forked from p15670423/monkey
Merge pull request #342 from VakarisZ/attack_comand_line_interface
T1059 Comand line interface and T1003 Credential dumping
This commit is contained in:
Itay Mizeretz
GitHub
commit
1ebcfd8ba6
|
|
@ -24,7 +24,8 @@ class HostExploiter(object):
|
|||
'started': '',
|
||||
'finished': '',
|
||||
'vulnerable_urls': [],
|
||||
'vulnerable_ports': []}
|
||||
'vulnerable_ports': [],
|
||||
'executed_cmds': []}
|
||||
self._exploit_attempts = []
|
||||
self.host = host
|
||||
|
||||
|
|
@ -70,6 +71,14 @@ class HostExploiter(object):
|
|||
def add_vuln_port(self, port):
|
||||
self._exploit_info['vulnerable_ports'].append(port)
|
||||
|
||||
def add_executed_cmd(self, cmd):
|
||||
"""
|
||||
Appends command to exploiter's info.
|
||||
:param cmd: String of executed command. e.g. 'echo Example'
|
||||
"""
|
||||
command = {'cmd': cmd}
|
||||
self._exploit_info['executed_cmds'].append(command)
|
||||
|
||||
|
||||
from infection_monkey.exploit.win_ms08_067 import Ms08_067_Exploiter
|
||||
from infection_monkey.exploit.wmiexec import WmiExploiter
|
||||
|
|
|
|||
|
|
@ -49,6 +49,7 @@ class HadoopExploiter(WebRCE):
|
|||
return False
|
||||
http_thread.join(self.DOWNLOAD_TIMEOUT)
|
||||
http_thread.stop()
|
||||
self.add_executed_cmd(command)
|
||||
return True
|
||||
|
||||
def exploit(self, url, command):
|
||||
|
|
|
|||
|
|
@ -77,7 +77,7 @@ class MSSQLExploiter(HostExploiter):
|
|||
commands.extend(monkey_args)
|
||||
MSSQLExploiter.execute_command(cursor, commands)
|
||||
MSSQLExploiter.run_file(cursor, tmp_file_path)
|
||||
|
||||
self.add_executed_cmd(commands[-1])
|
||||
return True
|
||||
|
||||
@staticmethod
|
||||
|
|
|
|||
|
|
@ -343,5 +343,5 @@ class RdpExploiter(HostExploiter):
|
|||
|
||||
LOG.info("Executed monkey '%s' on remote victim %r",
|
||||
os.path.basename(src_path), self.host)
|
||||
|
||||
self.add_executed_cmd(command)
|
||||
return True
|
||||
|
|
|
|||
|
|
@ -144,6 +144,7 @@ class ShellShockExploiter(HostExploiter):
|
|||
if not (self.check_remote_file_exists(url, header, exploit, self._config.monkey_log_path_linux)):
|
||||
LOG.info("Log file does not exist, monkey might not have run")
|
||||
continue
|
||||
self.add_executed_cmd(cmdline)
|
||||
return True
|
||||
|
||||
return False
|
||||
|
|
|
|||
|
|
@ -178,6 +178,7 @@ class SSHExploiter(HostExploiter):
|
|||
self._config.dropper_target_path_linux, self.host, cmdline)
|
||||
|
||||
ssh.close()
|
||||
self.add_executed_cmd(cmdline)
|
||||
return True
|
||||
|
||||
except Exception as exc:
|
||||
|
|
|
|||
|
|
@ -138,6 +138,7 @@ class VSFTPDExploiter(HostExploiter):
|
|||
if backdoor_socket.send(run_monkey):
|
||||
LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)", self._config.dropper_target_path_linux,
|
||||
self.host, run_monkey)
|
||||
self.add_executed_cmd(run_monkey)
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
|
|
|||
|
|
@ -408,6 +408,7 @@ class WebRCE(HostExploiter):
|
|||
# If exploiter returns True / False
|
||||
if type(resp) is bool:
|
||||
LOG.info("Execution attempt successfully finished")
|
||||
self.add_executed_cmd(command)
|
||||
return resp
|
||||
# If exploiter returns command output, we can check for execution errors
|
||||
if 'is not recognized' in resp or 'command not found' in resp:
|
||||
|
|
@ -420,6 +421,8 @@ class WebRCE(HostExploiter):
|
|||
LOG.error("Something went wrong when trying to execute remote monkey: %s" % e)
|
||||
return False
|
||||
LOG.info("Execution attempt finished")
|
||||
|
||||
self.add_executed_cmd(command)
|
||||
return resp
|
||||
|
||||
def get_monkey_upload_path(self, url_to_monkey):
