 +98,10 @@ class PTHReportService(object): # This mongo queries users the best solution to figure out if an array # object has at least two objects in it, by making sure any value exists in the array index 1. - admins = mongo.db.groupsandusers.find({'type': 1, 'admin_on_machines.1': {'$exists': True}}, + # Excluding the name Administrator - its spamming the lists and not a surprise the domain Administrator account + # is shared. + admins = mongo.db.groupsandusers.find({'type': 1, 'name': {'$ne': 'Administrator'}, + 'admin_on_machines.1': {'$exists': True}}, {'admin_on_machines': 1, 'name': 1, 'domain_name': 1}) return [ { From 707c88434cb937fb8e6b20168cd3e3582ff41252 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Wed, 31 Oct 2018 14:20:56 +0200 Subject: [PATCH 111/117] RE-CR: changed names, added doc, created consts. --- .../monkey_island/cc/resources/telemetry.py | 6 ++-- .../cc/services/groups_and_users_consts.py | 5 +++ .../{user_info.py => mimikatz_utils.py} | 0 .../monkey_island/cc/services/pth_report.py | 35 ++++++++++++++++--- monkey/monkey_island/cc/services/report.py | 2 +- .../{wmi_info_handler.py => wmi_handler.py} | 9 ++--- 6 files changed, 45 insertions(+), 12 deletions(-) create mode 100644 monkey/monkey_island/cc/services/groups_and_users_consts.py rename monkey/monkey_island/cc/services/{user_info.py => mimikatz_utils.py} (100%) rename monkey/monkey_island/cc/services/{wmi_info_handler.py => wmi_handler.py} (96%) diff --git a/monkey/monkey_island/cc/resources/telemetry.py b/monkey/monkey_island/cc/resources/telemetry.py index 1680f7664..0db3b0eb4 100644 --- a/monkey/monkey_island/cc/resources/telemetry.py +++ b/monkey/monkey_island/cc/resources/telemetry.py @@ -9,12 +9,12 @@ from flask import request from cc.auth import jwt_required from cc.database import mongo -from cc.services import user_info +from cc.services import mimikatz_utils from cc.services.config import ConfigService from cc.services.edge import EdgeService from cc.services.node import NodeService from cc.encryptor import encryptor -from cc.services.wmi_info_handler import WMIHandler +from cc.services.wmi_handler import WMIHandler __author__ = 'Barak' @@ -186,7 +186,7 @@ class Telemetry(flask_restful.Resource): Telemetry.add_system_info_creds_to_config(creds) Telemetry.replace_user_dot_with_comma(creds) if 'mimikatz' in telemetry_json['data']: - users_secrets = user_info.MimikatzSecrets.\ + users_secrets = mimikatz_utils.MimikatzSecrets.\ extract_secrets_from_mimikatz(telemetry_json['data'].get('mimikatz', '')) if 'wmi' in telemetry_json['data']: wmi_handler = WMIHandler(monkey_id, telemetry_json['data']['wmi'], users_secrets) diff --git a/monkey/monkey_island/cc/services/groups_and_users_consts.py b/monkey/monkey_island/cc/services/groups_and_users_consts.py new file mode 100644 index 000000000..03fefbe02 --- /dev/null +++ b/monkey/monkey_island/cc/services/groups_and_users_consts.py @@ -0,0 +1,5 @@ +"""This file will include consts values regarding the groupsandusers collection""" + +USERTYPE = 1 + +GROUPTYPE = 2 \ No newline at end of file diff --git a/monkey/monkey_island/cc/services/user_info.py b/monkey/monkey_island/cc/services/mimikatz_utils.py similarity index 100% rename from monkey/monkey_island/cc/services/user_info.py rename to monkey/monkey_island/cc/services/mimikatz_utils.py diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index edb882561..f72a430ba 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -3,6 +3,7 @@ from itertools import product from cc.database import mongo from bson import ObjectId +from cc.services.groups_and_users_consts import USERTYPE from cc.services.node import NodeService __author__ = 'maor.rayzin' @@ -11,6 +12,19 @@ class PTHReportService(object): @staticmethod def __dup_passwords_mongoquery(): + """ + This function build and query the mongoDB for users found that are using the same passwords, this is done + by comparing the NTLM hash found for each user by mimikatz. + :return: + A list of mongo documents (dicts in python) that look like this: + { + '_id': The NTLM hash, + 'count': How many users share it. + 'Docs': the name, domain name, _Id, and machine_id of the users + } + """ + + pipeline = [ {"$match": { 'NTLM_secret': { @@ -30,18 +44,31 @@ class PTHReportService(object): @staticmethod def __get_admin_on_machines_format(admin_on_machines, domain_name): - + """ + This function finds for each admin user, what machines its admin of and compile them to a list. + :param admin_on_machines: A list of "monkey" documents "_id"s + :param domain_name: The admin's domain name + :return: + A list of formatted machines names *domain*\*hostname*, to use in shared admins issues. + """ machines = mongo.db.monkey.find({'_id': {'$in': admin_on_machines}}, {'hostname': 1}) return [domain_name + '\\' + i['hostname'] for i in list(machines)] @staticmethod def __strong_users_on_crit_query(): + """ + This function build and query the mongoDB for users that mimikatz was able to find cached NTLM hash and + are administrators on machines with services predefined as important services thus making these machines + critical. + :return: + A list of said users + """ pipeline = [ { '$unwind': '$admin_on_machines' }, { - '$match': {'type': 1, 'domain_name': {'$ne': None}} + '$match': {'type': USERTYPE, 'domain_name': {'$ne': None}} }, { '$lookup': @@ -100,7 +127,7 @@ class PTHReportService(object): # object has at least two objects in it, by making sure any value exists in the array index 1. # Excluding the name Administrator - its spamming the lists and not a surprise the domain Administrator account # is shared. - admins = mongo.db.groupsandusers.find({'type': 1, 'name': {'$ne': 'Administrator'}, + admins = mongo.db.groupsandusers.find({'type': USERTYPE, 'name': {'$ne': 'Administrator'}, 'admin_on_machines.1': {'$exists': True}}, {'admin_on_machines': 1, 'name': 1, 'domain_name': 1}) return [ @@ -200,7 +227,7 @@ class PTHReportService(object): { 'admin_on_machines': {'$ne': []}, 'secret_location': {'$ne': []}, - 'type': 1 + 'type': USERTYPE }, { 'admin_on_machines': 1, 'secret_location': 1 diff --git a/monkey/monkey_island/cc/services/report.py b/monkey/monkey_island/cc/services/report.py index 216882fa7..fe8928a56 100644 --- a/monkey/monkey_island/cc/services/report.py +++ b/monkey/monkey_island/cc/services/report.py @@ -561,7 +561,7 @@ class ReportService: issues_dict = {} for issue in issues: if issue.get('is_local', True): - machine = issue.get('machine', '').upper() + machine = issue.get('machine').upper() if machine not in issues_dict: issues_dict[machine] = [] issues_dict[machine].append(issue) diff --git a/monkey/monkey_island/cc/services/wmi_info_handler.py b/monkey/monkey_island/cc/services/wmi_handler.py similarity index 96% rename from monkey/monkey_island/cc/services/wmi_info_handler.py rename to monkey/monkey_island/cc/services/wmi_handler.py index d119772f5..a0ffcba8b 100644 --- a/monkey/monkey_island/cc/services/wmi_info_handler.py +++ b/monkey/monkey_island/cc/services/wmi_handler.py @@ -1,4 +1,5 @@ from cc.database import mongo +from cc.services.groups_and_users_consts import USERTYPE __author__ = 'maor.rayzin' @@ -15,8 +16,8 @@ class WMIHandler(object): self.users_info = wmi_info['Win32_UserAccount'] self.groups_info = wmi_info['Win32_Group'] self.groups_and_users = wmi_info['Win32_GroupUser'] - self.products = wmi_info['Win32_Service'] - self.services = wmi_info['Win32_Product'] + self.services = wmi_info['Win32_Service'] + self.products = wmi_info['Win32_Product'] def process_and_handle_wmi_info(self): @@ -128,7 +129,7 @@ class WMIHandler(object): # if