forked from p15670423/monkey
Merge pull request #354 from VakarisZ/attack_private_keys
T1145 Private Keys
This commit is contained in:
Itay Mizeretz
GitHub
commit
45bda21fc8
|
|
@ -1,6 +1,7 @@
|
|||
import logging
|
||||
|
||||
from monkey_island.cc.models import Monkey
|
||||
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086
|
||||
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082, T1145
|
||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
||||
from monkey_island.cc.database import mongo
|
||||
|
||||
|
|
@ -15,7 +16,9 @@ TECHNIQUES = {'T1210': T1210.T1210,
|
|||
'T1075': T1075.T1075,
|
||||
'T1003': T1003.T1003,
|
||||
'T1059': T1059.T1059,
|
||||
'T1086': T1086.T1086}
|
||||
'T1086': T1086.T1086,
|
||||
'T1082': T1082.T1082,
|
||||
'T1145': T1145.T1145}
|
||||
|
||||
REPORT_NAME = 'new_report'
|
||||
|
||||
|
|
|
|||
|
|
@ -67,6 +67,16 @@ SCHEMA = {
|
|||
"information, normally in the form of a hash or a clear text password, "
|
||||
"from the operating system and software.",
|
||||
"depends_on": ["T1078"]
|
||||
},
|
||||
"T1145": {
|
||||
"title": "T1145 Private keys",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": False,
|
||||
"description": "Adversaries may gather private keys from compromised systems for use in "
|
||||
"authenticating to Remote Services like SSH or for use in decrypting "
|
||||
"other collected files such as email.",
|
||||
"depends_on": ["T1110", "T1210"]
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
@ -106,5 +116,20 @@ SCHEMA = {
|
|||
}
|
||||
}
|
||||
},
|
||||
"discovery": {
|
||||
"title": "Discovery",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"T1082": {
|
||||
"title": "T1082 System information discovery",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": False,
|
||||
"description": "An adversary may attempt to get detailed information about the "
|
||||
"operating system and hardware, including version, patches, hotfixes, "
|
||||
"service packs, and architecture."
|
||||
}
|
||||
}
|
||||
},
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,47 @@
|
|||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from monkey_island.cc.database import mongo
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
||||
class T1082(AttackTechnique):
|
||||
|
||||
tech_id = "T1082"
|
||||
unscanned_msg = "Monkey didn't gather any system info on the network."
|
||||
scanned_msg = ""
|
||||
used_msg = "Monkey gathered system info from machines in the network."
|
||||
|
||||
query = [{'$match': {'telem_category': 'system_info_collection'}},
|
||||
{'$project': {'machine': {'hostname': '$data.hostname', 'ips': '$data.network_info.networks'},
|
||||
'aws': '$data.aws',
|
||||
'netstat': '$data.network_info.netstat',
|
||||
'process_list': '$data.process_list',
|
||||
'ssh_info': '$data.ssh_info',
|
||||
'azure_info': '$data.Azure'}},
|
||||
{'$project': {'_id': 0,
|
||||
'machine': 1,
|
||||
'collections': [
|
||||
{'used': {'$and': [{'$ifNull': ['$netstat', False]}, {'$gt': ['$aws', {}]}]},
|
||||
'name': {'$literal': 'Amazon Web Services info'}},
|
||||
{'used': {'$and': [{'$ifNull': ['$process_list', False]}, {'$gt': ['$process_list', {}]}]},
|
||||
'name': {'$literal': 'Running process list'}},
|
||||
{'used': {'$and': [{'$ifNull': ['$netstat', False]}, {'$ne': ['$netstat', []]}]},
|
||||
'name': {'$literal': 'Network connections'}},
|
||||
{'used': {'$and': [{'$ifNull': ['$ssh_info', False]}, {'$ne': ['$ssh_info', []]}]},
|
||||
'name': {'$literal': 'SSH info'}},
|
||||
{'used': {'$and': [{'$ifNull': ['$azure_info', False]}, {'$ne': ['$azure_info', []]}]},
|
||||
'name': {'$literal': 'Azure info'}}
|
||||
]}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1082.technique_title()}
|
||||
system_info = list(mongo.db.telemetry.aggregate(T1082.query))
|
||||
data.update({'system_info': system_info})
|
||||
if system_info:
|
||||
status = ScanStatus.USED
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
data.update(T1082.get_message_and_status(status))
|
||||
return data
|
||||
|
|
@ -40,11 +40,11 @@ class T1110(AttackTechnique):
|
|||
status = ScanStatus.SCANNED
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
data = T1110.get_message_and_status(status)
|
||||
data = T1110.get_base_data_by_status(status)
|
||||
# Remove data with no successful brute force attempts
|
||||
attempts = [attempt for attempt in attempts if attempt['attempts']]
|
||||
|
||||
data.update({'services': attempts, 'title': T1110.technique_title()})
|
||||
data.update({'services': attempts})
|
||||
return data
|
||||
|
||||
@staticmethod
|
||||
|
|
|
|||
|
|
@ -0,0 +1,31 @@
|
|||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
||||
class T1145(AttackTechnique):
|
||||
tech_id = "T1145"
|
||||
unscanned_msg = "Monkey didn't find any shh keys."
|
||||
scanned_msg = ""
|
||||
used_msg = "Monkey found ssh keys on machines in the network."
|
||||
|
||||
# Gets data about ssh keys found
|
||||
query = [{'$match': {'telem_category': 'system_info_collection',
|
||||
'data.ssh_info': {'$elemMatch': {'private_key': {'$exists': True}}}}},
|
||||
{'$project': {'_id': 0,
|
||||
'machine': {'hostname': '$data.hostname', 'ips': '$data.network_info.networks'},
|
||||
'ssh_info': '$data.ssh_info'}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
ssh_info = list(mongo.db.telemetry.aggregate(T1145.query))
|
||||
|
||||
if ssh_info:
|
||||
status = ScanStatus.USED
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
data = T1145.get_base_data_by_status(status)
|
||||
data.update({'ssh_info': ssh_info})
|
||||
return data
|
||||
|
|
@ -106,3 +106,9 @@ class AttackTechnique(object):
|
|||
'title': title,
|
||||
'message': cls.get_message_by_status(status)})
|
||||
return data
|
||||
|
||||
@classmethod
|
||||
def get_base_data_by_status(cls, status):
|
||||
data = cls.get_message_and_status(status)
|
||||
data.update({'title': cls.technique_title()})
|
||||
return data
|
||||
|
|
|
|||
|
|
@ -54,7 +54,7 @@ SCHEMA = {
|
|||
"SSHExploiter"
|
||||
],
|
||||
"title": "SSH Exploiter",
|
||||
"attack_techniques": ["T1110"]
|
||||
"attack_techniques": ["T1110", "T1145"]
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
|
|
@ -422,6 +422,7 @@ SCHEMA = {
|
|||
"title": "Collect system info",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"attack_techniques": ["T1082"],
|
||||
"description": "Determines whether to collect system info"
|
||||
},
|
||||
"should_use_mimikatz": {
|
||||
|
|
|
|||
|
|
@ -8563,7 +8563,7 @@
|
|||
"dev": true,
|
||||
"optional": true,
|
||||
"requires": {
|
||||
"minimatch": "^3.0.4"
|
||||
"minimatch": "3.0.4"
|
||||
}
|
||||
},
|
||||
"inflight": {
|
||||
|
|
@ -8614,8 +8614,7 @@
|
|||
"minimist": {
|
||||
"version": "0.0.8",
|
||||
"bundled": true,
|
||||
"dev": true,
|
||||
"optional": true
|
||||
"dev": true
|
||||
},
|
||||
"minipass": {
|
||||
"version": "2.2.4",
|
||||
|
|
|
|||
|
|
@ -4,4 +4,14 @@ export function renderMachine(val){
|
|||
return (
|
||||
<span>{val.ip_addr} {(val.domain_name ? " (".concat(val.domain_name, ")") : "")}</span>
|
||||
)
|
||||
};
|
