From cdfd6284ee51fbe260a872dda4382804c77b7c92 Mon Sep 17 00:00:00 2001 From: "maor.rayzin" Date: Wed, 1 Aug 2018 13:07:18 +0300 Subject: [PATCH] * Added information about what info gathered to the report's issues section --- monkey_island/cc/resources/pthreport.py | 2 +- monkey_island/cc/services/pth_report.py | 51 +++++++++++++++---- monkey_island/cc/services/pth_report_utils.py | 19 +++---- .../cc/ui/src/components/pages/ReportPage.js | 30 ++++++++++- 4 files changed, 80 insertions(+), 22 deletions(-) diff --git a/monkey_island/cc/resources/pthreport.py b/monkey_island/cc/resources/pthreport.py index 31233aa1e..7c4046694 100644 --- a/monkey_island/cc/resources/pthreport.py +++ b/monkey_island/cc/resources/pthreport.py @@ -3,7 +3,7 @@ import flask_restful from cc.auth import jwt_required from cc.services.pth_report import PTHReportService -__author__ = "itay.mizeretz" +__author__ = "maor.rayzin" class PTHReport(flask_restful.Resource): diff --git a/monkey_island/cc/services/pth_report.py b/monkey_island/cc/services/pth_report.py index 45a6e3668..7a615db2d 100644 --- a/monkey_island/cc/services/pth_report.py +++ b/monkey_island/cc/services/pth_report.py @@ -18,7 +18,8 @@ class PTHReportService(object): continue for sid in pth.GetSidsBySecret(secret): usernames_per_sid_list.append(pth.GetUsernameBySid(sid)) - usernames_lists.append(usernames_per_sid_list) + + usernames_lists.append({'cred_group': usernames_per_sid_list}) return usernames_lists @@ -99,24 +100,49 @@ class PTHReportService(object): 'ip': m.GetIp(), 'hostname': m.GetHostName(), 'domain': m.GetDomainName(), - 'services_names': m.GetNonCritialServers(), + 'services_names': [], 'user_count': count, 'threatening_users': threatening_users_attackers_dict } strong_users_non_crit_list.append(machine) return strong_users_non_crit_list + @staticmethod + def get_duplicated_passwords_issues(pth, password_groups): + issues = [] + issues_dict = {} + for group in password_groups: + for username in group['cred_group']: + sid = list(pth.GetSidsByUsername(username.split('\\')[1])) + machine_info = pth.GetSidInfo(sid[0]) + issues.append( + { + 'type': 'shared_password', + 'machine': machine_info.get('hostname').split('.')[0], + 'shared_with': [x for x in group['cred_group'] if x != username], + 'username': username + } + ) + + for issue in issues: + machine = issue['machine'] + if machine not in issues_dict: + issues_dict[machine] = [] + issues_dict[machine].append(issue) + + return issues_dict + @staticmethod def generate_map_nodes(pth): nodes_list = [] for node_id in pth.vertices: machine = Machine(node_id) node = { - "id": str(machine.get_monkey_id()), + "id": str(node_id), "label": '{0} : {1}'.format(machine.GetHostName(), machine.GetIp()), 'group': 'critical' if machine.IsCriticalServer() else 'normal', 'users': list(machine.GetCachedUsernames()), - 'ips': machine.GetIp(), + 'ips': [machine.GetIp()], 'services': machine.GetCriticalServicesInstalled(), 'hostname': machine.GetHostName() } @@ -127,17 +153,23 @@ class PTHReportService(object): @staticmethod def get_report(): pth = PassTheHashReport() + same_password = PTHReportService.get_duplicated_password_nodes(pth) + local_admin_shared = PTHReportService.get_shared_local_admins_nodes(pth) + strong_users_on_crit_services = PTHReportService.get_strong_users_on_crit_services(pth) + strong_users_on_non_crit_services = PTHReportService.get_strong_users_on_non_crit_services(pth) + issues = PTHReportService.get_duplicated_passwords_issues(pth, same_password) report = \ { 'report_info': { - 'same_password': PTHReportService.get_duplicated_password_nodes(pth), - 'local_admin_shared': PTHReportService.get_shared_local_admins_nodes(pth), - 'strong_users_on_crit_services': PTHReportService.get_strong_users_on_crit_services(pth), - 'strong_users_on_non_crit_services': PTHReportService.get_strong_users_on_non_crit_services(pth) + 'same_password': same_password, + 'local_admin_shared': local_admin_shared, + 'strong_users_on_crit_services': strong_users_on_crit_services, + 'strong_users_on_non_crit_services': strong_users_on_non_crit_services, + 'pth_issues': issues }, - 'map': + 'pthmap': { 'nodes': PTHReportService.generate_map_nodes(pth), 'edges': pth.edges @@ -318,4 +350,3 @@ class PTHReportService(object): # for m in pth.GetAttackersBySecret(secret): # print """
  • {hostname}
    • """.format(ip=m.GetIp(), hostname=m.GetHostName()) # print """""" - diff --git a/monkey_island/cc/services/pth_report_utils.py b/monkey_island/cc/services/pth_report_utils.py index 06c40f023..b4839f852 100644 --- a/monkey_island/cc/services/pth_report_utils.py +++ b/monkey_island/cc/services/pth_report_utils.py @@ -212,7 +212,8 @@ class Machine(object): "Username": eval(user.get("Name")), "Disabled": user.get("Disabled") == "true", "PasswordRequired": user.get("PasswordRequired") == "true", - "PasswordExpires": user.get("PasswordExpires") == "true", } + "PasswordExpires": user.get("PasswordExpires") == "true", + 'hostname': doc.get('data').get('hostname'), } if not self.IsDomainController(): for dc in self.GetDomainControllers(): @@ -555,6 +556,7 @@ class Machine(object): return names + class PassTheHashReport(object): # _instance = None # def __new__(class_, *args, **kwargs): @@ -570,7 +572,7 @@ class PassTheHashReport(object): self.edges = self.get_edges_by_sid() # Useful for non-cached domain users #self.edges |= self.GetEdgesBySamHash() # This will add edges based only on password hash without caring about username - @cache + def GetAllMachines(self): cur = mongo.db.telemetry.find({"telem_type": "system_info_collection"}) @@ -610,13 +612,12 @@ class PassTheHashReport(object): attacker_monkey = NodeService.get_monkey_by_guid(attacker) victim_monkey = NodeService.get_monkey_by_guid(victim) - attacker_label = NodeService.get_node_label(attacker_monkey) - victim_label = NodeService.get_node_label(victim_monkey) + attacker_label = NodeService.get_monkey_label(attacker_monkey) + victim_label = NodeService.get_monkey_label(victim_monkey) RIGHT_ARROW = u"\u2192" return "%s %s %s" % (attacker_label, RIGHT_ARROW, victim_label) - @cache def get_edges_by_sid(self): edges_list = [] @@ -637,7 +638,7 @@ class PassTheHashReport(object): 'to': victim, 'users': relevant_users_list, '_label': PassTheHashReport.__get_edge_label(attacker, victim), - 'id': uuid.uuid4() + 'id': str(uuid.uuid4()) }) return edges_list @@ -858,9 +859,9 @@ class PassTheHashReport(object): attackers = set() - for atck, vic, _ in self.edges: - if vic == victim: - attackers.add(atck) + for edge in self.edges: + if edge.get('to', None) == victim: + attackers.add(edge.get('from', None)) return set(map(Machine, attackers)) diff --git a/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey_island/cc/ui/src/components/pages/ReportPage.js index 03939b01d..ed75da059 100644 --- a/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -47,6 +47,7 @@ class ReportPageComponent extends AuthComponent { allMonkeysAreDead: false, runStarted: true }; + this.getPth } componentDidMount() { @@ -117,7 +118,7 @@ class ReportPageComponent extends AuthComponent { .then(res => { this.setState({ pthreport: res.report_info, - pthmap: res.map + pthmap: res.pthmap }); }); } @@ -389,6 +390,7 @@ class ReportPageComponent extends AuthComponent {
    {this.generateIssues(this.state.report.recommendations.issues)} + {this.generateIssues(this.state.pthreport.pth_issues)}
    ); @@ -399,6 +401,7 @@ class ReportPageComponent extends AuthComponent { (100 * this.state.report.glance.exploited.length) / this.state.report.glance.scanned.length; return (
    +

    The Network from the Monkey's Eyes

    @@ -452,7 +455,15 @@ class ReportPageComponent extends AuthComponent {
    - + { /* TODO: use dynamic data */} +
    ); @@ -728,6 +739,18 @@ class ReportPageComponent extends AuthComponent { ); } + generateSharedCredsIssue(issue) { + return ( +
  • + Some users are sharing passwords, this should be fixed by changing passwords. + + The user {issue.username} is sharing access password with: + {this.generateInfoBadges(issue.shared_with)}. + +
    • + ); + } + generateTunnelIssue(issue) { return (
  • @@ -800,6 +823,9 @@ class ReportPageComponent extends AuthComponent { case 'cross_segment': data = this.generateCrossSegmentIssue(issue); break; + case 'shared_password': + data = this.generateSharedCredsIssue(issue); + break; case 'tunnel': data = this.generateTunnelIssue(issue); break;