|
||||
|
|
|
|||
|
|
@ -114,7 +114,7 @@ class WmiExploiter(HostExploiter):
|
|||
|
||||
result.RemRelease()
|
||||
wmi_connection.close()
|
||||
|
||||
self.add_executed_cmd(cmdline)
|
||||
return success
|
||||
|
||||
return False
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
import logging
|
||||
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075
|
||||
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059
|
||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
||||
from monkey_island.cc.database import mongo
|
||||
|
||||
|
|
@ -11,7 +11,9 @@ LOG = logging.getLogger(__name__)
|
|||
TECHNIQUES = {'T1210': T1210.T1210,
|
||||
'T1197': T1197.T1197,
|
||||
'T1110': T1110.T1110,
|
||||
'T1075': T1075.T1075}
|
||||
'T1075': T1075.T1075,
|
||||
'T1003': T1003.T1003,
|
||||
'T1059': T1059.T1059}
|
||||
|
||||
REPORT_NAME = 'new_report'
|
||||
|
||||
|
|
|
|||
|
|
@ -84,5 +84,19 @@ SCHEMA = {
|
|||
}
|
||||
}
|
||||
},
|
||||
"execution": {
|
||||
"title": "Execution",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"T1059": {
|
||||
"title": "T1059 Command line interface",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": True,
|
||||
"description": "Adversaries may use command-line interfaces to interact with systems "
|
||||
"and execute other software during the course of an operation.",
|
||||
}
|
||||
}
|
||||
},
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,27 @@
|
|||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from monkey_island.cc.database import mongo
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
||||
class T1003(AttackTechnique):
|
||||
|
||||
tech_id = "T1003"
|
||||
unscanned_msg = "Monkey tried to obtain credentials from systems in the network but didn't find any or failed."
|
||||
scanned_msg = ""
|
||||
used_msg = "Monkey successfully obtained some credentials from systems on the network."
|
||||
|
||||
query = {'telem_category': 'system_info_collection', '$and': [{'data.credentials': {'$exists': True}},
|
||||
# $gt: {} checks if field is not an empty object
|
||||
{'data.credentials': {'$gt': {}}}]}
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1003.technique_title()}
|
||||
if mongo.db.telemetry.count_documents(T1003.query):
|
||||
status = ScanStatus.USED
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
data.update(T1003.get_message_and_status(status))
|
||||
return data
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from monkey_island.cc.database import mongo
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
||||
class T1059(AttackTechnique):
|
||||
|
||||
tech_id = "T1059"
|
||||
unscanned_msg = "Monkey didn't exploit any machines to run commands at."
|
||||
scanned_msg = ""
|
||||
used_msg = "Monkey successfully ran commands on exploited machines in the network."
|
||||
|
||||
query = [{'$match': {'telem_category': 'exploit',
|
||||
'data.info.executed_cmds': {'$exists': True, '$ne': []}}},
|
||||
{'$project': {'_id': 0,
|
||||
'machine': '$data.machine',
|
||||
'info': '$data.info'}},
|
||||
{'$group': {'_id': '$machine', 'data': {'$push': '$$ROOT'}}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
cmd_data = list(mongo.db.telemetry.aggregate(T1059.query))
|
||||
data = {'title': T1059.technique_title(), 'cmds': cmd_data}
|
||||
if cmd_data:
|
||||
status = ScanStatus.USED
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
data.update(T1059.get_message_and_status(status))
|
||||
return data
|
||||
|
|
@ -13,7 +13,7 @@ class T1110(AttackTechnique):
|
|||
used_msg = "Monkey successfully used brute force in the network."
|
||||
|
||||
# Gets data about brute force attempts
|
||||
query = [{'$match': {'telem_type': 'exploit',
|
||||
query = [{'$match': {'telem_category': 'exploit',
|
||||
'data.attempts': {'$not': {'$size': 0}}}},
|
||||
{'$project': {'_id': 0,
|
||||
'machine': '$data.machine',
|
||||
|
|
|
|||
|
|
@ -13,13 +13,15 @@ class T1197(AttackTechnique):
|
|||
@staticmethod
|
||||
def get_report_data():
|
||||
data = T1197.get_tech_base_data()
|
||||
bits_results = mongo.db.telemetry.aggregate([{'$match': {'telem_category': 'attack', 'data.technique': T1197.tech_id}},
|
||||
{'$group': {'_id': {'ip_addr': '$data.machine.ip_addr', 'usage': '$data.usage'},
|
||||
'ip_addr': {'$first': '$data.machine.ip_addr'},
|
||||
'domain_name': {'$first': '$data.machine.domain_name'},
|
||||
'usage': {'$first': '$data.usage'},
|
||||
'time': {'$first': '$timestamp'}}
|
||||
}])
|
||||
bits_results = mongo.db.telemetry.aggregate([{'$match': {'telem_category': 'attack',
|
||||
'data.technique': T1197.tech_id}},
|
||||
{'$group': {'_id': {'ip_addr': '$data.machine.ip_addr',
|
||||
'usage': '$data.usage'},
|
||||
'ip_addr': {'$first': '$data.machine.ip_addr'},
|
||||
'domain_name': {'$first': '$data.machine.domain_name'},
|
||||
'usage': {'$first': '$data.usage'},
|
||||
'time': {'$first': '$timestamp'}}
|
||||
}])
|
||||
bits_results = list(bits_results)
|
||||
data.update({'bits_jobs': bits_results})
|
||||
return data
|
||||
|
|
|
|||
|
|
@ -0,0 +1,26 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import '../../report-components/StolenPasswords'
|
||||
import StolenPasswordsComponent from "../../report-components/StolenPasswords";
|
||||
|
||||
|
||||
class T1003 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
<StolenPasswordsComponent data={this.props.reportData.glance.stolen_creds.concat(this.props.reportData.glance.ssh_keys)}/>
|
||||
: ""}
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1003;
|
||||
|
|
@ -0,0 +1,41 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachine } from "./Helpers"
|
||||
|
||||
|
||||
class T1059 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
static getCommandColumns() {
|
||||
return ([{
|
||||
Header: 'Example commands used',
|
||||
columns: [
|
||||
{Header: 'Machine', id: 'machine', accessor: x => renderMachine(x.data[0].machine), style: { 'whiteSpace': 'unset'}, width: 160 },
|
||||
{Header: 'Approx. Time', id: 'time', accessor: x => x.data[0].info.finished, style: { 'whiteSpace': 'unset' }},
|
||||
{Header: 'Command', id: 'command', accessor: x => x.data[0].info.executed_cmds[0].cmd, style: { 'whiteSpace': 'unset' }},
|
||||
]
|
||||
}])};
|
||||
|
||||
render() {
|
||||
console.log(this.props.data);
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
<ReactTable
|
||||
columns={T1059.getCommandColumns()}
|
||||
data={this.props.data.cmds}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.cmds.length}
|
||||
/> : ""}
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1059;
|
||||
|
|
@ -24,8 +24,8 @@ class T1075 extends React.Component {
|
|||
columns: [
|
||||
{Header: 'Machine', id: 'machine', accessor: x => renderMachine(x.machine), style: { 'whiteSpace': 'unset' }},
|
||||
{Header: 'Service', id: 'service', accessor: x => x.info.display_name, style: { 'whiteSpace': 'unset' }},
|
||||
{Header: 'Username', id: 'attempts', accessor: x => x.attempts[0].user, style: { 'whiteSpace': 'unset' }},
|
||||
{Header: 'Hash type', id: 'credentials', accessor: x => x.attempts[0].hashType, style: { 'whiteSpace': 'unset' }},
|
||||
{Header: 'Username', id: 'username', accessor: x => x.attempts[0].user, style: { 'whiteSpace': 'unset' }},
|
||||
{Header: 'Hash type', id: 'hash', accessor: x => x.attempts[0].hashType, style: { 'whiteSpace': 'unset' }},
|
||||
]
|
||||
}])};
|
||||
|
||||
|
|
|
|||
|
|
@ -518,7 +518,7 @@ class ReportPageComponent extends AuthComponent {
|
|||
This report shows information about ATT&CK techniques used by Infection Monkey.
|
||||
</p>
|
||||
<div>
|
||||
<AttackReport/>
|
||||
<AttackReport reportData={this.state.report}/>
|
||||
</div>
|
||||
<br />
|
||||
</div>)
|
||||
|
|
|
|||
|
|
@ -9,12 +9,16 @@ import T1210 from '../attack/techniques/T1210';
|
|||
import T1197 from '../attack/techniques/T1197';
|
||||
import T1110 from '../attack/techniques/T1110';
|
||||
import T1075 from "../attack/techniques/T1075";
|
||||
import T1003 from "../attack/techniques/T1003";
|
||||
import T1059 from "../attack/techniques/T1059";
|
||||
|
||||
const tech_components = {
|
||||
'T1210': T1210,
|
||||
'T1197': T1197,
|
||||
'T1110': T1110,
|
||||
'T1075': T1075
|
||||
'T1075': T1075,
|
||||
'T1003': T1003,
|
||||
'T1059': T1059
|
||||
};
|
||||
|
||||
const classNames = require('classnames');
|
||||
|
|
@ -101,7 +105,7 @@ class AttackReportPageComponent extends AuthComponent {
|
|||
const TechniqueComponent = tech_components[technique];
|
||||
return (
|
||||
<div className={`content ${collapseState}`}>
|
||||
<TechniqueComponent data={this.state.report[technique]} />
|
||||
<TechniqueComponent data={this.state.report[technique]} reportData={this.props.reportData}/>
|
||||
</div>
|
||||
);
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue