Merge remote-tracking branch 'origin/develop' into develop

monkey/infection_monkey/exploit/mssqlexec.py

@@ -21,7 +21,6 @@ class MSSQLExploiter(HostExploiter):
 
     def __init__(self, host):
         super(MSSQLExploiter, self).__init__(host)
-        self._config = __import__('config').WormConfiguration
         self.attacks_list = [mssqlexec_utils.CmdShellAttack]
 
     def create_payload_file(self, payload_path=DEFAULT_PAYLOAD_PATH):

monkey/infection_monkey/exploit/web_rce.py

@@ -54,7 +54,7 @@ class WebRCE(HostExploiter):
         exploit_config['upload_commands'] = None
 
         # url_extensions: What subdirectories to scan (www.domain.com[/extension]). Eg. ["home", "index.php"]
-        exploit_config['url_extensions'] = None
+        exploit_config['url_extensions'] = []
 
         # stop_checking_urls: If true it will stop checking vulnerable urls once one was found vulnerable.
         exploit_config['stop_checking_urls'] = False

monkey/infection_monkey/exploit/weblogic.py

@@ -13,13 +13,16 @@ from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
 
 import threading
 import logging
+import time
 
 __author__ = "VakarisZ"
 
 LOG = logging.getLogger(__name__)
 # How long server waits for get request in seconds
 SERVER_TIMEOUT = 4
-# How long to wait for a request to go to vuln machine and then to our server from there. In seconds
+# How long should be wait after each request in seconds
+REQUEST_DELAY = 0.0001
+# How long to wait for a sign(request from host) that server is vulnerable. In seconds
 REQUEST_TIMEOUT = 2
 # How long to wait for response in exploitation. In seconds
 EXECUTION_TIMEOUT = 15
@@ -66,18 +69,41 @@ class WebLogicExploiter(WebRCE):
             print(e)
         return True
 
-    def check_if_exploitable(self, url):
+    def add_vulnerable_urls(self, urls, stop_checking=False):
+        """
+        Overrides parent method to use listener server
+        """
         # Server might get response faster than it starts listening to it, we need a lock
         httpd, lock = self._start_http_server()
-        payload = self.get_test_payload(ip=httpd._local_ip, port=httpd._local_port)
+        exploitable = False
+
+        for url in urls:
+            if self.check_if_exploitable_weblogic(url, httpd):
+                exploitable = True
+                break
+
+        if not exploitable and httpd.get_requests < 1:
+            # Wait for responses
+            time.sleep(REQUEST_TIMEOUT)
+
+        if httpd.get_requests > 0:
+            # Add all urls because we don't know which one is vulnerable
+            self.vulnerable_urls.extend(urls)
+            self._exploit_info['vulnerable_urls'] = self.vulnerable_urls
+        else:
+            LOG.info("No vulnerable urls found, skipping.")
+
+        self._stop_http_server(httpd, lock)
+
+    def check_if_exploitable_weblogic(self, url, httpd):
+        payload = self.get_test_payload(ip=httpd.local_ip, port=httpd.local_port)
         try:
-            post(url, data=payload, headers=HEADERS, timeout=REQUEST_TIMEOUT, verify=False)
+            post(url, data=payload, headers=HEADERS, timeout=REQUEST_DELAY, verify=False)
         except exceptions.ReadTimeout:
-            # Our request does not get response thus we get ReadTimeout error
+            # Our request will not get response thus we get ReadTimeout error
             pass
         except Exception as e:
             LOG.error("Something went wrong: %s" % e)
-        self._stop_http_server(httpd, lock)
         return httpd.get_requests > 0
 
     def _start_http_server(self):
@@ -94,7 +120,8 @@ class WebLogicExploiter(WebRCE):
         lock.acquire()
         return httpd, lock
 
-    def _stop_http_server(self, httpd, lock):
+    @staticmethod
+    def _stop_http_server(httpd, lock):
         lock.release()
         httpd.join(SERVER_TIMEOUT)
         httpd.stop()
@@ -168,8 +195,8 @@ class WebLogicExploiter(WebRCE):
         we determine if we can exploit by either getting a GET request from host or not.
         """
         def __init__(self, local_ip, local_port, lock, max_requests=1):
-            self._local_ip = local_ip
-            self._local_port = local_port
+            self.local_ip = local_ip
+            self.local_port = local_port
             self.get_requests = 0
             self.max_requests = max_requests
             self._stopped = False
@@ -184,7 +211,7 @@ class WebLogicExploiter(WebRCE):
                     LOG.info('Server received a request from vulnerable machine')
                     self.get_requests += 1
             LOG.info('Server waiting for exploited machine request...')
-            httpd = HTTPServer((self._local_ip, self._local_port), S)
+            httpd = HTTPServer((self.local_ip, self.local_port), S)
             httpd.daemon = True
             self.lock.release()
             while not self._stopped and self.get_requests < self.max_requests:

monkey/infection_monkey/readme.txt

@@ -1,5 +1,5 @@
 To get development versions of Monkey Island and Monkey look into deployment scripts folder.
-If you only want to monkey from scratch you may refer to the instructions below.
+If you only want to build monkey from scratch you may reference instructions below.
 
 The monkey is composed of three separate parts.
 * The Infection Monkey itself - PyInstaller compressed python archives
@@ -76,4 +76,4 @@ Alternatively, if you build Mimikatz, put each version in a zip file.
 1. The zip should contain only the Mimikatz DLL named tmpzipfile123456.dll
 2. It should be protected using the password 'VTQpsJPXgZuXhX6x3V84G'.
 3. The zip file should be named mk32.zip/mk64.zip accordingly.
-4. Zipping with 7zip has been tested. Other zipping software may not work.
+4. Zipping with 7zip has been tested. Other zipping software may not work.

monkey/monkey_island/cc/resources/telemetry.py

@@ -149,8 +149,7 @@ class Telemetry(flask_restful.Resource):
         new_scan = \
             {
                 "timestamp": telemetry_json["timestamp"],
-                "data": data,
-                "scanner": telemetry_json['data']['scanner']
+                "data": data
             }
         mongo.db.edge.update(
             {"_id": edge["_id"]},
@@ -160,16 +159,15 @@ class Telemetry(flask_restful.Resource):
 
         node = mongo.db.node.find_one({"_id": edge["to"]})
         if node is not None:
-            if new_scan["scanner"] == "TcpScanner":
-                scan_os = new_scan["data"]["os"]
-                if "type" in scan_os:
-                    mongo.db.node.update({"_id": node["_id"]},
-                                         {"$set": {"os.type": scan_os["type"]}},
-                                         upsert=False)
-                if "version" in scan_os:
-                    mongo.db.node.update({"_id": node["_id"]},
-                                         {"$set": {"os.version": scan_os["version"]}},
-                                         upsert=False)
+            scan_os = new_scan["data"]["os"]
+            if "type" in scan_os:
+                mongo.db.node.update({"_id": node["_id"]},
+                                     {"$set": {"os.type": scan_os["type"]}},
+                                     upsert=False)
+            if "version" in scan_os:
+                mongo.db.node.update({"_id": node["_id"]},
+                                     {"$set": {"os.version": scan_os["version"]}},
+                                     upsert=False)
 
     @staticmethod
     def process_system_info_telemetry(telemetry_json):