This document describes Infection Monkey’s test network, how to deploy and use it.
[Warning\!](#warning)
[Introduction](#introduction)
[Getting started](#getting-started)
[Using islands](#using-islands)
[Running tests](#running-tests)
[Machines’ legend](#machines-legend)
[Machines](#machines)
[Nr. 2 Hadoop](#_Toc526517182)
[Nr. 3 Hadoop](#_Toc526517183)
[Nr. 4 Elastic](#_Toc526517184)
[Nr. 5 Elastic](#_Toc526517185)
[Nr. 6 Sambacry](#_Toc536021459)
[Nr. 7 Sambacry](#_Toc536021460)
[Nr. 8 Shellshock](#_Toc536021461)
[Nr. 9 Tunneling M1](#_Toc536021462)
[Nr. 10 Tunneling M2](#_Toc536021463)
[Nr. 11 SSH key steal](#_Toc526517190)
[Nr. 12 SSH key steal](#_Toc526517191)
[Nr. 13 RDP grinder](#_Toc526517192)
[Nr. 14 Mimikatz](#_Toc536021467)
[Nr. 15 Mimikatz](#_Toc536021468)
[Nr. 16 MsSQL](#_Toc536021469)
[Nr. 17 Upgrader](#_Toc536021470)
[Nr. 18 WebLogic](#_Toc526517180)
[Nr. 19 WebLogic](#_Toc526517181)
[Nr. 20 SMB](#_Toc536021473)
[Nr. 21 Scan](#_Toc526517196)
[Nr. 22 Scan](#_Toc526517197)
[Nr. 23 Struts2](#_Toc536021476)
[Nr. 24 Struts2](#_Toc536021477)
[Nr. 25 Zerologon](#_Toc536021478)
[Nr. 3-45 Powershell](#_Toc536021479)
[Nr. 3-46 Powershell](#_Toc536021480)
[Nr. 3-47 Powershell](#_Toc536021481)
[Nr. 3-48 Powershell](#_Toc536021482)
[Nr. 250 MonkeyIsland](#_Toc536021483)
[Nr. 251 MonkeyIsland](#_Toc536021484)
[Network topography](#network-topography)
# Warning\!
This project builds an intentionally
vulnerable network. Make sure not to add
production servers to the same network and leave it closed to the
public.
# Introduction:
MonkeyZoo is a Google Cloud Platform network deployed with terraform.
Terraform scripts allows you to quickly setup a network that’s full of
vulnerable machines to regression test monkey’s exploiters, evaluate
scanning times in a real-world scenario and many more.
# Getting started:
Requirements:
1. Have terraform installed.
2. Have a Google Cloud Platform account (upgraded if you want to test
whole network at once).
To deploy:
1. Configure service account for your project:
a. Create a service account (GCP website -> IAM & Admin -> Service Accounts -> + CREATE SERVICE ACCOUNT) and name it “your\_name-monkeyZoo-user”
b. Give these permissions to your service account:
**Compute Engine -> Compute Network Admin**
and
**Compute Engine -> Compute Instance Admin (v1)**
and
**Compute Engine -> Compute Security Admin**
and
**Service Account User**
or
**Project -> Owner**
c. Create and download its **Service account key** in JSON and place it in **monkey_zoo/gcp_keys** as **gcp_key.json**.
2. Get these permissions in the monkeyZoo project (guardicore-22050661) for your service account (ask monkey developers to add them):
a. **Compute Engine -\> Compute image user**
3. Change configurations located in the
../monkey/envs/monkey\_zoo/terraform/config.tf file (don’t forget to
link to your service account key file):
provider "google" {
project = "test-000000" // Change to your project id
region = "europe-west3" // Change to your desired region or leave default
zone = "europe-west3-b" // Change to your desired zone or leave default
credentials = "${file("../gcp_keys/gcp_key.json")}" // Change to the location and name of the service key.
// If you followed instruction above leave it as is
}
locals {
resource_prefix = "" // All of the resources will have this prefix.
// Only change if you want to have multiple zoo's in the same project
service_account_email="tester-monkeyZoo-user@testproject-000000.iam.gserviceaccount.com" // Service account email
monkeyzoo_project="guardicore-22050661" // Project where monkeyzoo images are kept. Leave as is.
}
4. Run terraform init
To deploy the network run:
`terraform plan` (review the changes it will make on GCP)
`terraform apply` (creates 2 networks for machines)
`terraform apply` (adds machines to these networks)
# Using islands:
### How to get into the islands:
**island-linux-250:** SSH from GCP
**island-windows-251:** In GCP/VM instances page click on
island-windows-251. Set password for your account and then RDP into
the island.
### These are most common steps on monkey islands:
### For users
Upload the AppImage deployment option and run it in island-linux-250.
Or upload the MSI deployment option, install it and run it in island-windows-251.
After that use the Monkey as you would on local network.
