This document describes Infection Monkey's test network, how to deploy and use it.

- [Warning!](#warning)
- [Introduction](#introduction)
- [Getting started](#getting-started)
- [Using islands](#using-islands)
- [Running tests](#running-tests)
- [Machines' legend](#machines-legend)
- [Machines](#machines)
  - [Nr. 2 Hadoop](#_Toc526517182)
  - [Nr. 3 Hadoop](#_Toc526517183)
  - [Nr. 4 Elastic](#_Toc526517184)
  - [Nr. 5 Elastic](#_Toc526517185)
  - [Nr. 6 Sambacry](#_Toc536021459)
  - [Nr. 7 Sambacry](#_Toc536021460)
  - [Nr. 8 Shellshock](#_Toc536021461)
  - [Nr. 9 Tunneling M1](#_Toc536021462)
  - [Nr. 10 Tunneling M2](#_Toc536021463)
  - [Nr. 11 SSH key steal](#_Toc526517190)
  - [Nr. 12 SSH key steal](#_Toc526517191)
  - [Nr. 13 RDP grinder](#_Toc526517192)
  - [Nr. 14 Mimikatz](#_Toc536021467)
  - [Nr. 15 Mimikatz](#_Toc536021468)
  - [Nr. 16 MsSQL](#_Toc536021469)
  - [Nr. 17 Upgrader](#_Toc536021470)
  - [Nr. 18 WebLogic](#_Toc526517180)
  - [Nr. 19 WebLogic](#_Toc526517181)
  - [Nr. 20 SMB](#_Toc536021473)
  - [Nr. 21 Scan](#_Toc526517196)
  - [Nr. 22 Scan](#_Toc526517197)
  - [Nr. 23 Struts2](#_Toc536021476)
  - [Nr. 24 Struts2](#_Toc536021477)
  - [Nr. 25 Zerologon](#_Toc536021478)
  - [Nr. 3-45 Powershell](#_Toc536021479)
  - [Nr. 3-46 Powershell](#_Toc536021480)
  - [Nr. 3-47 Powershell](#_Toc536021481)
  - [Nr. 3-48 Powershell](#_Toc536021482)
  - [Nr. 3-49 Log4j Solr](#_Toc536021483)
  - [Nr. 3-50 Log4j Solr](#_Toc536021484)
  - [Nr. 3-51 Log4j Tomcat](#_Toc536021485)
  - [Nr. 3-52 Log4j Tomcat](#_Toc536021486)
  - [Nr. 250 MonkeyIsland](#_Toc536021487)
  - [Nr. 251 MonkeyIsland](#_Toc536021488)
- [Network topography](#network-topography)
# Warning!

This project builds an intentionally vulnerable network. Make sure not to add production servers to the same network, and leave it closed to the public.

# Introduction:

MonkeyZoo is a Google Cloud Platform network deployed with Terraform. The Terraform scripts let you quickly set up a network full of vulnerable machines to regression test the Monkey's exploiters, evaluate scanning times in a real-world scenario, and more.

# Getting started:

Requirements:

1. Have Terraform installed.
2. Have a Google Cloud Platform account (upgraded if you want to test the whole network at once).

To deploy:

1. Configure a service account for your project:
   a. Create a service account (GCP website -> IAM & Admin -> Service Accounts -> + CREATE SERVICE ACCOUNT) and name it "your_name-monkeyZoo-user"
   b. Give these permissions to your service account: **Compute Engine -> Compute Network Admin** and **Compute Engine -> Compute Instance Admin (v1)** and **Compute Engine -> Compute Security Admin** and **Service Account User**, or **Project -> Owner**
   c. Create and download its **Service account key** in JSON and place it in **monkey_zoo/gcp_keys** as **gcp_key.json**.
2. Get these permissions in the monkeyZoo project (guardicore-22050661) for your service account (ask the Monkey developers to add them):
   a. **Compute Engine -> Compute Image User**
3. Change the configuration located in the ../monkey/envs/monkey_zoo/terraform/config.tf file (don't forget to link to your service account key file):

```hcl
provider "google" {
  project     = "test-000000"                           // Change to your project id
  region      = "europe-west3"                          // Change to your desired region or leave default
  zone        = "europe-west3-b"                        // Change to your desired zone or leave default
  credentials = "${file("../gcp_keys/gcp_key.json")}"  // Change to the location and name of the service key.
                                                        // If you followed the instructions above leave it as is
}

locals {
  resource_prefix       = ""                            // All of the resources will have this prefix.
                                                        // Only change if you want to have multiple zoos in the same project
  service_account_email = "tester-monkeyZoo-user@testproject-000000.iam.gserviceaccount.com" // Service account email
  monkeyzoo_project     = "guardicore-22050661"         // Project where monkeyzoo images are kept. Leave as is.
}
```

4. Run `terraform init`

To deploy the network run:

`terraform plan` (review the changes it will make on GCP)

`terraform apply` (creates 2 networks for machines)

`terraform apply` (adds machines to these networks)

# Using islands:

### How to get into the islands:

**island-linux-250:** SSH from GCP

**island-windows-251:** In the GCP/VM instances page click on island-windows-251. Set a password for your account and then RDP into the island.

### These are the most common steps on monkey islands:

### For users

Upload the AppImage deployment option and run it in island-linux-250. Or upload the MSI deployment option, install it and run it in island-windows-251. After that use the Monkey as you would on a local network.

### For developers

#### island-linux-250:

To run monkey island from source:
`sudo /usr/run_island.sh`

To run monkey from source:

`sudo /usr/run_monkey.sh`

To update repository:

`git pull /usr/infection_monkey`

Update all requirements using the deployment script:

1. `cd /usr/infection_monkey/deployment_scripts`
2. `./deploy_linux.sh "/usr/infection_monkey" "develop"`

#### island-windows-251:

To run monkey island from source:

Execute `C:\run_monkey_island.bat` as administrator

To run monkey from source:

Execute `C:\run_monkey.bat` as administrator

To update repository:

1. Open cmd as an administrator
2. `cd C:\infection_monkey`
3. `git pull` (updates develop branch)

Update all requirements using the deployment script:

1. `cd C:\infection_monkey\deployment_scripts`
2. `./run_script.bat "C:\infection_monkey" "develop"`
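Once the network is up, the Warning at the top asks that it stay closed to the public. As an added example (not part of the zoo's own scripts), this Python script reads the project's firewall rules as exported by `gcloud compute firewall-rules list --format=json` and lists every enabled ingress rule on the zoo networks that accepts traffic from any address; the network names `zoo-main` and `tunneling-main` and the sample rules are constructed placeholders, so substitute the names Terraform created in your project.

```python
"""List GCP firewall rules on the zoo networks that are open to the whole internet.

Produce real input with:  gcloud compute firewall-rules list --format=json
and pipe that JSON into this script. Without piped input it runs on the
constructed sample below (network names and rules are illustrative, not the
zoo's real Terraform output).
"""
import ipaddress
import json
import sys

ANY_ADDRESS = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def rule_is_public(rule):
    """True for an enabled INGRESS rule whose source ranges include every address."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    ranges = rule.get("sourceRanges", [])
    return any(ipaddress.ip_network(r, strict=False) in ANY_ADDRESS for r in ranges)


def network_name(rule):
    """gcloud reports the network as a resource URL; the last path segment is its name."""
    return rule.get("network", "").rsplit("/", 1)[-1]


def exposed_rules(rules, zoo_networks):
    """Return (rule name, network, ['proto:ports', ...]) for public rules on the zoo networks."""
    hits = []
    for rule in rules:
        net = network_name(rule)
        if net in zoo_networks and rule_is_public(rule):
            allowed = ["%s:%s" % (a["IPProtocol"], ",".join(a.get("ports", ["all"])))
                       for a in rule.get("allowed", [])]
            hits.append((rule["name"], net, allowed))
    return hits


# Constructed sample in the shape gcloud emits (only the fields this script reads).
NET = "https://www.googleapis.com/compute/v1/projects/test-000000/global/networks/"
SAMPLE_RULES = json.loads("""[
 {"name": "zoo-internal", "network": "%szoo-main", "direction": "INGRESS",
  "sourceRanges": ["10.2.2.0/24", "10.2.1.0/24"], "allowed": [{"IPProtocol": "all"}]},
 {"name": "zoo-ssh-open", "network": "%szoo-main", "direction": "INGRESS",
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "zoo-rdp-old", "network": "%szoo-main", "direction": "INGRESS", "disabled": true,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
 {"name": "default-allow-http", "network": "%sdefault", "direction": "INGRESS",
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]}
]""" % (NET, NET, NET, NET))

if __name__ == "__main__":
    rules = SAMPLE_RULES if sys.stdin.isatty() else json.load(sys.stdin)
    for name, net, allowed in exposed_rules(rules, {"zoo-main", "tunneling-main"}):
        print("REVIEW: %s on %s allows %s from any address" % (name, net, " ".join(allowed)))
```

A disabled rule is skipped, so only rules that are actually in force are reported.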
# Machines:

### Nr. 2 Hadoop (10.2.2.2)

- Status: Vulnerable
- OS: Ubuntu 16.04.05 x64
- Software: JDK, Hadoop 2.9.1
- Default server's port: 8020
- Server's config: Single node cluster
- Scan results: Machine exploited using Hadoop exploiter

### Nr. 3 Hadoop (10.2.2.3)

- Status: Vulnerable
- OS: Windows 10 x64
- Software: JDK, Hadoop 2.9.1
- Default server's port: 8020
- Server's config: Single node cluster
- Scan results: Machine exploited using Hadoop exploiter

### Nr. 4 Elastic (10.2.2.4)

- Status: Vulnerable
- OS: Ubuntu 16.04.05 x64
- Software: JDK, Elastic 1.4.2
- Default server's port: 9200
- Server's config: Default
- Scan results: Machine exploited using Elastic exploiter
- Notes: Quick tutorial on how to add entries (was useful when setting up).

### Nr. 5 Elastic (10.2.2.5)

- Status: Vulnerable
- OS: Windows 10 x64
- Software: JDK, Elastic 1.4.2
- Default server's port: 9200
- Server's config: Default
- Scan results: Machine exploited using Elastic exploiter
- Notes: Quick tutorial on how to add entries (was useful when setting up).

### Nr. 6 Sambacry (10.2.2.6)

- Status: Not implemented
- OS: Ubuntu 16.04.05 x64
- Software: Samba > 3.5.0 and < 4.6.4, 4.5.10 and 4.4.14
- Default server's port: -
- Root password: ``;^TK`9XN_x^``
- Scan results: Machine exploited using Sambacry exploiter

### Nr. 7 Sambacry (10.2.2.7)

- Status: Not implemented
- OS: Ubuntu 16.04.05 x32
- Software: Samba > 3.5.0 and < 4.6.4, 4.5.10 and 4.4.14
- Default server's port: -
- Root password: `*.&A7/W}Rc$`
- Scan results: Machine exploited using Sambacry exploiter

### Nr. 8 Shellshock (10.2.2.8)

- Status: Vulnerable
- OS: Ubuntu 12.04 LTS x64
- Software: Apache2, bash 4.2
- Default server's port: 80
- Scan results: Machine exploited using Shellshock exploiter
- Notes: Vulnerable app is under /cgi-bin/test.cgi

### Nr. 9 Tunneling M1 (10.2.2.9, 10.2.1.9)

- Status: Vulnerable
- OS: Ubuntu 16.04.05 x64
- Software: OpenSSL
- Default service's port: 22
- Root password: `` `))jU7L(w} ``
- Server's config: Default

### Nr. 10 Tunneling M2 (10.2.1.10)

- Status: Exploitable
- OS: Ubuntu 16.04.05 x64
- Software: OpenSSL
- Default service's port: 22
- Root password: `3Q=(Ge(+&w]*`
- Server's config: Default
- Notes: Accessible only through Nr. 9

### Nr. 11 Tunneling M3 (10.2.0.11)

- Status: Exploitable
- OS: Ubuntu 16.04.05 x64
- Software: OpenSSL
- Default service's port: 22
- Root password: `3Q=(Ge(+&w]*`
- Server's config: Default
- Notes: Accessible only through Nr. 10

### Nr. 12 Tunneling M4 (10.2.0.12)

- Status: Exploitable
- OS: Windows Server 2019 x64
- Default service's port: 445
- Root password: `t67TC5ZDmz`
- Server's config: Default
- Notes: Accessible only through Nr. 10
### Nr. 11 SSH key steal (10.2.2.11)

- Status: Vulnerable
- OS: Ubuntu 16.04.05 x64
- Software: OpenSSL
- Default connection port: 22
- Root password: `^NgDvY59~8`
- Server's config: SSH keys to connect to NR. 11

### Nr. 12 SSH key steal (10.2.2.12)

- Status: Exploitable
- OS: Ubuntu 16.04.05 x64
- Software: OpenSSL
- Default connection port: 22
- Root password: `u?Sj5@6(-C`
- Server's config: SSH configured to allow connection from NR.10
- Notes: Don't add this machine's credentials to the exploit configuration.

### Nr. 13 RDP grinder (10.2.2.13)

- Status: Not implemented
- OS: Windows 10 x64
- Software: -
- Default connection port: 3389
- Root password: `2}p}aR]&=M`
- Server's config: Remote desktop enabled; admin user's credentials: m0nk3y, `2}p}aR]&=M`

### Nr. 14 Mimikatz (10.2.2.14)

- Status: Vulnerable
- OS: Windows 10 x64
- Software: -
- Admin password: `Ivrrw5zEzs`
- Server's config: Has cached mimikatz-15 RDP credentials; SMB turned on

### Nr. 15 Mimikatz (10.2.2.15)

- Status: Exploitable
- OS: Windows 10 x64
- Software: -
- Admin password: `pAJfG56JX><`
- Server's config: Its credentials are cached at mimikatz-14; SMB turned on
- Notes: If you change this machine's IP it won't get exploited.

### Nr. 16 MsSQL (10.2.2.16)

- Status: Vulnerable
- OS: Windows 10 x64
- Software: MSSQL Server
- Default service port: 1433
- Server's config: xp_cmdshell feature enabled in MSSQL server; SQL server auth. creds: m0nk3y : `Xk8VDTsC`
- Notes: Enabled SQL server browser service; enabled remote connections; changed default password

### Nr. 17 Upgrader (10.2.2.17)

- Status: Not implemented
- OS: Windows 10 x64
- Default service port: 445
- Root password: `U??7ppG_`
- Server's config: SMB turned on

### Nr. 18 WebLogic (10.2.2.18)

- Status: Vulnerable
- OS: Ubuntu 16.04.05 x64
- Software: JDK, Oracle WebLogic server 12.2.1.2
- Default server's port: 7001
- Admin domain credentials: weblogic : `B74Ot0c4`
- Server's config: Default

### Nr. 19 WebLogic (10.2.2.19)

- Status: Vulnerable
- OS: Windows 10 x64
- Software: JDK, Oracle WebLogic server 12.2.1.2
- Default server's port: 7001
- Admin server's credentials: weblogic : ``=ThS2d=m(`B``
- Server's config: Default
### Nr. 20 SMB (10.2.2.20)

- Status: Vulnerable
- OS: Windows 10 x64
- Software: -
- Default service's port: 445
- Root password: `YbS,<tpS.2av`
- Server's config: SMB turned on

### Nr. 21 Scan (10.2.2.21)

- Status: Secure
- OS: Ubuntu 16.04.05 x64
- Software: Apache tomcat 7.0.92
- Default server's port: 8080
- Server's config: Default
- Notes: Used to scan a machine that has no vulnerabilities (e.g. to evaluate scanning speed)

### Nr. 22 Scan (10.2.2.22)

- Status: Secure
- OS: Windows 10 x64
- Software: Apache tomcat 7.0.92
- Default server's port: 8080
- Server's config: Default
- Notes: Used to scan a machine that has no vulnerabilities (e.g. to evaluate scanning speed)

### Nr. 23 Struts2 (10.2.2.23)

- Status: Vulnerable
- OS: Ubuntu 16.04.05 x64
- Software: JDK, struts2 2.3.15.1, tomcat 9.0.0.M9
- Default server's port: 8080
- Server's config: Default

### Nr. 24 Struts2 (10.2.2.24)

- Status: Vulnerable
- OS: Windows 10 x64
- Software: JDK, struts2 2.3.15.1, tomcat 9.0.0.M9
- Default server's port: 8080
- Server's config: Default

### Nr. 25 Zerologon (10.2.2.25)

- Status: Vulnerable
- OS: Server 2016
- Default server's port: 135

### Nr. 3-45 Powershell (10.2.3.45)

- Status: Vulnerable
- OS: Windows Server 2016 x64
- Software: WinRM service
- Default server's port: -
- Notes: User: m0nk3y, Password: `Passw0rd!`; User: m0nk3y-user, no password.

### Nr. 3-46 Powershell (10.2.3.46)

- Status: Vulnerable
- OS: Windows Server 2016 x64
- Software: WinRM service
- Default server's port: -
- Notes: User: m0nk3y, Password: `Passw0rd!`

### Nr. 3-47 Powershell (10.2.3.47)

- Status: Vulnerable
- OS: Windows Server 2016 x64
- Software: WinRM service
- Default server's port: -
- Notes: User: m0nk3y, Password: `Xk8VDTsC`

### Nr. 3-48 Powershell (10.2.3.48)

- Status: Vulnerable
- OS: Windows Server 2019 x64
- Software: WinRM service
- Default server's port: -
- Notes: User: m0nk3y, Password: `Passw0rd!`

### Nr. 3-49 Log4j Solr (10.2.3.49)

- Status: Vulnerable
- OS: Ubuntu 18.04 LTS
- Software: Apache Solr 8.11.0
- Default server's port: 8983
- Notes: User: m0nk3y, Password: `m0nk3y`

### Nr. 3-50 Log4j Solr (10.2.3.50)

- Status: Vulnerable
- OS: Windows Server 2016 x64
- Software: Apache Solr 8.11.0
- Default server's port: 8983
- Notes: User: m0nk3y, Password: `Passw0rd!`

### Nr. 3-51 Log4j Tomcat (10.2.3.51)

- Status: Vulnerable
- OS: Ubuntu 18.04 LTS
- Software: Apache Tomcat 8.0.36
- Default server's port: 8080

### Nr. 3-52 Log4j Tomcat (10.2.3.52)

- Status: Vulnerable
- OS: Windows Server 2016 x64
- Software: Apache Tomcat 8.0.36
- Default server's port: 8080
- Notes: User: m0nk3y, Password: `Tomcat@22`

### Nr. 3-55 Log4j Logstash (10.2.3.55)

- Status: Vulnerable
- OS: Ubuntu 18.04 LTS
- Software: Logstash 5.5.0, Java 1.8.0
- Default server's port: 9600
- Notes: User: logstash

### Nr. 3-56 Log4j Logstash (10.2.3.56)

- Status: Vulnerable
- OS: Windows Server 2016 x64
- Software: Logstash 5.5.0, Java 1.8.0
- Default server's port: 9600
- Notes: User: m0nk3y, Password: `7;@K"kPTM`

### Nr. 250 MonkeyIsland (10.2.2.250)

- OS: Ubuntu 16.04.05 x64
- Software: MonkeyIsland server, git, mongodb etc.
- Default server's port: 22, 443
- Private key passphrase: -
- Notes: Only accessible through GCP

### Nr. 251 MonkeyIsland (10.2.2.251)

- OS: Windows Server 2016 x64
- Software: MonkeyIsland server, git, mongodb etc.
- Default server's port: 3389, 443
- Private key passphrase: -
- Notes: Only accessible through GCP

# Network topography: