p15670423
/
monkey
1
0
Fork 5
Code Issues Pull Requests 3 Projects Releases Wiki Activity

Compare commits

base: p15670423:master
Branches Tags
p15670423:master
p15670423:2267-add-services-to-machine
p15670423:develop
p15670423:agent-refactor
p15670423:consolidate-agent-event-handlers
p15670423:jd003
p15670423:zmt001
p15670423:2269-publish-events-from-zerologon
p15670423:2269-update-nodes-on-exploit
p15670423:2269-publish-events-from-smbexec-exploiter
p15670423:2269-publish-events-from-wmi
p15670423:2269-publish-events-from-powershell-exploiter
p15670423:2269-bb-use-new-api-endpoints
p15670423:2260-fix-mypy-victimhost
p15670423:2260-fix-mypy-fingerprintdata
p15670423:2260-fix-mypy-portscandata
p15670423:v1.13.0-documentation-updates
p15670423:add-shellcheck-to-travis-build
p15670423:add-shellcheck-precommit-hook
p15670423:2121-update-legacy-code-to-standard
p15670423:PROTECTED_token_test
p15670423:mike-demo
p15670423:reduce-appimage-size
p15670423:release/1.13.0
p15670423:DO-NOT-DELETE_swimm-system-info-collector
p15670423:release/1.12.0
p15670423:release/1.11.0
p15670423:couchdb-exploit
p15670423:release/1.10.0
p15670423:release/1.9.0
p15670423:release/1.8.0
p15693087:develop
p15693087:jd003
p15693087:zmt001
p15693087:2269-publish-events-from-zerologon
p15693087:2269-update-nodes-on-exploit
p15693087:2267-add-services-to-machine
p15693087:2269-publish-events-from-smbexec-exploiter
p15693087:2269-publish-events-from-wmi
p15693087:2269-publish-events-from-powershell-exploiter
p15693087:consolidate-agent-event-handlers
p15693087:2269-bb-use-new-api-endpoints
p15693087:2260-fix-mypy-victimhost
p15693087:2260-fix-mypy-fingerprintdata
p15693087:2260-fix-mypy-portscandata
p15693087:v1.13.0-documentation-updates
p15693087:add-shellcheck-to-travis-build
p15693087:add-shellcheck-precommit-hook
p15693087:2121-update-legacy-code-to-standard
p15693087:PROTECTED_token_test
p15693087:mike-demo
p15693087:reduce-appimage-size
p15693087:agent-refactor
p15693087:master
p15693087:release/1.13.0
p15693087:DO-NOT-DELETE_swimm-system-info-collector
p15693087:release/1.12.0
p15693087:release/1.11.0
p15693087:couchdb-exploit
p15693087:release/1.10.0
p15693087:release/1.9.0
p15693087:release/1.8.0
p15670423:v1.13.0
p15670423:v1.12.0
p15670423:v1.11.0
p15670423:list
p15670423:v1.10.0
p15670423:v1.9.0
p15670423:v1.8.2
p15670423:v1.8.0
p15670423:v1.7.0
p15670423:1.7.0
p15670423:zero-trust-demo-2
p15670423:zero-trust-demo-1
p15670423:v1.6.3
p15670423:v1.6.2
p15670423:v1.6.2-old
p15670423:infection_monkey_1.6.1_AWS_only
p15670423:1.6
p15670423:1.5.2
p15670423:v1.5.1
p15670423:v1.5
..
compare: p15693087:couchdb-exploit
Branches Tags
p15693087:develop
p15693087:jd003
p15693087:zmt001
p15693087:2269-publish-events-from-zerologon
p15693087:2269-update-nodes-on-exploit
p15693087:2267-add-services-to-machine
p15693087:2269-publish-events-from-smbexec-exploiter
p15693087:2269-publish-events-from-wmi
p15693087:2269-publish-events-from-powershell-exploiter
p15693087:consolidate-agent-event-handlers
p15693087:2269-bb-use-new-api-endpoints
p15693087:2260-fix-mypy-victimhost
p15693087:2260-fix-mypy-fingerprintdata
p15693087:2260-fix-mypy-portscandata
p15693087:v1.13.0-documentation-updates
p15693087:add-shellcheck-to-travis-build
p15693087:add-shellcheck-precommit-hook
p15693087:2121-update-legacy-code-to-standard
p15693087:PROTECTED_token_test
p15693087:mike-demo
p15693087:reduce-appimage-size
p15693087:agent-refactor
p15693087:master
p15693087:release/1.13.0
p15693087:DO-NOT-DELETE_swimm-system-info-collector
p15693087:release/1.12.0
p15693087:release/1.11.0
p15693087:couchdb-exploit
p15693087:release/1.10.0
p15693087:release/1.9.0
p15693087:release/1.8.0
p15670423:master
p15670423:2267-add-services-to-machine
p15670423:develop
p15670423:agent-refactor
p15670423:consolidate-agent-event-handlers
p15670423:jd003
p15670423:zmt001
p15670423:2269-publish-events-from-zerologon
p15670423:2269-update-nodes-on-exploit
p15670423:2269-publish-events-from-smbexec-exploiter
p15670423:2269-publish-events-from-wmi
p15670423:2269-publish-events-from-powershell-exploiter
p15670423:2269-bb-use-new-api-endpoints
p15670423:2260-fix-mypy-victimhost
p15670423:2260-fix-mypy-fingerprintdata
p15670423:2260-fix-mypy-portscandata
p15670423:v1.13.0-documentation-updates
p15670423:add-shellcheck-to-travis-build
p15670423:add-shellcheck-precommit-hook
p15670423:2121-update-legacy-code-to-standard
p15670423:PROTECTED_token_test
p15670423:mike-demo
p15670423:reduce-appimage-size
p15670423:release/1.13.0
p15670423:DO-NOT-DELETE_swimm-system-info-collector
p15670423:release/1.12.0
p15670423:release/1.11.0
p15670423:couchdb-exploit
p15670423:release/1.10.0
p15670423:release/1.9.0
p15670423:release/1.8.0
p15670423:v1.13.0
p15670423:v1.12.0
p15670423:v1.11.0
p15670423:list
p15670423:v1.10.0
p15670423:v1.9.0
p15670423:v1.8.2
p15670423:v1.8.0
p15670423:v1.7.0
p15670423:1.7.0
p15670423:zero-trust-demo-2
p15670423:zero-trust-demo-1
p15670423:v1.6.3
p15670423:v1.6.2
p15670423:v1.6.2-old
p15670423:infection_monkey_1.6.1_AWS_only
p15670423:1.6
p15670423:1.5.2
p15670423:v1.5.1
p15670423:v1.5

1 Commits
master ... couchdb-ex

Author SHA1 Message Date
Ilija Lazoroski 94c2587fee Exploit: Add Apache CouchDB remote code execution exploit 2021-07-22 18:21:04 +02:00
551 changed files with 19217 additions and 14788 deletions
Show Stats Expand all files Collapse all files

1
.flake8
View File

@ -5,7 +5,6 @@ exclude = monkey/monkey_island/cc/ui,vulture_allowlist.py
show-source = True
max-complexity = 10
max-line-length = 100
per-file-ignores = __init__.py:F401
### ignore "whitespace before ':'", "line break before binary operator" for
### compatibility with black, and cyclomatic complexity (for now).

2
.gitignore vendored
View File

@ -85,7 +85,7 @@ MonkeyZoo/*
monkey/logs
# Exported monkey telemetries
/envs/monkey_zoo/blackbox/tests/performance/telemetry_sample/
/monkey/telem_sample/
# Profiling logs
profiler_logs/

3
.gitmodules vendored
View File

@ -1,3 +1,6 @@
[submodule "monkey/monkey_island/cc/services/attack/attack_data"]
path = monkey/monkey_island/cc/services/attack/attack_data
url = https://github.com/guardicore/cti
[submodule "docs/themes/learn"]
path = docs/themes/learn
url = https://github.com/guardicode/hugo-theme-learn.git

4
.pre-commit-config.yaml
View File

@ -44,6 +44,10 @@ repos:
files: "monkey/"
exclude: "monkey/monkey_island/cc/ui"
stages: [push]
- repo: https://github.com/swimmio/pre-commit
rev: v0.2
hooks:
- id: swimm-verify
- repo: https://github.com/jendrikseipp/vulture
rev: v2.3
hooks:

31
.swm/AzD8XysWg1BBXCjCDkfq.swm
View File

@ -17,7 +17,7 @@
"type": "snippet",
"path": "monkey/infection_monkey/config.py",
"comments": [],
"firstLineNumber": 124,
"firstLineNumber": 126,
"lines": [
" exploiter_classes = []",
" system_info_collector_classes = []",
@ -33,18 +33,19 @@
"type": "snippet",
"path": "monkey/infection_monkey/monkey.py",
"comments": [],
"firstLineNumber": 220,
"firstLineNumber": 159,
"lines": [
" if not self._keep_running or not WormConfiguration.alive:",
" break",
" ",
"* machines = self._network.get_victim_machines(",
"* max_find=WormConfiguration.victims_max_find,",
"* stop_callback=ControlClient.check_for_stop,",
"* )",
" is_empty = True",
" for machine in machines:",
" if ControlClient.check_for_stop():"
" if not self._keep_running or not WormConfiguration.alive:",
" break",
"*",
"* machines = self._network.get_victim_machines(",
"* max_find=WormConfiguration.victims_max_find,",
"* stop_callback=ControlClient.check_for_stop,",
"* )",
" is_empty = True",
" for machine in machines:",
" if ControlClient.check_for_stop():"
]
},
{
@ -76,11 +77,11 @@
"symbols": {},
"file_version": "2.0.1",
"meta": {
"app_version": "0.4.9-1",
"app_version": "0.4.1-1",
"file_blobs": {
"monkey/infection_monkey/config.py": "0bede1c57949987f5c8025bd9b8f7aa29d02a6af",
"monkey/infection_monkey/monkey.py": "89d2fa8452dee70f6d2985a9bb452f0159ea8219",
"monkey/monkey_island/cc/services/config_schema/internal.py": "1ce1c864b1df332b65e16b4ce9ed533affd73f9c"
"monkey/infection_monkey/config.py": "ffdea551eb1ae2b65d4700db896c746771e7954c",
"monkey/infection_monkey/monkey.py": "c81a6251746e3af4e93eaa7d50af44d33debe05c",
"monkey/monkey_island/cc/services/config_schema/internal.py": "d03527b89c21dfb832a15e4f7d55f4027d83b453"
}
}
}

16
.swm/JFXftJml8DpmuCPBA9rL.swm
View File

@ -15,6 +15,9 @@
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py",
"comments": [],
"firstLineNumber": 56,
"lines": [
" \"Removes the file afterwards.\",",
" \"attack_techniques\": [\"T1166\"],",
@ -23,7 +26,7 @@
"+ # Swimmer: ADD DETAILS HERE!",
"* \"type\": \"string\",",
"* \"enum\": [\"ScheduleJobs\"],",
"* \"title\": \"Job Scheduling\",",
"* \"title\": \"Job scheduling\",",
"* \"safe\": True,",
"* \"info\": \"Attempts to create a scheduled job on the system and remove it.\",",
"* \"attack_techniques\": [\"T1168\", \"T1053\"],",
@ -31,10 +34,7 @@
" {",
" \"type\": \"string\",",
" \"enum\": [\"Timestomping\"],"
],
"firstLineNumber": 52,
"path": "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py",
"comments": []
]
},
{
"type": "text",
@ -42,11 +42,11 @@
}
],
"symbols": {},
"file_version": "2.0.3",
"file_version": "2.0.1",
"meta": {
"app_version": "0.5.7-0",
"app_version": "0.4.1-1",
"file_blobs": {
"monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "7d62ac36e875ca3c249d808250cb3268e4d3d68d"
"monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "ea9b18aba7f71da12c9c82ac39d8a0cf2c472a9c"
}
}
}

13
.swm/OwcKMnALpn7tuBaJY1US.swm
View File

@ -77,9 +77,10 @@
" \"attack_techniques\": [\"T1082\"],",
" },",
"* {",
"+ # SWIMMER: Collector config goes here. Tip: Hostname collection relates to the T1082 and T1016 techniques.",
"* \"type\": \"string\",",
"* \"enum\": [HOSTNAME_COLLECTOR],",
"* \"title\": \"Hostname Collector\",",
"* \"title\": \"Hostname collector\",",
"* \"safe\": True,",
"* \"info\": \"Collects machine's hostname.\",",
"* \"attack_techniques\": [\"T1082\", \"T1016\"],",
@ -109,7 +110,7 @@
"type": "snippet",
"path": "monkey/monkey_island/cc/services/config_schema/monkey.py",
"comments": [],
"firstLineNumber": 91,
"firstLineNumber": 92,
"lines": [
" \"default\": [",
" ENVIRONMENT_COLLECTOR,",
@ -194,14 +195,14 @@
}
],
"symbols": {},
"file_version": "2.0.3",
"file_version": "2.0.1",
"meta": {
"app_version": "0.5.7-0",
"app_version": "0.4.4-0",
"file_blobs": {
"monkey/common/common_consts/system_info_collectors_names.py": "175a054e1408805a4cebbe27e2f9616db40988cf",
"monkey/infection_monkey/system_info/collectors/hostname_collector.py": "0aeecd9fb7bde83cccd4501ec03e0da199ec5fc3",
"monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py": "072640352fc9d50fe09752cfc951dab7d99271af",
"monkey/monkey_island/cc/services/config_schema/monkey.py": "da06123a95eebf7f0a68861815ee644bb37c8db6",
"monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py": "9a4a39050eb088876df4fa629e14faf820e714a0",
"monkey/monkey_island/cc/services/config_schema/monkey.py": "e745da5828c63e975625ac2e9b80ce9626324970",
"monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/hostname.py": "e2de4519cbd71bba70e81cf3ff61817437d95a21",
"monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/system_info_telemetry_dispatcher.py": "7ce4b6fcfbce0d6cd8a60297213c5be1699b22df"
}

87
.swm/afMu3y3ny5lnrYFWl3EI.swm
View File

@ -1,87 +0,0 @@
{
"id": "afMu3y3ny5lnrYFWl3EI",
"name": "Add a new Post Breach Action (PBA)",
"task": {
"dod": "You should add a new PBA to the Monkey which discovers all user accounts on the machine.",
"tests": [],
"hints": [
"See `ScheduleJobs` PBA for an example of a PBA which only uses shell commands.",
"Make sure to add the PBA to the configuration as well.",
"MITRE ATT&CK technique T1087 articulates that adversaries may attempt to get a listing of accounts on a system or within an environment which can help them determine which accounts can aid in follow-on behavior. Therefore, the AccountDiscovery PBA is relevant to it. Make sure to map this PBA to the MITRE ATT&CK configuration and report."
]
},
"content": [
{
"type": "text",
"text": "Read our [documentation](https://www.guardicore.com/infectionmonkey/docs/development/adding-post-breach-actions/) about adding a new PBA.\n\nAfter that we want you to add the AccountDiscovery PBA. The commands that add users for Windows and Linux can be retrieved from \\`get\\_commands\\_to\\_discover\\_accounts\\` — make sure you see how to use this function correctly.\n\nNote that the PBA should impact the T1087 MITRE technique as well.\n\n**Manual test to confirm**\n--------------------------\n\n1. Run the Monkey Island.\n \n2. Make sure your new PBA is enabled by default in the config. For this test, disable network scanning, exploiting, and all other PBAs.\n \n3. Run the Monkey Agent.\n \n4. See the PBA in the security report and in the MITRE report under the relevant technique."
},
{
"type": "snippet",
"lines": [
" POST_BREACH_JOB_SCHEDULING = \"Schedule jobs\"",
" POST_BREACH_TIMESTOMPING = \"Modify files' timestamps\"",
" POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC = \"Signed script proxy execution\"",
"*POST_BREACH_ACCOUNT_DISCOVERY = \"Account discovery\"",
"+# SWIMMER: Put the new const here!",
" POST_BREACH_CLEAR_CMD_HISTORY = \"Clear command history\""
],
"firstLineNumber": 7,
"path": "monkey/common/common_consts/post_breach_consts.py",
"comments": []
},
{
"type": "snippet",
"lines": [
" ",
" class AccountDiscovery(PBA):",
" def __init__(self):",
"* linux_cmds, windows_cmds = get_commands_to_discover_accounts()",
"+ # SWIMMER: Implement here!",
"* super().__init__(",
"+ pass",
"* POST_BREACH_ACCOUNT_DISCOVERY, linux_cmd=\" \".join(linux_cmds), windows_cmd=windows_cmds",
"* )"
],
"firstLineNumber": 7,
"path": "monkey/infection_monkey/post_breach/actions/discover_accounts.py",
"comments": []
},
{
"type": "snippet",
"lines": [
" \"with the help of a pre-existing signed script.\",",
" \"attack_techniques\": [\"T1216\"],",
" },",
"* {",
"+ # SWIMMER: Add details here!",
"* \"type\": \"string\",",
"* \"enum\": [\"AccountDiscovery\"],",
"* \"title\": \"Account Discovery\",",
"* \"safe\": True,",
"* \"info\": \"Attempts to get a listing of user accounts on the system.\",",
"* \"attack_techniques\": [\"T1087\"],",
"* },",
" {",
" \"type\": \"string\",",
" \"enum\": [\"ClearCommandHistory\"],"
],
"firstLineNumber": 80,
"path": "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py",
"comments": []
},
{
"type": "text",
"text": "Many PBAs use shell commands or scripts — see `Timestomping` and `AccountDiscovery`.\n\nOn the other hand, some are less straightforward. You can override functions and implement new classes depending on what is required, to implement complicated PBAs — see `SignedScriptProxyExecution` and `ModifyShellStartupFiles`. \n \n\nThis PBA, along with the others, will run on a system after it has been breached. The purpose of this code is to test whether target systems allow attackers to gather details about all the user accounts that are present on a system or in an environment."
}
],
"symbols": {},
"file_version": "2.0.3",
"meta": {
"app_version": "0.5.7-0",
"file_blobs": {
"monkey/common/common_consts/post_breach_consts.py": "01d31448269e5581dbe0176c289f7dd36cc5854f",
"monkey/infection_monkey/post_breach/actions/discover_accounts.py": "8fdebd0df97655e4cba3aebcdcf3c5ed1d1b6cbd",
"monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "88a3e8cb59fb0d1c07c9487bcb4eaab7b8087d84"
}
}
}