entity is domain entity, add the monkey id of current machine to secrets_location. # (found on this machine) if entity.get('NTLM_secret'): - mongo.db.groupsandusers.update_one({'SID': entity['SID'], 'type': 1}, + mongo.db.groupsandusers.update_one({'SID': entity['SID'], 'type': USERTYPE}, {'$addToSet': {'secret_location': self.monkey_id}}) def update_admins_retrospective(self): @@ -148,7 +149,7 @@ class WMIHandler(object): mongo.db.groupsandusers.update_one({'SID': sid}, {'$addToSet': {'admin_on_machines': machine_id}}) entity_details = mongo.db.groupsandusers.find_one({'SID': sid}, - {'type': 1, 'entities_list': 1}) + {'type': USERTYPE, 'entities_list': 1}) if entity_details.get('type') == 2: self.add_admin(entity_details, machine_id) From 3bf917af80056686bcb1131a0de54e348ca7d23c Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Wed, 31 Oct 2018 14:28:52 +0200 Subject: [PATCH 112/117] RE-CR: tiny corrections --- .../monkey_island/cc/services/groups_and_users_consts.py | 5 +++-- monkey/monkey_island/cc/services/wmi_handler.py | 8 ++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/monkey/monkey_island/cc/services/groups_and_users_consts.py b/monkey/monkey_island/cc/services/groups_and_users_consts.py index 03fefbe02..0e22a34ba 100644 --- a/monkey/monkey_island/cc/services/groups_and_users_consts.py +++ b/monkey/monkey_island/cc/services/groups_and_users_consts.py @@ -1,5 +1,6 @@ """This file will include consts values regarding the groupsandusers collection""" -USERTYPE = 1 +__author__ = 'maor.rayzin' -GROUPTYPE = 2 \ No newline at end of file +USERTYPE = 1 +GROUPTYPE = 2 diff --git a/monkey/monkey_island/cc/services/wmi_handler.py b/monkey/monkey_island/cc/services/wmi_handler.py index a0ffcba8b..5842ae5c6 100644 --- a/monkey/monkey_island/cc/services/wmi_handler.py +++ b/monkey/monkey_island/cc/services/wmi_handler.py @@ -1,5 +1,5 @@ from cc.database import mongo -from cc.services.groups_and_users_consts import USERTYPE +from cc.services.groups_and_users_consts import USERTYPE, GROUPTYPE __author__ = 'maor.rayzin' @@ -66,7 +66,7 @@ class WMIHandler(object): base_entity['SAM_secret'] = self.users_secrets.get(base_entity['name'], {}).get('sam') base_entity['secret_location'] = [] - base_entity['type'] = 1 + base_entity['type'] = USERTYPE self.info_for_mongo[base_entity.get('SID')] = base_entity def add_groups_to_collection(self): @@ -76,7 +76,7 @@ class WMIHandler(object): else: base_entity = self.build_entity_document(group, self.monkey_id) base_entity['entities_list'] = [] - base_entity['type'] = 2 + base_entity['type'] = GROUPTYPE self.info_for_mongo[base_entity.get('SID')] = base_entity def create_group_user_connection(self): @@ -150,6 +150,6 @@ class WMIHandler(object): {'$addToSet': {'admin_on_machines': machine_id}}) entity_details = mongo.db.groupsandusers.find_one({'SID': sid}, {'type': USERTYPE, 'entities_list': 1}) - if entity_details.get('type') == 2: + if entity_details.get('type') == GROUPTYPE: self.add_admin(entity_details, machine_id) From 0bd252d83206b0a3afd75cd6954095c8cbb05071 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Wed, 31 Oct 2018 14:51:23 +0200 Subject: [PATCH 113/117] RE-CR: more docs --- monkey/monkey_island/cc/services/pth_report.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index f72a430ba..858f7c87a 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -8,7 +8,12 @@ from cc.services.node import NodeService __author__ = 'maor.rayzin' + class PTHReportService(object): + """ + A static class supplying utils to produce a report based on the PTH related information + gathered via mimikatz and wmi. + """ @staticmethod def __dup_passwords_mongoquery(): From f12ee32e219f66dd08594cec7f9b61a88cdf5447 Mon Sep 17 00:00:00 2001 From: itaymmguardicore <30774653+itaymmguardicore@users.noreply.github.com> Date: Mon, 5 Nov 2018 16:48:18 +0200 Subject: [PATCH 114/117] Update monkey/monkey_island/cc/services/pth_report.py Co-Authored-By: MaorCore <39161867+MaorCore@users.noreply.github.com> --- monkey/monkey_island/cc/services/pth_report.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index 858f7c87a..89fe2aad5 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -18,7 +18,7 @@ class PTHReportService(object): @staticmethod def __dup_passwords_mongoquery(): """ - This function build and query the mongoDB for users found that are using the same passwords, this is done + This function builds and queries the mongoDB for users that are using the same passwords. this is done by comparing the NTLM hash found for each user by mimikatz. :return: A list of mongo documents (dicts in python) that look like this: From c28f2d6c63a84f5a58aa2d8565bc4084020789e3 Mon Sep 17 00:00:00 2001 From: itaymmguardicore <30774653+itaymmguardicore@users.noreply.github.com> Date: Mon, 5 Nov 2018 16:48:23 +0200 Subject: [PATCH 115/117] Update monkey/monkey_island/cc/services/pth_report.py Co-Authored-By: MaorCore <39161867+MaorCore@users.noreply.github.com> --- monkey/monkey_island/cc/services/pth_report.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index 89fe2aad5..fad7ecf17 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -50,7 +50,7 @@ class PTHReportService(object): @staticmethod def __get_admin_on_machines_format(admin_on_machines, domain_name): """ - This function finds for each admin user, what machines its admin of and compile them to a list. + This function finds for each admin user, which machines its an admin of, and compile them to a list. :param admin_on_machines: A list of "monkey" documents "_id"s :param domain_name: The admin's domain name :return: From 5b8b0258c056a405adb684b4c858d71e99643cc6 Mon Sep 17 00:00:00 2001 From: itaymmguardicore <30774653+itaymmguardicore@users.noreply.github.com> Date: Mon, 5 Nov 2018 16:48:28 +0200 Subject: [PATCH 116/117] Update monkey/monkey_island/cc/services/pth_report.py Co-Authored-By: MaorCore <39161867+MaorCore@users.noreply.github.com> --- monkey/monkey_island/cc/services/pth_report.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index fad7ecf17..3ae19cf17 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -52,7 +52,7 @@ class PTHReportService(object): """ This function finds for each admin user, which machines its an admin of, and compile them to a list. :param admin_on_machines: A list of "monkey" documents "_id"s - :param domain_name: The admin's domain name + :param domain_name: The admins' domain name :return: A list of formatted machines names *domain*\*hostname*, to use in shared admins issues. """ From cf9656068bfad60e4cd93902d4e63a2b385520a8 Mon Sep 17 00:00:00 2001 From: itaymmguardicore <30774653+itaymmguardicore@users.noreply.github.com> Date: Mon, 5 Nov 2018 16:48:32 +0200 Subject: [PATCH 117/117] Update monkey/monkey_island/cc/services/pth_report.py Co-Authored-By: MaorCore <39161867+MaorCore@users.noreply.github.com> --- monkey/monkey_island/cc/services/pth_report.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monkey/monkey_island/cc/services/pth_report.py b/monkey/monkey_island/cc/services/pth_report.py index 3ae19cf17..6a0138c4f 100644 --- a/monkey/monkey_island/cc/services/pth_report.py +++ b/monkey/monkey_island/cc/services/pth_report.py @@ -62,7 +62,7 @@ class PTHReportService(object): @staticmethod def __strong_users_on_crit_query(): """ - This function build and query the mongoDB for users that mimikatz was able to find cached NTLM hash and + This function build and query the mongoDB for users that mimikatz was able to find cached NTLM hashes and are administrators on machines with services predefined as important services thus making these machines critical. :return: