diff --git a/infection_monkey/system_info/__init__.py b/infection_monkey/system_info/__init__.py index 0d2828d88..52848673a 100644 --- a/infection_monkey/system_info/__init__.py +++ b/infection_monkey/system_info/__init__.py @@ -126,5 +126,7 @@ class InfoCollector(object): # we might be losing passwords in case of multiple reset attempts on same username # or in case another collector already filled in a password for this user self.info["credentials"][username]['Password'] = password + self.info["credentials"][username]['Azure'] = True + if len(azure_creds) != 0: self.info["Azure"] = True diff --git a/monkey_island/cc/services/report.py b/monkey_island/cc/services/report.py index cbef9d973..2b9e2eccc 100644 --- a/monkey_island/cc/services/report.py +++ b/monkey_island/cc/services/report.py @@ -33,6 +33,7 @@ class ReportService: SAMBACRY = 3 SHELLSHOCK = 4 CONFICKER = 5 + AZURE = 6 class WARNINGS_DICT(Enum): CROSS_SEGMENT = 0 @@ -71,6 +72,19 @@ class ReportService: } for tunnel in mongo.db.monkey.find({'tunnel': {'$exists': True}}, {'tunnel': 1})] + @staticmethod + def get_azure_issues(): + creds = ReportService.get_azure_creds() + machines = set([instance['origin'] for instance in creds]) + + return [ + { + 'type': 'azure_password', + 'machine': machine, + 'users': set([instance['username'] for instance in creds if instance['origin']==machine]) + } + for machine in machines] + @staticmethod def get_scanned(): nodes = \ @@ -135,6 +149,26 @@ class ReportService: ) return creds + @staticmethod + def get_azure_creds(): + """ + Recover all credentials marked as being from an Azure machine + :return: List of credentials. + """ + creds = [] + for telem in mongo.db.telemetry.find( + {'telem_type': 'system_info_collection', 'data.Azure': {'$exists': True}}, + {'data.credentials': 1, 'monkey_guid': 1} + ): + monkey_creds = telem['data']['credentials'] + if len(monkey_creds) == 0: + continue + origin = NodeService.get_monkey_by_guid(telem['monkey_guid'])['hostname'] + new_creds = [{'username': user.replace(',', '.'), 'type': 'Clear Password', + 'origin': origin} for user in monkey_creds if 'Azure' in user] + creds.extend(new_creds) + return creds + @staticmethod def process_general_exploit(exploit): ip_addr = exploit['data']['machine']['ip_addr'] @@ -277,7 +311,7 @@ class ReportService: @staticmethod def get_issues(): - issues = ReportService.get_exploits() + ReportService.get_tunnels() + ReportService.get_cross_segment_issues() + issues = ReportService.get_exploits() + ReportService.get_tunnels() + ReportService.get_cross_segment_issues() + ReportService.get_azure_issues() issues_dict = {} for issue in issues: machine = issue['machine'] @@ -337,6 +371,8 @@ class ReportService: issues_byte_array[ReportService.ISSUES_DICT.SHELLSHOCK.value] = True elif issue['type'] == 'conficker': issues_byte_array[ReportService.ISSUES_DICT.CONFICKER.value] = True + elif issue['type'] == 'azure_password': + issues_byte_array[ReportService.ISSUES_DICT.AZURE.value] = True elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \ issue['username'] in config_users: issues_byte_array[ReportService.ISSUES_DICT.WEAK_PASSWORD.value] = True @@ -397,7 +433,8 @@ class ReportService: { 'scanned': ReportService.get_scanned(), 'exploited': ReportService.get_exploited(), - 'stolen_creds': ReportService.get_stolen_creds() + 'stolen_creds': ReportService.get_stolen_creds(), + 'azure_passwords': ReportService.get_azure_creds(), }, 'recommendations': { diff --git a/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey_island/cc/ui/src/components/pages/ReportPage.js index 56c2c3881..2a13e46dd 100644 --- a/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -21,7 +21,8 @@ class ReportPageComponent extends AuthComponent { ELASTIC: 2, SAMBACRY: 3, SHELLSHOCK: 4, - CONFICKER: 5 + CONFICKER: 5, + AZURE: 6 }; Warning = @@ -313,6 +314,11 @@ class ReportPageComponent extends AuthComponent { {this.state.report.overview.issues[this.Issue.WEAK_PASSWORD] ?