122
.swm/tbxb2cGgUiJQ8Btma0fp.swm Normal file
View File

@ -0,0 +1,122 @@
{
"id": "tbxb2cGgUiJQ8Btma0fp",
"name": "Add a simple Post Breach action",
"task": {
"dod": "You should add a new PBA to the Monkey which creates a new user on the machine.",
"tests": [],
"hints": [
"See `ScheduleJobs` PBA for an example of a PBA which only uses shell commands.",
"Make sure to add the PBA to the configuration as well.",
"MITRE ATT&CK technique T1136 articulates that adversaries may create an account to maintain access to victim systems, therefore, the BackdoorUser PBA is relevant to it. Make sure to map this PBA to the MITRE ATT&CK configuration and report."
]
},
"content": [
{
"type": "text",
"text": "Read [our documentation about adding a new PBA](https://www.guardicore.com/infectionmonkey/docs/development/adding-post-breach-actions/).\n\nAfter that we want you to add the BackdoorUser PBA. The commands that add users for Win and Linux can be retrieved from `get_commands_to_add_user` - make sure you see how to use this function correctly. \n\nNote that the PBA should impact the T1136 MITRE technique as well! \n\n# Manual test to confirm\n\n1. Run the Monkey Island\n2. Make sure your new PBA is enabled by default in the config - for this test, disable network scanning, exploiting, and all other PBAs\n3. Run Monkey\n4. See the PBA in the security report\n5, See the PBA in the MITRE report in the relevant technique\n"
},
{
"type": "snippet",
"path": "monkey/common/common_consts/post_breach_consts.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" POST_BREACH_COMMUNICATE_AS_NEW_USER = \"Communicate as new user\"",
"*POST_BREACH_BACKDOOR_USER = \"Backdoor user\"",
"+# Swimmer: PUT THE NEW CONST HERE!",
" POST_BREACH_FILE_EXECUTION = \"File execution\"",
" POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION = \"Modify shell startup file\"",
" POST_BREACH_HIDDEN_FILES = \"Hide files and directories\""
]
},
{
"type": "snippet",
"path": "monkey/infection_monkey/post_breach/actions/add_user.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
"*from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER",
"*from infection_monkey.config import WormConfiguration",
"*from infection_monkey.post_breach.pba import PBA",
"*from infection_monkey.utils.random_password_generator import get_random_password",
"*from infection_monkey.utils.users import get_commands_to_add_user",
"*",
"*",
"*class BackdoorUser(PBA):",
"* def __init__(self):",
"* random_password = get_random_password()",
"*",
"* linux_cmds, windows_cmds = get_commands_to_add_user(",
"* WormConfiguration.user_to_add, random_password",
"* )",
"*",
"* super(BackdoorUser, self).__init__(",
"* POST_BREACH_BACKDOOR_USER, linux_cmd=\" \".join(linux_cmds), windows_cmd=windows_cmds",
"* )"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" from common.common_consts.post_breach_consts import (",
"* POST_BREACH_BACKDOOR_USER,",
" POST_BREACH_COMMUNICATE_AS_NEW_USER,",
" )"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py",
"comments": [],
"firstLineNumber": 12,
"lines": [
" unscanned_msg = \"Monkey didn't try creating a new user on the network's systems.\"",
" scanned_msg = \"Monkey tried creating a new user on the network's systems, but failed.\"",
" used_msg = \"Monkey created a new user on the network's systems.\"",
"* pba_names = [POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER]",
"+ pba_names = [POST_BREACH_COMMUNICATE_AS_NEW_USER]"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py",
"comments": [],
"firstLineNumber": 5,
"lines": [
" \"might do after breaching a new machine. Used in ATT&CK and Zero trust reports.\",",
" \"type\": \"string\",",
" \"anyOf\": [",
"* {",
"+ # Swimmer: Add new PBA here to config!",
"* \"type\": \"string\",",
"* \"enum\": [\"BackdoorUser\"],",
"* \"title\": \"Back door user\",",
"* \"safe\": True,",
"* \"info\": \"Attempts to create a new user on the system and delete it afterwards.\",",
"* \"attack_techniques\": [\"T1136\"],",
"* },",
" {",
" \"type\": \"string\",",
" \"enum\": [\"CommunicateAsNewUser\"],"
]
},
{
"type": "text",
"text": "Take a look at the configuration of the island again - see the \"command to run after breach\" option we offer the user? It's implemented exactly like you did right now but each user can do it for themselves. \n\nHowever, what if the PBA needs to do stuff which is more complex than just running a few commands? In that case... "
}
],
"symbols": {},
"file_version": "2.0.1",
"meta": {
"app_version": "0.4.4-0",
"file_blobs": {
"monkey/common/common_consts/post_breach_consts.py": "25e6679cb1623aae1a732deb05cc011a452743e3",
"monkey/infection_monkey/post_breach/actions/add_user.py": "26b048a492fcb6d319fc0c01d2f4a0bd302ecbc8",
"monkey/monkey_island/cc/services/attack/technique_reports/T1136.py": "dfc5945a362b88c1135f4476526c6c82977b02ee",
"monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "086dc85693ae02ddfa106099245c0f155139805c"
}
}
}

7
.travis.yml
View File

@ -80,10 +80,9 @@ script:
# verify swimm
- cd $TRAVIS_BUILD_DIR
- curl -L https://github.com/swimmio/SwimmReleases/releases/latest/download/packed-swimm-linux-cli --output swimm-cli
- chmod u+x swimm-cli
- ./swimm-cli --version
- ./swimm-cli verify
- curl -L https://github.com/swimmio/SwimmReleases/releases/download/v0.5.0-0/swimm-cli.js --output swimm_cli
- node swimm_cli --version
- node swimm_cli verify
after_success:
# Upload code coverage results to codecov.io, see https://github.com/codecov/codecov-bash for more information

152
CHANGELOG.md
View File

@ -1,146 +1,60 @@
# Changelog
All notable changes to this project will be documented in this
file.
All notable changes to this project will be documented in this file.
The format is based on [Keep a
Changelog](https://keepachangelog.com/en/1.0.0/).
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## [1.13.0] - 2022-01-25
### Added
- A new exploiter that allows propagation via the Log4Shell vulnerability
(CVE-2021-44228). #1663
### Fixed
- Exploiters attempting to start servers listening on privileged ports,
resulting in failed propagation. 8f53a5c
## [1.12.0] - 2021-10-27
### Added
- A new exploiter that allows propagation via PowerShell Remoting. #1246
- A warning regarding antivirus when agent binaries are missing. #1450
- A deployment.json file to store the deployment type. #1205
### Changed
- The name of the "Communicate as new user" post-breach action to "Communicate
as backdoor user". #1410
- Resetting login credentials also cleans the contents of the database. #1495
- ATT&CK report messages (more accurate now). #1483
- T1086 (PowerShell) now also reports if ps1 scripts were run by PBAs. #1513
- ATT&CK report messages to include internal config options as reasons
for unscanned attack techniques. #1518
### Removed
- Internet access check on agent start. #1402
- The "internal.monkey.internet_services" configuration option that enabled
internet access checks. #1402
- Disused traceroute binaries. #1397
- "Back door user" post-breach action. #1410
- Stale code in the Windows system info collector that collected installed
packages and WMI info. #1389
- Insecure access feature in the Monkey Island. #1418
- The "deployment" field from the server_config.json. #1205
- The "Execution through module load" ATT&CK technique,
since it can no longer be exercise with current code. #1416
- Browser window pop-up when Monkey Island starts on Windows. #1428
### Fixed
- Misaligned buttons and input fields on exploiter and network configuration
pages. #1353
- Credentials shown in plain text on configuration screens. #1183
- Crash when unexpected character encoding is used by ping command on German
language systems. #1175
- Malfunctioning timestomping PBA. #1405
- Malfunctioning shell startup script PBA. #1419
- Trap command produced no output. #1406
- Overlapping Guardicore logo in the landing page. #1441
- PBA table collapse in security report on data change. #1423
- Unsigned Windows agent binaries in Linux packages are now signed. #1444
- Some of the gathered credentials no longer appear in plaintext in the
database. #1454
- Encryptor breaking with UTF-8 characters. (Passwords in different languages
can be submitted in the config successfully now.) #1490
- Mimikatz collector no longer fails if Azure credential collector is disabled.
#1512, #1493
- Unhandled error when "modify shell startup files PBA" is unable to find
regular users. #1507
- ATT&CK report bug that showed different techniques' results under a technique
if the PBA behind them was the same. #1514
- ATT&CK report bug that said that the technique "`.bash_profile` and
`.bashrc`" was not attempted when it actually was attempted but failed. #1511
- Bug that periodically cleared the telemetry table's filter. #1392
- Crashes, stack traces, and other malfunctions when data from older versions
of Infection Monkey is present in the data directory. #1114
- Broken update links. #1524
### Security
- Generate a random password when creating a new user for CommunicateAsNewUser
PBA. #1434
- Credentials gathered from victim machines are no longer stored plaintext in
the database. #1454
- Encrypt the database key with user's credentials. #1463
## [1.11.0] - 2021-08-13
## [Unreleased]
### Added
- PostgreSQL fingerprinter. #892
- A runtime-configurable option to specify a data directory where runtime
configuration and other artifacts can be stored. #994
- Scripts to build an AppImage for Monkey Island. #1069, #1090, #1136, #1381
- Scripts to build an AppImage for Monkey Island. #1069, #1090, #1136
- `log_level` option to server config. #1151
- A ransomware simulation payload. #1238
- The capability for a user to specify their own SSL certificate. #1208
- API endpoint for ransomware report. #1297
- A ransomware report. #1240
- A script to build a docker image locally. #1140
- Add ransomware report. #1240
### Changed
- Select server_config.json at runtime. #963
- Select Logger configuration at runtime. #971
- Select `mongo_key.bin` file location at runtime. #994
- Store Monkey agents in the configurable data_dir when monkey is "run from the
- island". #997
- Reformat all code using black. #1070
- Sort all imports using isort. #1081
- Address all flake8 issues. #1071
- server_config.json can be selected at runtime. #963
- Logger configuration can be selected at runtime. #971
- `mongo_key.bin` file location can be selected at runtime. #994
- Monkey agents are stored in the configurable data_dir when monkey is "run
from the island". #997
- Reformated all code using black. #1070
- Sorted all imports usind isort. #1081
- Addressed all flake8 issues. #1071
- Use pipenv for python dependency management. #1091
- Move unit tests to a dedicated `tests/` directory to improve pytest collection
time. #1102
- Skip BB performance tests by default. Run them if `--run-performance-tests`
flag is specified.
- Write Zerologon exploiter's runtime artifacts to a secure temporary directory
- Moved unit tests to a dedicated `tests/` directory to improve pytest
collection time. #1102
- Default BB test suite behavior: if `--run-performance-tests` flag is not
specified, performance tests are skipped.
- Zerologon exploiter writes runtime artifacts to a secure temporary directory
instead of $HOME. #1143
- Put environment config options in `server_config.json` into a separate
section named "environment". #1161
- Automatically register if BlackBox tests are run on a fresh
installation. #1180
- Limit the ports used for scanning in blackbox tests. #1368
- Limit the propagation depth of most blackbox tests. #1400
- Wait less time for monkeys to die when running BlackBox tests. #1400
- Improve the structure of unit tests by scoping fixtures only to relevant
modules instead of having a one huge fixture file. #1178
- Improve and rename the directory structure of unit tests and unit test
infrastructure. #1178
- Launch MongoDB when the Island starts via python. #1148
- Create/check data directory on Island initialization. #1170
- Format some log messages to make them more readable. #1283
- Improve runtime of some unit tests. #1125
- Run curl OR wget (not both) when attempting to communicate as a new user on
Linux. #1407
- Authentication mechanism to use bcrypt on server side. #1139
- `server_config.json` puts environment config options in a separate section
named "environment". #1161
- BlackBox tests can now register if they are ran on a fresh installation. #1180
- Improved the structure of unit tests by scoping fixtures only to relevant modules
instead of having a one huge fixture file, improved and renamed the directory
structure of unit tests and unit test infrastructure. #1178
- MongoDb now gets launched by the Island via python. #1148
- Create/check data directory on Island init. #1170
- The formatting of some log messages to make them more readable. #1283
- Some unit tests to run faster. #1125
### Removed
- Relevant dead code as reported by Vulture. #1149
- Island logger config and --logger-config CLI option. #1151
### Fixed
- Attempt to delete a directory when monkey config reset was called. #1054
- Attempted to delete a directory when monkey config reset was called. #1054
- An errant space in the windows commands to run monkey manually. #1153
- Gevent tracebacks in console output. #859
- Crash and failure to run PBAs if max depth reached. #1374
- gevent tracebacks in console output. #859
### Security
- Address minor issues discovered by Dlint. #1075
- Hash passwords on server-side instead of client side. #1139
- Generate random passwords when creating a new user (create user PBA, ms08_67
exploit). #1174
- Generate random passwords when creating a new user (create user PBA, ms08_67 exploit). #1174
- Implemented configuration encryption/decryption. #1189, #1204
- Create local custom PBA directory with secure permissions. #1270
- Create encryption key file for MongoDB with secure permissions. #1232

0
build_scripts/appimage/.gitignore → appimage/.gitignore vendored
View File

2
build_scripts/appimage/AppRun → appimage/AppRun
View File

@ -25,7 +25,5 @@ do
fi
done
export PYTHONNOUSERSITE=1
(PYTHONHOME="${APPDIR}/opt/python3.7" exec "${APPDIR}/opt/python3.7/bin/python3.7" "${APPDIR}/usr/src/monkey_island.py" $@)
exit "$?"

35
appimage/README.md Normal file
View File

@ -0,0 +1,35 @@
# Monkey Island AppImage
## About
This directory contains the necessary artifacts for building an Infection
Monkey AppImage
## Building an AppImage
1. Create a clean VM or LXC (not docker!) based on Ubuntu 18.04.
1. Copy the `deployment_scripts/appimage` directory to `$HOME/` in the VM.
1. Run `sudo -v`.
1. On the VM, `cd $HOME/appimage`
1. Execute `./build_appimage.sh`. This will pull all necessary dependencies
and build the AppImage.
NOTE: This script is intended to be run from a clean VM. You can also manually
remove build artifacts by removing the following files and directories.
- $HOME/.monkey_island (optional)
- $HOME/appimage/squashfs-root
- $HOME/git/monkey
- $HOME/appimage/Infection_Monkey*x86_64.AppImage
After removing the above files and directories, you can again execute `bash
build_appimage.sh`.
## Running the AppImage
The build script will produce an AppImage executible named
`Infection_Monkey-x86_64.AppImage`. Simply execute this file and you're off to
the races.
A new directory, `$HOME/.monkey_island` will be created to store runtime
artifacts.

368
appimage/build_appimage.sh Executable file
View File

@ -0,0 +1,368 @@
#!/bin/bash
WORKSPACE=${WORKSPACE:-$HOME}
APPDIR="$PWD/squashfs-root"
INSTALL_DIR="$APPDIR/usr/src"
GIT=$WORKSPACE/git
DEFAULT_REPO_MONKEY_HOME=$GIT/monkey
ISLAND_PATH="$INSTALL_DIR/monkey_island"
MONGO_PATH="$ISLAND_PATH/bin/mongodb"
ISLAND_BINARIES_PATH="$ISLAND_PATH/cc/binaries"
MONKEY_ORIGIN_URL="https://github.com/guardicore/monkey.git"
CONFIG_URL="https://raw.githubusercontent.com/guardicore/monkey/develop/deployment_scripts/config"
NODE_SRC=https://deb.nodesource.com/setup_12.x
APP_TOOL_URL=https://github.com/AppImage/AppImageKit/releases/download/12/appimagetool-x86_64.AppImage
PYTHON_VERSION="3.7.11"
PYTHON_APPIMAGE_URL="https://github.com/niess/python-appimage/releases/download/python3.7/python${PYTHON_VERSION}-cp37-cp37m-manylinux1_x86_64.AppImage"
exit_if_missing_argument() {
if [ -z "$2" ] || [ "${2:0:1}" == "-" ]; then
echo "Error: Argument for $1 is missing" >&2
exit 1
fi
}
echo_help() {
echo "usage: build_appimage.sh [--help] [--agent-binary-dir <PATH>] [--branch <BRANCH>]"
echo " [--monkey-repo <PATH>] [--version <MONKEY_VERSION>]"
echo ""
echo "Creates an AppImage package for Infection Monkey."
echo ""
echo "--agent-binary-dir A directory containing the agent binaries that"
echo " you'd like to include with the AppImage. If this"
echo " parameter is unspecified, the latest release"
echo " binaries will be downloaded from GitHub."
echo ""
echo "--as-root Throw caution to the wind and allow this script"
echo " to be run as root."
echo ""
echo "--branch The git branch you'd like the AppImage to be"
echo " built from. (Default: develop)"
echo ""
echo "--monkey-repo A directory containing the Infection Monkey git"
echo " repository. If the directory is empty or does"
echo " not exist, a new repo will be cloned from GitHub."
echo " If the directory is already a valid GitHub repo,"
echo " it will be used as-is and the --branch parameter"
echo " will have no effect."
echo " (Default: $DEFAULT_REPO_MONKEY_HOME)"
echo ""
echo "--version A version number for the AppImage package."
echo " (Default: dev)"
exit 0
}
is_root() {
return "$(id -u)"
}
has_sudo() {
# 0 true, 1 false
sudo -nv > /dev/null 2>&1
return $?
}
handle_error() {
echo "Fix the errors above and rerun the script"
exit 1
}
log_message() {
echo -e "\n\n"
echo -e "APPIMAGE BUILDER: $1"
}
install_nodejs() {
log_message "Installing nodejs"
curl -sL $NODE_SRC | sudo -E bash -
sudo apt-get install -y nodejs
}
install_build_prereqs() {
sudo apt-get update
sudo apt-get upgrade -y
# monkey island prereqs
sudo apt-get install -y curl libcurl4 openssl git build-essential moreutils
install_nodejs
}
install_appimage_tool() {
log_message "Installing appimagetool"
APP_TOOL_BIN=$WORKSPACE/bin/appimagetool
mkdir -p "$WORKSPACE"/bin
curl -L -o "$APP_TOOL_BIN" "$APP_TOOL_URL"
chmod u+x "$APP_TOOL_BIN"
PATH=$PATH:$WORKSPACE/bin
}
is_valid_git_repo() {
pushd "$1" 2>/dev/null || return 1
git status >/dev/null 2>&1
success="$?"
popd || exit 1
return $success
}
clone_monkey_repo() {
local repo_dir=$1
local branch=$2
if [[ ! -d "$repo_dir" ]]; then
mkdir -p "$repo_dir"
fi
log_message "Cloning files from git"
git clone --single-branch --recurse-submodules -b "$branch" "$MONKEY_ORIGIN_URL" "$repo_dir" 2>&1 || handle_error
}
setup_appdir() {
local agent_binary_dir=$1
local monkey_repo=$2
setup_python_37_appdir
copy_monkey_island_to_appdir "$monkey_repo"/monkey
add_agent_binaries_to_appdir "$agent_binary_dir"
install_monkey_island_python_dependencies
install_mongodb
generate_ssl_cert
build_frontend
add_monkey_icon "$monkey_repo"/monkey
add_desktop_file
add_apprun
}
setup_python_37_appdir() {
PYTHON_APPIMAGE="python${PYTHON_VERSION}_x86_64.AppImage"
rm -rf "$APPDIR" || true
log_message "downloading Python3.7 Appimage"
curl -L -o "$PYTHON_APPIMAGE" "$PYTHON_APPIMAGE_URL"
chmod u+x "$PYTHON_APPIMAGE"
./"$PYTHON_APPIMAGE" --appimage-extract
rm "$PYTHON_APPIMAGE"
mkdir -p "$INSTALL_DIR"
}
copy_monkey_island_to_appdir() {
cp "$1"/__init__.py "$INSTALL_DIR"
cp "$1"/monkey_island.py "$INSTALL_DIR"
cp -r "$1"/common "$INSTALL_DIR/"
cp -r "$1"/monkey_island "$INSTALL_DIR/"
cp ./server_config.json.standard "$INSTALL_DIR"/monkey_island/cc/
# TODO: This is a workaround that may be able to be removed after PR #848 is
# merged. See monkey_island/cc/environment_singleton.py for more information.
cp ./server_config.json.standard "$INSTALL_DIR"/monkey_island/cc/server_config.json
}
install_monkey_island_python_dependencies() {
log_message "Installing island requirements"
log_message "Installing pipenv"
"$APPDIR"/AppRun -m pip install pipenv || handle_error
requirements_island="$ISLAND_PATH/requirements.txt"
generate_requirements_from_pipenv_lock "$requirements_island"
log_message "Installing island python requirements"
"$APPDIR"/AppRun -m pip install -r "${requirements_island}" --ignore-installed || handle_error
}
generate_requirements_from_pipenv_lock () {
log_message "Generating a requirements.txt file with 'pipenv lock -r'"
cd "$ISLAND_PATH" || exit 1
"$APPDIR"/AppRun -m pipenv --python "$APPDIR/AppRun" lock -r > "$1" || handle_error
cd - || exit 1
}
add_agent_binaries_to_appdir() {
if [ -z "$1" ]; then
download_monkey_agent_binaries_to_appdir
else
copy_agent_binaries_to_appdir "$1"
fi
make_linux_binaries_executable
}
download_monkey_agent_binaries_to_appdir() {
log_message "Downloading monkey agent binaries to ${ISLAND_BINARIES_PATH}"
load_monkey_binary_config
mkdir -p "${ISLAND_BINARIES_PATH}" || handle_error
curl -L -o "${ISLAND_BINARIES_PATH}/${LINUX_32_BINARY_NAME}" "${LINUX_32_BINARY_URL}"
curl -L -o "${ISLAND_BINARIES_PATH}/${LINUX_64_BINARY_NAME}" "${LINUX_64_BINARY_URL}"
curl -L -o "${ISLAND_BINARIES_PATH}/${WINDOWS_32_BINARY_NAME}" "${WINDOWS_32_BINARY_URL}"
curl -L -o "${ISLAND_BINARIES_PATH}/${WINDOWS_64_BINARY_NAME}" "${WINDOWS_64_BINARY_URL}"
}
copy_agent_binaries_to_appdir() {
cp "$1"/* "$ISLAND_BINARIES_PATH/"
}
make_linux_binaries_executable() {
chmod a+x "$ISLAND_BINARIES_PATH"/monkey-linux-*
}
load_monkey_binary_config() {
tmpfile=$(mktemp)
log_message "Downloading prebuilt binary configuration"
curl -L -s -o "$tmpfile" "$CONFIG_URL"
log_message "Loading configuration"
source "$tmpfile"
}
install_mongodb() {
log_message "Installing MongoDB"
mkdir -p "$MONGO_PATH"
"${ISLAND_PATH}"/linux/install_mongo.sh "${MONGO_PATH}" || handle_error
}
generate_ssl_cert() {
log_message "Generating certificate"
chmod u+x "${ISLAND_PATH}"/linux/create_certificate.sh
"${ISLAND_PATH}"/linux/create_certificate.sh "${ISLAND_PATH}"/cc
}
build_frontend() {
pushd "$ISLAND_PATH/cc/ui" || handle_error
log_message "Generating front end"
npm ci
npm run dist
popd || handle_error
remove_node_modules
}
remove_node_modules() {
# Node has served its purpose. We don't need to deliver the node modules with
# the AppImage.
rm -rf "$ISLAND_PATH"/cc/ui/node_modules
}
add_monkey_icon() {
unlink "$APPDIR"/python.png
mkdir -p "$APPDIR"/usr/share/icons
cp "$1"/monkey_island/cc/ui/src/images/monkey-icon.svg "$APPDIR"/usr/share/icons/infection-monkey.svg
ln -s "$APPDIR"/usr/share/icons/infection-monkey.svg "$APPDIR"/infection-monkey.svg
}
add_desktop_file() {
unlink "$APPDIR/python${PYTHON_VERSION}.desktop"
cp ./infection-monkey.desktop "$APPDIR"/usr/share/applications
ln -s "$APPDIR"/usr/share/applications/infection-monkey.desktop "$APPDIR"/infection-monkey.desktop
}
add_apprun() {
cp ./AppRun "$APPDIR"
}
build_appimage() {
log_message "Building AppImage"
ARCH="x86_64" appimagetool "$APPDIR"
apply_version_to_appimage "$1"
}
apply_version_to_appimage() {
log_message "Renaming Infection_Monkey-x86_64.AppImage -> Infection_Monkey-$1-x86_64.AppImage"
mv "Infection_Monkey-x86_64.AppImage" "Infection_Monkey-$1-x86_64.AppImage"
}
agent_binary_dir=""
as_root=false
branch="develop"
monkey_repo="$DEFAULT_REPO_MONKEY_HOME"
monkey_version="dev"
while (( "$#" )); do
case "$1" in
--agent-binary-dir)
exit_if_missing_argument "$1" "$2"
agent_binary_dir=$2
shift 2
;;
--as-root)
as_root=true
shift
;;
--branch)
exit_if_missing_argument "$1" "$2"
branch=$2
shift 2
;;
-h|--help)
echo_help
;;
--monkey-repo)
exit_if_missing_argument "$1" "$2"
monkey_repo=$2
shift 2
;;
--version)
exit_if_missing_argument "$1" "$2"
monkey_version=$2
shift 2
;;
*)
echo "Error: Unsupported parameter $1" >&2
exit 1
;;
esac
done
log_message "Building Monkey Island AppImage package."
if ! $as_root && is_root; then
log_message "Please don't run this script as root"
exit 1
fi
if ! has_sudo; then
log_message "You need root permissions for some of this script operations. \
Run \`sudo -v\`, enter your password, and then re-run this script."
exit 1
fi
install_build_prereqs
install_appimage_tool
if ! is_valid_git_repo "$monkey_repo"; then
clone_monkey_repo "$monkey_repo" "$branch"
fi
setup_appdir "$agent_binary_dir" "$monkey_repo"
build_appimage "$monkey_version"
log_message "AppImage build script finished."
exit 0

9
build_scripts/appimage/clean.sh → appimage/clean.sh
View File

@ -3,10 +3,7 @@
# This is a utility script to clean up after a failed or successful AppImage build
# in order to speed up development and debugging.
APPIMAGE_DIR="$(realpath $(dirname $BASH_SOURCE[0]))"
rm -rf "$HOME/git/monkey"
rm -rf "$HOME/.monkey_island"
rm -rf "$APPIMAGE_DIR/squashfs-root"
rm "$APPIMAGE_DIR"/Infection_Monkey*.AppImage
rm "$APPIMAGE_DIR/../dist/InfectionMonkey*.AppImage"
rm -rf "$HOME/appimage/squashfs-root"
rm -rf "$HOME/git/monkey"
rm $HOME/appimage/Infection_Monkey*x86_64.AppImage

4
build_scripts/appimage/infection-monkey.desktop → appimage/infection-monkey.desktop
View File

@ -1,8 +1,8 @@
[Desktop Entry]
Type=Application
Name=InfectionMonkey
Name=Infection Monkey
Exec=bash
Comment=An automated breach and attack simulation platform
Icon=monkey-icon
Icon=infection-monkey
Categories=Development;
Terminal=true

3
build_scripts/appimage/server_config.json.standard → appimage/server_config.json.standard
View File

@ -2,7 +2,8 @@
"data_dir": "~/.monkey_island",
"log_level": "DEBUG",
"environment": {
"server_config": "password"
"server_config": "password",
"deployment": "standard"
},
"mongodb": {
"start_mongodb": true

46
build_scripts/README.md
View File

@ -1,46 +0,0 @@
# Infection Monkey Linux Package Builder
## About
This directory contains the necessary artifacts for building an Infection
Monkey packages for Linux.
## AppImage
### Building an AppImage
1. Create a clean VM or LXC (not docker!) based on Ubuntu 18.04.
1. Copy the `build_scipts/` directory to `$HOME/` in the VM.
1. On the VM, `cd $HOME/build_scripts`
1. Run `sudo -v`.
1. Execute `./build_appimage.sh`. This will pull all necessary dependencies
and build the AppImage.
NOTE: This script is intended to be run from a clean VM. You can also manually
remove build artifacts by running `appimage/clean.sh`
### Running the AppImage
The build script will produce an AppImage executable named
`./dist/Infection_Monkey-x86_64.AppImage`. Simply execute this file and you're off to
the races.
A new directory, `$HOME/.monkey_island` will be created to store runtime
artifacts.
## Docker
### Building a Docker image
1. Create a clean Ubuntu 18.04 VM (not WSL).
1. Copy the `build_scipts/` directory to `$HOME/` in the VM.
1. On the VM, `cd $HOME/build_scripts`
1. Run `sudo -v`.
1. Execute `./build_docker.sh --package docker`. This will pull all necessary dependencies
and build the Docker image.
NOTE: This script is intended to be run from a clean VM. You can also manually
remove build artifacts by running `docker/clean.sh`
### Running the Docker Image
The build script will produce a `.tgz` file in `./dist/`. See
`docker/DOCKER_README.md` for instructions on running the docker image.

135
build_scripts/appimage/appimage.sh
View File

@ -1,135 +0,0 @@
#!/bin/bash
LINUXDEPLOY_URL="https://github.com/linuxdeploy/linuxdeploy/releases/download/continuous/linuxdeploy-x86_64.AppImage"
PYTHON_VERSION="3.7.12"
PYTHON_APPIMAGE_URL="https://github.com/niess/python-appimage/releases/download/python3.7/python${PYTHON_VERSION}-cp37-cp37m-manylinux1_x86_64.AppImage"
APPIMAGE_DIR="$(realpath $(dirname $BASH_SOURCE[0]))"
APPDIR="$APPIMAGE_DIR/squashfs-root"
BUILD_DIR="$APPDIR/usr/src"
ICON_PATH="$BUILD_DIR/monkey_island/cc/ui/src/images/monkey-icon.svg"
MONGO_PATH="$BUILD_DIR/monkey_island/bin/mongodb"
source "$APPIMAGE_DIR/../common.sh"
install_package_specific_build_prereqs() {
log_message "Installing linuxdeploy"
WORKSPACE_BIN_DIR="$1/bin"
LINUXDEPLOY_BIN="$WORKSPACE_BIN_DIR/linuxdeploy"
mkdir -p "$WORKSPACE_BIN_DIR"
curl -L -o "$LINUXDEPLOY_BIN" "$LINUXDEPLOY_URL"
chmod u+x "$LINUXDEPLOY_BIN"
PATH=$PATH:$WORKSPACE_BIN_DIR
}
setup_build_dir() {
local agent_binary_dir=$1
local monkey_repo=$2
local deployment_type=$3
pushd $APPIMAGE_DIR
setup_python_37_appdir
mkdir -p "$BUILD_DIR"
copy_monkey_island_to_build_dir "$monkey_repo/monkey" "$BUILD_DIR"
copy_server_config_to_build_dir
modify_deployment "$deployment_type" "$BUILD_DIR"
add_agent_binaries_to_build_dir "$agent_binary_dir" "$BUILD_DIR"
install_monkey_island_python_dependencies
install_mongodb
generate_ssl_cert "$BUILD_DIR"
build_frontend "$BUILD_DIR"
remove_python_appdir_artifacts
popd
}
setup_python_37_appdir() {
PYTHON_APPIMAGE="python${PYTHON_VERSION}_x86_64.AppImage"
log_message "downloading Python3.7 Appimage"
curl -L -o "$PYTHON_APPIMAGE" "$PYTHON_APPIMAGE_URL"
chmod u+x "$PYTHON_APPIMAGE"
"./$PYTHON_APPIMAGE" --appimage-extract
rm "$PYTHON_APPIMAGE"
}
copy_server_config_to_build_dir() {
cp "$APPIMAGE_DIR"/server_config.json.standard "$BUILD_DIR"/monkey_island/cc/server_config.json
}
install_monkey_island_python_dependencies() {
log_message "Installing island requirements"
log_message "Installing pipenv"
"$APPDIR"/AppRun -m pip install pipenv || handle_error
requirements_island="$BUILD_DIR/monkey_island/requirements.txt"
generate_requirements_from_pipenv_lock "$requirements_island"
log_message "Installing island python requirements"
"$APPDIR"/AppRun -m pip install -r "${requirements_island}" --ignore-installed || handle_error
}
generate_requirements_from_pipenv_lock () {
local requirements_island=$1
log_message "Generating a requirements.txt file with 'pipenv lock -r'"
pushd "$BUILD_DIR/monkey_island"
"$APPDIR"/AppRun -m pipenv --python "$APPDIR/AppRun" lock -r > "$requirements_island" || handle_error
popd
}
install_mongodb() {
log_message "Installing MongoDB"
mkdir -p "$MONGO_PATH"
"$BUILD_DIR/monkey_island/linux/install_mongo.sh" "${MONGO_PATH}" || handle_error
}
remove_python_appdir_artifacts() {
rm "$APPDIR"/python.png
rm "$APPDIR"/python*.desktop
rm "$APPDIR"/AppRun
}
build_package() {
local commit_id=$2
local dist_dir=$3
log_message "Building AppImage"
if [ -n "$1" ]; then
local version="v$1"
else
local version="$commit_id"
fi
pushd "$APPIMAGE_DIR"
ARCH="x86_64" linuxdeploy \
--appdir "$APPIMAGE_DIR/squashfs-root" \
--icon-file "$ICON_PATH" \
--desktop-file "$APPIMAGE_DIR/infection-monkey.desktop" \
--custom-apprun "$APPIMAGE_DIR/AppRun" \
--deploy-deps-only="$MONGO_PATH/bin/mongod"\
--output appimage
dst_name="InfectionMonkey-$version.AppImage"
move_package_to_dist_dir $dist_dir $dst_name
popd
}
move_package_to_dist_dir() {
mv Infection*Monkey*.AppImage "$1/$2"
}

3
build_scripts/build_appimage.sh
View File

@ -1,3 +0,0 @@
#!/bin/bash
./build_package.sh --package appimage $@

3
build_scripts/build_docker.sh
View File

@ -1,3 +0,0 @@
#!/bin/bash
./build_package.sh --package docker $@

205
build_scripts/build_package.sh
View File

@ -1,205 +0,0 @@
WORKSPACE=${WORKSPACE:-$HOME}
DEFAULT_REPO_MONKEY_HOME=$WORKSPACE/git/monkey
MONKEY_ORIGIN_URL="https://github.com/guardicore/monkey.git"
NODE_SRC=https://deb.nodesource.com/setup_12.x
BUILD_SCRIPTS_DIR="$(realpath $(dirname $BASH_SOURCE[0]))"
DIST_DIR="$BUILD_SCRIPTS_DIR/dist"
log_message() {
echo -e "\n\n"
echo -e "MONKEY ISLAND BUILDER: $1"
}
exit_if_missing_argument() {
if [ -z "$2" ] || [ "${2:0:1}" == "-" ]; then
echo "Error: Argument for $1 is missing" >&2
exit 1
fi
}
echo_help() {
echo "usage: build_package.sh [--help] [--agent-binary-dir <PATH>] [--branch <BRANCH>]"
echo " [--monkey-repo <PATH>] [--version <MONKEY_VERSION>]"
echo " [--deployment <DEPLOYMENT_TYPE>]"
echo ""
echo "Creates a package for Infection Monkey."
echo ""
echo "--agent-binary-dir A directory containing the agent binaries that"
echo " you'd like to include with the package. If this"
echo " parameter is unspecified, the latest release"
echo " binaries will be downloaded from GitHub."
echo ""
echo "--as-root Throw caution to the wind and allow this script"
echo " to be run as root."
echo ""
echo "--branch The git branch you'd like the package to be"
echo " built from. (Default: develop)"
echo ""
echo "--monkey-repo A directory containing the Infection Monkey git"
echo " repository. If the directory is empty or does"
echo " not exist, a new repo will be cloned from GitHub."
echo " If the directory is already a valid GitHub repo,"
echo " it will be used as-is and the --branch parameter"
echo " will have no effect."
echo " (Default: $DEFAULT_REPO_MONKEY_HOME)"
echo ""
echo "--version A version number for the package."
echo ""
echo "--deployment A deployment type for the package."
echo " (Default: develop)"
echo ""
echo "--package Which package to build (\"appimage\" or \"docker.\")"
exit 0
}
is_root() {
return "$(id -u)"
}
has_sudo() {
# 0 true, 1 false
sudo -nv > /dev/null 2>&1
return $?
}
handle_error() {
echo "Fix the errors above and rerun the script"
exit 1
}
install_nodejs() {
log_message "Installing nodejs"
curl -sL $NODE_SRC | sudo -E bash -
sudo apt-get install -y nodejs
}
is_valid_git_repo() {
pushd "$1" 2>/dev/null || return 1
git status >/dev/null 2>&1
success="$?"
popd || exit 1
return $success
}
clone_monkey_repo() {
local repo_dir=$1
local branch=$2
if [[ ! -d "$repo_dir" ]]; then
mkdir -p "$repo_dir"
fi
log_message "Cloning files from git"
git clone -c core.autocrlf=false --single-branch --recurse-submodules -b "$branch" "$MONKEY_ORIGIN_URL" "$repo_dir" 2>&1 || handle_error
}
install_build_prereqs() {
sudo apt-get update
sudo apt-get upgrade -y
# monkey island prereqs
sudo apt-get install -y curl libcurl4 openssl git build-essential moreutils
install_nodejs
}
agent_binary_dir=""
as_root=false
branch="develop"
monkey_repo="$DEFAULT_REPO_MONKEY_HOME"
monkey_version=""
package=""
deployment_type=""
while (( "$#" )); do
case "$1" in
--agent-binary-dir)
exit_if_missing_argument "$1" "$2"
agent_binary_dir=$2
shift 2
;;
--as-root)
as_root=true
shift
;;
--branch)
exit_if_missing_argument "$1" "$2"
branch=$2
shift 2
;;
-h|--help)
echo_help
;;
--monkey-repo)
exit_if_missing_argument "$1" "$2"
monkey_repo=$2
shift 2
;;
--version)
exit_if_missing_argument "$1" "$2"
monkey_version=$2
shift 2
;;
--deployment)
exit_if_missing_argument "$1" "$2"
deployment_type=$2
shift 2
;;
--package)
exit_if_missing_argument "$1" "$2"
package=$2
shift 2
;;
*)
echo "Error: Unsupported parameter $1" >&2
exit 1
;;
esac
done
if ! [[ $package =~ ^(appimage|docker)$ ]]; then
log_message "Invalid package: $package."
exit 1
fi
if ! $as_root && is_root; then
log_message "Please don't run this script as root"
exit 1
fi
if ! has_sudo; then
log_message "You need root permissions for some of this script operations. \
Run \`sudo -v\`, enter your password, and then re-run this script."
exit 1
fi
log_message "Building Monkey Island: $package"
source "./$package/$package.sh"
if ! is_valid_git_repo "$monkey_repo"; then
clone_monkey_repo "$monkey_repo" "$branch"
fi
if [ ! -d "$DIST_DIR" ]; then
mkdir "$DIST_DIR"
fi
install_build_prereqs
install_package_specific_build_prereqs "$WORKSPACE"
setup_build_dir "$agent_binary_dir" "$monkey_repo" "$deployment_type"
commit_id=$(get_commit_id "$monkey_repo")
build_package "$monkey_version" "$commit_id" "$DIST_DIR"
log_message "Finished building package: $package"
exit 0

100
build_scripts/common.sh
View File

@ -1,100 +0,0 @@
CONFIG_URL="https://raw.githubusercontent.com/guardicore/monkey/develop/deployment_scripts/config"
copy_monkey_island_to_build_dir() {
local src=$1
local build_dir=$2
cp "$src"/__init__.py "$build_dir"
cp "$src"/monkey_island.py "$build_dir"
cp -r "$src"/common "$build_dir/"
rsync \
-ar \
--exclude=monkey_island/cc/ui/node_modules \
--exclude=monkey_island/cc/ui/.npm \
"$src"/monkey_island "$build_dir/"
}
modify_deployment() {
if [ -n "$1" ]; then
local deployment_file_path="$2/monkey_island/cc/deployment.json"
echo -e "{\n \"deployment\": \"$1\"\n}" > $deployment_file_path
fi
}
add_agent_binaries_to_build_dir() {
local agent_binary_dir=$1
local island_binaries_path="$2/monkey_island/cc/binaries/"
if [ -z "$agent_binary_dir" ]; then
download_monkey_agent_binaries $island_binaries_path
else
copy_agent_binaries_to_build_dir "$agent_binary_dir" "$island_binaries_path"
fi
make_linux_binaries_executable "$island_binaries_path"
}
download_monkey_agent_binaries() {
local island_binaries_path=$1
log_message "Downloading monkey agent binaries to ${island_binaries_path}"
load_monkey_binary_config
mkdir -p "${island_binaries_path}" || handle_error
curl -L -o "${island_binaries_path}/${LINUX_32_BINARY_NAME}" "${LINUX_32_BINARY_URL}"
curl -L -o "${island_binaries_path}/${LINUX_64_BINARY_NAME}" "${LINUX_64_BINARY_URL}"
curl -L -o "${island_binaries_path}/${WINDOWS_32_BINARY_NAME}" "${WINDOWS_32_BINARY_URL}"
curl -L -o "${island_binaries_path}/${WINDOWS_64_BINARY_NAME}" "${WINDOWS_64_BINARY_URL}"
}
load_monkey_binary_config() {
tmpfile=$(mktemp)
log_message "Downloading prebuilt binary configuration"
curl -L -s -o "$tmpfile" "$CONFIG_URL"
log_message "Loading configuration"
source "$tmpfile"
}
copy_agent_binaries_to_build_dir() {
cp "$1"/* "$2/"
}
make_linux_binaries_executable() {
chmod a+x "$1"/monkey-linux-*
}
generate_ssl_cert() {
local island_path="$1/monkey_island"
log_message "Generating certificate"
chmod u+x "$island_path"/linux/create_certificate.sh
"$island_path"/linux/create_certificate.sh "$island_path"/cc
}
build_frontend() {
local ui_dir="$1/monkey_island/cc/ui"
pushd "$ui_dir" || handle_error
log_message "Generating front end"
npm ci
npm run dist
popd || handle_error
remove_node_modules "$ui_dir"
}
remove_node_modules() {
# Node has served its purpose. We don't need to deliver the node modules with
# the package.
rm -rf "$1/node_modules"
rm -rf "$1/.npm"
}
get_commit_id() {
local monkey_repo=$1
echo $(git -C "$monkey_repo" rev-parse --short HEAD)
}

3
build_scripts/docker/.gitignore vendored
View File

@ -1,3 +0,0 @@
dk.monkeyisland*.tar
infection_monkey_docker_*.tgz
tgz/

4
build_scripts/docker/DOCKER_README.md
View File

@ -1,4 +0,0 @@
# Infection Monkey
For instructions on setting up the Infection Monkey Docker container, see
[https://www.guardicore.com/infectionmonkey/docs/setup/docker/](https://www.guardicore.com/infectionmonkey/docs/setup/docker/).

28
build_scripts/docker/Dockerfile
View File

@ -1,28 +0,0 @@
# Install python dependencies using the bitnami/python:3.7 image, which includes
# development dependencies.
FROM bitnami/python:3.7 as builder
COPY ./monkey /monkey
WORKDIR /monkey
RUN virtualenv .
RUN . bin/activate && \
cd monkey_island && \
pip install pipenv && \
pipenv sync
# Build the final application using the bitnami/python:3.7-prod image, which
# does not include development dependencies.
FROM bitnami/python:3.7-prod
RUN apt-get update && apt-get install -y iputils-ping && apt-get clean
COPY --from=builder /monkey /monkey
WORKDIR /monkey
EXPOSE 5000
EXPOSE 5001
ENV MONKEY_DOCKER_CONTAINER=true
RUN groupadd -r monkey-island && useradd --no-log-init -r -g monkey-island monkey-island
RUN chmod 444 /monkey/monkey_island/cc/server.key
RUN chmod 444 /monkey/monkey_island/cc/server.csr
RUN chmod 444 /monkey/monkey_island/cc/server.crt
RUN mkdir /monkey_island_data && chmod 700 /monkey_island_data && chown -R monkey-island:monkey-island /monkey_island_data
USER monkey-island
ENTRYPOINT ["/monkey/entrypoint.sh"]

14
build_scripts/docker/clean.sh
View File

@ -1,14 +0,0 @@
#!/bin/bash
# This is a utility script to clean up after a failed or successful Docker
# image build in order to speed up development and debugging
DOCKER_DIR="$(realpath $(dirname $BASH_SOURCE[0]))"
rm -rf "$HOME/git/monkey"
rm -rf "$DOCKER_DIR/monkey"
rm -rf "$DOCKER_DIR/tgz"
rm "$DOCKER_DIR"/dk.monkeyisland.*.tar
rm "$DOCKER_DIR"/infection_monkey_docker*.tgz
rm "$DOCKER_DIR"/../dist/infection_monkey_docker*.tgz

76
build_scripts/docker/docker.sh
View File

@ -1,76 +0,0 @@
DOCKER_DIR="$(realpath $(dirname $BASH_SOURCE[0]))"
source "$DOCKER_DIR/../common.sh"
install_package_specific_build_prereqs() {
sudo apt-get install -y docker.io
}
setup_build_dir() {
local agent_binary_dir=$1
local monkey_repo=$2
local build_dir=$DOCKER_DIR/monkey
mkdir "$build_dir"
copy_entrypoint_to_build_dir "$build_dir"
copy_monkey_island_to_build_dir "$monkey_repo/monkey" "$build_dir"
copy_server_config_to_build_dir "$build_dir"
modify_deployment "$deployment_type" "$build_dir"
add_agent_binaries_to_build_dir "$agent_binary_dir" "$build_dir"
generate_ssl_cert "$build_dir"
build_frontend "$build_dir"
}
copy_entrypoint_to_build_dir() {
cp "$DOCKER_DIR"/entrypoint.sh "$1"
chmod 755 "$1/entrypoint.sh"
}
copy_server_config_to_build_dir() {
cp "$DOCKER_DIR"/server_config.json "$1"/monkey_island/cc
}
build_package() {
local version=$1
local commit_id=$2
local dist_dir=$3
pushd ./docker
if [ -n "$1" ]; then
version="v$version"
else
version="$commit_id"
fi
docker_image_name="guardicore/monkey-island:$version"
tar_name="$DOCKER_DIR/InfectionMonkey-docker-$version.tar"
build_docker_image_tar "$docker_image_name" "$tar_name"
tgz_name="$DOCKER_DIR/InfectionMonkey-docker-$version.tgz"
build_docker_image_tgz "$tar_name" "$tgz_name"
move_package_to_dist_dir $tgz_name $dist_dir
popd
}
build_docker_image_tar() {
sudo docker build . -t "$1"
sudo docker save "$1" > "$2"
}
build_docker_image_tgz() {
mkdir tgz
mv "$1" ./tgz
cp ./DOCKER_README.md ./tgz/README.md
tar -C ./tgz -cvf "$2" --gzip .
}
move_package_to_dist_dir() {
mv "$1" "$2/"
}

6
build_scripts/docker/entrypoint.sh
View File

@ -1,6 +0,0 @@
#!/bin/bash
echo "$@"
source /monkey/bin/activate
python /monkey/monkey_island.py "$@"

10
build_scripts/docker/server_config.json
View File

@ -1,10 +0,0 @@
{
"data_dir": "/monkey_island_data",
"log_level": "DEBUG",
"environment": {
"server_config": "password"
},
"mongodb": {
"start_mongodb": false
}
}

4
deployment_scripts/config
View File

@ -37,6 +37,10 @@ export WINDOWS_32_BINARY_URL="https://github.com/guardicore/monkey/releases/down
export WINDOWS_64_BINARY_NAME="monkey-windows-64.exe"
export WINDOWS_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/monkey-windows-64.exe"
# Other binaries for monkey
export TRACEROUTE_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/traceroute64"
export TRACEROUTE_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/traceroute32"
export SAMBACRY_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/sc_monkey_runner64.so"
export SAMBACRY_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/sc_monkey_runner32.so"

2
deployment_scripts/config.ps1
View File

@ -24,6 +24,8 @@ $SAMBA_32_BINARY_URL = $MONKEY_DOWNLOAD_URL + "sc_monkey_runner32.so"
$SAMBA_32_BINARY_NAME = "sc_monkey_runner32.so"
$SAMBA_64_BINARY_URL = $MONKEY_DOWNLOAD_URL + "sc_monkey_runner64.so"
$SAMBA_64_BINARY_NAME = "sc_monkey_runner64.so"
$TRACEROUTE_64_BINARY_URL = $MONKEY_DOWNLOAD_URL + "traceroute64"
$TRACEROUTE_32_BINARY_URL = $MONKEY_DOWNLOAD_URL + "traceroute32"
# Other directories and paths ( most likely you dont need to configure)
$MONKEY_ISLAND_DIR = Join-Path "\monkey" -ChildPath "monkey_island"

10
deployment_scripts/deploy_linux.sh
View File

@ -227,6 +227,16 @@ else
curl -o ${MONKEY_BIN_DIR}/sc_monkey_runner64.so ${SAMBACRY_64_BINARY_URL}
curl -o ${MONKEY_BIN_DIR}/sc_monkey_runner32.so ${SAMBACRY_32_BINARY_URL}
fi
# Download traceroute binaries
log_message "Downloading traceroute binaries"
# shellcheck disable=SC2086
if exists wget; then
wget -c -N -P "${MONKEY_BIN_DIR}" ${TRACEROUTE_64_BINARY_URL}
wget -c -N -P "${MONKEY_BIN_DIR}" ${TRACEROUTE_32_BINARY_URL}
else
curl -o ${MONKEY_BIN_DIR}/traceroute64 ${TRACEROUTE_64_BINARY_URL}
curl -o ${MONKEY_BIN_DIR}/traceroute32 ${TRACEROUTE_32_BINARY_URL}
fi
# Download Swimm
log_message "Downloading swimm"

65
deployment_scripts/dump_attack_mitigations/attack_mitigations.py
View File

@ -1,65 +0,0 @@
from typing import Dict
from mongoengine import Document, EmbeddedDocument, EmbeddedDocumentField, ListField, StringField
from stix2 import AttackPattern, CourseOfAction
class Mitigation(EmbeddedDocument):
name = StringField(required=True)
description = StringField(required=True)
url = StringField()
@staticmethod
def get_from_stix2_data(mitigation: CourseOfAction):
name = mitigation["name"]
description = mitigation["description"]
url = get_stix2_external_reference_url(mitigation)
return Mitigation(name=name, description=description, url=url)
class AttackMitigations(Document):
technique_id = StringField(required=True, primary_key=True)
mitigations = ListField(EmbeddedDocumentField("Mitigation"))
def add_mitigation(self, mitigation: CourseOfAction):
mitigation_external_ref_id = get_stix2_external_reference_id(mitigation)
if mitigation_external_ref_id.startswith("M"):
self.mitigations.append(Mitigation.get_from_stix2_data(mitigation))
def add_no_mitigations_info(self, mitigation: CourseOfAction):
mitigation_external_ref_id = get_stix2_external_reference_id(mitigation)
if mitigation_external_ref_id.startswith("T") and len(self.mitigations) == 0:
mitigation_mongo_object = Mitigation.get_from_stix2_data(mitigation)
mitigation_mongo_object["description"] = mitigation_mongo_object[
"description"
].splitlines()[0]
mitigation_mongo_object["url"] = ""
self.mitigations.append(mitigation_mongo_object)
@staticmethod
def dict_from_stix2_attack_patterns(stix2_dict: Dict[str, AttackPattern]):
return {
key: AttackMitigations.mitigations_from_attack_pattern(attack_pattern)
for key, attack_pattern in stix2_dict.items()
}
@staticmethod
def mitigations_from_attack_pattern(attack_pattern: AttackPattern):
return AttackMitigations(
technique_id=get_stix2_external_reference_id(attack_pattern),
mitigations=[],
)
def get_stix2_external_reference_url(stix2_data) -> str:
for reference in stix2_data["external_references"]:
if "url" in reference:
return reference["url"]
return ""
def get_stix2_external_reference_id(stix2_data) -> str:
for reference in stix2_data["external_references"]:
if reference["source_name"] == "mitre-attack" and "external_id" in reference:
return reference["external_id"]
return ""

184
deployment_scripts/dump_attack_mitigations/dump_attack_mitigations.py
View File

@ -1,184 +0,0 @@
import argparse
import json
import subprocess
import time
from pathlib import Path
from typing import Dict, List
import mongoengine
import pymongo
from attack_mitigations import AttackMitigations
from bson import json_util
from stix2 import AttackPattern, CourseOfAction, FileSystemSource, Filter
COLLECTION_NAME = "attack_mitigations"
def main():
args = parse_args()
set_default_mongo_connection(args.database_name, args.mongo_host, args.mongo_port)
mongo_client = pymongo.MongoClient(host=args.mongo_host, port=args.mongo_port)
database = mongo_client.get_database(args.database_name)
clean_collection(database)
populate_attack_mitigations(database, Path(args.cti_repo))
dump_attack_mitigations(database, Path(args.cti_repo), Path(args.dump_file_path))
def parse_args():
parser = argparse.ArgumentParser(
description="Export attack mitigations from a database",
formatter_class=argparse.ArgumentDefaultsHelpFormatter,
)
parser.add_argument(
"--mongo_host", default="localhost", help="URL for mongo database.", required=False
)
parser.add_argument(
"--mongo-port",
action="store",
default=27017,
type=int,
help="Port for mongo database.",
required=False,
)
parser.add_argument(
"--database-name",
action="store",
default="monkeyisland",
help="Database name inside of mongo.",
required=False,
)
parser.add_argument(
"--cti-repo",
action="store",
default="attack_mitigations",
help="The path to the Cyber Threat Intelligence Repository.",
required=True,
)
parser.add_argument(
"--dump-file-path",
action="store",
default="./attack_mitigations.json",
help="A file path where the database dump will be saved.",
required=False,
)
return parser.parse_args()
def set_default_mongo_connection(database_name: str, host: str, port: int):
mongoengine.connect(db=database_name, host=host, port=port)
def clean_collection(database: pymongo.database.Database):
if collection_exists(database, COLLECTION_NAME):
database.drop_collection(COLLECTION_NAME)
def collection_exists(database: pymongo.database.Database, collection_name: str) -> bool:
return collection_name in database.list_collection_names()
def populate_attack_mitigations(database: pymongo.database.Database, cti_repo: Path):
database.create_collection(COLLECTION_NAME)
attack_data_path = cti_repo / "enterprise-attack"
stix2_mitigations = get_all_mitigations(attack_data_path)
mongo_mitigations = AttackMitigations.dict_from_stix2_attack_patterns(
get_all_attack_techniques(attack_data_path)
)
mitigation_technique_relationships = get_technique_and_mitigation_relationships(
attack_data_path
)
for relationship in mitigation_technique_relationships:
mongo_mitigations[relationship["target_ref"]].add_mitigation(
stix2_mitigations[relationship["source_ref"]]
)
for relationship in mitigation_technique_relationships:
mongo_mitigations[relationship["target_ref"]].add_no_mitigations_info(
stix2_mitigations[relationship["source_ref"]]
)
for key, mongo_object in mongo_mitigations.items():
mongo_object.save()
def get_all_mitigations(attack_data_path: Path) -> Dict[str, CourseOfAction]:
file_system = FileSystemSource(attack_data_path)
mitigation_filter = [Filter("type", "=", "course-of-action")]
all_mitigations = file_system.query(mitigation_filter)
all_mitigations = {mitigation["id"]: mitigation for mitigation in all_mitigations}
return all_mitigations
def get_all_attack_techniques(attack_data_path: Path) -> Dict[str, AttackPattern]:
file_system = FileSystemSource(attack_data_path)
technique_filter = [Filter("type", "=", "attack-pattern")]
all_techniques = file_system.query(technique_filter)
all_techniques = {technique["id"]: technique for technique in all_techniques}
return all_techniques
def get_technique_and_mitigation_relationships(attack_data_path: Path) -> List[CourseOfAction]:
file_system = FileSystemSource(attack_data_path)
technique_filter = [
Filter("type", "=", "relationship"),
Filter("relationship_type", "=", "mitigates"),
]
all_techniques = file_system.query(technique_filter)
return all_techniques
def dump_attack_mitigations(
database: pymongo.database.Database, cti_repo: Path, dump_file_path: Path
):
if not collection_exists(database, COLLECTION_NAME):
raise Exception(f"Could not find collection: {COLLECTION_NAME}")
metadata = get_metadata(cti_repo)
data = get_data_from_database(database)
json_output = f'{{"metadata":{json.dumps(metadata)},"data":{json_util.dumps(data)}}}'
with open(dump_file_path, "wb") as jsonfile:
jsonfile.write(json_output.encode())
def get_metadata(cti_repo: Path) -> dict:
timestamp = str(time.time())
commit_hash = get_commit_hash(cti_repo)
origin_url = get_origin_url(cti_repo)
return {"timestamp": timestamp, "commit_hash": commit_hash, "origin_url": origin_url}
def get_commit_hash(cti_repo: Path) -> str:
return run_command(["git", "rev-parse", "--short", "HEAD"], cti_repo).strip()
def get_origin_url(cti_repo: Path) -> str:
return run_command(["git", "remote", "get-url", "origin"], cti_repo).strip()
def run_command(cmd: List, cwd: Path = None) -> str:
cp = subprocess.run(cmd, capture_output=True, cwd=cwd, encoding="utf-8")
if cp.returncode != 0:
raise Exception(
f"Error running command -- Command: {cmd} -- Return Code: {cp.returncode} -- stderr: "
f"{cp.stderr}"
)
return cp.stdout
def get_data_from_database(database: pymongo.database.Database) -> pymongo.cursor.Cursor:
collection = database.get_collection(COLLECTION_NAME)
collection_contents = collection.find()
return collection_contents
if __name__ == "__main__":
main()

13
deployment_scripts/dump_attack_mitigations/requirements.txt
View File

@ -1,13 +0,0 @@
antlr4-python3-runtime==4.8
certifi==2021.5.30
charset-normalizer==2.0.6
idna==3.2
mongoengine==0.23.1
pymongo==3.12.0
pytz==2021.1
requests==2.26.0
simplejson==3.17.5
six==1.16.0
stix2==3.0.1
stix2-patterns==1.3.2
urllib3==1.26.7

205
docs/content/FAQ/_index.md
View File

@ -8,10 +8,7 @@ pre: "<i class='fas fa-question'></i> "
Below are some of the most common questions we receive about the Infection Monkey. If the answer you're looking for isn't here, talk with us [on our Slack channel](https://infectionmonkey.slack.com/join/shared_invite/enQtNDU5MjAxMjg1MjU1LWM0NjVmNWE2ZTMzYzAxOWJiYmMxMzU0NWU3NmUxYjcyNjk0YWY2MDkwODk4NGMyNDU4NzA4MDljOWNmZWViNDU), email us at [support@infectionmonkey.com](mailto:support@infectionmonkey.com) or [open an issue on GitHub](https://github.com/guardicore/monkey).
- [Where can I get the latest version of the Infection Monkey?](#where-can-i-get-the-latest-version-of-the-infection-monkey)
- [I updated to a new version of the Infection Monkey and I'm being asked to delete my existing data directory. Why?](#i-updated-to-a-new-version-of-the-infection-monkey-and-im-being-asked-to-delete-my-existing-data-directory-why)
- [How can I use an old data directory?](#how-can-i-use-an-old-data-directory)
- [How long does a single Infection Monkey agent run? Is there a time limit?](#how-long-does-a-single-infection-monkey-agent-run-is-there-a-time-limit)
- [Is the Infection Monkey a malware/virus?](#is-the-infection-monkey-a-malwarevirus)
- [Reset/enable the Monkey Island password](#resetenable-the-monkey-island-password)
- [Should I run the Infection Monkey continuously?](#should-i-run-the-infection-monkey-continuously)
- [Which queries does the Infection Monkey perform to the internet exactly?](#which-queries-does-the-infection-monkey-perform-to-the-internet-exactly)
@ -28,7 +25,6 @@ Below are some of the most common questions we receive about the Infection Monke
- [After I've set up Monkey Island, how can I execute the Infection Monkey?](#after-ive-set-up-monkey-island-how-can-i-execute-the-infection-monkey-agent)
- [How can I make the Infection Monkey agents propagate “deeper” into the network?](#how-can-i-make-the-infection-monkey-agent-propagate-deeper-into-the-network)
- [What if the report returns a blank screen?](#what-if-the-report-returns-a-blank-screen)
- [Can I limit how the Infection Monkey propagates through my network?](#can-i-limit-how-the-infection-monkey-propagates-through-my-network)
- [How can I get involved with the project?](#how-can-i-get-involved-with-the-project)
## Where can I get the latest version of the Infection Monkey?
@ -37,127 +33,50 @@ For the latest **stable** release, visit [our downloads page](https://www.guardi
If you want to see what has changed between versions, refer to the [releases page on GitHub](https://github.com/guardicore/monkey/releases). For the latest development version, visit the [develop version on GitHub](https://github.com/guardicore/monkey/tree/develop).
## I updated to a new version of the Infection Monkey and I'm being asked to delete my existing data directory. Why?
The [data directory]({{< ref "/reference/data_directory" >}}) contains the
Infection Monkey's database and other internal
data. For the new version of Infection Monkey to work flawlessly, a data
directory with a compatible structure needs to be set up.
If you would like to save the data gathered from the Monkey's previous runs,
you can make a backup of your [existing data directory]({{< ref
"/reference/data_directory" >}}) before deleting it.
## How can I use an old data directory?
To use the data stored in a data directory from an older version, reinstall the
version of the Monkey Island which matches your data directory's version. Then,
copy the backup of your old data directory to the [appropriate location]({{<
ref "/reference/data_directory" >}}).
## How long does a single Infection Monkey agent run? Is there a time limit?
The Infection Monkey agent shuts off either when it can't find new victims or it has exceeded the quota of victims as defined in the configuration.
## Is the Infection Monkey a malware/virus?
The Infection Monkey is not malware, but it uses similar techniques to safely
simulate malware on your network.
Because of this, the Infection Monkey gets flagged as malware by some antivirus
solutions during installation. If this happens, [verify the integrity of the
downloaded installer](/usage/file-checksums) first. Then, create a new folder
and disable antivirus scan for that folder. Lastly, re-install the Infection
Monkey in the newly created folder.
## Reset/enable the Monkey Island password
{{% notice warning %}}
If you reset the credentials, the database will be cleared. Any findings of the Infection Monkey from previous runs will be lost. <br/><br/>
However, you can save the Monkey's existing configuration by logging in with your current credentials and clicking on the **Export config** button on the configuration page.
{{% /notice %}}
### On Windows and Linux (AppImage)
When you first access the Monkey Island server, you'll be prompted to create an account.
To reset the credentials, edit the `server_config.json` file manually
(located in the [data directory]({{< ref "/reference/data_directory" >}})).
To reset the credentials or enable/disable the authentication,
edit the `server_config.json` file manually
(located in the [data directory](/reference/data_directory)).
In order to reset the credentials, the following edits need to be made:
1. Delete the `user` field. It will look like this:
```json
{
...
"user": "username",
...
}
```
1. Delete the `password_hash` field. It will look like this:
```json
{
...
"password_hash": "$2b$12$d050I/MsR5.F5E15Sm7EkunmmwMkUKaZE0P0tJXG.M9tF.Kmkd342",
...
}
```
1. Delete the `user` field if one exists. It will look like this:
```json
{
...
"user": "username",
...
}
```
1. Delete the `password_hash` field if one exists. It will look like this:
```json
{
...
"password_hash": "$2b$12$d050I/MsR5.F5E15Sm7EkunmmwMkUKaZE0P0tJXG.M9tF.Kmkd342",
...
}
```
1. Set `server_config` to `password`. It should look like this:
```json
{
...
"environment": {
...
"server_config": "password",
...
},
...
}
```
1. Restart the Monkey Island process:
* On Linux, simply kill the Monkey Island process and execute the AppImage.
* On Windows, restart the program.
1. Go to the Monkey Island's URL and create a new account.
If you are still unable to log into Monkey Island after following the above
steps, you can perform a complete factory reset by removing the entire [data
directory]({{< ref "/reference/data_directory" >}}) and then restarting the
Monkey Island process.
### On Docker
When you first access the Monkey Island server, you'll be prompted to create an account.
To reset the credentials, you'll need to perform a complete factory reset:
1. Kill the Monkey Island container:
```bash
sudo docker kill monkey-island
```
1. Kill the MongoDB container:
```bash
sudo docker kill monkey-mongo
```
1. Remove the MongoDB volume:
```bash
sudo docker volume rm db
```
1. Restart the MongoDB container:
```bash
sudo docker run \
--name monkey-mongo \
--network=host \
--volume db:/data/db \
--detach \
mongo:4.2
```
1. Restart the Monkey Island container
```bash
sudo docker run \
--name monkey-island \
--network=host \
guardicore/monkey-island:VERSION
```
1. Go to the Monkey Island's URL and create a new account.
```json
{
...
"environment": {
...
"server_config": "password",
...
},
...
}
```
Then, reset the Monkey Island process.
On Linux, use `sudo systemctl restart monkey-island.service`.
On Windows, restart the program.
Finally, go to the Monkey Island's URL and create a new account.
## Should I run the Infection Monkey continuously?
@ -188,7 +107,7 @@ You can download the Monkey Island's log file directly from the UI. Click the "l
![How to download Monkey Island internal log file](/images/faq/download_log_monkey_island.png "How to download Monkey Island internal log file")
It can also be found as a local file on the Monkey Island server system in the specified
[data directory]({{< ref "/reference/data_directory" >}}).
[data directory](/reference/data_directory).
The log enables you to see which requests were requested from the server and extra logs from the backend logic. The log will contain entries like these:
@ -224,7 +143,7 @@ The logs contain information about the internals of the Infection Monkey agent's
### How do I change the log level of the Monkey Island logger?
The log level of the Monkey Island logger is set in the `log_level` field
in the `server_config.json` file (located in the [data directory]({{< ref "/reference/data_directory" >}})).
in the `server_config.json` file (located in the [data directory](/reference/data_directory)).
Make sure to leave everything else in `server_config.json` unchanged:
```json
@ -294,58 +213,6 @@ This is sometimes caused when Monkey Island is installed with an old version of
- **Linux**: First, uninstall the current version with `sudo apt uninstall mongodb` and then install the latest version using the [official MongoDB manual](https://docs.mongodb.com/manual/administration/install-community/).
- **Windows**: First, remove the MongoDB binaries from the `monkey\monkey_island\bin\mongodb` folder. Download and install the latest version of MongoDB using the [official MongoDB manual](https://docs.mongodb.com/manual/administration/install-community/). After installation is complete, copy the files from the `C:\Program Files\MongoDB\Server\4.2\bin` folder to the `monkey\monkey_island\bin\mongodb folder`. Try to run the Monkey Island again and everything should work.
## Can I limit how the Infection Monkey propagates through my network?
Yes! To limit how the Infection Monkey propagates through your network, you can:
#### Adjust the scan depth
The scan depth limits the number of hops that the Infection Monkey agent will
spread from patient zero. If you set the scan depth to one, the agent will only
reach a single hop from the initially infected machine. Scan depth does not
limit the number of devices, just the number of hops.
- **Example**: In this example, the scan depth is set to two. _Host A_ scans the
network and finds hosts _B, C, D_ and _E_. The Infection Monkey agent
successfully propagates from _Host A_ to _Host C_. Since the scan depth is 2,
the agent will pivot from _Host C_ and continue to scan other machines on the
network. However, if _Host C_ successfully breaches _Host E_, it will not pivot
further nor continue to scan or propagate.
![What is scan depth](/images/faq/propagation_depth_diagram.png "What is scan
depth")
#### Enable or disable scanning the local subnet
You can find the settings that define how the Infection Monkey will scan your
network in `Configuration -> Network`. Each agent will scan its entire local
subnet by default, but you can disable this behavior by unchecking the `Local
network scan` button.
#### Add IPs to the IP allow list
You can specify which hosts you want the Infection Monkey agents to attempt to
scan in the `Configuration -> Network -> Scan target list` section.
#### Add IPs to the IP block list
If there are any hosts on your network that you would like to prevent the
Infection Monkey from scanning or exploiting, you can add them to the list of
"Blocked IPs" in `Configuration -> Network -> Blocked IPs`.
#### Specify max number of victims to find/exploit
Two settings in `Configuration -> Internal -> Monkey` allow you to further
limit the Infection Monkey's propagation:
- **Max victims to find**: This limits the total number of machines that the
Infection Monkey is allowed to scan.
- **Max victims to exploit**: This limits the total number of machines that the
Infection Monkey is allowed to successfully exploit.
## How can I get involved with the project?
Infection Monkey is an open-source project, and we welcome contributions and contributors. Check out the [contribution documentation]({{< ref "/development" >}}) for more information.

2
docs/content/development/_index.md
View File

@ -24,7 +24,7 @@ You can take a look at [our roadmap](https://github.com/guardicore/monkey/projec
### More exploits! 💥
The best way to find weak spots in a network is by attacking it. The [*Adding Exploits*](./adding-exploits/) page will help you add exploits.
The best way to find weak spots in a network is by attacking it. The [exploit template](https://github.com/guardicore/monkey/wiki/Exploit-templates) page will help you add exploits.
It's important to note that the Infection Monkey must be absolutely reliable. Otherwise, no one will use it, so avoid memory corruption exploits unless they're rock solid and focus on the logical vulns such as Shellshock.

105
docs/content/development/adding-exploits.md
View File

@ -1,110 +1,7 @@
---
title: "Adding Exploits"
date: 2020-06-08T19:53:00+03:00
draft: false
draft: true
tags: ["contribute"]
weight: 50
---
## What does this guide cover?
This guide will show you how to add a new _Exploit_ to the Infection Monkey.
An exploit is a sequence of commands that takes advantage of a security vulnerability to gain unauthorized access to a system on your network. If successful, an Infection Monkey agent is released on the exploited system. The result of an attempted exploit is sent back to the Monkey Island as part of the telemetry.
### Do I need a new Exploit?
If all you want to do is execute a shell command, configure the required commands in the Monkey Island's post-breach action (PBA) configuration section or [add a new PBA](../adding-post-breach-actions/). If you would like the Infection Monkey agent to collect specific information, [add a new System Info Collector](../adding-system-info-collectors/).
However, if you have your eye on an interesting CVE that you would like the Infection Monkey to support, you must add a new exploit. Keep reading to learn how to add a new exploit.
## How to add a new Exploit
### Modify the Infection Monkey Agent
The Infection Monkey exploiters are all built in a similar way. Each exploiter class inherits from the [`HostExploiter`](https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/exploit/HostExploiter.py) class, which exposes two interface functions:
* `is_os_supported` - Returns a boolean value denoting whether the victim machine is supported by the exploiter (for example, returns `False` on Windows victim machines for the `SSHExploiter`). This can be used to thoroughly inspect a potential victim machine and decide whether to attempt the exploit on that particular machine (for example, by checking for open services matching specific versions).
* `exploit_host` - Exploits the host and returns a boolean value indicating whether or not the exploit was successful.
#### Adding a new exploiter
In the [Infection Monkey's exploit directory](https://github.com/guardicore/monkey/tree/develop/monkey/infection_monkey/exploit), add the **exploit's logic** by defining a new class that inherits from [`HostExploiter`](https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/exploit/HostExploiter.py). If your new exploit is a web RCE (remote code execution) exploit, inherit from [`WebRCE`](https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/exploit/web_rce.py).
```py
from infection_monkey.exploit.HostExploiter import HostExploiter
class MyNewExploiter(HostExploiter):
...
```
A good example of an exploiter class is the [`SSHExploiter`](https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/exploit/sshexec.py). The [Drupal exploiter is a recently added web RCE exploit](https://github.com/guardicore/monkey/pull/808) that is a good reference as well.
### Modify the Monkey Island
#### Configuration
1. Add your **exploiter's description** to the [configuration schema](https://github.com/guardicore/monkey/blob/develop/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py).
```py
...
{
"type": "string",
"enum": ["SmbExploiter"],
"title": "SMB Exploiter",
"safe": True,
"attack_techniques": ["T1110", "T1075", "T1035"],
"info": "Brute forces using credentials provided by user and hashes gathered by mimikatz.",
"link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/smbexec/",
},
{
"type": "string", <=================================
"enum": ["MyNewExploiter"], <=================================
"title": "My New Exploiter", <=================================
"safe": True, <=================================
"attack_techniques": [], <=================================
"info": "Information about your new exploiter.", <=================================
"link": "Link to the documentation page explaining your new exploiter.", <=================================
},
...
```
2. Update the default **list of exploiters** in the [configuration schema](https://github.com/guardicore/monkey/blob/develop/monkey/monkey_island/cc/services/config_schema/basic.py) by adding your new exploiter's class name.
```py
...
"exploiter_classes": {
"title": "Exploiters",
"type": "array",
"uniqueItems": True,
"items": {"$ref": "#/definitions/exploiter_classes"},
"default": [
"SmbExploiter",
...
"DrupalExploiter",
"MyNewExploiter", <=================================
],
}
...
```
#### Reporting
1. In the [report generation pipeline](https://github.com/guardicore/monkey/blob/develop/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py), define how your **exploiter's data** should be processed and displayed in the report. Use the default `ExploitProcessor` or create a custom exploit processor if needed.
```py
class ExploiterDescriptorEnum(Enum):
SMB = ExploiterDescriptor("SmbExploiter", "SMB Exploiter", CredExploitProcessor)
...
ZEROLOGON = ExploiterDescriptor("ZerologonExploiter", "Zerologon Exploiter", ZerologonExploitProcessor)
MYNEWEXPLOITER = ExploitDescriptor("MyNewExploiter", "My New Eexploiter", ExploitProcessor) <=================================
```
2. Describe how the Monkey Island should **display your exploiter's results** by defining the UI contents in the [security report](https://github.com/guardicore/monkey/blob/develop/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js).
### Documentation
**Update the documentation** to explain what your exploiter does in the [documentation framework](https://github.com/guardicore/monkey/blob/develop/docs/content/reference/exploiters/).

10
docs/content/development/adding-post-breach-actions.md
View File

@ -16,7 +16,7 @@ If all you want to do is execute shell commands, then there's no need to add a n
## How to add a new PBA
### Modify the Infection Monkey Agent
### From the Infection Monkey Side
#### Framework
@ -39,11 +39,11 @@ class MyNewPba(PBA):
#### Implementation
If your PBA consists only of simple shell commands, you can reuse the generic PBA by passing the commands into the constructor. See the `account_discovery.py` PBA for reference.
If your PBA consists only of simple shell commands, you can reuse the generic PBA by passing the commands into the constructor. See the `add_user.py` PBA for reference.
Otherwise, you'll need to override the `run` method with your own implementation. See the `communicate_as_backdoor_user.py` PBA for reference. Make sure to send the relevant PostBreachTelem upon success/failure. You can log during the PBA as well.
Otherwise, you'll need to override the `run` method with your own implementation. See the `communicate_as_new_user.py` PBA for reference. Make sure to send the relevant PostBreachTelem upon success/failure. You can log during the PBA as well.
### Modify the Monkey Island
### From the Monkey Island Side
#### Configuration
@ -73,4 +73,4 @@ Now you can choose your PBA when configuring the Infection Monkey on the Monkey
#### Telemetry processing
If you wish to process your PBA telemetry (for example, to analyze it for report data), add a processing function to the `POST_BREACH_TELEMETRY_PROCESSING_FUNCS`, which can be found at `monkey/monkey_island/cc/services/telemetry/processing/post_breach.py`. You can reference the `process_communicate_as_backdoor_user_telemetry` method as an example.
If you wish to process your PBA telemetry (for example, to analyze it for report data), add a processing function to the `POST_BREACH_TELEMETRY_PROCESSING_FUNCS`, which can be found at `monkey/monkey_island/cc/services/telemetry/processing/post_breach.py`. You can reference the `process_communicate_as_new_user_telemetry` method as an example.

6
docs/content/development/adding-system-info-collectors.md
View File

@ -14,9 +14,9 @@ This guide will show you how to create a new _System Info Collector_ for the Inf
If all you want to do is execute a shell command, then there's no need to add a new System Info Collector - just configure the required commands in the Monkey Island's post-breach action (PBA) section! Also, if there is a relevant System Info Collector and you only need to add more information to it, simply expand the existing one. Otherwise, you must add a new System Info Collector.
## How to add a new System Info Collector
## How to add a new System Info Collector
### Modify the Infection Monkey Agent
### From the Monkey Island Side
#### Framework
@ -41,7 +41,7 @@ class MyNewCollector(SystemInfoCollector):
Override the `collect` method with your own implementation. See the `EnvironmentCollector.py` System Info Collector for reference. You can log during collection as well.
### Modify the Monkey Island
### From the Monkey Island Side
#### Configuration

39
docs/content/development/attack_mitigations.md
View File

@ -1,39 +0,0 @@
---
title: "MITRE ATT&CK Mitigations"
date: 2021-09-30T08:18:37+03:00
draft: true
weight: 10
---
{{% notice info %}}
Check out [the documentation for the MITRE ATT&CK techniques as well]({{< ref "/reports/mitre" >}}).
{{% /notice %}}
## Summary
Attack Mitigations are presented in MITRE ATT&CK report. They appear next to
descriptions of attack techniques and suggest steps that can be taken to reduce
the risk of that particular technique being successful in a network. They also
provide links for further reading on https://attack.mitre.org/
The Infection Monkey is shipped with pre-processed information about MITRE
ATT&CK mitigations located at
`monkey/monkey_island/cc/setup/mongo/attack_mitigations.json`. This may need to
be periodically updated as the MITRE ATT&CK framework evolves.
## Updating the MITRE ATT&CK mitigations data
1. Clone the [MITRE Cyber Threat Intelligence
Repository](https://github.com/mitre/cti) or the [Guardicore
fork](https://github.com/guardicore/cti):
```
$ CTI_REPO=$PWD/cti
$ git clone <REPO> $CTI_REPO
```
2. Start a MongoDB v4.2 server.
3. Run the script to generate the `attack_mitigations.json` file:
```
$ cd monkey/deployment_scripts/dump_attack_mitigations
$ pip install -r requirements.txt
$ python dump_attack_mitigations.py --cti-repo $CTI_REPO --dump-file-path ../../monkey/monkey_island/cc/setup/mongo/attack_mitigations.json
```

2
docs/content/development/setup-development-environment.md
View File

@ -10,7 +10,7 @@ tags: ["contribute"]
To set up a development environment using scripts, look at the readme under [`/deployment_scripts`](https://github.com/guardicore/monkey/blob/develop/deployment_scripts). If you want to set it up manually or run into problems, keep reading.
## The Infection Monkey Agent
## Agent
The agent (which we sometimes refer to as the Infection Monkey) is a single Python project under the [`infection_monkey`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey) folder. The Infection Monkey agent was built for Python 3.7. You can get it up and running by setting up a [virtual environment](https://docs.python-guide.org/dev/virtualenvs/) and installing the requirements listed in the [`requirements.txt`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/requirements.txt) inside it.

27
docs/content/reference/data_directory.md
View File

@ -16,30 +16,3 @@ configuration files, etc.
On Linux, the default path is `$HOME/.monkey_island`.
On Windows, the default path is `%AppData%\monkey_island`.
## How do I configure the location of the data directory on Linux?
The location of the data directory is set in the `data_dir` field in the
`server_config.json` file.
1. Create a custom `server_config.json` file and set the `data_dir` field. Its
contents will look like:
```json
{
"log_level": "DEBUG",
"environment": {
"server_config": "password"
},
"mongodb": {
"start_mongodb": true
},
"data_dir": "<PATH_TO_DATA_DIR>"
}
```
1. Start the Infection Monkey with the `--server-config` parameter.
```bash
$ InfectionMonkey-VERSION.AppImage --server-config <PATH_TO_SERVER_CONFIG>
```

37
docs/content/reference/exploiters/Log4Shell.md
View File

@ -1,37 +0,0 @@
---
title: "Log4Shell"
date: 2022-01-12T14:07:23+05:30
draft: false
tags: ["exploit", "linux", "windows"]
---
The Log4Shell exploiter exploits
[CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).
### Description
Some versions of Apache Log4j, a Java logging framework, have a logging feature
called "Message Lookup Substitution" enabled by default. This allows replacing
certain special strings by dynamically-generated strings at the time of
logging. If log messages or log message parameters can be controlled by an
attacker, arbitrary code can be executed. The Log4Shell exploiter takes
advantage of this vulnerability to propagate to a victim machine.
You can learn more about this vulnerability and potential mitigations
[here](https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.15.0_.28Java_8.29).
### Services exploited
The Infection Monkey will attempt to exploit the Log4Shell vulnerability in the
following services:
- Apache Solr
- Apache Tomcat
- Logstash
**Note**: Even if none of these services are running in your environment,
running the Log4Shell exploiter can be a good way to test your IDS/IPS or EDR
solutions. These solutions should detect that the Infection Monkey is attempting
to exploit the Log4Shell vulnerability and raise an appropriate alert.

66
docs/content/reference/exploiters/PowerShell.md
View File

@ -1,66 +0,0 @@
---
title: "PowerShell"
date: 2021-08-24T12:19:21+03:00
draft: false
tags: ["exploit", "windows"]
---
### Description
This exploiter uses brute-force to propagate to a victim through PowerShell
Remoting using Windows Remote Management (WinRM).
See Microsoft's documentation for more on [PowerShell Remoting
Protocol](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1)
and [Windows Remote
Management](https://docs.microsoft.com/en-us/windows/win32/winrm/portal).
##### Credentials used
The PowerShell exploiter can be run from both Linux and Windows attackers. On
Windows attackers, the exploiter has the ability to use the cached username
and/or password from the current user. On both Linux and Windows attackers, the
exploiter uses all combinations of the [user-configured usernames and
passwords]({{< ref "/usage/configuration/basic-credentials" >}}), as well as
and LM or NT hashes that have been collected. Different combinations of
credentials are attempted in the following order:
1. **Cached username and password (Windows attacker only)** - The exploiter will
use the stored credentials of the current user to attempt to log into the
victim machine.
1. **Brute force usernames with blank passwords** - Windows allows you to
configure a user with a blank/empty password. The exploiter will attempt to
log into the victim machine using each username set in the
[configuration]({{< ref "/usage/configuration/basic-credentials" >}}) with a
blank password.
In order for the attacker to connect with a blank password, the victim must
have enabled basic authentication, http and no encryption.
1. **Brute force usernames with cached password (Windows attacker only)** - The
exploiter will attempt to log into the victim machine using each username
set in the [configuration]({{< ref "/usage/configuration/basic-credentials"
>}}) and the current user's cached password.
1. **Brute force usernames and passwords** - The exploiter will attempt to use
all combinations of usernames and passwords that were set in the
[configuration.]({{< ref "/usage/configuration/basic-credentials" >}})
1. **Brute force usernames and LM hashes** - The exploiter will attempt to use
all combinations of usernames that were set in the [configuration]({{< ref
"/usage/configuration/basic-credentials" >}}) and LM hashes that were
collected from any other victims.
1. **Brute force usernames and NT hashes** - The exploiter will attempt to use
all combinations of usernames that were set in the [configuration]({{< ref
"/usage/configuration/basic-credentials" >}}) and NT hashes that were
collected from any other victims.
#### Securing PowerShell Remoting
Information about how to remediate security concerns related to PowerShell
Remoting can be found
[here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).

2
docs/content/reference/exploiters/Zerologon.md
View File

@ -10,7 +10,7 @@ The Zerologon exploiter exploits [CVE-2020-1472](https://cve.mitre.org/cgi-bin/c
### Description
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). The Zerologon exploiter takes advantage of this vulnerability to steal credentials from the domain controller. This allows the Infection Monkey to propagate to the machine using one of the brute force exploiters (for example, the SMB Exploiter).
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).
To download the relevant security update and read more, click [here](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472).

1
docs/content/reference/mitre_techniques.md
View File

@ -18,6 +18,7 @@ In the following table, we list all the MITRE ATT&CK techniques the Infection Mo
| TACTIC | TECHNIQUES |
|--- |--- |
| [Execution](https://attack.mitre.org/tactics/TA0002/) | [Command-line Interface](https://attack.mitre.org/techniques/T1059/) |
| | [Execution Through Module Load](https://attack.mitre.org/techniques/T1129/) |
| | [Execution Through API](https://attack.mitre.org/techniques/T1106/) |
| | [Powershell](https://attack.mitre.org/techniques/T1086/) |
| | [Scripting](https://attack.mitre.org/techniques/T1064/) |

1
docs/content/reports/mitre.md
View File

@ -2,7 +2,6 @@
title: "MITRE ATT&CK report"
description: "Maps the Monkey's actions to the MITRE ATT&CK knowledge base"
date: 2020-06-24T21:17:18+03:00
weight: 3
draft: false
---

49
docs/content/reports/ransomware.md
View File

@ -1,49 +0,0 @@
---
title: "Ransomware report"
date: 2021-08-05T13:23:10+03:00
weight: 4
draft: false
description: "Provides information about ransomware simulation on your network"
---
{{% notice info %}}
Check out [the Infection Monkey's ransomware simulation documentation]({{< ref
"/usage/scenarios/ransomware-simulation" >}}) and [the documentation for other
available reports]({{< ref "/reports" >}}).
{{% /notice %}}
The Infection Monkey can be configured to [simulate a ransomware
attack](/usage/scenarios/ransomware-simulation) on your network. After running,
it generates a **Ransomware Report** that provides you with insight into how
ransomware might behave within your environment.
The report is split into three sections:
- [Breach](#breach)
- [Lateral Movement](#lateral-movement)
- [Attack](#attack)
## Breach
The breach section shows when and where the ransomware infection began.
![Breach](/images/usage/reports/ransomware_report_1_breach.png "Breach")
## Lateral movement
The lateral movement section provides information about how the simulated
ransomware was able to propagate through your network.
![Lateral
Movement](/images/usage/reports/ransomware_report_2_lateral_movement.png
"Lateral Movement")
## Attack
The attack section shows the details of what the simulated ransomware
successfully encrypted, including a list of specific files.
![Attack](/images/usage/reports/ransomware_report_3_attack.png "Attack")

1
docs/content/reports/security.md
View File

@ -1,7 +1,6 @@
---
title: "Security report"
date: 2020-06-24T21:16:10+03:00
weight: 1
draft: false
description: "Provides actionable recommendations and insight into an attacker's view of your network"
---

3
docs/content/reports/zero-trust.md
View File

@ -1,7 +1,6 @@
---
title: "Zero Trust report"
date: 2020-06-24T21:16:18+03:00
weight: 2
draft: false
description: "Generates a status report with detailed explanations of Zero Trust security gaps and prescriptive instructions on how to rectify them"
---
@ -29,7 +28,7 @@ This diagram provides you with a quick glance at how your organization scores on
## Test Results
This section shows how your network fared against each of the tests the Infection Monkey ran. The tests are ordered by Zero Trust pillar, so you can quickly navigate to the category you want to prioritize.
This section shows how your network fared against each of the tests the Infection Monkey ran. The tests are ordered by Zero Trust pillar, so you can quickly navigate to the category you want to prioritize.
![Zero Trust Report test results](/images/usage/reports/ztreport2.png "Zero Trust Report test results")

2
docs/content/setup/accounts-and-security.md
View File

@ -11,6 +11,8 @@ tags: ["usage", "password"]
The first time you launch Monkey Island (the Infection Monkey C&C server), you'll be prompted to create an account and secure your island. After account creation, the server will only be accessible via the credentials you entered.
If you want an island to be accessible without credentials, press *I want anyone to access the island*. Please note that this option is insecure, and you should only use it in development environments.
## Resetting your account credentials
This procedure is documented in [the FAQ]({{< ref "/faq/#how-do-i-reset-the-monkey-island-password" >}}).

7
docs/content/setup/aws.md
View File

@ -24,7 +24,12 @@ When ready, you can browse to the Infection Monkey running on the fresh deployme
`https://{public-ip}:5000`
To login to the machine, use *ubuntu* username.
You will be presented with a login page. Enter the username **monkey**, and the
new EC2 instance's **instance ID** for your password. To find your instance ID,
go to the EC2 console and select your instance. It should appear in the details
pane below.
![AWS instance ID](../../images/setup/aws/aws-instance-id.png "AWS instance ID")
## Integration with AWS services

35
docs/content/setup/docker.md
View File

@ -23,20 +23,16 @@ The Infection Monkey Docker container works on Linux only. It is not compatible
1. Extract the Monkey Island Docker tarball:
```bash
tar -xvzf InfectionMonkey-docker-v1.13.0.tgz
tar -xvzf monkey-island-docker.tar.gz
```
1. Load the Monkey Island Docker image:
```bash
sudo docker load -i InfectionMonkey-docker-v1.13.0.tar
sudo docker load -i dk.monkeyisland.1.10.0.tar
```
### 2. Start MongoDB
{{% notice info %}}
If you are upgrading the Infection Monkey to a new version, be sure to remove
any MongoDB containers or volumes associated with the previous version.
{{% /notice %}}
1. Start a MongoDB Docker container:
@ -60,22 +56,16 @@ been signed by a private certificate authority.
1. Run the Monkey Island server
```bash
sudo docker run \
--tty \
--interactive \
--name monkey-island \
--network=host \
guardicore/monkey-island:v1.13.0
guardicore/monkey-island:1.10.0
```
### 3b. Start Monkey Island with user-provided certificate
{{% notice info %}}
If you are upgrading the Infection Monkey to a new version, be sure to remove
any volumes associated with the previous version.
{{% /notice %}}
1. Create a directory named `monkey_island_data`. If you already have it,
**make sure it's empty**. This will serve as the location where Infection
Monkey stores its configuration and runtime artifacts.
1. Create a directory named `monkey_island_data`. This will serve as the
location where Infection Monkey stores its configuration and runtime
artifacts.
```bash
mkdir ./monkey_island_data
@ -91,7 +81,7 @@ any volumes associated with the previous version.
--network=host \
--user "$(id -u ${USER}):$(id -g ${USER})" \
--volume "$(realpath ./monkey_island_data)":/monkey_island_data \
guardicore/monkey-island:v1.13.0 --setup-only
guardicore/monkey-island:1.10.0 --setup-only
```
1. Move your `.crt` and `.key` files to `./monkey_island_data`.
@ -128,13 +118,11 @@ any volumes associated with the previous version.
```bash
sudo docker run \
--tty \
--interactive \
--name monkey-island \
--network=host \
--user "$(id -u ${USER}):$(id -g ${USER})" \
--volume "$(realpath ./monkey_island_data)":/monkey_island_data \
guardicore/monkey-island:v1.13.0
guardicore/monkey-island:1.10.0
```
### 4. Accessing Monkey Island
@ -144,9 +132,8 @@ After the Monkey Island docker container starts, you can access Monkey Island by
## Upgrading
Currently, there's no "upgrade-in-place" option when a new version is released.
To get an updated version, download it, stop and remove the current Monkey
Island and MongoDB containers and volumes, and run the installation commands
again with the new file.
To get an updated version, download it, stop the current container and run the
installation commands again with the new file.
If you'd like to keep your existing configuration, you can export it to a file
using the *Export config* button and then import it to the new Monkey Island.
@ -165,7 +152,7 @@ to store data in the `monkey-mongo` container.
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xee in position 0: invalid continuation byte
```
Starting a new container from the `guardicore/monkey-island:VERSION` image
Starting a new container from the `guardicore/monkey-island:1.10.0` image
generates a new secret key for storing sensitive information in MongoDB. If you
have an old database instance running (from a previous instance of Infection
Monkey), the data stored in the `monkey-mongo` container has been encrypted

