forked from p15670423/monkey
Merge remote-tracking branch 'origin/develop' into bugfix/various-island-fixes
# Conflicts: # monkey_island/cc/services/config.py
This commit is contained in:
commit
9b6c008330
|
@ -173,6 +173,8 @@ class Configuration(object):
|
||||||
# addresses of internet servers to ping and check if the monkey has internet acccess.
|
# addresses of internet servers to ping and check if the monkey has internet acccess.
|
||||||
internet_services = ["monkey.guardicore.com", "www.google.com"]
|
internet_services = ["monkey.guardicore.com", "www.google.com"]
|
||||||
|
|
||||||
|
keep_tunnel_open_time = 60
|
||||||
|
|
||||||
###########################
|
###########################
|
||||||
# scanners config
|
# scanners config
|
||||||
###########################
|
###########################
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
"monkey.guardicore.com",
|
"monkey.guardicore.com",
|
||||||
"www.google.com"
|
"www.google.com"
|
||||||
],
|
],
|
||||||
|
"keep_tunnel_open_time": 60,
|
||||||
"range_class": "RelativeRange",
|
"range_class": "RelativeRange",
|
||||||
"range_fixed": [
|
"range_fixed": [
|
||||||
""
|
""
|
||||||
|
|
|
@ -100,7 +100,6 @@ class SambaCryExploiter(HostExploiter):
|
||||||
smb_client = self.connect_to_server(host.ip_addr, creds)
|
smb_client = self.connect_to_server(host.ip_addr, creds)
|
||||||
self.upload_module(smb_client, host, share, depth)
|
self.upload_module(smb_client, host, share, depth)
|
||||||
self.trigger_module(smb_client, share)
|
self.trigger_module(smb_client, share)
|
||||||
smb_client.close()
|
|
||||||
except (impacket.smbconnection.SessionError, SessionError):
|
except (impacket.smbconnection.SessionError, SessionError):
|
||||||
LOG.debug(
|
LOG.debug(
|
||||||
"Exception trying to exploit host: %s, share: %s, with creds: %s." % (host.ip_addr, share, str(creds)))
|
"Exception trying to exploit host: %s, share: %s, with creds: %s." % (host.ip_addr, share, str(creds)))
|
||||||
|
@ -125,7 +124,6 @@ class SambaCryExploiter(HostExploiter):
|
||||||
# Ignore exception to try and delete as much as possible
|
# Ignore exception to try and delete as much as possible
|
||||||
pass
|
pass
|
||||||
smb_client.disconnectTree(tree_id)
|
smb_client.disconnectTree(tree_id)
|
||||||
smb_client.close()
|
|
||||||
|
|
||||||
def get_trigger_result(self, ip, share, creds):
|
def get_trigger_result(self, ip, share, creds):
|
||||||
"""
|
"""
|
||||||
|
@ -147,7 +145,6 @@ class SambaCryExploiter(HostExploiter):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
smb_client.disconnectTree(tree_id)
|
smb_client.disconnectTree(tree_id)
|
||||||
smb_client.close()
|
|
||||||
return file_content
|
return file_content
|
||||||
|
|
||||||
def get_writable_shares_creds_dict(self, ip):
|
def get_writable_shares_creds_dict(self, ip):
|
||||||
|
@ -159,6 +156,8 @@ class SambaCryExploiter(HostExploiter):
|
||||||
writable_shares_creds_dict = {}
|
writable_shares_creds_dict = {}
|
||||||
credentials_list = self.get_credentials_list()
|
credentials_list = self.get_credentials_list()
|
||||||
|
|
||||||
|
LOG.debug("SambaCry credential list: %s" % str(credentials_list))
|
||||||
|
|
||||||
for credentials in credentials_list:
|
for credentials in credentials_list:
|
||||||
try:
|
try:
|
||||||
smb_client = self.connect_to_server(ip, credentials)
|
smb_client = self.connect_to_server(ip, credentials)
|
||||||
|
@ -169,7 +168,6 @@ class SambaCryExploiter(HostExploiter):
|
||||||
if self.is_share_writable(smb_client, share):
|
if self.is_share_writable(smb_client, share):
|
||||||
writable_shares_creds_dict[share] = credentials
|
writable_shares_creds_dict[share] = credentials
|
||||||
|
|
||||||
smb_client.close()
|
|
||||||
except (impacket.smbconnection.SessionError, SessionError):
|
except (impacket.smbconnection.SessionError, SessionError):
