From 5ad54db09786c6d0a0a89c7589950d27d9f54490 Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 09:15:13 -0500 Subject: [PATCH 01/24] docs: Update reference/_index.md --- docs/content/reference/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/reference/_index.md b/docs/content/reference/_index.md index 01a3a98f3..356d85312 100644 --- a/docs/content/reference/_index.md +++ b/docs/content/reference/_index.md @@ -9,6 +9,6 @@ tags = ["reference"] # Reference -Find detailed information about Infection Monkey. +Find detailed information about the Infection Monkey. {{% children %}} From 27dae7bd6c3fcf5b41aec8415375fbdb5a13c28f Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 09:19:50 -0500 Subject: [PATCH 02/24] docs: Update mitre_techniques.md --- docs/content/reference/mitre_techniques.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/docs/content/reference/mitre_techniques.md b/docs/content/reference/mitre_techniques.md index 9e528449e..d455d7e90 100644 --- a/docs/content/reference/mitre_techniques.md +++ b/docs/content/reference/mitre_techniques.md 
@@ -10,12 +10,9 @@ weight: 10 Check out [the documentation for the MITRE ATT&CK report as well](../../usage/reports/mitre). {{% /notice %}} -The Monkey maps its actions to the [MITRE ATT&CK](https://attack.mitre.org/) knowledge base and based on this, - provides a report detailing the techniques it used and recommended mitigations. - The idea is to help you simulate an APT attack on your network and mitigate real attack paths intelligently. - - In the following table we provide the list of all the ATT&CK techniques the Monkey provides info about, - categorized by tactic. You can follow any of the links to learn more about a specific technique or tactic. +The Infection Monkey maps its actions to the [MITRE ATT&CK](https://attack.mitre.org/) knowledge base and, based on this, provides a report detailing the techniques it used along with any recommended mitigations. This helps you simulate an advanced persistent threat (APT) attack on your network and mitigate real attack paths intelligently. + +In the following table, we provide the list of all the MITRE ATT&CK techniques the Monkey provides info about, categorized by the tactic. You can follow any of the links below to learn more about a specific technique or tactic. | TACTIC | TECHNIQUES | From f272e97778ae5c8ad7aa06690569203b48e920ee Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 09:36:41 -0500 Subject: [PATCH 03/24] docs: Update operating_systems_support.md --- .../reference/operating_systems_support.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/content/reference/operating_systems_support.md b/docs/content/reference/operating_systems_support.md index f3b1a44ba..02cefbac0 100644 --- a/docs/content/reference/operating_systems_support.md +++ b/docs/content/reference/operating_systems_support.md 
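Review bot: in the rewritten second paragraph, "categorized by the tactic" reads wrong; the original "categorized by tactic" is the idiomatic form, since the table groups techniques under each ATT&CK tactic. Suggest `In the following table, we provide the list of all the MITRE ATT&CK techniques the Monkey provides info about, categorized by tactic.` The same hunk also switches to "The Infection Monkey" in the first paragraph but keeps "the Monkey" in the second; use one name, as the rest of this series does.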
@@ -7,15 +7,15 @@ weight: 10 tags: ["setup", "reference", "windows", "linux"] --- -The Infection Monkey project supports many popular OSes (but we can always do more). +The Infection Monkey project supports many popular OSes (but we are always interested in supporting more). -The Monkey itself (the agent) has been tested to run on the following operating systems (on x64 architecture) +The Infection Monkey agent has been tested to run on the following operating systems (on x64 architecture): -### Monkey support +### Agent support #### Linux -Compatibility depends on GLIBC version (2.14+)[^1]. By default these distributions are supported: +Compatibility depends on GLIBC version (2.14+)[^1]. By default, these distributions are supported: - Centos 7+ - Debian 7+ @@ -30,9 +30,9 @@ Compatibility depends on GLIBC version (2.14+)[^1]. By default these distributio - Windows 2012+ - Windows 2012_R2+ - Windows 7/Server 2008_R2 if [KB2999226](https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows) is installed. -- Windows vista/Server 2008 should also work if the same update is installed, but this wasn't tested. +- Windows Vista/Server 2008 should also work if the same update is installed, but this wasn't tested. -### Island support +### Server support **The Monkey Island (control server)** runs out of the box on: 
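Review bot: the @@ -7,15 hunk renames "Monkey support" to "Agent support" but leaves the untouched `- Centos 7+` entry, which should read `CentOS 7+` while this list is being edited. In the @@ -30,9 hunk, "Windows Vista" is now capitalized correctly, but the neighbouring entries still use the underscore forms `Windows 2012_R2+` and `Server 2008_R2`; either write `2012 R2` / `2008 R2` consistently or leave the whole list alone in a prose-only pass.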
@@ -42,13 +42,13 @@ Compatibility depends on GLIBC version (2.14+)[^1]. By default these distributio - Windows Server 2012 R2 - Windows Server 2016 -We provide a dockerfile from our [website](http://infectionmonkey.com/) that lets the Monkey Island run inside a container. +We also provide a Dockerfile on our [website](http://infectionmonkey.com/) that lets the Monkey Island run inside a container. ### Old machine bootloader -Some **Older machines** still get a partial compatibility as in they get exploited and reported, but monkey can't run on them. So instead of monkey, old machine bootloader (small c program) is ran, which reports some minor info like network interface configuration, GLIBC version, OS and so on. +Some **older machines** still have partial compatibility and will be exploited and reported, but the Infection Monkey agent can't run on them. In these cases, old machine bootloader (a small c program) will be run, which reports some minor info like network interface configuration, GLIBC version, OS, etc. -**Old machine bootloader** also has a GLIBC 2.14+ requirement for linux, because bootloader is included into pyinstaller bootloader which uses python3.7, which in turn requires GLIBC 2.14+. If you think partial support for older machines is important, don't hesitate to open a new issue about it. +**Old machine bootloader** also has a GLIBC 2.14+ requirement for Linux because the bootloader is included in the Pyinstaller bootloader, which uses Python 3.7 that in turn requires GLIBC 2.14+. If you think partial support for older machines is important, don't hesitate to open a new issue about it. **Old machine bootloader** runs on machines with: 
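Review bot: in the "Old machine bootloader" paragraph, "old machine bootloader (a small c program) will be run" is missing its article and should capitalize the language: `the old machine bootloader (a small C program) is run instead`. In the next paragraph "Pyinstaller" should be "PyInstaller". The Dockerfile sentence changes "from our website" to "on our website" but keeps the plain `http://infectionmonkey.com/` link, while the downloads link elsewhere in this series uses `https://www.guardicore.com/infectionmonkey/`; consider pointing both at the same HTTPS URL.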
@@ -61,4 +61,4 @@ Some **Older machines** still get a partial compatibility as in they get exploit - Ubuntu 14+ - **Windows XP/Server 2003+** -[^1]: GLIBC >= 2.14 requirement comes from the fact that monkey is built using this GLIBC version and GLIBC is not backwards compatible. We are also limited to the oldest GLIBC version compatible with ptyhon3.7 +[^1]: The GLIBC >= 2.14 requirement exists because the Infection Monkey was built using this GLIBC version, and GLIBC is not backward compatible. We are also limited to the oldest GLIBC version compatible with Ptyhon 3.7. From 1b0ab5555418cc5d1828d56cd22a268ec4c03534 Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 09:49:43 -0500 Subject: [PATCH 04/24] docs: Update Drupal.md --- docs/content/reference/exploiters/Drupal.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/reference/exploiters/Drupal.md b/docs/content/reference/exploiters/Drupal.md index df600b2cb..5763b0ca8 100644 --- a/docs/content/reference/exploiters/Drupal.md +++ b/docs/content/reference/exploiters/Drupal.md @@ -18,7 +18,7 @@ This can lead to arbitrary PHP code execution in some cases. ### Affected Versions -* Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. +* Drupal 8.5.x (before 8.5.11) and Drupal 8.6.x (before 8.6.10). One of the following conditions must hold: * The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH @@ -32,4 +32,4 @@ Drupal 8, or Services or RESTful Web Services in Drupal 7. * The Infection Monkey exploiter implementation is based on an open-source [Python implementation](https://gist.github.com/leonjza/d0ab053be9b06fa020b66f00358e3d88/f9f6a5bb6605745e292bee3a4079f261d891738a) of the exploit by @leonjza. -* For the full attack to work, more than one vulnerable URL is required. \ No newline at end of file +* For the full attack to work, more than one vulnerable URL is required. 
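Review bot: the rewritten footnote carries over the typo "Ptyhon 3.7" from the old line; fix it to "Python 3.7" while touching it. The explanation is also backwards: GLIBC is backward compatible (a newer GLIBC runs binaries built against an older one); the real constraint is that a binary built against GLIBC 2.14 symbols will not load on an older GLIBC, so the footnote should say something like "because the agent is built against GLIBC 2.14, and binaries built against a newer GLIBC do not run on older versions". In the Drupal hunk (PATCH 04), the affected-versions line reads fine, but unlike the ElasticGroovy, Struts2 and shellshock pages this one never names the CVE; add the identifier (CVE-2019-6340, whose description the page quotes in "This can lead to arbitrary PHP code execution in some cases") next to the version range.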
From a483b4aafc7e2330acbd39e57caa8ed0a7726be8 Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 09:51:30 -0500 Subject: [PATCH 05/24] docs: Update ElasticGroovy.md --- docs/content/reference/exploiters/ElasticGroovy.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/content/reference/exploiters/ElasticGroovy.md b/docs/content/reference/exploiters/ElasticGroovy.md index 7325ccb86..86ae4247c 100644 --- a/docs/content/reference/exploiters/ElasticGroovy.md +++ b/docs/content/reference/exploiters/ElasticGroovy.md @@ -4,9 +4,10 @@ date: 2020-07-14T08:41:40+03:00 draft: false tags: ["exploit", "windows", "linux"] --- +### Description -CVE-2015-1427. +CVE-2015-1427 -> The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. +> The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x (before 1.4.3) allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. -Logic is based on [Metasploit module](https://github.com/rapid7/metasploit-framework/blob/12198a088132f047e0a86724bc5ebba92a73ac66/modules/exploits/multi/elasticsearch/search_groovy_script.rb). +The logic is based on the [Metasploit module](https://github.com/rapid7/metasploit-framework/blob/12198a088132f047e0a86724bc5ebba92a73ac66/modules/exploits/multi/elasticsearch/search_groovy_script.rb). From f7d9df0e6407a850aeab4b0930a32af764d2a957 Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 09:59:16 -0500 Subject: [PATCH 06/24] docs: Update Hadoop.md --- docs/content/reference/exploiters/Hadoop.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
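Review bot: the blockquote under `CVE-2015-1427` is the CVE's published description, so rewording it to "1.4.x (before 1.4.3)" means it no longer quotes the source verbatim; either keep the text as published ("before 1.3.8 and 1.4.x before 1.4.3") or drop the `>` marker and present it as the page's own summary. Also, `### Description` is inserted directly after the closing `---` of the front matter with no blank line; the same pattern recurs in the later exploiter patches, so add the blank line in each for consistency with the other pages.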
diff --git a/docs/content/reference/exploiters/Hadoop.md b/docs/content/reference/exploiters/Hadoop.md index 7d9de287b..300eb47ad 100644 --- a/docs/content/reference/exploiters/Hadoop.md +++ b/docs/content/reference/exploiters/Hadoop.md @@ -5,4 +5,6 @@ draft: false tags: ["exploit", "linux", "windows"] --- -Remote code execution on HADOOP server with YARN and default settings. Logic based on [this vulhub module](https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn). +### Description + +This exploit consists of remote code execution on HADOOP servers with YARN and default settings. The logic is based on [this vulhub module](https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn). From 77859b86dd2c63a5942c41a09ef3cae9b67d9b13 Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:01:47 -0500 Subject: [PATCH 07/24] docs: Update MS08-067.md --- docs/content/reference/exploiters/MS08-067.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/content/reference/exploiters/MS08-067.md b/docs/content/reference/exploiters/MS08-067.md index 3f0c57cc3..d4eb3b807 100644 --- a/docs/content/reference/exploiters/MS08-067.md +++ b/docs/content/reference/exploiters/MS08-067.md 
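Review bot: "HADOOP servers" should be "Hadoop servers" (it is a name, not an acronym), and "with YARN and default settings" is too vague about what is exploited; the linked vulhub module is named `unauthorized-yarn`, so say what the default setting is, e.g. `Hadoop servers whose YARN ResourceManager REST API is exposed without authentication (the default configuration)`.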
@@ -5,6 +5,10 @@ draft: false tags: ["exploit", "windows"] --- +### Description + [MS08-067](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067) is a remote code execution vulnerability. -This exploiter is unsafe. If an exploit attempt fails, this could also lead to a crash in Svchost.exe. If the crash in Svchost.exe occurs, the Server service will be affected. That might cause system crash due to the use of buffer overflow. It's therefore **not** enabled by default. +This exploiter is unsafe. It's therefore **not** enabled by default. + +If an exploit attempt fails, this could also lead to a crash in Svchost.exe. If a crash in Svchost.exe occurs, the server service will be affected. This may cause a system crash due to the use of buffer overflow. From bfff95ce346eb67e8649b86bf1cc1410d8eee01a Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:03:37 -0500 Subject: [PATCH 08/24] docs: Update MsSQL.md --- docs/content/reference/exploiters/MsSQL.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/content/reference/exploiters/MsSQL.md b/docs/content/reference/exploiters/MsSQL.md index 2d664503b..58926addd 100644 --- a/docs/content/reference/exploiters/MsSQL.md +++ b/docs/content/reference/exploiters/MsSQL.md @@ -5,4 +5,6 @@ draft: false tags: ["exploit", "windows"] --- -The Monkey will try to brute force into MsSQL server and uses insecure configuration to execute commands on server. +### Description + +For this exploit, the Infection Monkey will try to brute force into a MsSQL server and use an insecure configuration to execute commands on the server. From 3f255c5626e501fd3d2b7dd3a0ba4c924bda3809 Mon Sep 17 00:00:00 2001 
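Review bot: splitting the MS08-067 paragraph leaves "could also lead" dangling, since "also" no longer follows anything, and "the server service" lowercases the name of the Windows Server service (the SMB file-sharing service hosted in svchost.exe), which should keep its capital S. Suggest `If an exploit attempt fails, it can crash Svchost.exe; if that happens, the Server service will be affected, and the buffer overflow used by the exploit may crash the whole system.` In the MsSQL hunk (PATCH 08), "a MsSQL server" should be "an MSSQL server" (or "a Microsoft SQL Server instance"), and "use an insecure configuration" should name which configuration the exploiter relies on, since that is what a reader would need to check on their own servers.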
From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:04:35 -0500 Subject: [PATCH 09/24] docs: Update SMBExec.md --- docs/content/reference/exploiters/SMBExec.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/content/reference/exploiters/SMBExec.md b/docs/content/reference/exploiters/SMBExec.md index cccf0596d..dee01c637 100644 --- a/docs/content/reference/exploiters/SMBExec.md +++ b/docs/content/reference/exploiters/SMBExec.md @@ -4,5 +4,6 @@ date: 2020-07-14T08:42:16+03:00 draft: false tags: ["exploit", "windows"] --- +### Description -Brute forces using credentials provided by user (see ["Configuration"](../usage/configuration)) and hashes gathered by Mimikatz. +This exploit brute forces machines using credentials provided by the user (see [configuration](../usage/configuration) for instructions) and hashes gathered by Mimikatz. From 32089018ab3e064a5be88e627549c0ff9c3c8f64 Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:07:20 -0500 Subject: [PATCH 10/24] docs: Update SSHExec.md --- docs/content/reference/exploiters/SSHExec.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/content/reference/exploiters/SSHExec.md b/docs/content/reference/exploiters/SSHExec.md index d90d311cb..9a6fd6537 100644 --- a/docs/content/reference/exploiters/SSHExec.md +++ b/docs/content/reference/exploiters/SSHExec.md @@ -4,5 +4,6 @@ date: 2020-07-14T08:42:21+03:00 draft: false tags: ["exploit", "linux"] --- +### Description -Brute forces using credentials provided by user (see ["Configuration"](../usage/configuration))and SSH keys gathered from systems. +This exploit brute forces machines using credentials provided by the user (see ["configuration"](../usage/configuration) for instructions) and SSH keys gathered from systems. From dbab5abd932cfdb6e57b7c7717281da51ea7e873 Mon Sep 17 00:00:00 2001 
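Review bot: both the SMBExec and SSHExec hunks keep the relative link `../usage/configuration`, which is likely broken: these pages live under `reference/exploiters/`, so `..` resolves to `reference/`, whereas the mitre_techniques page one level up uses `../../usage/reports/mitre` to reach `usage/`. From the exploiter pages the path needs one more level (`../../../usage/configuration`), or an absolute site path. The two hunks also render the link text differently (`[configuration]` vs `["configuration"]`), and "brute forces" as a verb should be hyphenated, "brute-forces"; pick one form for all the exploiter pages.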
From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:09:56 -0500 Subject: [PATCH 11/24] docs: Update Sambacry.md --- docs/content/reference/exploiters/Sambacry.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/content/reference/exploiters/Sambacry.md b/docs/content/reference/exploiters/Sambacry.md index 1187d08ed..1cc804875 100644 --- a/docs/content/reference/exploiters/Sambacry.md +++ b/docs/content/reference/exploiters/Sambacry.md @@ -4,5 +4,6 @@ date: 2020-07-14T08:42:02+03:00 draft: false tags: ["exploit", "linux"] --- +### Description -Bruteforces and searches for anonymous shares. Partially based on [the following implementation](https://github.com/CoreSecurity/impacket/blob/master/examples/sambaPipe.py) by CORE Security Technologies' impacket. +This exploit brute forces machines and searches for anonymous shares. It is partially based on [the following implementation](https://github.com/CoreSecurity/impacket/blob/master/examples/sambaPipe.py) by CORE Security Technologies' impacket. From 1201343ed265b98d015f030abad8339ec7c37f42 Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:15:20 -0500 Subject: [PATCH 12/24] docs: Update Struts2.md --- docs/content/reference/exploiters/Struts2.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/content/reference/exploiters/Struts2.md b/docs/content/reference/exploiters/Struts2.md index a81f61575..5ce1dfe5a 100644 --- a/docs/content/reference/exploiters/Struts2.md +++ b/docs/content/reference/exploiters/Struts2.md 
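Review bot: "This exploit brute forces machines and searches for anonymous shares" describes the credential attack but not what is exploited; the SambaCry name refers to CVE-2017-7494, the Samba remote code execution bug, and the other exploiter pages in this series lead with the CVE, so add it here. "brute forces" should also be hyphenated as "brute-forces", matching the suggestion for the SMBExec and SSHExec pages.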
@@ -4,5 +4,6 @@ date: 2020-07-14T08:42:30+03:00 draft: false tags: ["exploit", "linux", "windows"] --- +### Description -Exploits struts2 java web framework. CVE-2017-5638. Logic based on [VEX WOO's PoC](https://www.exploit-db.com/exploits/41570). +This exploit, CVE-2017-5638, utilizes the Struts 2 Java web framework. The logic is based on [VEX WOO's PoC](https://www.exploit-db.com/exploits/41570). From 788b9857116a2dafd6ba3278b1ef3cb5b7331a2b Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:16:03 -0500 Subject: [PATCH 13/24] docs: Update VSFTPD.md --- docs/content/reference/exploiters/VSFTPD.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/content/reference/exploiters/VSFTPD.md b/docs/content/reference/exploiters/VSFTPD.md index ce5a6dcc3..32b3ad96f 100644 --- a/docs/content/reference/exploiters/VSFTPD.md +++ b/docs/content/reference/exploiters/VSFTPD.md @@ -4,5 +4,6 @@ date: 2020-07-14T08:42:39+03:00 draft: false tags: ["exploit", "linux"] --- +### Description -Exploits a malicious backdoor that was added to the VSFTPD download archive. Logic based on [this MetaSploit module](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb). +This exploits a malicious backdoor that was added to the VSFTPD download archive. The logic is based on [this MetaSploit module](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb). From 449cb98de05d5dcffebef0d9c02fbdb2428281c4 Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:17:37 -0500 Subject: [PATCH 14/24] docs: Update WMIExec.md --- docs/content/reference/exploiters/WMIExec.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
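Review bot: the Struts2 rewrite changes the meaning: "This exploit, CVE-2017-5638, utilizes the Struts 2 Java web framework" says the exploit uses Struts, whereas the original "Exploits struts2 java web framework" says it attacks it. Suggest `This exploiter targets CVE-2017-5638 in the Apache Struts 2 Java web framework. The logic is based on ...`. In the VSFTPD hunk (PATCH 13), "This exploits a malicious backdoor" needs a subject ("This exploiter uses ..."), and the affected version is worth stating, since the linked Metasploit module name `vsftpd_234_backdoor.rb` pins it to vsftpd 2.3.4.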
diff --git a/docs/content/reference/exploiters/WMIExec.md b/docs/content/reference/exploiters/WMIExec.md index 346bc6eed..d60b3c612 100644 --- a/docs/content/reference/exploiters/WMIExec.md +++ b/docs/content/reference/exploiters/WMIExec.md @@ -4,5 +4,6 @@ date: 2020-07-14T08:43:12+03:00 draft: false tags: ["exploit", "windows"] --- +### Description -Brute forces WMI (Windows Management Instrumentation) using credentials provided by user (see ["Configuration"](../usage/configuration)) and hashes gathered by mimikatz. +This exploit brute forces WMI (Windows Management Instrumentation) using credentials provided by the user (see ["configuration"](../usage/configuration) for instructions) and hashes gathered by mimikatz. From cc17be612ee62609d4e65bc862f0d0d5fc1e4290 Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:18:09 -0500 Subject: [PATCH 15/24] docs: Update WebLogic.md --- docs/content/reference/exploiters/WebLogic.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/content/reference/exploiters/WebLogic.md b/docs/content/reference/exploiters/WebLogic.md index 051fa4732..0e803641a 100644 --- a/docs/content/reference/exploiters/WebLogic.md +++ b/docs/content/reference/exploiters/WebLogic.md @@ -4,5 +4,6 @@ date: 2020-07-14T08:42:46+03:00 draft: false tags: ["exploit", "linux", "windows"] --- +### Description -Exploits CVE-2017-10271 and CVE-2019-2725 vulnerabilities on a vulnerable WebLogic server. +This exploits CVE-2017-10271 and CVE-2019-2725 vulnerabilities on a vulnerable WebLogic server. From 381dea0e545508a279045b3886d058f2b640c07f Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:23:08 -0500 Subject: [PATCH 16/24] docs: Update exploiters/_index.md --- docs/content/reference/exploiters/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
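Review bot: the WMIExec hunk has the same `../usage/configuration` link as SMBExec and SSHExec, which resolves under `reference/exploiters/` rather than to the usage section, and spells "mimikatz" in lowercase where the SMBExec page writes "Mimikatz"; fix both together with those pages. In the WebLogic hunk (PATCH 15), "exploits ... vulnerabilities on a vulnerable WebLogic server" is redundant; suggest `This exploiter targets CVE-2017-10271 and CVE-2019-2725 on Oracle WebLogic servers.`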
diff --git a/docs/content/reference/exploiters/_index.md b/docs/content/reference/exploiters/_index.md index 4624081d8..618fea0d0 100644 --- a/docs/content/reference/exploiters/_index.md +++ b/docs/content/reference/exploiters/_index.md @@ -9,8 +9,8 @@ tags = ["reference", "exploit"] # Exploiters -Infection Monkey uses various RCE exploiters. Most of these, in our knowledge, pose no risk to performance or services on victim machines. This documentation serves as a quick introduction to the exploiters currently implemented and vulnerabilities used by them. +The Infection Monkey uses various remote code execution (RCE) exploiters. To our best knowledge, most of these pose no risk to performance or services on victim machines. This documentation serves as a quick introduction to the exploiters currently implemented and the vulnerabilities they use. {{% children %}} -You can check out the Exploiters' implementation yourself [in the Monkey's GitHub repository](https://github.com/guardicore/monkey/tree/develop/monkey/infection_monkey/exploit). +You can check out the exploiters' implementation yourself [in the Infection Monkey's GitHub repository](https://github.com/guardicore/monkey/tree/develop/monkey/infection_monkey/exploit). From 02acab704793a6f7e6702aa17d4c3ed44c7ff169 Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:31:44 -0500 Subject: [PATCH 17/24] docs: Update shellshock.md --- docs/content/reference/exploiters/shellshock.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/content/reference/exploiters/shellshock.md b/docs/content/reference/exploiters/shellshock.md index c220ae24f..20aee282f 100644 --- a/docs/content/reference/exploiters/shellshock.md +++ b/docs/content/reference/exploiters/shellshock.md 
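Review bot: "To our best knowledge" should be "To the best of our knowledge". The same sentence says most exploiters pose no risk to victim machines; since the MS08-067 page in this series calls that exploiter unsafe and disabled by default, say so here, e.g. `most of these (the exception being MS08-067, which is disabled by default) pose no risk to performance or services on victim machines`, so readers do not have to discover the exception on the sub-page.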
@@ -4,7 +4,8 @@ date: 2020-07-14T08:41:32+03:00 draft: false tags: ["exploit", "linux"] --- +### Description -CVE-2014-6271, based on [logic in NCC group's GitHub](https://github.com/nccgroup/shocker/blob/master/shocker.py). +This exploit, CVE-2014-6271, is based on the [logic in NCC group's GitHub](https://github.com/nccgroup/shocker/blob/master/shocker.py). -> GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." +> In GNU Bash (through 4.3), processes trailing strings after function definitions in the values of environment variables allow remote attackers to execute arbitrary code via a crafted environment. This is demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients and other situations in which setting the environment occurs across a privilege boundary from Bash execution, AKA "ShellShock." From 2defdeffbaa71edcdff82bbcac8a75b7799f6333 Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:44:48 -0500 Subject: [PATCH 18/24] docs: Update scanners/_index.md --- docs/content/reference/scanners/_index.md | 30 +++++++++++------------ 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/docs/content/reference/scanners/_index.md b/docs/content/reference/scanners/_index.md index cf047bb3b..d600d8d09 100644 --- a/docs/content/reference/scanners/_index.md +++ b/docs/content/reference/scanners/_index.md 
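Review bot: the rewritten blockquote breaks the CVE-2014-6271 description: the original reads "GNU Bash through 4.3 processes trailing strings after function definitions ..., which allows remote attackers to execute arbitrary code", where "processes" is the verb; the new "In GNU Bash (through 4.3), processes trailing strings after function definitions ... allow remote attackers" turns it into a noun and no longer parses. As on the ElasticGroovy page, this is quoted text from the CVE entry, so restore it verbatim rather than editing inside the `>` block. The first sentence should also say what the identifier is, e.g. `This exploiter targets CVE-2014-6271 (ShellShock) and is based on the logic in ...`.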
@@ -7,38 +7,38 @@ pre: ' ' tags: ["reference"] --- -The Infection Monkey agent has two steps before attempting to exploit a victim, scanning and fingerprinting, it's possible to customize both steps in the configuration files. +The Infection Monkey agent takes two steps before attempting to exploit a victim, scanning and fingerprinting. It's possible to customize both steps in the configuration files. ## Scanning -Currently there are two scanners, [`PingScanner`][ping-scanner] and [`TcpScanner`][tcp-scanner] both inheriting from [`HostScanner`][host-scanner]. +Currently there are two scanners, [`PingScanner`][ping-scanner] and [`TcpScanner`][tcp-scanner], both inheriting from [`HostScanner`][host-scanner]. The sole interface required is the `is_host_alive` interface, which needs to return True/False. -[`TcpScanner`][tcp-scanner] is the default scanner and it checks for open ports based on the `tcp_target_ports` configuration setting. +[`TcpScanner`][tcp-scanner] is the default scanner. It checks for open ports based on the `tcp_target_ports` configuration setting. -[`PingScanner`][ping-scanner] sends a ping message using the host OS utility `ping`. +[`PingScanner`][ping-scanner] sends a ping message using the host OS utility `ping.` ## Fingerprinting -Fingerprinters are modules that collect server information from a specific victim. They inherit from the [`HostFinger`][host-finger] class and are listed under `finger_classes` configuration option. +Fingerprinters are modules that collect server information from a specific victim. They inherit from the [`HostFinger`][host-finger] class and are listed under the `finger_classes` configuration option. -Currently implemented Fingerprint modules are: +The currently implemented Fingerprint modules are: -1. [`SMBFinger`][smb-finger] - Fingerprints target machines over SMB. Extracts computer name and OS version. -2. [`SSHFinger`][ssh-finger] - Fingerprints target machines over SSH (port 22). 
Extracts the computer version and SSH banner. -3. [`PingScanner`][ping-scanner] - Fingerprints using the machines TTL, to differentiate between Linux and Windows hosts. -4. [`HTTPFinger`][http-finger] - Fingerprints over HTTP/HTTPS, using the ports listed in `HTTP_PORTS` in the configuration. Returns the server type and if it supports SSL. -5. [`MySQLFinger`][mysql-finger] - Fingerprints over MySQL (port 3306). Extracts MySQL banner info - Version, Major/Minor/Build and capabilities. -6. [`ElasticFinger`][elastic-finger] - Fingerprints over ElasticSearch (port 9200). Extracts the cluster name, node name and node version. +1. [`SMBFinger`][smb-finger] - Fingerprints will target machines over SMB and extract the computer name and OS version. +2. [`SSHFinger`][ssh-finger] - Fingerprints will target machines over SSH (port 22) and extract the computer version and SSH banner. +3. [`PingScanner`][ping-scanner] - Fingerprints will use the machine's TTL to differentiate between Linux and Windows hosts. +4. [`HTTPFinger`][http-finger] - Fingerprints over HTTP/HTTPS, using the ports listed in `HTTP_PORTS` in the configuration, will return the server type and if it supports SSL. +5. [`MySQLFinger`][mysql-finger] - Fingerprints over MySQL (port 3306) will extract MySQL banner info - version, major/minor/build and capabilities. +6. [`ElasticFinger`][elastic-finger] - Fingerprints over ElasticSearch (port 9200) will extract the cluster name, node name and node version. ## Adding a scanner/fingerprinter -To add a new scanner/fingerprinter, create a new class that inherits from [`HostScanner`][host-scanner] or [`HostFinger`][host-finger] (depending on the interface). The class should be under the network module and should be imported under [`network/__init__.py`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/network/__init__.py). 
+To add a new scanner/fingerprinter, create a new class that inherits from [`HostScanner`][host-scanner] or [`HostFinger`][host-finger] (depending on the interface). The class should be under the network module and imported under [`network/__init__.py`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/network/__init__.py). -To be used by default, two files need to be changed - [`infection_monkey/config.py`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/config.py) and [`infection_monkey/example.conf`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/example.conf) to add references to the new class. +To use the new scanner/fingerprinter by default, two files need to be changed - [`infection_monkey/config.py`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/config.py) and [`infection_monkey/example.conf`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/example.conf) to add references to the new class. -At this point, the Monkey knows how to use the new scanner/fingerprinter but to make it easy to use, the UI needs to be updated. The relevant UI file is [`monkey_island/cc/services/config.py`](https://github.com/guardicore/monkey/blob/master/monkey/monkey_island/cc/services/config.py). +At this point, the Infection Monkey knows how to use the new scanner/fingerprinter but to make it easy to use, the UI needs to be updated. The relevant UI file is [`monkey_island/cc/services/config.py`](https://github.com/guardicore/monkey/blob/master/monkey/monkey_island/cc/services/config.py). [elastic-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/elasticfinger.py [http-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/httpfinger.py From 43951aa8c5e8db2dd689badeaa38e3daedad02c7 Mon Sep 17 00:00:00 2001 
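Review bot: several rewrites in this hunk change meaning. In the fingerprinter list, "Fingerprints target machines over SMB" used "target machines" as the object (it fingerprints the target machines); "Fingerprints will target machines over SMB" now says the module targets machines. Suggest `Fingerprints target machines over SMB and extracts the computer name and OS version.` (same fix for `SSHFinger`). "`ping.`" puts the sentence's period inside the code span; move it outside. The unchanged sentence "The sole interface required is the `is_host_alive` interface" should say "method", since `is_host_alive` is a method on `HostScanner`. Finally, the `network/__init__.py`, `config.py` and `example.conf` links point at `master` while the `[elastic-finger]` and `[http-finger]` references point at `develop`; pick one branch.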
From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 11:50:46 -0500 Subject: [PATCH 19/24] docs: Update FAQ/_index.md --- docs/content/FAQ/_index.md | 126 ++++++++++++++++++------------------- 1 file changed, 62 insertions(+), 64 deletions(-) diff --git a/docs/content/FAQ/_index.md b/docs/content/FAQ/_index.md index 89bbf8aba..3785a9017 100644 --- a/docs/content/FAQ/_index.md +++ b/docs/content/FAQ/_index.md 
@@ -5,44 +5,42 @@ draft: false pre: " " --- -Here are some of the most common questions we receive about the Infection Monkey. If the answer you're looking for isn't here, talk with us [on our Slack channel](https://infectionmonkey.slack.com/join/shared_invite/enQtNDU5MjAxMjg1MjU1LWM0NjVmNWE2ZTMzYzAxOWJiYmMxMzU0NWU3NmUxYjcyNjk0YWY2MDkwODk4NGMyNDU4NzA4MDljOWNmZWViNDU), email us at [support@infectionmonkey.com](mailto:support@infectionmonkey.com) or [open an issue on GitHub](https://github.com/guardicore/monkey). +Below are some of the most common questions we receive about the Infection Monkey. If the answer you're looking for isn't here, talk with us [on our Slack channel](https://infectionmonkey.slack.com/join/shared_invite/enQtNDU5MjAxMjg1MjU1LWM0NjVmNWE2ZTMzYzAxOWJiYmMxMzU0NWU3NmUxYjcyNjk0YWY2MDkwODk4NGMyNDU4NzA4MDljOWNmZWViNDU), email us at [support@infectionmonkey.com](mailto:support@infectionmonkey.com) or [open an issue on GitHub](https://github.com/guardicore/monkey). -- [Where can I get the latest Monkey version? 📰](#where-can-i-get-the-latest-monkey-version) -- [How long does a single Monkey run for? Is there a time limit?](#how-long-does-a-single-monkey-run-for-is-there-a-time-limit) -- [How to reset the password?](#how-to-reset-the-password) -- [Should I run the Monkey continuously?](#should-i-run-the-monkey-continuously) - - [Which queries does Monkey perform to the Internet exactly?](#which-queries-does-monkey-perform-to-the-internet-exactly) -- [Where can I find the log files of the Monkey and the Monkey Island, and how can I read them?](#where-can-i-find-the-log-files-of-the-monkey-and-the-monkey-island-and-how-can-i-read-them) +- [Where can I get the latest version of the Infection Monkey? 📰](#where-can-i-get-the-latest-version-of-the-infection-monkey-) +- [How long does a single Infection Monkey agent run? 
Is there a time limit?](#how-long-does-a-single-infection-monkey-agent-run-is-there-a-time-limit) +- [How do I reset the Monkey Island password?](#how-do-i-reset-the-monkey-island-password) +- [Should I run the Infection Monkey continuously?](#should-i-run-the-infection-monkey-continuously) + - [Which queries does the Infection Monkey perform to the internet exactly?](#which-queries-does-the-infection-monkey-perform-to-the-internet-exactly) +- [Where can I find the log files of the Infection Monkey agent and the Monkey Island server, and how can I read them?](#where-can-i-find-the-log-files-of-the-infection-monkey-agent-and-the-monkey-island-and-how-can-i-read-them) - [Monkey Island](#monkey-island) - [Monkey agent](#monkey-agent) -- [Running the Monkey in a production environment](#running-the-monkey-in-a-production-environment) - - [How much of a footprint does the Monkey leave?](#how-much-of-a-footprint-does-the-monkey-leave) - - [What's the Monkey's impact on system resources usage?](#whats-the-monkeys-impact-on-system-resources-usage) - - [Is it safe to use real passwords and usernames in the Monkey's configuration?](#is-it-safe-to-use-real-passwords-and-usernames-in-the-monkeys-configuration) +- [Running the Infection Monkey in a production environment](#running-the-infection-monkey-in-a-production-environment) + - [How much of a footprint does the Infection Monkey leave?](#how-much-of-a-footprint-does-the-infection-monkey-leave) + - [What's the Infection Monkey's impact on system resources usage?](#whats-the-infection-monkeys-impact-on-system-resources-usage) + - [Is it safe to use real passwords and usernames in the Infection Monkey's configuration?](#is-it-safe-to-use-real-passwords-and-usernames-in-the-infection-monkeys-configuration) - [How do you store sensitive information on Monkey Island?](#how-do-you-store-sensitive-information-on-monkey-island) - - [How stable are the exploitations used by the Monkey? 
Will the Monkey crash my systems with its exploits?](#how-stable-are-the-exploitations-used-by-the-monkey-will-the-monkey-crash-my-systems-with-its-exploits) -- [After I've set up Monkey Island, how can I execute the Monkey?](#after-ive-set-up-monkey-island-how-can-i-execute-the-monkey) -- [How can I make the monkey propagate “deeper” into the network?](#how-can-i-make-the-monkey-propagate-deeper-into-the-network) -- [The report returns a blank screen](#the-report-returns-a-blank-screen) -- [How can I get involved with the project? 👩‍💻👨‍💻](#how-can-i-get-involved-with-the-project) + - [How stable are the exploitations used by the Infection Monkey? Will the Infection Monkey crash my systems with its exploits?](#how-stable-are-the-exploitations-used-by-the-infection-monkey-will-the-infection-monkey-crash-my-systems-with-its-exploits) +- [After I've set up Monkey Island, how can I execute the Infection Monkey?](#after-ive-set-up-monkey-island-how-can-i-execute-the-infection-monkey-agent) +- [How can I make the Infection Monkey agents propagate “deeper” into the network?](#how-can-i-make-the-infection-monkey-agent-propagate-deeper-into-the-network) +- [What if the report returns a blank screen?](#what-if-the-report-returns-a-blank-screen) +- [How can I get involved with the project? 👩‍💻👨‍💻](#how-can-i-get-involved-with-the-project-) -## Where can I get the latest Monkey version? 📰 +## Where can I get the latest version of the Infection Monkey? 📰 -For the latest **stable** release for users, visit [our downloads page](https://www.guardicore.com/infectionmonkey/#download). **This is the recommended and supported version**! +For the latest **stable** release, visit [our downloads page](https://www.guardicore.com/infectionmonkey/#download). **This is the recommended and supported version**! If you want to see what has changed between versions, refer to the [releases page on GitHub](https://github.com/guardicore/monkey/releases). 
For the latest development version, visit the [develop version on GitHub](https://github.com/guardicore/monkey/tree/develop). -## How long does a single Monkey run for? Is there a time limit? +## How long does a single Infection Monkey agent run? Is there a time limit? -The Monkey shuts off either when it can't find new victims, or when it has exceeded the quota of victims as defined in the configuration. +The Infection Monkey agent shuts off either when it can't find new victims or it exceeded the quota of victims as defined in the configuration. -## How to reset the password? +## How do I reset the Monkey Island password? -On your first access of Monkey Island server, you'll be prompted to create an account. If you forgot the credentials you - entered or just want to change them, you need to manually alter the `server_config.json` file. On Linux, this file is - located on `/var/monkey/monkey_island/cc/server_config.json`. On windows, it's based on your install directory (typically - `C:\Program Files\Guardicore\Monkey Island\monkey_island\cc\server_config.json`). Reset the contents of this file - leaving the **deployment option unchanged** (it might be "vmware" or "linux" in your case): +When you first access the Monkey Island server, you'll be prompted to create an account. If you forgot the credentials you entered, or just want to change them, you need to alter the `server_config.json` file manually. + +On Linux, this file is located in `/var/monkey/monkey_island/cc/server_config.json`. On Windows, it's based on your install directory (typically it is `C:\Program Files\Guardicore\Monkey Island\monkey_island\cc\server_config.json`). Reset the contents of this file leaving the **deployment option unchanged** (it might be "VMware" or "Linux" in your case): ```json { 
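Review bot: Several rewritten TOC entries in this hunk no longer agree with the headings they point to, so the links will either break or read inconsistently. `[Where can I find the log files of the Infection Monkey agent and the Monkey Island server, and how can I read them?]` links to `#...-and-the-monkey-island-and-how-can-i-read-them`, but the heading later in this patch omits "server", so one of the two should change. `[After I've set up Monkey Island, how can I execute the Infection Monkey?]` points at an anchor ending in `-infection-monkey-agent` while its text has no "agent", and `[How can I make the Infection Monkey agents propagate ...]` is plural against a singular anchor and heading. The untouched entries `- [Monkey Island](#monkey-island)` and `- [Monkey agent](#monkey-agent)` also go stale once the `### Monkey Island server` and `### The Infection Monkey agent` headings are renamed later in this patch; update them in the same commit. Grammar in the run-time answer: "or it exceeded the quota" should be "or it has exceeded the quota" to parallel "can't find".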
@@ -50,40 +48,40 @@ On your first access of Monkey Island server, you'll be prompted to create an ac "deployment": "windows" } ``` - Then reset the Island process (`sudo systemctl restart monkey-island.service` for linux, restart program for windows). - Finally, go to the Island's URL and create a new account. + Then, reset the Monkey Island process. Use `sudo systemctl restart monkey-island.service` on Linux or, on Windows, restart program. + Finally, go to the Monkey Island's URL and create a new account. -## Should I run the Monkey continuously? +## Should I run the Infection Monkey continuously? -Yes! This will allow you to verify that no new security issues were identified by the Monkey since the last time you ran it. +Yes! This will allow you to verify that the Infection Monkey identified no new security issues since the last time you ran it. -Does the Infection Monkey require a connection to the Internet? +Does the Infection Monkey require a connection to the internet? The Infection Monkey does not require internet access to function. -If internet access is available, the Monkey will use the Internet for two purposes: +If internet access is available, the Infection Monkey will use the internet for two purposes: - To check for updates. - To check if machines can reach the internet. -### Which queries does Monkey perform to the Internet exactly? +### Which queries does the Infection Monkey perform to the internet exactly? The Monkey performs queries out to the Internet on two separate occasions: -1. The Infection Monkey agent checks if it has internet access by performing requests to pre-configured domains. By default, these domains are `updates.infectionmonkey.com` and `www.google.com`. The request doesn't include any extra information - it's a GET request with no extra parameters. 
Since the Infection Monkey is 100% open-source, you can find the domains in the configuration [here](https://github.com/guardicore/monkey/blob/85c70a3e7125217c45c751d89205e95985b279eb/monkey/infection_monkey/config.py#L152) and the code that performs the internet check [here](https://github.com/guardicore/monkey/blob/85c70a3e7125217c45c751d89205e95985b279eb/monkey/infection_monkey/network/info.py#L123). This **IS NOT** used for statistics collection. -1. After installation of the Monkey Island, the Monkey Island sends a request to check for updates. The request doesn't include any PII other than the IP address of the request. It also includes the server's deployment type (e.g. Windows Server, Debian Package, AWS Marketplace, etc.) and the server's version (e.g. "1.6.3"), so we can check if we have an update available for this type of deployment. Since the Infection Monkey is 100% open-source, you can inspect the code that performs this [here](https://github.com/guardicore/monkey/blob/85c70a3e7125217c45c751d89205e95985b279eb/monkey/monkey_island/cc/services/version_update.py#L37). This **IS** used for statistics collection. However due to the anonymous nature of this data we use this to get an aggregate assumption as to how many deployments we see over a specific time period - no "personal" tracking. +1. The Infection Monkey agent checks if it has internet access by performing requests to pre-configured domains. By default, these domains are `updates.infectionmonkey.com` and `www.google.com.` The request doesn't include any extra information - it's a GET request with no extra parameters. 
Since the Infection Monkey is 100% open-source, you can find the domains in the configuration [here](https://github.com/guardicore/monkey/blob/85c70a3e7125217c45c751d89205e95985b279eb/monkey/infection_monkey/config.py#L152) and the code that performs the internet check [here](https://github.com/guardicore/monkey/blob/85c70a3e7125217c45c751d89205e95985b279eb/monkey/infection_monkey/network/info.py#L123). This **IS NOT** used for statistics collection. +1. After installing the Monkey Island, it sends a request to check for updates. The request doesn't include any PII other than the IP address of the request. It also includes the server's deployment type (e.g., Windows Server, Debian Package, AWS Marketplace) and the server's version (e.g., "1.6.3"), so we can check if we have an update available for this type of deployment. Since the Infection Monkey is 100% open-source, you can inspect the code that performs this [here](https://github.com/guardicore/monkey/blob/85c70a3e7125217c45c751d89205e95985b279eb/monkey/monkey_island/cc/services/version_update.py#L37). This **IS** used for statistics collection. However, due to this data's anonymous nature, we use this to get an aggregate assumption of how many deployments we see over a specific time period - it's not used for "personal" tracking. -## Where can I find the log files of the Monkey and the Monkey Island, and how can I read them? +## Where can I find the log files of the Infection Monkey agent and the Monkey Island, and how can I read them? -### Monkey Island +### Monkey Island server -The Monkey Island's log file can be downloaded directly from the UI. Click the “log” section and choose “Download Monkey Island internal logfile”, like so: +You can download the Monkey Island's log file directly from the UI. 
Click the "log" section and choose **Download Monkey Island internal logfile**, like so: ![How to download Monkey Island internal log file](/images/faq/download_log_monkey_island.png "How to download Monkey Island internal log file") It can also be found as a local file on the Monkey Island server, where the Monkey Island was executed, called `info.log`. -The log enables you to see which requests were requested from the server, and extra logs from the backend logic. The log will contain entries like these ones for example: +The log enables you to see which requests were requested from the server and extra logs from the backend logic. The log will contain entries like these: ```log 2019-07-23 10:52:23,927 - wsgi.py:374 - _log() - INFO - 200 GET /api/local-monkey (10.15.1.75) 17.54ms @@ -91,14 +89,14 @@ The log enables you to see which requests were requested from the server, and ex 2019-07-23 10:52:24,027 - report.py:580 - get_domain_issues() - INFO - Domain issues generated for reporting ``` -### Monkey agent +### The Infection Monkey agent -The Monkey log file can be found in the following paths on machines where it was executed: +The Infection Monkey agent log file can be found in the following paths on machines where it was executed: - Path on Linux: `/tmp/user-1563` - Path on Windows: `%temp%\\~df1563.tmp` -The logs contain information about the internals of the Monkey's execution. The log will contain entries like these ones for example: +The logs contain information about the internals of the Infection Monkey agent's execution. The log will contain entries like these: ```log 2019-07-22 19:16:44,228 [77598:140654230214464:INFO] main.main.116: >>>>>>>>>> Initializing monkey (InfectionMonkey): PID 77598 <<<<<<<<<< 
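Review bot: The trailing period has moved inside the code span in the first numbered item, so the text now quotes the literal `www.google.com.` instead of the configured domain; move the period back outside the backticks. Two further edits in this hunk cost accuracy: the deployment values are now written as "VMware" or "Linux", but the JSON block just above stores a lowercase string literal (`"deployment": "windows"`), so the examples should stay lowercase and in backticks since the user is told to leave that value unchanged; and "After installing the Monkey Island, it sends a request" has the server installing itself, so prefer "After the Monkey Island is installed, it sends a request". Smaller points: "on Windows, restart program" wants "restart the program", and the unchanged context lines "The Monkey performs queries out to the Internet" and "which requests were requested from the server" still carry the capitalization and wording this patch normalizes everywhere else, so fold them into the same pass.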
@@ -114,58 +112,58 @@ The logs contain information about the internals of the Monkey's execution. The 2019-07-22 19:16:45,013 [77598:140654230214464:DEBUG] connectionpool._make_request.396: https://updates.infectionmonkey.com:443 "GET / HTTP/1.1" 200 61 ``` -## Running the Monkey in a production environment +## Running the Infection Monkey in a production environment -### How much of a footprint does the Monkey leave? +### How much of a footprint does the Infection Monkey leave? -The Monkey leaves hardly any trace on the target system. It will leave: +The Infection Monkey leaves hardly any trace on the target system. It will leave: - Log files in the following locations: - Path on Linux: `/tmp/user-1563` - Path on Windows: `%temp%\\~df1563.tmp` -### What's the Monkey's impact on system resources usage? +### What's the Infection Monkey's impact on system resources usage? -The Infection Monkey uses less than single-digit percent of CPU time and very low RAM usage. For example, on a single-core Windows Server machine, the Monkey consistently uses 0.06% CPU, less than 80MB of RAM and a small amount of I/O periodically. +The Infection Monkey uses less than a single-digit percent of CPU time and very low RAM usage. For example, on a single-core Windows Server machine, the Infection Monkey consistently uses 0.06% CPU, less than 80MB of RAM and a small amount of I/O periodically. -If you do experience any performance issues please let us know on [our Slack channel](https://infectionmonkey.slack.com/) or via [opening an issue on GitHub](https://github.com/guardicore/monkey). +If you do experience any performance issues please let us know on [our Slack channel](https://infectionmonkey.slack.com/) or [open an issue on GitHub](https://github.com/guardicore/monkey). -### Is it safe to use real passwords and usernames in the Monkey's configuration? +### Is it safe to use real passwords and usernames in the Infection Monkey's configuration? -Absolutely! 
User credentials are stored encrypted in the Monkey Island server. This information is then accessible only to users that have access to the Island. +Absolutely! User credentials are stored encrypted in the Monkey Island server. This information is accessible only to users that have access to the specific Monkey Island. -We advise to limit access to the Monkey Island server by following our [password protection guide](../usage/island/password-guide). +We advise users to limit access to the Monkey Island server by following our [password protection guide](../usage/island/password-guide). ### How do you store sensitive information on Monkey Island? -Sensitive data such as passwords, SSH keys and hashes are stored on the Monkey Island's database in an encrypted fashion. This data is transmitted to the Infection Monkeys in an encrypted fashion (HTTPS) and is not stored locally on the victim machines. +Sensitive data such as passwords, SSH keys and hashes are stored on the Monkey Island's database in an encrypted fashion. This data is transmitted to the Infection Monkey agents in an encrypted fashion (HTTPS) and is not stored locally on victim machines. When you reset the Monkey Island configuration, the Monkey Island wipes the information. -### How stable are the exploitations used by the Monkey? Will the Monkey crash my systems with its exploits? +### How stable are the exploitations used by the Infection Monkey? Will the Infection Monkey crash my systems with its exploits? -The Monkey does not use any exploits or attacks that may impact the victim system. +The Infection Monkey does not use any exploits or attacks that may impact the victim system. -This means we avoid using some very strong (and famous) exploits such as [EternalBlue](https://www.guardicore.com/2017/05/detecting-mitigating-wannacry-copycat-attacks-using-guardicore-centra-platform/). This exploit was used in WannaCry and NotPetya with huge impact. 
But because it may crash a production system, we aren't using it. +This means we avoid using some powerful (and famous) exploits such as [EternalBlue](https://www.guardicore.com/2017/05/detecting-mitigating-wannacry-copycat-attacks-using-guardicore-centra-platform/). This exploit was used in WannaCry and NotPetya with huge impact, but, because it may crash a production system, we aren't using it. -## After I've set up Monkey Island, how can I execute the Monkey? +## After I've set up Monkey Island, how can I execute the Infection Monkey agent? See our detailed [getting started](../content/usage/getting-started) guide. -## How can I make the monkey propagate “deeper” into the network? +## How can I make the Infection Monkey agent propagate “deeper” into the network? -If you wish to simulate a very “deep” attack into your network, you can try to increase the *propagation depth* parameter in the configuration. This parameter tells the Monkey how far to propagate into your network from the “patient zero” machine in which it was launched manually. +If you wish to simulate a very “deep” attack into your network, you can increase the *propagation depth* parameter in the configuration. This parameter tells the Infection Monkey how far to propagate into your network from the “patient zero” machine, from which it was launched manually. -To do this, change the “Distance from Island” parameter in the “Basic - Network” tab of the configuration: +To do this, change the *Distance from Island* parameter in the “Basic - Network” tab of the configuration: ![How to increase propagation depth](/images/faq/prop_depth.png "How to increase propagation depth") -## The report returns a blank screen +## What if the report returns a blank screen? This is sometimes caused when Monkey Island is installed with an old version of MongoDB. Make sure your MongoDB version is up to date using the `mongod --version` command on Linux or the `mongod -version` command on Windows. 
If your version is older than **4.0.10**, this might be the problem. To update your Mongo version: -- **Linux**: First, uninstall the current version with `sudo apt uninstall mongodb` and then install the latest version using the [official mongodb manual](https://docs.mongodb.com/manual/administration/install-community/). -- **Windows**: First, remove the MongoDB binaries from the `monkey\monkey_island\bin\mongodb` folder. Download and install the latest version of mongodb using the [official mongodb manual](https://docs.mongodb.com/manual/administration/install-community/). After installation is complete, copy the files from the `C:\Program Files\MongoDB\Server\4.2\bin` folder to the `monkey\monkey_island\bin\mongodb folder`. Try to run the Island again and everything should work. +- **Linux**: First, uninstall the current version with `sudo apt uninstall mongodb` and then install the latest version using the [official MongoDB manual](https://docs.mongodb.com/manual/administration/install-community/). +- **Windows**: First, remove the MongoDB binaries from the `monkey\monkey_island\bin\mongodb` folder. Download and install the latest version of MongoDB using the [official MongoDB manual](https://docs.mongodb.com/manual/administration/install-community/). After installation is complete, copy the files from the `C:\Program Files\MongoDB\Server\4.2\bin` folder to the `monkey\monkey_island\bin\mongodb folder`. Try to run the Monkey Island again and everything should work. ## How can I get involved with the project? 👩‍💻👨‍💻 
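Review bot: The Linux MongoDB step in this hunk keeps `sudo apt uninstall mongodb`, which is not a valid apt subcommand (apt has `remove` and `purge`); since the line is being edited anyway, change it to `sudo apt remove mongodb`. Still wrong in the Windows step: the word "folder" sits inside the code span in `monkey\monkey_island\bin\mongodb folder`, so the path renders incorrectly. Wording: "uses less than a single-digit percent of CPU time" is awkward; "uses a single-digit percentage of CPU time" (or simply the concrete 0.06% figure that follows) is clearer. Style: *Distance from Island* is now italic while “Basic - Network” in the same sentence stays in quotes, so settle on one convention for UI labels across the FAQ.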
@@ -175,6 +173,6 @@ The Monkey is an open-source project, and we weclome contributions and contribut ### How did you come up with the Infection Monkey? -Oddly enough, the idea of proactively breaking the network to test its survival wasn't born in the security industry. In 2011, the streaming giant Netflix released Chaos Monkey, a tool that was designed to randomly disable the company's production servers to verify they could survive network failures without any customer impact. Netflix's Chaos Monkey became a popular network resilience tool, breaking the network in a variety of failure modes, including connectivity issues, invalid SSL certificates and randomly deleting VMs. +Oddly enough, the idea of proactively breaking a network to test its survival wasn't born in the security industry. In 2011, the streaming giant Netflix released Chaos Monkey, a tool designed to randomly disable the company's production servers to verify that they could survive network failures without any customer impact. Netflix's Chaos Monkey became a popular network resilience tool, breaking the network in a variety of failure modes, including connectivity issues, invalid SSL certificates and randomly deleting VMs. -Inspired by this concept, Guardicore Labs developed its own attack simulator - Infection Monkey - to run non-intrusively within existing production environments. The idea was to test the resiliency of modern data centers against attack and give security teams the insights they need to make informed decisions and enforce tighter security policies. Since its launch in 2017 (?) the Infection Monkey has been used by hundreds of information technology teams from across the world to find weaknesses in their on-premises and cloud-based data centers. +Inspired by this concept, Guardicore Labs developed its own attack simulator - the Infection Monkey - to run non-intrusively within existing production environments. 
The idea was to test the resiliency of modern data centers against attacks and give security teams the insights they need to make informed decisions and enforce tighter security policies. Since its launch in 2017, the Infection Monkey has been used by hundreds of information technology teams from across the world to find weaknesses in their on-premises and cloud-based data centers. From 781eb1b76badcb4e202e26528e98236b7a1423a4 Mon Sep 17 00:00:00 2001 From: MarketingYeti <77474444+MarketingYeti@users.noreply.github.com> Date: Fri, 26 Feb 2021 12:28:44 -0500 Subject: [PATCH 20/24] docs: Update mitre_techniques.md --- docs/content/reference/mitre_techniques.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/reference/mitre_techniques.md b/docs/content/reference/mitre_techniques.md index d455d7e90..c0b787bae 100644 --- a/docs/content/reference/mitre_techniques.md +++ b/docs/content/reference/mitre_techniques.md @@ -12,7 +12,7 @@ Check out [the documentation for the MITRE ATT&CK report as well](../../usage/re The Infection Monkey maps its actions to the [MITRE ATT&CK](https://attack.mitre.org/) knowledge base and, based on this, provides a report detailing the techniques it used along with any recommended mitigations. This helps you simulate an advanced persistent threat (APT) attack on your network and mitigate real attack paths intelligently. -In the following table, we provide the list of all the MITRE ATT&CK techniques the Monkey provides info about, categorized by the tactic. You can follow any of the links below to learn more about a specific technique or tactic. +In the following table, we list all the MITRE ATT&CK techniques the Infection Monkey provides info about, categorized by the tactic. You can follow any of the links below to learn more about a specific technique or tactic. | TACTIC | TECHNIQUES | From 9e92ba02483b22e4a55284237cc623cfc6a2c120 Mon Sep 17 00:00:00 2001 
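Review bot: Dropping the "(?)" from "Since its launch in 2017 (?)" in the About hunk of PATCH 19/24 turns a date the original author explicitly flagged as uncertain into a stated fact; confirm the launch year against the release history before committing, or keep the hedge. The unchanged context line "we weclome contributions" has a typo that belongs in the same pass. In PATCH 20/24 (mitre_techniques.md), "categorized by the tactic" should read "categorized by tactic"; the article is not idiomatic there.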
From: Mike Salvatore Date: Wed, 24 Mar 2021 10:24:01 -0400 Subject: [PATCH 21/24] docs: Copyedits to FAQ/_index.md --- docs/content/FAQ/_index.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/docs/content/FAQ/_index.md b/docs/content/FAQ/_index.md index 3785a9017..959f1d9da 100644 --- a/docs/content/FAQ/_index.md +++ b/docs/content/FAQ/_index.md 
@@ -7,14 +7,14 @@ pre: " " Below are some of the most common questions we receive about the Infection Monkey. If the answer you're looking for isn't here, talk with us [on our Slack channel](https://infectionmonkey.slack.com/join/shared_invite/enQtNDU5MjAxMjg1MjU1LWM0NjVmNWE2ZTMzYzAxOWJiYmMxMzU0NWU3NmUxYjcyNjk0YWY2MDkwODk4NGMyNDU4NzA4MDljOWNmZWViNDU), email us at [support@infectionmonkey.com](mailto:support@infectionmonkey.com) or [open an issue on GitHub](https://github.com/guardicore/monkey). -- [Where can I get the latest version of the Infection Monkey? 📰](#where-can-i-get-the-latest-version-of-the-infection-monkey-) +- [Where can I get the latest version of the Infection Monkey?](#where-can-i-get-the-latest-version-of-the-infection-monkey) - [How long does a single Infection Monkey agent run? Is there a time limit?](#how-long-does-a-single-infection-monkey-agent-run-is-there-a-time-limit) - [How do I reset the Monkey Island password?](#how-do-i-reset-the-monkey-island-password) - [Should I run the Infection Monkey continuously?](#should-i-run-the-infection-monkey-continuously) - [Which queries does the Infection Monkey perform to the internet exactly?](#which-queries-does-the-infection-monkey-perform-to-the-internet-exactly) - [Where can I find the log files of the Infection Monkey agent and the Monkey Island server, and how can I read them?](#where-can-i-find-the-log-files-of-the-infection-monkey-agent-and-the-monkey-island-and-how-can-i-read-them) - - [Monkey Island](#monkey-island) - - [Monkey agent](#monkey-agent) + - [Monkey Island server](#monkey-island-server) + - [Infection Monkey agent](#infection-monkey-agent) - [Running the Infection Monkey in a production environment](#running-the-infection-monkey-in-a-production-environment) - [How much of a footprint does the Infection Monkey leave?](#how-much-of-a-footprint-does-the-infection-monkey-leave) - [What's the Infection Monkey's impact on system resources 
usage?](#whats-the-infection-monkeys-impact-on-system-resources-usage) @@ -24,9 +24,9 @@ Below are some of the most common questions we receive about the Infection Monke - [After I've set up Monkey Island, how can I execute the Infection Monkey?](#after-ive-set-up-monkey-island-how-can-i-execute-the-infection-monkey-agent) - [How can I make the Infection Monkey agents propagate “deeper” into the network?](#how-can-i-make-the-infection-monkey-agent-propagate-deeper-into-the-network) - [What if the report returns a blank screen?](#what-if-the-report-returns-a-blank-screen) -- [How can I get involved with the project? 👩‍💻👨‍💻](#how-can-i-get-involved-with-the-project-) +- [How can I get involved with the project?](#how-can-i-get-involved-with-the-project) -## Where can I get the latest version of the Infection Monkey? 📰 +## Where can I get the latest version of the Infection Monkey? For the latest **stable** release, visit [our downloads page](https://www.guardicore.com/infectionmonkey/#download). **This is the recommended and supported version**! 
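Review bot: Three TOC entries left untouched in these two hunks still disagree with their anchors and headings, and this copyedit pass is the natural place to fix them: `[... the Infection Monkey agent and the Monkey Island server, and how can I read them?]` points at `#...-and-the-monkey-island-and-how-can-i-read-them` while the heading omits "server"; `[After I've set up Monkey Island, how can I execute the Infection Monkey?]` points at an anchor ending in `-agent`, which the entry text lacks; and `[How can I make the Infection Monkey agents propagate ...]` is plural against a singular anchor. Removing the emoji from the two headings and regenerating their anchors without the trailing hyphen is correct.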
@@ -34,13 +34,13 @@ If you want to see what has changed between versions, refer to the [releases pag ## How long does a single Infection Monkey agent run? Is there a time limit? -The Infection Monkey agent shuts off either when it can't find new victims or it exceeded the quota of victims as defined in the configuration. +The Infection Monkey agent shuts off either when it can't find new victims or it has exceeded the quota of victims as defined in the configuration. ## How do I reset the Monkey Island password? -When you first access the Monkey Island server, you'll be prompted to create an account. If you forgot the credentials you entered, or just want to change them, you need to alter the `server_config.json` file manually. +When you first access the Monkey Island server, you'll be prompted to create an account. If you forget the credentials you entered, or just want to change them, you need to alter the `server_config.json` file manually. -On Linux, this file is located in `/var/monkey/monkey_island/cc/server_config.json`. On Windows, it's based on your install directory (typically it is `C:\Program Files\Guardicore\Monkey Island\monkey_island\cc\server_config.json`). Reset the contents of this file leaving the **deployment option unchanged** (it might be "VMware" or "Linux" in your case): +On Linux, this file is located at `/var/monkey/monkey_island/cc/server_config.json`. On Windows, it's based on your install directory (typically it is `C:\Program Files\Guardicore\Monkey Island\monkey_island\cc\server_config.json`). Reset the contents of this file leaving the **deployment option unchanged** (it might be "VMware" or "Linux" in your case): ```json { 
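Review bot: The edited line in this hunk still ends with `(it might be "VMware" or "Linux" in your case)`, but the JSON block that follows shows the value as a lowercase string literal (`"deployment": "windows"`), so the examples should be `"vmware"` or `"linux"` in backticks to match what the user must leave unchanged. Minor: "Reset the contents of this file leaving the **deployment option unchanged**" wants a comma before "leaving".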
@@ -64,7 +64,7 @@ If internet access is available, the Infection Monkey will use the internet for - To check for updates. - To check if machines can reach the internet. -### Which queries does the Infection Monkey perform to the internet exactly? +### Exactly what internet queries does the Infection Monkey perform? The Monkey performs queries out to the Internet on two separate occasions: @@ -89,7 +89,7 @@ The log enables you to see which requests were requested from the server and ext 2019-07-23 10:52:24,027 - report.py:580 - get_domain_issues() - INFO - Domain issues generated for reporting ``` -### The Infection Monkey agent +### Infection Monkey agent The Infection Monkey agent log file can be found in the following paths on machines where it was executed: @@ -140,7 +140,7 @@ Sensitive data such as passwords, SSH keys and hashes are stored on the Monkey I When you reset the Monkey Island configuration, the Monkey Island wipes the information. -### How stable are the exploitations used by the Infection Monkey? Will the Infection Monkey crash my systems with its exploits? +### How stable are the exploits used by the Infection Monkey? Will the Infection Monkey crash my systems with its exploits? The Infection Monkey does not use any exploits or attacks that may impact the victim system. 
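Review bot: Two heading renames in these hunks break TOC anchors that this patch does not update: `### Exactly what internet queries does the Infection Monkey perform?` changes the slug, but the TOC entry in the first hunk still links to `#which-queries-does-the-infection-monkey-perform-to-the-internet-exactly`; likewise `### How stable are the exploits used by the Infection Monkey? ...` no longer matches the `#how-stable-are-the-exploitations-used-by-the-infection-monkey-...` entry introduced in PATCH 19/24. Update both TOC entries (text and anchor) in this commit. The unchanged context line "The Monkey performs queries out to the Internet" also still has the capitalized "Internet" and bare "Monkey" that the surrounding edits normalize.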
@@ -152,7 +152,7 @@ See our detailed [getting started](../content/usage/getting-started) guide. ## How can I make the Infection Monkey agent propagate “deeper” into the network? -If you wish to simulate a very “deep” attack into your network, you can increase the *propagation depth* parameter in the configuration. This parameter tells the Infection Monkey how far to propagate into your network from the “patient zero” machine, from which it was launched manually. +If you wish to simulate a very “deep” attack into your network, you can increase the *propagation depth* parameter in the configuration. This parameter tells the Infection Monkey how far to propagate into your network from the “patient zero” machine. To do this, change the *Distance from Island* parameter in the “Basic - Network” tab of the configuration: 
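Review bot: Deleting ", from which it was launched manually" in this hunk removes the only place this answer defines “patient zero”; readers new to the tool will not know it means the machine where the agent was started by hand. Keep the definition with the clause reattached cleanly, e.g. "from the “patient zero” machine on which it was launched manually", rather than dropping it.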
@@ -165,9 +165,9 @@ This is sometimes caused when Monkey Island is installed with an old version of - **Linux**: First, uninstall the current version with `sudo apt uninstall mongodb` and then install the latest version using the [official MongoDB manual](https://docs.mongodb.com/manual/administration/install-community/). - **Windows**: First, remove the MongoDB binaries from the `monkey\monkey_island\bin\mongodb` folder. Download and install the latest version of MongoDB using the [official MongoDB manual](https://docs.mongodb.com/manual/administration/install-community/). After installation is complete, copy the files from the `C:\Program Files\MongoDB\Server\4.2\bin` folder to the `monkey\monkey_island\bin\mongodb folder`. Try to run the Monkey Island again and everything should work. -## How can I get involved with the project? 👩‍💻👨‍💻 +## How can I get involved with the project? -The Monkey is an open-source project, and we weclome contributions and contributors. Check out the [contribution documentation](../development) for more information. +The Monkey is an open-source project, and we welcome contributions and contributors. Check out the [contribution documentation](../development) for more information. ## About the project 🐵 From 98ab4eff0520a30da1ec33d55f70db41141ef32c Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 24 Mar 2021 10:29:35 -0400 Subject: [PATCH 22/24] docs: minor copyedits to exploters --- docs/content/reference/exploiters/SMBExec.md | 2 +- docs/content/reference/exploiters/SSHExec.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/reference/exploiters/SMBExec.md b/docs/content/reference/exploiters/SMBExec.md index dee01c637..0e4b8366b 100644 --- a/docs/content/reference/exploiters/SMBExec.md +++ b/docs/content/reference/exploiters/SMBExec.md 
@@ -6,4 +6,4 @@ tags: ["exploit", "windows"] --- ### Description -This exploit brute forces machines using credentials provided by the user (see [configuration](../usage/configuration) for instructions) and hashes gathered by Mimikatz. +This exploit brute forces machines using credentials provided by the user (see [configuration](../usage/configuration) for instructions) and hashes gathered from infected systems by Mimikatz. diff --git a/docs/content/reference/exploiters/SSHExec.md b/docs/content/reference/exploiters/SSHExec.md index 9a6fd6537..de9f32d35 100644 --- a/docs/content/reference/exploiters/SSHExec.md +++ b/docs/content/reference/exploiters/SSHExec.md @@ -6,4 +6,4 @@ tags: ["exploit", "linux"] --- ### Description -This exploit brute forces machines using credentials provided by the user (see ["configuration"](../usage/configuration) for instructions) and SSH keys gathered from systems. +This exploit brute forces machines using credentials provided by the user (see ["configuration"](../usage/configuration) for instructions) and SSH keys gathered from infected systems. From 6ff26ac989b5786e6dd044d7c5966d7e364228f9 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 24 Mar 2021 10:33:43 -0400 Subject: [PATCH 23/24] docs: copyedits to operating_systems_support.md --- docs/content/reference/operating_systems_support.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/content/reference/operating_systems_support.md b/docs/content/reference/operating_systems_support.md index 02cefbac0..36caaa25d 100644 --- a/docs/content/reference/operating_systems_support.md +++ b/docs/content/reference/operating_systems_support.md 
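Review bot: "hashes gathered from infected systems by Mimikatz" reads better, but the relative link `../usage/configuration` looks one level short for a page at `docs/content/reference/exploiters/SMBExec.md`: a single `..` only climbs to `reference/`, so the link would resolve under `reference/usage/` rather than the top-level `usage/` section. Worth checking in a local Hugo build and changing to `../../usage/configuration` if that is where the configuration page lives.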
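Review bot: In the SSHExec hunk the link text is `["configuration"]` with literal quotation marks, while the SMBExec page touched in this same commit uses `[configuration]`; since the line is being rewritten anyway, drop the quotes so the two exploiter pages read identically. The `../usage/configuration` path on this page deserves the same check as SMBExec: from `reference/exploiters/`, one `..` does not reach a top-level `usage/` section.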
@@ -9,7 +9,7 @@ tags: ["setup", "reference", "windows", "linux"] The Infection Monkey project supports many popular OSes (but we are always interested in supporting more). -The Infection Monkey agent has been tested to run on the following operating systems (on x64 architecture): +The Infection Monkey agent has been tested to run on the following operating systems (on the x86_64 architecture): ### Agent support @@ -46,7 +46,7 @@ We also provide a Dockerfile on our [website](http://infectionmonkey.com/) that ### Old machine bootloader -Some **older machines** still have partial compatibility and will be exploited and reported, but the Infection Monkey agent can't run on them. In these cases, old machine bootloader (a small c program) will be run, which reports some minor info like network interface configuration, GLIBC version, OS, etc. +Some **older machines** still have partial compatibility and will be exploited and reported, but the Infection Monkey agent can't run on them. In these cases, old machine bootloader (a small C program) will be run, which reports some minor info like network interface configuration, GLIBC version, OS, etc. **Old machine bootloader** also has a GLIBC 2.14+ requirement for Linux because the bootloader is included in the Pyinstaller bootloader, which uses Python 3.7 that in turn requires GLIBC 2.14+. If you think partial support for older machines is important, don't hesitate to open a new issue about it. 
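Review bot: In the second hunk, capitalising "C program" is fine, but the sentence still drops its article ("In these cases, old machine bootloader ... will be run"; should be "the old machine bootloader"), and the following unchanged paragraph spells the tool "Pyinstaller" where the project name is PyInstaller. More importantly, the explanation reads as contradictory: the bootloader is introduced as a small C program, yet its GLIBC 2.14+ requirement is attributed to it being "included in the Pyinstaller bootloader, which uses Python 3.7". If the C program ships inside the PyInstaller-built agent binary and therefore inherits that binary's GLIBC floor, say so directly; a reader should not have to infer why a C program depends on a Python version.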
@@ -61,4 +61,4 @@ Some **older machines** still have partial compatibility and will be exploited a - Ubuntu 14+ - **Windows XP/Server 2003+** -[^1]: The GLIBC >= 2.14 requirement exists because the Infection Monkey was built using this GLIBC version, and GLIBC is not backward compatible. We are also limited to the oldest GLIBC version compatible with Ptyhon 3.7. +[^1]: The GLIBC >= 2.14 requirement exists because the Infection Monkey was built using this GLIBC version, and GLIBC is not backward compatible. We are also limited to the oldest GLIBC version compatible with Python 3.7. From 5cbdc7b41f539efe253c1dafc4b4d574804d6a36 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 24 Mar 2021 10:36:16 -0400 Subject: [PATCH 24/24] docs: copyedits to reference/scanners/_index.md --- docs/content/reference/scanners/_index.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/content/reference/scanners/_index.md b/docs/content/reference/scanners/_index.md index d600d8d09..8cca71b21 100644 --- a/docs/content/reference/scanners/_index.md +++ b/docs/content/reference/scanners/_index.md 
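Review bot: The Python typo fix is good, but the footnote's reasoning is inverted: GLIBC is backward compatible (a binary built against an older glibc runs on a newer one); what it lacks is forward compatibility, which is exactly why an agent built against glibc 2.14 will not run on a host with 2.13. Suggest "GLIBC is not forward compatible, so a binary built against 2.14 needs 2.14 or newer on the target" so the footnote matches the `>= 2.14` requirement it explains.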
@@ -25,12 +25,12 @@ Fingerprinters are modules that collect server information from a specific victi The currently implemented Fingerprint modules are: -1. [`SMBFinger`][smb-finger] - Fingerprints will target machines over SMB and extract the computer name and OS version. -2. [`SSHFinger`][ssh-finger] - Fingerprints will target machines over SSH (port 22) and extract the computer version and SSH banner. -3. [`PingScanner`][ping-scanner] - Fingerprints will use the machine's TTL to differentiate between Linux and Windows hosts. -4. [`HTTPFinger`][http-finger] - Fingerprints over HTTP/HTTPS, using the ports listed in `HTTP_PORTS` in the configuration, will return the server type and if it supports SSL. -5. [`MySQLFinger`][mysql-finger] - Fingerprints over MySQL (port 3306) will extract MySQL banner info - version, major/minor/build and capabilities. -6. [`ElasticFinger`][elastic-finger] - Fingerprints over ElasticSearch (port 9200) will extract the cluster name, node name and node version. +1. [`SMBFinger`][smb-finger] - Fingerprints target machines over SMB and extracts the computer name and OS version. +2. [`SSHFinger`][ssh-finger] - Fingerprints target machines over SSH (port 22) and extracts the computer version and SSH banner. +3. [`PingScanner`][ping-scanner] - Fingerprints target machine's TTL to differentiate between Linux and Windows hosts. +4. [`HTTPFinger`][http-finger] - Detects HTTP/HTTPS services, using the ports listed in `HTTP_PORTS` in the configuration, will return the server type and if it supports SSL. +5. [`MySQLFinger`][mysql-finger] - Fingerprints MySQL (port 3306) and will extract MySQL banner info - version, major/minor/build and capabilities. +6. [`ElasticFinger`][elastic-finger] - Fingerprints ElasticSearch (port 9200) will extract the cluster name, node name and node version. ## Adding a scanner/fingerprinter
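Review bot: The rewritten list is not yet grammatically parallel, which is the point of this copyedit: item 3 "Fingerprints target machine's TTL" is missing an article and a TTL is not something one fingerprints; item 4 chains two predicates with no conjunction ("Detects HTTP/HTTPS services, ..., will return"); item 5 mixes tenses ("Fingerprints ... and will extract"); item 6 drops the "and" entirely ("Fingerprints ElasticSearch (port 9200) will extract"). Suggest one verb pattern throughout, e.g. "Uses the target machine's TTL to differentiate between Linux and Windows hosts.", "Probes HTTP/HTTPS on the ports listed in `HTTP_PORTS` and reports the server type and whether it supports SSL/TLS.", "Fingerprints MySQL (port 3306) and extracts ...", "Fingerprints ElasticSearch (port 9200) and extracts ...". Items 1 and 2 already follow that pattern and can stay as written.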