31
docs/content/setup/linux.md
View File

@ -14,38 +14,25 @@ package that contains an application and everything that it may need to run.
The Infection Monkey AppImage package should run on most modern Linux distros that have FUSE
installed, but the ones that we've tested are:
- BlackArch 2020.12.01
- Kali 2021.2
- Parrot 4.11
- Rocky 8
- openSUSE Leap 15.3
- Ubuntu Bionic 18.04
- Ubuntu Focal 20.04
- Ubuntu Hirsute 21.04
On Windows, AppImage can be run in WSL 2.
- CentOS
- Debian
- Kali
- Ubuntu 18.04
- Ubuntu 20.04
## Deployment
1. Make the AppImage package executable:
```bash
chmod u+x InfectionMonkey-v1.13.0.AppImage
chmod u+x Infection_Monkey_v1.11.0.AppImage
```
1. Start Monkey Island by running the Infection Monkey AppImage package:
```bash
./InfectionMonkey-v1.13.0.AppImage
./Infection_Monkey_v1.11.0.AppImage
```
1. Access the Monkey Island web UI by pointing your browser at
`https://localhost:5000`.
{{% notice info %}}
If you're prompted to delete your data directory and you're not sure what to
do, see the [FAQ]({{< ref
"/faq/#i-updated-to-a-new-version-of-the-infection-monkey-and-im-being-asked-to-delete-my-existing-data-directory-why"
>}}) for more information.
{{% /notice %}}
### Start Monkey Island with user-provided certificate
By default, Infection Monkey comes with a [self-signed SSL
@ -59,7 +46,7 @@ private certificate authority.
`server_config.json` file.
```bash
./InfectionMonkey-v1.13.0.AppImage --setup-only
./Infection_Monkey_v1.11.0.AppImage --setup-only
```
1. (Optional but recommended) Move your `.crt` and `.key` files to
@ -95,7 +82,7 @@ private certificate authority.
1. Start Monkey Island by running the Infection Monkey AppImage package:
```bash
./InfectionMonkey-v1.13.0.AppImage
./Infection_Monkey_v1.11.0.AppImage
```
1. Access the Monkey Island web UI by pointing your browser at

75
docs/content/setup/vmware.md Normal file
View File

@ -0,0 +1,75 @@
---
title: "VMware"
date: 2020-05-26T20:57:14+03:00
draft: false
pre: '<i class="fas fa-laptop-code"></i> '
weight: 3
tags: ["setup", "vmware"]
---
## Deployment
1. Deploy the Infection Monkey OVA by choosing **Deploy OVF Template** and
following the wizard instructions. *Note: make sure ports 5000 and 5001 on
the machine are accessible for inbound TCP traffic.*
1. Turn on the Infection Monkey VM.
1. Log in to the machine with the following credentials:
1. Username: **monkeyuser**
1. Password: **Noon.Earth.Always**
1. For security purposes, it's recommended that you change the machine
passwords by running the following commands: `sudo passwd monkeyuser`, `sudo
passwd root`.
## OVA network modes
You can use the OVA in one of two modes:
1. In a network with the DHCP configured — In this case, the Monkey Island will
automatically query and receive an IP address from the network.
1. With a static IP address — In this case, you should log in to the VM console
with the username `monkeyuser` and the password `Noon.Earth.Always`. After logging
in, edit the Netplan configuration by entering the following command in the
prompt:
```sh
sudo nano /etc/netplan/00-installer-config.yaml
```
Make the following changes:
```diff
# This is the network config written by 'subiquity'
network:
ethernets:
ens160:
- dhcp4: true
+ dhcp4: false
+ addresses: [XXX.XXX.XXX.XXX/24]
+ gateway4: YYY.YYY.YYY.YYY
+ nameservers:
+ addresses: [1.1.1.1]
version: 2
```
Replace `XXX.XXX.XXX.XXX` with the desired IP addess of the VM. Replace
`YYY.YYY.YYY.YYY` with the default gateway.
Save the changes then run the command:
```sh
sudo netplan apply
```
If this configuration does not suit your needs, see
https://netplan.io/examples/ for more information about how to configure
Netplan.
## Upgrading
Currently, there's no "upgrade-in-place" option when a new version is released.
To get an updated version, download the updated OVA file.
If you'd like to keep your existing configuration, you can export it to a file
using the *Export config* button and then import it to the new Monkey Island.
![Export configuration](../../images/setup/export-configuration.png "Export configuration")

16
docs/content/setup/windows.md
View File

@ -9,10 +9,6 @@ tags: ["setup", "windows"]
## Deployment
{{% notice tip %}}
Don't get scared if the Infection Monkey gets [flagged as malware during the installation](/faq/#is-the-infection-monkey-a-malwarevirus).
{{% /notice %}}
After running the installer, the following prompt should appear on the screen:
![Windows installer screenshot](../../images/setup/windows/installer-screenshot-1.png "Windows installer screenshot")
@ -20,14 +16,7 @@ After running the installer, the following prompt should appear on the screen:
1. Follow the steps to complete the installation.
1. Run the Monkey Island by clicking on the desktop shortcut.
{{% notice info %}}
If you're prompted to delete your data directory and you're not sure what to
do, see the [FAQ]({{< ref
"/faq/#i-updated-to-a-new-version-of-the-infection-monkey-and-im-being-asked-to-delete-my-existing-data-directory-why"
>}}) for more information.
{{% /notice %}}
### Start Monkey Island with user-provided certificate
### Start Monkey Island with user-provided certificcate
By default, Infection Monkey comes with a [self-signed SSL certificate](https://aboutssl.org/what-is-self-sign-certificate/). In
enterprise or other security-sensitive environments, it is recommended that the
@ -60,9 +49,6 @@ private certificate authority.
```
1. Run the Monkey Island by clicking on the desktop shortcut.
1. Access the Monkey Island web UI by pointing your browser at
`https://localhost:5000`.
## Troubleshooting
### Support

35
docs/content/usage/file-checksums.md
View File

@ -37,45 +37,24 @@ $ sha256sum monkey-linux-64
| Filename | Type | Version | SHA256 |
|------------------------------------------------------|-------------------|---------|--------------------------------------------------------------------|
| monkey-windows-64.exe | Windows Agent | 1.13.0 | `3EDD20DE2247047C8A822C84145981936CE2FD0BDF843EB5CA777CA4D2478B35` |
| monkey-windows-32.exe | Windows Agent | 1.13.0 | `7497907E3CF4FFEB121A7795BFA16709800E6E0F99770F64AF7FFF684ECBA6D6` |
| monkey-linux-64 | Linux Agent | 1.13.0 | `F21E709CB7BA8DAF90B908AF5FE485BA43866C325D3C7CE1EB07E8A2323E07C1` |
| monkey-linux-32 | Linux Agent | 1.13.0 | `24C5779825F26C76A8910794836647096F4BB4B47CFD6AD213CC48116D140FAB` |
| InfectionMonkey-v1.13.0.AppImage | Linux Package | 1.13.0 | `CDED4E8394A4D2A809BA9B74B924AEA590317515B9B032BA8005A93DFCE1C861` |
| InfectionMonkey-docker-v1.13.0.tgz | Docker | 1.13.0 | `342701BA8EC5B754C59685896FC3DCDBB93362FFFAD0EC7F9E2E5B99DA26F5EC` |
| InfectionMonkey-v1.13.0.exe | Windows Installer | 1.13.0 | `D35ED6CAF21AC786D9A438510282FA07AEF812590A5E6405A01F2B06661B33B9` |
## Older checksums
| Filename | Type | Version | SHA256 |
|------------------------------------------------------|-------------------|---------|--------------------------------------------------------------------|
| monkey-windows-64.exe | Windows Agent | 1.12.0 | `02e5e051a96e2ca61ae8e661b3a5828ee53a0fc00aca6502d5c73a46754f0d07` |
| monkey-windows-32.exe | Windows Agent | 1.12.0 | `3c10f610f47c4fd227cf85f6bf800d66ed31fe37dc2e2ed408860483685ba504` |
| monkey-linux-64 | Linux Agent | 1.12.0 | `1ad52eabd704a9b0fbf642fa552629f30d3c5c27e431a687bd4cba4e0104d3f7` |
| monkey-linux-32 | Linux Agent | 1.12.0 | `d941943046db48cf0eb7f11e144a79749848ae6b50014833c5390936e829f6c3` |
| InfectionMonkey-v1.12.0.AppImage | Linux Package | 1.12.0 | `1325f2aa1d0c27aec2e2f9864ed53c53c524bd208313f87ea6606f59c90ff310` |
| InfectionMonkey-docker-v1.12.0.tgz | Docker | 1.12.0 | `dcaf669411d55ea6883920597af4a35f3735a286801e08b6ef047cc91ff32769` |
| InfectionMonkey-v1.12.0.exe | Windows Installer | 1.12.0 | `4d6e0373be3615a4b97721a07d2a854f6316d1ce8c4ff6d6495aac3a8f2c6a69` |
| monkey-windows-64.exe | Windows Agent | 1.11.0 | `12c55377381a8fc7d8ff731db52302ef2f8bb894d8712769e5a91a140ba22b0a` |
| monkey-windows-32.exe | Windows Agent | 1.11.0 | `e006b26663f59b92bad8d49b034cd8101dd481f881e3c4839a9c1e64fd99e849` |
| monkey-linux-64 | Linux Agent | 1.11.0 | `fb4c979ce6c29bb458be50a44cc6839650826b831da849da69a05dfefdc66462` |
| monkey-linux-32 | Linux Agent | 1.11.0 | `88d6d717f99047ae6f8ff9527b41ff004217c99b1b027f112d062dd9e66d11ab` |
| Infection_Monkey-1.11.0-x86_64.AppImage | Linux Package | 1.11.0 | `6312b6bff18c11c7db694f42cf5a41e894786c39e3e093b6b15abcbff80337f2` |
| infection_monkey_docker_20210811_211212.tgz | Docker | 1.11.0 | `40f203387cadd153f97c6a21dfdddacd4d4eeea334a9300d862bfb4ba528e2e6` |
| Monkey Island v1.11.0_3789.exe | Windows Installer | 1.11.0 | `20633c1993ea5f86b57b3a48d6875e8f72881f856f4713d747f07a559da05ccc` |
| monkey-windows-64.exe | Windows Agent | 1.10.0 | `3b499a4cf1a67a33a91c73b05884e4d6749e990e444fa1d2a3281af4db833fa1` |
| monkey-windows-32.exe | Windows Agent | 1.10.0 | `8e891e90b11b97fbbef27f1408c1fcad486b19c612773f2d6a9edac5d4cdb47f` |
| monkey-linux-64 | Linux Agent | 1.10.0 | `932f703510b6484c3824fc797f90f99722e38a7f8956cf6fa58fdecb3790ab93` |
| monkey-linux-32 | Linux Agent | 1.10.0 | `a6de7d571051292b9db966afe025413dc20b214c4aab53e48d90d8e04264f4f5` |
| infection_monkey_deb.tgz | Debian Package | 1.10.0 | `534d85c4abc78e2c86a74d8b88759b091b62077dd9e32f02eeb43d716d359ff6` |
| infection_monkey_debzt.tgz | Debian Package | 1.10.0 | `bd01d8482f80990e6cc0ed654c07dbd80da71eebe3dd244365e9bc00f86b1c03` |
| Monkey Island v1.10.0_3593_windows.exe | Windows Installer | 1.10.0 | `ebd2c5627d21dd8670def02c3a5a995f9e799ba567cf4caacd702654264ddf06` |
| Monkey Island v1.10.0_3593_windows.exe | Windows Installer | 1.10.0 | `ebd2c5627d21dd8670def02c3a5a995f9e799ba567cf4caacd702654264ddf06` |
| Monkey Island v1.10.0_3593_windowszt.exe | Windows Installer | 1.10.0 | `60aaf3b32e5d06c91fe0d4f1b950529517ac33796f67e9ccfef0e8ce1c5372d8` |
| infection_monkey_docker_docker_20210326_171631.tgz | Docker | 1.10.0 | `e4f9c7c5aafe7e38b33d2927a9c0cf6a3ac27858d3d0e3f2252c2e91809a78db` |
| infection_monkey_docker_dockerzt_20210326_172035.tgz | Docker | 1.10.0 | `248640e9eaa18e4c27f67237f0594d9533732f372ba4674d5d1bea43ab498cf5` |
| monkey-island-vmware.ova | OVA | 1.10.0 | `3472ad4ae557ddad7d7db8fbbfcfd33c4f2d95d870b18fa4cab49af6b562009c` |
| monkey-island-vmwarezt.ova | OVA | 1.10.0 | `3472ad4ae557ddad7d7db8fbbfcfd33c4f2d95d870b18fa4cab49af6b562009c` |
## Older checksums
| Filename | Type | Version | SHA256 |
|------------------------------------------------------|-------------------|---------|--------------------------------------------------------------------|
| monkey-windows-64.exe | Windows Agent | 1.9.0 | `24622cb8dbabb0cf4b25ecd3c13800c72ec5b59b76895b737ece509640d4c068` |
| monkey-windows-32.exe | Windows Agent | 1.9.0 | `67f12171c3859a21fc8f54c5b2299790985453e9ac028bb80efc7328927be3d8` |
| monkey-linux-64 | Linux Agent | 1.9.0 | `aec6b14dc2bea694eb01b517cca70477deeb695f39d40b1d9e5ce02a8075c956` |

29
docs/content/usage/scenarios/_index.md
View File

@ -1,29 +0,0 @@
+++
title = "Scenarios"
date = 2020-08-12T12:52:59+03:00
weight = 3
chapter = true
pre = "<i class='fas fa-map-marked-alt'></i> "
+++
# Scenarios
This section describes the different attack scenarios that the Infection Monkey can simulate.
{{% notice note %}}
Don't worry! The Infection Monkey uses safe exploiters and does not cause any permanent system modifications that could impact security or operations.
{{% /notice %}}
The Infection Monkey has pre-built scenarios to simulate common types of attacks that take place. These scenarios, when selected, manipulate the configuration to only show you what you need to see for that scenario. This makes it possible for you to quickly run the Monkey on your network in order to accomplish a specific objective.
Choosing the "Custom" scenario will allow you to fine-tune your simulation and access all available features. [Read more about configuring a custom simulation.](/custom-scenario/_index.md)
![Choose scenario](/images/usage/scenarios/choose-scenario.png "Choose a scenario")
To exit a scenario and select another one, click on "Start Over".
![Start over](/images/usage/scenarios/start-over.png "Start over")
## Section contents
{{% children description=True style="p"%}}

18
docs/content/usage/scenarios/custom-scenario/_index.md
View File

@ -1,18 +0,0 @@
---
title: " Custom"
date: 2021-07-28T14:36:02+05:30
description: "Configure a custom scenario to test your network's defenses."
weight: 100
pre: "<i class='fas fa-edit'></i>"
chapter: true
---
# Custom
The Infection Monkey is a versatile breach and attack simulation tool. Choosing the "Custom" scenario will allow you to access all of its capabilities and configure the simulation exactly according to your needs. You can enhance, optimize, and fine-tune the Monkey's behavior.
![Custom scenario](/images/usage/scenarios/custom-scenario.png "Custom scenario")
Below are some examples with instructions on how to configure them.
{{% children description=True style="p"%}}

20
docs/content/usage/use-cases/_index.md Normal file
View File

@ -0,0 +1,20 @@
+++
title = "Use Cases"
date = 2020-08-12T12:52:59+03:00
weight = 3
chapter = true
pre = "<i class='fas fa-map-marked-alt'></i> "
+++
# Use cases
This section describes possible use cases for the Infection Monkey and how you can configure the tool.
You can also refer to [our FAQ](../../faq) for more specific questions and answers.
{{% notice note %}}
Don't worry! The Infection Monkey uses safe exploiters and does not cause any permanent system modifications that could impact security or operations.
{{% /notice %}}
## Section contents
{{% children description=True style="p"%}}

4
docs/content/usage/scenarios/custom-scenario/attack.md → docs/content/usage/use-cases/attack.md
View File

@ -6,14 +6,14 @@ description: "Assess your network security detection and prevention capabilities
weight: 2
---
## Overview
## Overview
The Infection Monkey can simulate various [ATT&CK](https://attack.mitre.org/matrices/enterprise/) techniques on the network. Use it to assess your security solutions' detection and prevention capabilities. The Infection Monkey will help you find which ATT&CK techniques go unnoticed and provide specific details along with suggested mitigations.
## Configuration
- **ATT&CK matrix** You can use the ATT&CK configuration section to select which techniques you want the Infection Monkey to simulate.
- **ATT&CK matrix** You can use the ATT&CK configuration section to select which techniques you want the Infection Monkey to simulate.
For the full simulation, use the default settings.
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. The Infection Monkey uses the most popular default passwords and usernames, but feel free to adjust it according to the default passwords common in your network. Keep in mind a longer list means longer scanning times.
- **Network -> Scope** Disable “Local network scan” and instead provide specific network ranges in the “Scan target list”.

14
docs/content/usage/scenarios/custom-scenario/credential-leak.md → docs/content/usage/use-cases/credential-leak.md
View File

@ -6,30 +6,30 @@ description: "Assess the impact of a successful phishing attack, insider threat,
weight: 5
---
## Overview
## Overview
Numerous attack techniques (from phishing to dumpster diving) might result in a credential leak,
Numerous attack techniques (from phishing to dumpster diving) might result in a credential leak,
which can be **extremely costly** as demonstrated in our report [IResponse to IEncrypt](https://www.guardicore.com/2019/04/iresponse-to-iencrypt/).
The Infection Monkey can help you assess the impact of stolen credentials by automatically searching
The Infection Monkey can help you assess the impact of stolen credentials by automatically searching
where bad actors can reuse these credentials in your network.
## Configuration
- **Exploits -> Credentials** After setting up the Monkey Island, add your users' **real** credentials
- **Exploits -> Credentials** After setting up the Monkey Island, add your users' **real** credentials
(usernames and passwords) here. Don't worry; this sensitive data is not accessible, distributed or used in any way other than being sent to the Infection Monkey agents. You can easily eliminate it by resetting the configuration of your Monkey Island.
- **Internal -> Exploits -> SSH keypair list** When enabled, the Infection Monkey automatically gathers SSH keys on the current system.
- **Internal -> Exploits -> SSH keypair list** When enabled, the Infection Monkey automatically gathers SSH keys on the current system.
For this to work, the Monkey Island or initial agent needs to access SSH key files.
To make sure SSH keys were gathered successfully, refresh the page and check this configuration value after you run the Infection Monkey
(content of keys will not be displayed, it will appear as `<Object>`).
## Suggested run mode
Execute the Infection Monkey on a chosen machine in your network using the “Manual” run option.
Execute the Infection Monkey on a chosen machine in your network using the “Manual” run option.
Run the Infection Monkey as a privileged user to make sure it gathers as many credentials from the system as possible.
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
## Assessing results
To assess the impact of leaked credentials see the Security report. Examine **Security report -> Stolen credentials** to confirm.
To assess the impact of leaked credentials see the Security report. Examine **Security report -> Stolen credentials** to confirm.

22
docs/content/usage/scenarios/custom-scenario/network-breach.md → docs/content/usage/use-cases/network-breach.md
View File

@ -6,7 +6,7 @@ description: "Simulate an internal network breach and assess the potential impac
weight: 3
---
## Overview
## Overview
From the [Hex-Men campaign](https://www.guardicore.com/2017/12/beware-the-hex-men/) that hit
internet-facing DB servers to a [cryptomining operation that attacks WordPress sites](https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining-2/) or any other malicious campaign attackers are now trying to go deeper into your network.
@ -15,15 +15,15 @@ Infection Monkey will help you assess the impact of a future breach by attemptin
## Configuration
- **Exploits -> Exploits** Here you can review the exploits the Infection Monkey will be using. By default all
- **Exploits -> Exploits** Here you can review the exploits the Infection Monkey will be using. By default all
safe exploiters are selected.
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. The Infection Monkey uses the most popular default passwords and usernames, but feel free to adjust it according to the default passwords common in your network. Keep in mind a longer list means longer scanning times.
- **Network -> Scope** Make sure to properly configure the scope of the scan. You can select **Local network scan**
and allow Monkey to propagate until maximum **Scan depth**(hop count) is reached, or you can fine tune it by providing
specific network ranges in **Scan target list**. Scanning a local network is more realistic, but providing specific
and allow Monkey to propagate until maximum **Scan depth**(hop count) is reached, or you can fine tune it by providing
specific network ranges in **Scan target list**. Scanning a local network is more realistic, but providing specific
targets will make the scanning process substantially faster.
- **(Optional) Internal -> Network -> TCP scanner** Here you can add custom ports your organization is using.
- **(Optional) Monkey -> Post-Breach Actions** If you only want to test propagation in the network, you can turn off
- **(Optional) Monkey -> Post-Breach Actions** If you only want to test propagation in the network, you can turn off
all post-breach actions. These actions simulate an attacker's behavior after getting access to a new system but in no
way helps the Infection Monkey exploit new machines.
@ -31,17 +31,17 @@ all post-breach actions. These actions simulate an attacker's behavior after get
## Suggested run mode
Decide which machines you want to simulate a breach on and use the “Manual” run option to start the Infection Monkey on them.
Use administrative privileges to run the Infection Monkey to simulate an attacker that was able to elevate their privileges.
You could also simulate an attack initiated from an unidentified machine connected to the network (e.g., a technician
laptop or third-party vendor machine) by running the Infection Monkey on a dedicated machine with an IP in the network you
Decide which machines you want to simulate a breach on and use the “Manual” run option to start the Infection Monkey on them.
Use administrative privileges to run the Infection Monkey to simulate an attacker that was able to elevate their privileges.
You could also simulate an attack initiated from an unidentified machine connected to the network (e.g., a technician
laptop or third-party vendor machine) by running the Infection Monkey on a dedicated machine with an IP in the network you
wish to test.
## Assessing results
Check the infection map and Security report to see how far The Infection Monkey managed to propagate in your network and which
vulnerabilities it successfully exploited. If you left post-breach actions selected, you should also check the MITRE ATT&CK and
Check the infection map and Security report to see how far The Infection Monkey managed to propagate in your network and which
vulnerabilities it successfully exploited. If you left post-breach actions selected, you should also check the MITRE ATT&CK and
Zero Trust reports for more details.
![Map](/images/usage/use-cases/map-full-cropped.png "Map")

8
docs/content/usage/scenarios/custom-scenario/network-segmentation.md → docs/content/usage/use-cases/network-segmentation.md
View File

@ -6,7 +6,7 @@ description: "Verify your network is properly segmented."
weight: 4
---
## Overview
## Overview
Segmentation is a method of creating secure zones in data centers and cloud deployments. It allows organizations to isolate workloads from one another and secure them individually, typically using policies. A useful way to test your company's segmentation effectiveness is to ensure that your network segments are properly separated (e.g., your development environment is isolated from your production environment and your applications are isolated from one another).
@ -18,15 +18,15 @@ You can use the Infection Monkey's cross-segment traffic feature to verify that
## Configuration
- **Network -> Network analysis -> Network segmentation testing** This configuration setting allows you to define
subnets that should be segregated from each other. If any of the provided networks can reach each other, you'll see it
subnets that should be segregated from each other. If any of the provided networks can reach each other, you'll see it
in the security report.
- **(Optional) Network -> Scope** You can disable **Local network scan** and leave all other options at the default setting if you only want to test for network segmentation without any lateral movement.
- **(Optional) Monkey -> Post-Breach Actions** If you only want to test segmentation in the network, you can turn off all post-breach actions. These actions simulate an attacker's behavior after getting access to a new system, so they might trigger your defense solutions and interrupt the segmentation test.
## Suggested run mode
Execute The Infection Monkey on machines in different subnetworks using the “Manual” run option.
Execute The Infection Monkey on machines in different subnetworks using the “Manual” run option.
Note that if the Infection Monkey can't communicate to the Monkey Island, it will
not be able to send scan results, so make sure all machines can reach the the Monkey Island.

18
docs/content/usage/scenarios/custom-scenario/other.md → docs/content/usage/use-cases/other.md
View File

@ -6,23 +6,23 @@ description: "Tips and tricks about configuring Monkeys for your needs."
weight: 100
---
## Overview
## Overview
This page provides additional information about configuring the Infection Monkey, tips and tricks and creative usage scenarios.
## Custom behaviour
If you want the Infection Monkey to run a specific script or tool after it breaches a machine, you can configure it in
**Configuration -> Monkey -> Post-breach**. Input commands you want to execute in the corresponding fields.
If you want the Infection Monkey to run a specific script or tool after it breaches a machine, you can configure it in
**Configuration -> Monkey -> Post-breach**. Input commands you want to execute in the corresponding fields.
You can also upload files and call them through the commands you entered.
## Accelerate the test
To improve scanning speed you could **specify a subnet instead of scanning all of the local network**.
To improve scanning speed you could **specify a subnet instead of scanning all of the local network**.
The following configuration values also have an impact on scanning speed:
- **Credentials** - The more usernames and passwords you input, the longer it will take the Infection Monkey to scan machines that have
remote access services. The Infection Monkey agents try to stay elusive and leave a low impact, and thus brute-forcing takes longer than with loud conventional tools.
- **Network scope** - Scanning large networks with a lot of propagations can become unwieldy. Instead, try to scan your
- **Network scope** - Scanning large networks with a lot of propagations can become unwieldy. Instead, try to scan your
networks bit by bit with multiple runs.
- **Post-breach actions** - If you only care about propagation, you can disable most of these.
- **Internal -> TCP scanner** - Here you can trim down the list of ports the Infection Monkey tries to scan, improving performance.
@ -37,7 +37,7 @@ Use **Monkey -> Persistent** scanning configuration section to either run period
## Credentials
Every network has its old "skeleton keys" that it should have long discarded. Configuring the Infection Monkey with old and stale passwords will enable you to ensure they were really discarded.
Every network has its old "skeleton keys" that it should have long discarded. Configuring the Infection Monkey with old and stale passwords will enable you to ensure they were really discarded.
To add the old passwords, go to the Monkey Island's **Exploit password list** under **Basic - Credentials** and use the "+" button to add the old passwords to the configuration. For example, here we added a few extra passwords (and a username as well) to the configuration:
@ -45,9 +45,9 @@ To add the old passwords, go to the Monkey Island's **Exploit password list** un
## Check logged and monitored terminals
To see the Infection Monkey executing in real-time on your servers, add the **post-breach action** command:
`wall “Infection Monkey was here”`. This post-breach command will broadcast a message across all open terminals on the servers the Infection Monkey breached to achieve the following:
- Let you know the Monkey ran successfully on the server.
To see the Infection Monkey executing in real-time on your servers, add the **post-breach action** command:
`wall “Infection Monkey was here”`. This post-breach command will broadcast a message across all open terminals on the servers the Infection Monkey breached to achieve the following:
- Let you know the Monkey ran successfully on the server.
- Let you follow the breach “live” alongside the infection map.
- Check which terminals are logged and monitored inside your network.

43
docs/content/usage/scenarios/ransomware-simulation.md → docs/content/usage/use-cases/ransomware-simulation.md
View File

@ -1,15 +1,33 @@
---
title: " Ransomware Simulation"
title: "Ransomware Simulation"
date: 2021-06-23T18:13:59+05:30
draft: false
description: "Simulate a ransomware attack on your network and assess the potential damage."
weight: 1
pre: "<i class='fa fa-lock'></i>"
draft: true
weight: 10
---
The Infection Monkey is capable of simulating a ransomware attack on your
network using a set of configurable behaviors.
## Leaving a README.txt file
Many ransomware packages leave a README.txt file on the victim machine with an
explanation of what has occurred and instructions for paying the attacker.
The Infection Monkey can also leave a README.txt file in the target directory on
the victim machine in order to replicate this behavior. This can be enabled or
disabled by checking the box on the configuration screen. Note that if no
target directory is specified for encryption, the Infection Monkey will not
leave a README.txt file.
<!-- add screenshot highlighting readme option -->
The README.txt file informs the user that a ransomware simulation has taken
place and that they should contact their administrator. The contents of the
file can be found
[here](https://github.com/guardicore/monkey/tree/develop/monkey/infection_monkey/ransomware/ransomware_readme.txt).
<!-- add config screenshot here -->
## Encryption
@ -37,7 +55,7 @@ To ensure minimum interference and easy recoverability, the ransomware
simulation will only encrypt files contained in a user-specified directory. If
no directory is specified, no files will be encrypted.
![Ransomware configuration](/images/usage/scenarios/ransomware-config.png "Ransomware configuration")
<!-- add screenshot highlighting encryption options -->
### How are the files encrypted?
@ -146,16 +164,3 @@ BitDefender](https://labs.bitdefender.com/2017/07/a-technical-look-into-the-gold
- .xlsx
- .xvd
- .zip
## Leaving a README.txt file
Many ransomware packages leave a README.txt file on the victim machine with an
explanation of what has occurred and instructions for paying the attacker.
The Infection Monkey will also leave a README.txt file in the target directory on
the victim machine in order to replicate this behavior.
The README.txt file informs the user that a ransomware simulation has taken
place and that they should contact their administrator. The contents of the
file can be found
[here](https://github.com/guardicore/monkey/tree/develop/monkey/infection_monkey/ransomware/ransomware_readme.txt).

0
docs/content/usage/scenarios/custom-scenario/zero-trust.md → docs/content/usage/use-cases/zero-trust.md
View File

1
docs/layouts/_default/_markup/render-link.html
View File

@ -1 +0,0 @@
<a href="{{ .Destination | safeURL }}"{{ with .Title}} title="{{ . }}"{{ end }}>{{ .Text | safeHTML }}{{ if strings.HasPrefix .Destination "http" }}<span style="white-space: nowrap;">&nbsp;<svg style="height: 0.7em; width: 0.7em;" focusable="false" data-prefix="fas" data-icon="external-link-alt" class="svg-inline--fa fa-external-link-alt fa-w-16" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><title>external link</title><path fill="currentColor" d="M432,320H400a16,16,0,0,0-16,16V448H64V128H208a16,16,0,0,0,16-16V80a16,16,0,0,0-16-16H48A48,48,0,0,0,0,112V464a48,48,0,0,0,48,48H400a48,48,0,0,0,48-48V336A16,16,0,0,0,432,320ZM488,0h-128c-21.37,0-32.05,25.91-17,41l35.73,35.73L135,320.37a24,24,0,0,0,0,34L157.67,377a24,24,0,0,0,34,0L435.28,133.32,471,169c15,15,41,4.5,41-17V24A24,24,0,0,0,488,0Z"></path></svg></span>{{ end }}</a>

6
docs/layouts/shortcodes/homepage_shortcuts.html
View File

@ -74,10 +74,10 @@
</a>
</div>
<div class="col-lg-3 col-sm-6 mb-3">
<a href="usage/scenarios/" class="px-4 py-5 bg-white shadow text-center d-block">
<a href="usage/use-cases" class="px-4 py-5 bg-white shadow text-center d-block">
<i class="fas fa-map-marked-alt d-block mb-4" style="font-size: x-large;"></i>
<h4 class="mb-3 mt-0">Scenarios</h4>
<p class="mb-0">Learn about scenarios of the Infection Monkey.</p>
<h4 class="mb-3 mt-0">Use Cases</h4>
<p class="mb-0">Learn about use cases of the Infection Monkey.</p>
</a>
</div>
<div class="col-lg-3 col-sm-6 mb-3">

BIN
docs/static/images/faq/propagation_depth_diagram.png vendored
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 170 KiB

BIN
docs/static/images/setup/aws/aws-instance-id.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 237 KiB

BIN
docs/static/images/usage/reports/ransomware_report_1_breach.png vendored
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 135 KiB

BIN
docs/static/images/usage/reports/ransomware_report_2_lateral_movement.png vendored
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 138 KiB

BIN
docs/static/images/usage/reports/ransomware_report_3_attack.png vendored
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 257 KiB

BIN
docs/static/images/usage/scenarios/choose-scenario.png vendored
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 278 KiB

BIN
docs/static/images/usage/scenarios/custom-scenario.png vendored
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 283 KiB

BIN
docs/static/images/usage/scenarios/ransomware-config.png vendored
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 140 KiB

BIN
docs/static/images/usage/scenarios/start-over.png vendored
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 104 KiB

2
envs/monkey_zoo/.gitignore vendored
View File

@ -1,2 +1,2 @@
logs/
/blackbox/tests/performance/telemetry_sample
/blackbox/tests/performance/telem_sample

17
envs/monkey_zoo/blackbox/README.md
View File

@ -32,20 +32,19 @@ directory `monkey\envs\monkey_zoo\blackbox`.
**Before running performance test make sure browser is not sending requests to island!**
To run telemetry performance test follow these steps:
0. Set no password protection on the island.
Make sure the island parameter is an IP address(not localhost) as the name resolution will increase the time for requests.
0. Set `server_config.json` to "standard" (no password protection) setting.
1. Gather monkey telemetries.
1. Enable "Export monkey telemetries" in Configuration -> Internal -> Tests if you don't have
exported telemetries already.
2. Run monkey and wait until infection is done.
3. All telemetries are gathered in `monkey/telem_sample`. If not, restart the island process.
3. All telemetries are gathered in `monkey/telem_sample`
2. Run telemetry performance test.
1. Move directory `monkey/telem_sample` to `envs/monkey_zoo/blackbox/tests/performance/telemetry_sample`
2. (Optional) Use `envs/monkey_zoo/blackbox/tests/performance/telem_sample_parsing/sample_multiplier/sample_multiplier.py` to multiply
1. Move directory `monkey/test_telems` to `envs/monkey_zoo/blackbox/tests/performance/test_telems`
2. (Optional) Use `envs/monkey_zoo/blackbox/tests/performance/utils/telem_parser.py` to multiply
telemetries gathered.
1. Run `sample_multiplier.py` script with working directory set to `monkey\envs\monkey_zoo\blackbox`
1. Run `telem_parser.py` script with working directory set to `monkey\envs\monkey_zoo\blackbox`
2. Pass integer to indicate the multiplier. For example running `telem_parser.py 4` will replicate
telemetries 4 times.
3. If you're using pycharm check "Emulate terminal in output console" on debug/run configuration.
3. Add a `--run-performance-tests` flag to blackbox scripts to run performance tests as part of BlackBox tests.
You can run a single test separately by adding `-k 'test_telem_performance'` option.
3. If you're using pycharm check "Emulate terminal in output console" on debug/run configuraion.
3. Performance test will run as part of BlackBox tests or you can run it separately by adding
`-k 'test_telem_performance'` option.

1
envs/monkey_zoo/blackbox/config_templates/base_template.py
View File

@ -7,7 +7,6 @@ class BaseTemplate(ConfigTemplate):
config_values = {
"basic.exploiters.exploiter_classes": [],
"basic_network.scope.local_network_scan": False,
"basic_network.scope.depth": 1,
"internal.classes.finger_classes": ["PingScanner", "HTTPFinger"],
"internal.monkey.system_info.system_info_collector_classes": [
"EnvironmentCollector",

2
envs/monkey_zoo/blackbox/config_templates/drupal.py
View File

@ -12,7 +12,5 @@ class Drupal(ConfigTemplate):
"internal.classes.finger_classes": ["PingScanner", "HTTPFinger"],
"basic.exploiters.exploiter_classes": ["DrupalExploiter"],
"basic_network.scope.subnet_scan_list": ["10.2.2.28"],
"internal.network.tcp_scanner.HTTP_PORTS": [80],
"internal.network.tcp_scanner.tcp_target_ports": [],
}
)

2
envs/monkey_zoo/blackbox/config_templates/elastic.py
View File

@ -14,7 +14,5 @@ class Elastic(ConfigTemplate):
"internal.classes.finger_classes": ["PingScanner", "HTTPFinger", "ElasticFinger"],
"basic_network.scope.subnet_scan_list": ["10.2.2.4", "10.2.2.5"],
"basic_network.scope.depth": 1,
"internal.network.tcp_scanner.HTTP_PORTS": [9200],
"internal.network.tcp_scanner.tcp_target_ports": [],
}
)

2
envs/monkey_zoo/blackbox/config_templates/hadoop.py
View File

@ -12,7 +12,5 @@ class Hadoop(ConfigTemplate):
{
"basic.exploiters.exploiter_classes": ["HadoopExploiter"],
"basic_network.scope.subnet_scan_list": ["10.2.2.2", "10.2.2.3"],
"internal.network.tcp_scanner.HTTP_PORTS": [],
"internal.network.tcp_scanner.tcp_target_ports": [8088],
}
)

16
envs/monkey_zoo/blackbox/config_templates/log4j_logstash.py
View File

@ -1,16 +0,0 @@
from copy import copy
from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
class Log4jLogstash(ConfigTemplate):
config_values = copy(BaseTemplate.config_values)
config_values.update(
{
"basic.exploiters.exploiter_classes": ["Log4ShellExploiter"],
"basic_network.scope.subnet_scan_list": ["10.2.3.55", "10.2.3.56"],
}
)

16
envs/monkey_zoo/blackbox/config_templates/log4j_solr.py
View File

@ -1,16 +0,0 @@
from copy import copy
from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
class Log4jSolr(ConfigTemplate):
config_values = copy(BaseTemplate.config_values)
config_values.update(
{
"basic.exploiters.exploiter_classes": ["Log4ShellExploiter"],
"basic_network.scope.subnet_scan_list": ["10.2.3.49", "10.2.3.50"],
}
)

16
envs/monkey_zoo/blackbox/config_templates/log4j_tomcat.py
View File

@ -1,16 +0,0 @@
from copy import copy
from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
class Log4jTomcat(ConfigTemplate):
config_values = copy(BaseTemplate.config_values)
config_values.update(
{
"basic.exploiters.exploiter_classes": ["Log4ShellExploiter"],
"basic_network.scope.subnet_scan_list": ["10.2.3.51", "10.2.3.52"],
}
)

3
envs/monkey_zoo/blackbox/config_templates/mssql.py
View File

@ -10,7 +10,6 @@ class Mssql(ConfigTemplate):
config_values.update(
{
"basic.exploiters.exploiter_classes": ["MSSQLExploiter"],
"internal.classes.finger_classes": ["PingScanner"],
"basic_network.scope.subnet_scan_list": ["10.2.2.16"],
"basic.credentials.exploit_password_list": [
"Password1!",
@ -19,7 +18,5 @@ class Mssql(ConfigTemplate):
"12345678",
],
"basic.credentials.exploit_user_list": ["Administrator", "m0nk3y", "user"],
"internal.network.tcp_scanner.HTTP_PORTS": [],
"internal.network.tcp_scanner.tcp_target_ports": [3389],
}
)

8
envs/monkey_zoo/blackbox/config_templates/performance.py
View File

@ -24,9 +24,7 @@ class Performance(ConfigTemplate):
"HadoopExploiter",
"VSFTPDExploiter",
"MSSQLExploiter",
"PowerShellExploiter",
"ZerologonExploiter",
"Log4ShellExploiter",
],
"basic_network.network_analysis.inaccessible_subnets": [
"10.2.2.0/30",
@ -60,11 +58,5 @@ class Performance(ConfigTemplate):
"10.2.2.23",
"10.2.2.24",
"10.2.2.25",
"10.2.3.55",
"10.2.3.56",
"10.2.3.49",
"10.2.3.50",
"10.2.3.51",
"10.2.3.52",
],
}

31
envs/monkey_zoo/blackbox/config_templates/powershell.py
View File

@ -1,31 +0,0 @@
from copy import copy
from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
class PowerShell(ConfigTemplate):
config_values = copy(BaseTemplate.config_values)
# TODO: Remove .\\ from exploit user list when DC name is added,
# for more context see https://github.com/guardicore/monkey/issues/1486
config_values.update(
{
"basic.exploiters.exploiter_classes": ["PowerShellExploiter"],
"basic_network.scope.subnet_scan_list": [
"10.2.3.45",
"10.2.3.46",
"10.2.3.47",
"10.2.3.48",
],
"basic.credentials.exploit_password_list": ["Passw0rd!"],
"basic_network.scope.depth": 2,
"basic.credentials.exploit_user_list": ["m0nk3y", "m0nk3y-user"],
"internal.classes.finger_classes": ["PingScanner"],
"internal.network.tcp_scanner.HTTP_PORTS": [],
"internal.network.tcp_scanner.tcp_target_ports": [],
"internal.exploits.exploit_ntlm_hash_list": [
"d0f0132b308a0c4e5d1029cc06f48692",
],
}
)

21
envs/monkey_zoo/blackbox/config_templates/powershell_credentials_reuse.py
View File

@ -1,21 +0,0 @@
from copy import copy
from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
class PowerShellCredentialsReuse(ConfigTemplate):
config_values = copy(BaseTemplate.config_values)
config_values.update(
{
"basic.exploiters.exploiter_classes": ["PowerShellExploiter"],
"basic_network.scope.subnet_scan_list": [
"10.2.3.46",
],
"basic_network.scope.depth": 2,
"internal.classes.finger_classes": ["PingScanner"],
"internal.network.tcp_scanner.HTTP_PORTS": [],
"internal.network.tcp_scanner.tcp_target_ports": [],
}
)

2
envs/monkey_zoo/blackbox/config_templates/shellshock.py
View File

@ -11,7 +11,5 @@ class ShellShock(ConfigTemplate):
{
"basic.exploiters.exploiter_classes": ["ShellShockExploiter"],
"basic_network.scope.subnet_scan_list": ["10.2.2.8"],
"internal.network.tcp_scanner.HTTP_PORTS": [80, 8080],
"internal.network.tcp_scanner.tcp_target_ports": [],
}
)

2
envs/monkey_zoo/blackbox/config_templates/smb_mimikatz.py
View File

@ -14,8 +14,6 @@ class SmbMimikatz(ConfigTemplate):
"basic.credentials.exploit_password_list": ["Password1!", "Ivrrw5zEzs"],
"basic.credentials.exploit_user_list": ["Administrator", "m0nk3y", "user"],
"internal.classes.finger_classes": ["SMBFinger", "PingScanner", "HTTPFinger"],
"internal.network.tcp_scanner.HTTP_PORTS": [],
"internal.network.tcp_scanner.tcp_target_ports": [445],
"monkey.system_info.system_info_collector_classes": [
"EnvironmentCollector",
"HostnameCollector",

26
envs/monkey_zoo/blackbox/config_templates/smb_pth.py
View File

@ -7,18 +7,14 @@ from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemp
class SmbPth(ConfigTemplate):
config_values = copy(BaseTemplate.config_values)
config_values.update(
{
"basic.exploiters.exploiter_classes": ["SmbExploiter"],
"basic_network.scope.subnet_scan_list": ["10.2.2.15"],
"basic.credentials.exploit_password_list": ["Password1!", "Ivrrw5zEzs"],
"basic.credentials.exploit_user_list": ["Administrator", "m0nk3y", "user"],
"internal.classes.finger_classes": ["SMBFinger", "PingScanner", "HTTPFinger"],
"internal.network.tcp_scanner.HTTP_PORTS": [],
"internal.network.tcp_scanner.tcp_target_ports": [445],
"internal.classes.exploits.exploit_ntlm_hash_list": [
"5da0889ea2081aa79f6852294cba4a5e",
"50c9987a6bf1ac59398df9f911122c9b",
],
}
)
config_value_list = {
"basic.exploiters.exploiter_classes": ["SmbExploiter"],
"basic_network.scope.subnet_scan_list": ["10.2.2.15"],
"basic.credentials.exploit_password_list": ["Password1!", "Ivrrw5zEzs"],
"basic.credentials.exploit_user_list": ["Administrator", "m0nk3y", "user"],
"internal.classes.finger_classes": ["SMBFinger", "PingScanner", "HTTPFinger"],
"internal.classes.exploits.exploit_ntlm_hash_list": [
"5da0889ea2081aa79f6852294cba4a5e",
"50c9987a6bf1ac59398df9f911122c9b",
],
}

5
envs/monkey_zoo/blackbox/config_templates/ssh.py
View File

@ -12,10 +12,7 @@ class Ssh(ConfigTemplate):
"basic.exploiters.exploiter_classes": ["SSHExploiter"],
"basic_network.scope.subnet_scan_list": ["10.2.2.11", "10.2.2.12"],
"basic.credentials.exploit_password_list": ["Password1!", "12345678", "^NgDvY59~8"],
"basic_network.scope.depth": 2,
"basic.credentials.exploit_user_list": ["Administrator", "m0nk3y", "user"],
"internal.classes.finger_classes": ["SSHFinger", "PingScanner"],
"internal.network.tcp_scanner.HTTP_PORTS": [],
"internal.network.tcp_scanner.tcp_target_ports": [22],
"internal.classes.finger_classes": ["SSHFinger", "PingScanner", "HTTPFinger"],
}
)

3
envs/monkey_zoo/blackbox/config_templates/struts2.py
View File

@ -11,9 +11,6 @@ class Struts2(ConfigTemplate):
config_values.update(
{
"basic.exploiters.exploiter_classes": ["Struts2Exploiter"],
"basic_network.scope.depth": 2,
"basic_network.scope.subnet_scan_list": ["10.2.2.23", "10.2.2.24"],
"internal.network.tcp_scanner.HTTP_PORTS": [80, 8080],
"internal.network.tcp_scanner.tcp_target_ports": [80, 8080],
}
)

4
envs/monkey_zoo/blackbox/config_templates/tunneling.py
View File

@ -13,11 +13,11 @@ class Tunneling(ConfigTemplate):
"basic_network.scope.subnet_scan_list": [
"10.2.2.9",
"10.2.1.10",
"10.2.0.12",
"10.2.0.11",
"10.2.0.12",
],
"basic_network.scope.depth": 3,
"internal.general.keep_tunnel_open_time": 150,
"internal.general.keep_tunnel_open_time": 180,
"basic.credentials.exploit_password_list": [
"Password1!",
"3Q=(Ge(+&w]*",

Some files were not shown because too many files have changed in this diff Show More