|
||||||
# If failed using some credentials, try others.
|
# If failed using some credentials, try others.
|
||||||
pass
|
pass
|
||||||
|
|
|
@ -1,17 +1,18 @@
|
||||||
import sys
|
|
||||||
import os
|
|
||||||
import time
|
|
||||||
import logging
|
|
||||||
import tunnel
|
|
||||||
import argparse
|
import argparse
|
||||||
|
import logging
|
||||||
|
import os
|
||||||
import subprocess
|
import subprocess
|
||||||
from system_singleton import SystemSingleton
|
import sys
|
||||||
from network.firewall import app as firewall
|
import time
|
||||||
from control import ControlClient
|
|
||||||
|
import tunnel
|
||||||
from config import WormConfiguration
|
from config import WormConfiguration
|
||||||
from network.network_scanner import NetworkScanner
|
from control import ControlClient
|
||||||
from model import DELAY_DELETE_CMD
|
from model import DELAY_DELETE_CMD
|
||||||
|
from network.firewall import app as firewall
|
||||||
|
from network.network_scanner import NetworkScanner
|
||||||
from system_info import SystemInfoCollector
|
from system_info import SystemInfoCollector
|
||||||
|
from system_singleton import SystemSingleton
|
||||||
|
|
||||||
__author__ = 'itamar'
|
__author__ = 'itamar'
|
||||||
|
|
||||||
|
@ -80,8 +81,6 @@ class ChaosMonkey(object):
|
||||||
if monkey_tunnel:
|
if monkey_tunnel:
|
||||||
monkey_tunnel.start()
|
monkey_tunnel.start()
|
||||||
|
|
||||||
last_exploit_time = None
|
|
||||||
|
|
||||||
ControlClient.send_telemetry("state", {'done': False})
|
ControlClient.send_telemetry("state", {'done': False})
|
||||||
|
|
||||||
self._default_server = WormConfiguration.current_server
|
self._default_server = WormConfiguration.current_server
|
||||||
|
@ -101,7 +100,7 @@ class ChaosMonkey(object):
|
||||||
else:
|
else:
|
||||||
LOG.debug("Running with depth: %d" % WormConfiguration.depth)
|
LOG.debug("Running with depth: %d" % WormConfiguration.depth)
|
||||||
|
|
||||||
for _ in xrange(WormConfiguration.max_iterations):
|
for iteration_index in xrange(WormConfiguration.max_iterations):
|
||||||
ControlClient.keepalive()
|
ControlClient.keepalive()
|
||||||
ControlClient.load_control_config()
|
ControlClient.load_control_config()
|
||||||
|
|
||||||
|
@ -146,7 +145,6 @@ class ChaosMonkey(object):
|
||||||
LOG.debug("Skipping %r - exploitation failed before", machine)
|
LOG.debug("Skipping %r - exploitation failed before", machine)
|
||||||
continue
|
continue
|
||||||
|
|
||||||
|
|
||||||
if monkey_tunnel:
|
if monkey_tunnel:
|
||||||
monkey_tunnel.set_tunnel_for_host(machine)
|
monkey_tunnel.set_tunnel_for_host(machine)
|
||||||
if self._default_server:
|
if self._default_server:
|
||||||
|
@ -172,15 +170,14 @@ class ChaosMonkey(object):
|
||||||
'exploiter': exploiter.__class__.__name__})
|
'exploiter': exploiter.__class__.__name__})
|
||||||
|
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
LOG.error("Exception while attacking %s using %s: %s",
|
LOG.exception("Exception while attacking %s using %s: %s",
|
||||||
machine, exploiter.__class__.__name__, exc)
|
machine, exploiter.__class__.__name__, exc)
|
||||||
ControlClient.send_telemetry('exploit', {'result': False, 'machine': machine.__dict__,
|
ControlClient.send_telemetry('exploit', {'result': False, 'machine': machine.__dict__,
|
||||||
'exploiter': exploiter.__class__.__name__})
|
'exploiter': exploiter.__class__.__name__})
|
||||||
continue
|
continue
|
||||||
|
|
||||||
if successful_exploiter:
|
if successful_exploiter:
|
||||||
self._exploited_machines.add(machine)
|
self._exploited_machines.add(machine)
|
||||||
last_exploit_time = time.time()
|
|
||||||
