Infected Chaos Monkey
=====================

Datacenter Security Tool
------------------------

### http://www.guardicore.com/the-infected-chaos-monkey/
The Infected Chaos Monkey is a security tool which tests your Data Center's ability to withstand perimeter breaches and internal server infection. It uses various methods to propagate through a data center, and reports its success to a centralized C&C server.

Features include:

* Multiple propagation techniques:
  * Predefined passwords
  * Common exploits
* Multiple propagation protocols:
  * SSH
  * SMB
  * RDP
* A C&C server with a dedicated UI to visualize the Monkey's progress inside the data center
Getting Started
---------------

The Infected Chaos Monkey is comprised of two parts: the Monkey and the C&C server.
The Monkey is the tool which infects other machines and propagates to them, while the C&C server collects all Monkey reports and displays them to the user.

### Requirements

The C&C Server has been tested on Ubuntu 14.04.
The Monkey itself has been tested on Windows XP, 7, 8.1 and 10. The Linux build has been tested on Ubuntu server 14.04 and 15.10.

### Installation

For off-the-shelf use, download our pre-compiled binaries from our website. To set up the C&C server, follow the instructions in the [Monkey Island readme](monkey_island/readme.txt). If you wish to compile the binaries yourself, follow the build instructions in the appropriate [readme](build_env/readme.txt).

Usage
-----

### Configuring the Monkey

Monkey configuration is stored in two places:

1. By default, the Monkey uses a local configuration file (usually, config.bin). This configuration file must include the address of the Monkey's C&C server.
2. After successfully connecting to the C&C server, the Monkey downloads a new configuration from the server and discards the local configuration. It is possible to change the default configuration from the C&C server's UI.

Both configuration sources use a JSON format for specifying options; see "Configuration Options" below for details.

### Running the C&C Server

Running the C&C Server is as simple as installing our Infected Monkey Debian package on a specific server. The initial infected machine does not require a direct link to this server.

### Unleashing the Monkey

Download the latest Monkey binary from <> (alternatively, build it yourself by following the instructions below).
The download includes executables for various operating systems, and a default configuration file (config.bin).
You can edit the configuration file according to the options detailed below; the default configuration assumes <WHAT?>.

Once downloaded, run the Monkey using `./monkey-linux-64 m0nk3y -c config.bin`

Command line options include:

* `-c`, `--config`: set the configuration file. A JSON file with configuration values; it will override the compiled-in configuration.
* `-p`, `--parent`: set the Monkey's parent uuid, which allows better recognition of exploited Monkeys in the c&c.
* `-t`, `--tunnel`: ip:port, set the default tunnel for the Monkey when connecting to the c&c.

Monkey Modus Operandi
---------------------

1. Wakeup connection to the c&c: sends basic info about the current machine and the configuration the Monkey uses to the c&c.
   1. First try a direct connection to the c&c.
   2. If the direct connection fails, try connecting through a tunnel; a tunnel is found according to the specified parameter (the default tunnel) or by sending a multicast query and waiting for another Monkey to answer.
   3. If no connection can be made to the c&c, continue without it.
2. If a firewall app is running on the machine (supports Windows Firewall for Win XP and Windows Advanced Firewall for Win 7+), try to add a rule to allow all our traffic.
3. Start up a tunnel for other Monkeys (if the connection to the c&c works).
   1. The firewall is checked to allow listening sockets (if we failed to add a rule to Windows Firewall, for example, the tunnel will not be created).
   2. Answer multicast requests from other Monkeys in search of a tunnel.
4. Run exploitation sessions; x sessions will run according to the configuration:
   1. Connect to the c&c and get the latest configuration.
   2. Scan ip ranges according to the configuration.
   3. Try fingerprinting each host that answers, using the classes defined in the configuration (SMBFinger, SSHFinger, etc.).
   4. Try exploitation on each host found, for each exploit class in the configuration:
      1. Check that the exploit class supports the target host (can be disabled by configuration).
      2. Each exploitation class will use the data acquired in fingerprinting, or during the exploit, to find the suitable Monkey executable for the host from the c&c.
         1. If the c&c connection fails, and the source Monkey's executable is suitable, we use it.
         2. If a suitable executable isn't found, exploitation will fail.
         3. Executables are cached in memory.
   5. Hosts that are already exploited will be skipped in the next run.
   6. Hosts that failed during exploitation will be skipped in the next run (can be disabled by configuration).
5. Close the tunnel before exiting.
   1. Wait for Monkeys using the tunnel to unregister from it.
6. Cleanup.
   1. Remove firewall rules if added.

Configuration Options
---------------------

Key | Type | Description | Possible Values
--- | ---- | ----------- | ---------------
singleton_mutex_name | string | string of the mutex name for single instance | example: `{2384ec59-0df8-4ab9-918c-843740924a28}`
alive | bool | sets whether or not the Monkey is alive. If false, it will stop scanning and exploiting. |
self_delete_in_cleanup | bool | sets whether or not to self-delete the Monkey executable when stopped. |
use_file_logging | bool | sets whether or not to use a log file. |
timeout_between_iterations | int | how long to wait between scan iterations |
max_iterations | int | how many scan iterations to perform on each run |
victims_max_find | int | how many victims to look for in a single scan iteration |
victims_max_exploit | int | how many victims to exploit before stopping |
command_servers | array | addresses of c&c servers to try to connect to | example: `["russian-mail-brides.com:5000"]`
serialize_config | bool | sets whether or not to save the Monkey configuration to disk when finished (it will be loaded in the next run); saved next to the Monkey exe with the name monkey.bin |
retry_failed_explotation | bool | sets whether or not to retry failed hosts on the next scan |
range_class | class name | sets which ip ranges class is used to construct the list of ips to scan | `FixedRange` - scan list is a static list of ips, `RelativeRange` - scan list will be constructed according to the ip address of the machine and the size of the scan, `ClassCRange` - will scan the entire class C the machine is in.
scanner_class | class name | sets which scan class to use when scanning for hosts to exploit | `TCPScanner` - searches for hosts according to open tcp ports, `PingScanner` - searches for hosts according to a ping scan
finger_classes | tuple of class names | sets which fingerprinting classes to use. | `SMBFinger` - get host os info by checking smb info, `SSHFinger` - get host os info by checking the ssh banner, `PingScanner` - get host os type by checking the ping ttl. For example: `(SMBFinger, SSHFinger, PingScanner)`
exploiter_classes | tuple of class names | sets which exploiter classes to use. | `SmbExploiter` - exploit using an smb connection, `WmiExploiter` - exploit using a wmi connection, `RdpExploiter` - exploit using an rdp connection, `Ms08_067_Exploiter` - exploit using the ms08_067 smb exploit, `SSHExploiter` - exploit using an ssh connection
range_fixed | tuple of strings | list of ips to scan |
range_size (RelativeRange) | int | number of hosts to scan in the relative range. |
tcp_target_ports (TCPScanner) | list of int | which ports to scan using the tcp scan. |
tcp_scan_timeout | int | timeout for a tcp connection in the tcp scan (in milliseconds). |
tcp_scan_interval | int | time to wait between ports in the tcp scan (in milliseconds). |
tcp_scan_get_banner | bool | sets whether or not to read a banner from the tcp ports when scanning |
ping_scan_timeout (PingScanner) | int | timeout for the ping command (in milliseconds). |
psexec_user (SmbExploiter/WmiExploiter/RdpExploiter) | string | user to use for the connection |
psexec_passwords | list of strings | list of passwords to use when trying to exploit |
skip_exploit_if_file_exist (SmbExploiter) | bool | sets whether or not to abort the exploit if the Monkey already exists on the target. |
rdp_use_vbs_download (RdpExploiter) | bool | sets whether to use the vbs payload for rdp exploitation. If false, the bits payload is used (will fail if bitsadmin.exe doesn't exist). |
ms08_067_exploit_attempt (Ms08_067_Exploiter) | int | number of times to try and exploit using the ms08_067 exploit. |
ms08_067_remote_user_add | string | user to add to the target when using the ms08_067 exploit |
ms08_067_remote_user_pass | string | password of the user the exploit will add |
ssh_user (SSHExploiter) | string | user to use for the ssh connection |
ssh_passwords | list of strings | list of passwords to use when trying to exploit |

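A pre-flight check for a local config.bin, added here as an example and not part of the project's own code: it loads a constructed sample configuration (the C&C address is a placeholder) in the JSON layout that both the local file and the server-supplied configuration use, and reports combinations the table above implies are inconsistent, such as `FixedRange` without a `range_fixed` list or `TCPScanner` without `tcp_target_ports`.

```python
import json

# Class names and option keys are those listed in the "Configuration Options" table.
RANGE_CLASSES = {"FixedRange", "RelativeRange", "ClassCRange"}
SCANNER_CLASSES = {"TCPScanner", "PingScanner"}
FINGER_CLASSES = {"SMBFinger", "SSHFinger", "PingScanner"}
EXPLOITER_CLASSES = {"SmbExploiter", "WmiExploiter", "RdpExploiter",
                     "Ms08_067_Exploiter", "SSHExploiter"}
COUNTERS = ("timeout_between_iterations", "max_iterations",
            "victims_max_find", "victims_max_exploit")

def validate_monkey_config(cfg):
    """Return a list of problems found in a Monkey config dict; an empty list means OK."""
    problems = []
    servers = cfg.get("command_servers") or []
    if not servers or not all(isinstance(s, str) and ":" in s for s in servers):
        problems.append("command_servers must list at least one host:port address")
    range_class = cfg.get("range_class")
    if range_class not in RANGE_CLASSES:
        problems.append("range_class must be one of %s" % sorted(RANGE_CLASSES))
    elif range_class == "FixedRange" and not cfg.get("range_fixed"):
        problems.append("FixedRange needs a non-empty range_fixed list")
    elif range_class == "RelativeRange" and not isinstance(cfg.get("range_size"), int):
        problems.append("RelativeRange needs an integer range_size")
    scanner = cfg.get("scanner_class")
    if scanner not in SCANNER_CLASSES:
        problems.append("scanner_class must be one of %s" % sorted(SCANNER_CLASSES))
    elif scanner == "TCPScanner" and not cfg.get("tcp_target_ports"):
        problems.append("TCPScanner needs a non-empty tcp_target_ports list")
    for key, allowed in (("finger_classes", FINGER_CLASSES),
                         ("exploiter_classes", EXPLOITER_CLASSES)):
        unknown = sorted(set(cfg.get(key, [])) - allowed)
        if unknown:
            problems.append("%s names unknown classes: %s" % (key, unknown))
    for key in COUNTERS:  # iteration and victim limits must be non-negative ints
        value = cfg.get(key)
        if not isinstance(value, int) or isinstance(value, bool) or value < 0:
            problems.append("%s must be a non-negative integer" % key)
    return problems

# Constructed sample config, not the project's shipped config.bin; the C&C address is a placeholder.
SAMPLE_CONFIG = json.loads("""{
  "command_servers": ["monkey-island.lab.example:5000"],
  "timeout_between_iterations": 100, "max_iterations": 1,
  "victims_max_find": 30, "victims_max_exploit": 5,
  "range_class": "RelativeRange", "range_size": 32,
  "scanner_class": "TCPScanner", "tcp_target_ports": [22, 445, 3389],
  "finger_classes": ["SMBFinger", "SSHFinger", "PingScanner"],
  "exploiter_classes": ["SmbExploiter", "SSHExploiter"]
}""")
```

Run `validate_monkey_config(json.load(open("config.bin")))` against your own file before unleashing the Monkey; an empty list means no inconsistency was found.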
Building the Monkey from source
-------------------------------

If you want to build the Monkey from source and not use our provided packages, look at the readme files under [chaos_monkey](chaos_monkey) and [monkey_island](monkey_island).

License
=======

Copyright (c) 2016 Guardicore Ltd

See the [LICENSE](LICENSE) file for license rights and limitations (GPLv3).

Dependent packages
------------------

Dependency | License
---------- | -------
libffi-dev | https://github.com/atgreen/libffi/blob/master/LICENSE
PyCrypto | Public domain
upx | Custom license, http://upx.sourceforge.net/upx-license.html; according to it (IANAL) we're fine as long as we're not modifying UPX
bson | BSD
enum34 | BSD
pyasn1 | BSD
psutil | BSD
flask | BSD
flask-Pymongo | BSD
Flask-Restful | BSD
python-dateutil | Simplified BSD
zope | ZPL 2.1
Bootstrap | MIT
JSON Editor | MIT
Datatables | MIT
jQuery | MIT
cffi | MIT
twisted | MIT
typeahead.js | MIT
Font Awesome | MIT
vis.js | MIT/Apache 2.0
impacket | Apache Modified
Start Bootstrap (UI Theme) | Apache 2.0
requests | Apache 2.0
odict | Python Software Foundation License
paramiko | LGPL
rdpy | GPL-3
winbind | GPL-3
pyinstaller | GPL