||||
}
|
||||
|
||||
/* Function takes data gathered from system info collector and creates a
|
||||
string representation of machine from that data. */
|
||||
export function renderMachineFromSystemData(data) {
|
||||
let machineStr = data['hostname'] + " ( ";
|
||||
data['ips'].forEach(function(ipInfo){
|
||||
machineStr += ipInfo['addr'] + " ";
|
||||
});
|
||||
return machineStr + ")"
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,48 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachineFromSystemData } from "./Helpers"
|
||||
|
||||
|
||||
class T1082 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
static renderCollections(collections){
|
||||
let output = [];
|
||||
collections.forEach(function(collection){
|
||||
if(collection['used']){
|
||||
output.push(<div key={collection['name']}>{collection['name']}</div>)
|
||||
}
|
||||
});
|
||||
return (<div>{output}</div>);
|
||||
}
|
||||
|
||||
static getSystemInfoColumns() {
|
||||
return ([{
|
||||
columns: [
|
||||
{Header: 'Machine', id: 'machine', accessor: x => renderMachineFromSystemData(x.machine), style: { 'whiteSpace': 'unset' }},
|
||||
{Header: 'Gathered info', id: 'info', accessor: x => T1082.renderCollections(x.collections), style: { 'whiteSpace': 'unset' }},
|
||||
]
|
||||
}])};
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
<ReactTable
|
||||
columns={T1082.getSystemInfoColumns()}
|
||||
data={this.props.data.system_info}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.system_info.length}
|
||||
/> : ""}
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1082;
|
||||
|
|
@ -0,0 +1,53 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachineFromSystemData } from "./Helpers"
|
||||
|
||||
|
||||
class T1145 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
static renderSSHKeys(keys){
|
||||
let output = [];
|
||||
keys.forEach(function(keyInfo){
|
||||
output.push(<div key={keyInfo['name']+keyInfo['home_dir']}>
|
||||
SSH key pair used by <b>{keyInfo['name']}</b> user found in {keyInfo['home_dir']}</div>)
|
||||
});
|
||||
return (<div>{output}</div>);
|
||||
}
|
||||
|
||||
static getKeysInfoColumns() {
|
||||
return ([{
|
||||
columns: [
|
||||
{Header: 'Machine',
|
||||
id: 'machine',
|
||||
accessor: x => renderMachineFromSystemData(x.machine),
|
||||
style: { 'whiteSpace': 'unset' }},
|
||||
{Header: 'Keys found',
|
||||
id: 'keys',
|
||||
accessor: x => T1145.renderSSHKeys(x.ssh_info),
|
||||
style: { 'whiteSpace': 'unset' }},
|
||||
]
|
||||
}])};
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
<ReactTable
|
||||
columns={T1145.getKeysInfoColumns()}
|
||||
data={this.props.data.ssh_info}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.ssh_info.length}
|
||||
/> : ""}
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1145;
|
||||
|
|
@ -12,6 +12,8 @@ import T1075 from "../attack/techniques/T1075";
|
|||
import T1003 from "../attack/techniques/T1003";
|
||||
import T1059 from "../attack/techniques/T1059";
|
||||
import T1086 from "../attack/techniques/T1086";
|
||||
import T1082 from "../attack/techniques/T1082";
|
||||
import T1145 from "../attack/techniques/T1145";
|
||||
|
||||
const tech_components = {
|
||||
'T1210': T1210,
|
||||
|
|
@ -20,7 +22,9 @@ const tech_components = {
|
|||
'T1075': T1075,
|
||||
'T1003': T1003,
|
||||
'T1059': T1059,
|
||||
'T1086': T1086
|
||||
'T1086': T1086,
|
||||
'T1082': T1082,
|
||||
'T1145': T1145
|
||||
};
|
||||
|
||||
const classNames = require('classnames');
|
||||
|
|
|
|||
Loading…
Reference in New Issue