ControlClient.send_telemetry('exploit', {'result': True, 'machine': machine.__dict__,
|
ControlClient.send_telemetry('exploit', {'result': True, 'machine': machine.__dict__,
|
||||||
'exploiter': successful_exploiter.__class__.__name__})
|
'exploiter': successful_exploiter.__class__.__name__})
|
||||||
|
|
||||||
|
@ -196,8 +193,10 @@ class ChaosMonkey(object):
|
||||||
else:
|
else:
|
||||||
self._fail_exploitation_machines.add(machine)
|
self._fail_exploitation_machines.add(machine)
|
||||||
|
|
||||||
if not is_empty:
|
if (not is_empty) and (WormConfiguration.max_iterations > iteration_index + 1):
|
||||||
time.sleep(WormConfiguration.timeout_between_iterations)
|
time_to_sleep = WormConfiguration.timeout_between_iterations
|
||||||
|
LOG.info("Sleeping %d seconds before next life cycle iteration", time_to_sleep)
|
||||||
|
time.sleep(time_to_sleep)
|
||||||
|
|
||||||
if self._keep_running and WormConfiguration.alive:
|
if self._keep_running and WormConfiguration.alive:
|
||||||
LOG.info("Reached max iterations (%d)", WormConfiguration.max_iterations)
|
LOG.info("Reached max iterations (%d)", WormConfiguration.max_iterations)
|
||||||
|
@ -206,8 +205,10 @@ class ChaosMonkey(object):
|
||||||
|
|
||||||
# if host was exploited, before continue to closing the tunnel ensure the exploited host had its chance to
|
# if host was exploited, before continue to closing the tunnel ensure the exploited host had its chance to
|
||||||
# connect to the tunnel
|
# connect to the tunnel
|
||||||
if last_exploit_time and (time.time() - last_exploit_time < 60):
|
if len(self._exploited_machines) > 0:
|
||||||
time.sleep(time.time() - last_exploit_time)
|
time_to_sleep = WormConfiguration.keep_tunnel_open_time
|
||||||
|
LOG.info("Sleeping %d seconds for exploited machines to connect to tunnel", time_to_sleep)
|
||||||
|
time.sleep(time_to_sleep)
|
||||||
|
|
||||||
if monkey_tunnel:
|
if monkey_tunnel:
|
||||||
monkey_tunnel.stop()
|
monkey_tunnel.stop()
|
||||||
|
@ -242,7 +243,7 @@ class ChaosMonkey(object):
|
||||||
close_fds=True, startupinfo=startupinfo)
|
close_fds=True, startupinfo=startupinfo)
|
||||||
else:
|
else:
|
||||||
os.remove(sys.executable)
|
os.remove(sys.executable)
|
||||||
except Exception, exc:
|
except Exception as exc:
|
||||||
LOG.error("Exception in self delete: %s", exc)
|
LOG.error("Exception in self delete: %s", exc)
|
||||||
|
|
||||||
LOG.info("Monkey is shutting down")
|
LOG.info("Monkey is shutting down")
|
||||||
|
|
|
@ -29,6 +29,8 @@ def get_host_subnets():
|
||||||
for network in ipv4_nets:
|
for network in ipv4_nets:
|
||||||
if 'broadcast' in network:
|
if 'broadcast' in network:
|
||||||
network.pop('broadcast')
|
network.pop('broadcast')
|
||||||
|
for attr in network:
|
||||||
|
network[attr] = network[attr].encode('utf-8').strip()
|
||||||
return ipv4_nets
|
return ipv4_nets
|
||||||
|
|
||||||
|
|
||||||
|
@ -47,8 +49,7 @@ else:
|
||||||
|
|
||||||
|
|
||||||
def local_ips():
|
def local_ips():
|
||||||
ipv4_nets = get_host_subnets()
|
valid_ips = [network['addr'] for network in get_host_subnets()]
|
||||||
valid_ips = [network['addr'] for network in ipv4_nets]
|
|
||||||
return valid_ips
|
return valid_ips
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,35 +1,58 @@
|
||||||
How to create a monkey build environment:
|
How to build a monkey binary from scratch.
|
||||||
|
|
||||||
|
The monkey is composed of three seperate parts.
|
||||||
|
* The Infection Monkey itself - PyInstaller compressed python archives
|
||||||
|
* Sambacry binaries - Two linux binaries, 32/64 bit.
|
||||||
|
* Mimikatz binaries - Two windows binaries, 32/64 bit.
|
||||||
|
|
||||||
|
--- Windows ---
|
||||||
|
|
||||||
Windows:
|
|
||||||
1. Install python 2.7. Preferably you should use ActiveState Python which includes pywin32 built in.
|
1. Install python 2.7. Preferably you should use ActiveState Python which includes pywin32 built in.
|
||||||
You must use an up to date version, atleast version 2.7.10
|
You must use an up to date version, at least version 2.7.10
|
||||||
http://www.activestate.com/activepython/downloads
|
http://www.activestate.com/activepython/downloads
|
||||||
https://www.python.org/downloads/release/python-2712/
|
https://www.python.org/downloads/release/python-2712/
|
||||||
2. install pywin32-219.win32-py2.7.exe at least
|
If not using ActiveState, install pywin32, minimum build 219
|
||||||
http://sourceforge.net/projects/pywin32/files/pywin32/Build%20219/
|
http://sourceforge.net/projects/pywin32/files/pywin32
|
||||||
3. a. install VCForPython27.msi
|
3. a. install VCForPython27.msi
|
||||||
http://www.microsoft.com/en-us/download/details.aspx?id=44266
|
https://aka.ms/vcpython27
|
||||||
b. if not installed, install Microsoft Visual C++ 2010 SP1 Redistributable Package
|
b. if not installed, install Microsoft Visual C++ 2010 SP1 Redistributable Package
|
||||||
32bit: http://www.microsoft.com/en-us/download/details.aspx?id=8328
|
32bit: http://www.microsoft.com/en-us/download/details.aspx?id=8328
|
||||||
64bit: http://www.microsoft.com/en-us/download/details.aspx?id=13523
|
64bit: http://www.microsoft.com/en-us/download/details.aspx?id=13523
|
||||||
4. Download & Run get-pip.py
|
4. Download the dependent python packages using
|
||||||
https://bootstrap.pypa.io/get-pip.py
|
pip install -r requirements.txt
|
||||||
5. Run:
|
5. Download and extract UPX binary to [source-path]\monkey\chaos_monkey\bin\upx.exe:
|
||||||
Install the python packages listed in requirements.txt. Using pip install -r requirements.txt
|
https://github.com/upx/upx/releases/download/v3.94/upx394w.zip
|
||||||
7. Download and extract UPX binary to [source-path]\monkey\chaos_monkey\bin\upx.exe:
|
6. To build the final exe:
|
||||||
http://upx.sourceforge.net/download/upx391w.zip
|
1 cd [code location]/chaos_monkey
|
||||||
8. Run [source-path]\monkey\chaos_monkey\build_windows.bat to build, output is in dist\monkey.exe
|
build_windows.bat
|
||||||
|
output is in dist\monkey.exe
|
||||||
|
|
||||||
|
--- Linux ---
|
||||||
|
|
||||||
|
Tested on Ubuntu 16.04 and 17.04.
|
||||||
|
|
||||||
Linux (Tested on Ubuntu 12.04):
|
|
||||||
1. Run:
|
1. Run:
|
||||||
sudo apt-get update
|
sudo apt-get update
|
||||||
sudo apt-get install python-pip python-dev libffi-dev upx libssl-dev libc++1
|
sudo apt-get install python-pip python-dev libffi-dev upx libssl-dev libc++1
|
||||||
Install the python packages listed in requirements.txt.
|
Install the python packages listed in requirements.txt.
|
||||||
Using pip install -r requirements.txt
|
Using pip install -r requirements.txt
|
||||||
sudo apt-get install winbind
|
sudo apt-get install winbind dnet-common
|
||||||
2. Put source code in /home/user/Code/monkey/chaos_monkey
|
2. Put source code in Code/monkey/chaos_monkey
|
||||||
3. To build, run in terminal:
|
3. To build, run in terminal:
|
||||||
cd /home/user/Code/monkey/chaos_monkey
|
cd [code location]/chaos_monkey
|
||||||
chmod +x build_linux.sh
|
chmod +x build_linux.sh
|
||||||
./build_linux.sh
|
./build_linux.sh
|
||||||
output is in dist/monkey
|
output is in dist/monkey
|
||||||
|
|
||||||
|
-- Sambacry --
|
||||||
|
|
||||||
|
Sambacry requires two standalone binaries to execute remotely.
|
||||||
|
Compiling them requires gcc
|
||||||
|
cd [code location]/chaos_monkey/monkey_utils/sambacry_monkey_runner
|
||||||
|
./build.sh
|
||||||
|
|
||||||
|
-- Mimikatz --
|
||||||
|
|
||||||
|
Mimikatz is required for the Monkey to be able to steal credentials on Windows. It's possible to either compile from sources (requires Visual Studio 2013 and up) or download the binaries from
|
||||||
|
https://github.com/guardicore/mimikatz/releases/tag/1.0.0
|
||||||
|
Download both 32 and 64 bit DLLs and place them under [code location]\chaos_monkey\bin
|
||||||
|
|
|
@ -350,6 +350,12 @@ SCHEMA = {
|
||||||
"type": "boolean",
|
"type": "boolean",
|
||||||
"default": True,
|
"default": True,
|
||||||
"description": "Determines whether to collect system info"
|
"description": "Determines whether to collect system info"
|
||||||
|
},
|
||||||
|
"keep_tunnel_open_time": {
|
||||||
|
"title": "Keep tunnel open time",
|
||||||
|
"type": "integer",
|
||||||
|
"default": 60,
|
||||||
|
"description": "Time to keep tunnel open before going down after last exploit (in seconds)"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
Loading…
Reference in New Issue