### For developers
#### island-linux-250:
To run monkey island from source:
`sudo /usr/run\_island.sh`
To run monkey from source:
`sudo /usr/run\_monkey.sh`
To update repository:
`git pull /usr/infection_monkey`
Update all requirements using deployment script:
1\. `cd /usr/infection_monkey/deployment_scripts`
2\. `./deploy_linux.sh "/usr/infection_monkey" "develop"`
#### island-windows-251:
To run monkey island from source:
Execute C:\\run\_monkey\_island.bat as administrator
To run monkey from source:
Execute C:\\run\_monkey.bat as administrator
To update repository:
1\. Open cmd as an administrator
2\. `cd C:\infection_monkey`
3\. `git pull` (updates develop branch)
Update all requirements using deployment script:
1\. `cd C:\infection_monkey\deployment_scripts`
2\. `./run_script.bat "C:\infection_monkey" "develop"`
# Machines:
Nr. 2 Hadoop (10.2.2.2) |
(Vulnerable) |
---|---|
OS: | Ubuntu 16.04.05 x64 |
Software: | JDK, |
Default server’s port: | 8020 |
Server’s config: | Single node cluster |
Scan results: | Machine exploited using Hadoop exploiter |
Notes: |
Nr. 3 Hadoop (10.2.2.3) |
(Vulnerable) |
---|---|
OS: | Windows 10 x64 |
Software: | JDK, |
Default server’s port: | 8020 |
Server’s config: | Single node cluster |
Scan results: | Machine exploited using Hadoop exploiter |
Notes: |
Nr. 4 Elastic (10.2.2.4) |
(Vulnerable) |
---|---|
OS: | Ubuntu 16.04.05 x64 |
Software: | JDK, |
Default server’s port: | 9200 |
Server’s config: | Default |
Scan results: | Machine exploited using Elastic exploiter |
Notes: | Quick tutorial on how to add entries (was useful when setting up). |
Nr. 5 Elastic (10.2.2.5) |
(Vulnerable) |
---|---|
OS: | Windows 10 x64 |
Software: | JDK, |
Default server’s port: | 9200 |
Server’s config: | Default |
Scan results: | Machine exploited using Elastic exploiter |
Notes: | Quick tutorial on how to add entries (was useful when setting up). |
Nr. 6 Sambacry (10.2.2.6) |
(Not implemented) |
---|---|
OS: | Ubuntu 16.04.05 x64 |
Software: | Samba > 3.5.0 and < 4.6.4, 4.5.10 and 4.4.14 |
Default server’s port: | - |
Root password: | ;^TK`9XN_x^ |
Server’s config: | |
Scan results: | Machine exploited using Sambacry exploiter |
Notes: |
Nr. 7 Sambacry (10.2.2.7) |
(Not implemented) |
---|---|
OS: | Ubuntu 16.04.05 x32 |
Software: | Samba > 3.5.0 and < 4.6.4, 4.5.10 and 4.4.14 |
Default server’s port: | - |
Root password: | *.&A7/W}Rc$ |
Server’s config: | |
Scan results: | Machine exploited using Sambacry exploiter |
Notes: |
Nr. 8 Shellshock (10.2.2.8) |
(Vulnerable) |
---|---|
OS: | Ubuntu 12.04 LTS x64 |
Software: | Apache2, bash 4.2. |
Default server’s port: | 80 |
Scan results: | Machine exploited using Shellshock exploiter |
Notes: | Vulnerable app is under /cgi-bin/test.cgi |
Nr. 9 Tunneling M1 (10.2.2.9, 10.2.1.9) |
(Vulnerable) |
---|---|
OS: | Ubuntu 16.04.05 x64 |
Software: | OpenSSL |
Default service’s port: | 22 |
Root password: | `))jU7L(w} |
Server’s config: | Default |
Notes: |
Nr. 10 Tunneling M2 (10.2.1.10) |
(Exploitable) |
---|---|
OS: | Ubuntu 16.04.05 x64 |
Software: | OpenSSL |
Default service’s port: | 22 |
Root password: | 3Q=(Ge(+&w]* |
Server’s config: | Default |
Notes: | Accessible only trough Nr.9 |
Nr. 11 Tunneling M3 (10.2.0.11) |
(Exploitable) |
---|---|
OS: | Ubuntu 16.04.05 x64 |
Software: | OpenSSL |
Default service’s port: | 22 |
Root password: | 3Q=(Ge(+&w]* |
Server’s config: | Default |
Notes: | Accessible only trough Nr.10 |
Nr. 12 Tunneling M4 (10.2.0.12) |
(Exploitable) |
---|---|
OS: | Windows server 2019 x64 |
Default service’s port: | 445 |
Root password: | t67TC5ZDmz |
Server’s config: | Default |
Notes: | Accessible only trough Nr.10 |
Nr. 11 SSH key steal. (10.2.2.11) |
(Vulnerable) |
---|---|
OS: | Ubuntu 16.04.05 x64 |
Software: | OpenSSL |
Default connection port: | 22 |
Root password: | ^NgDvY59~8 |
Server’s config: | SSH keys to connect to NR. 11 |
Notes: |
Nr. 12 SSH key steal. (10.2.2.12) |
(Exploitable) |
---|---|
OS: | Ubuntu 16.04.05 x64 |
Software: | OpenSSL |
Default connection port: | 22 |
Root password: | u?Sj5@6(-C |
Server’s config: | SSH configured to allow connection from NR.10 |
Notes: | Don’t add this machine’s credentials to exploit configuration. |
Nr. 13 RDP grinder (10.2.2.13) |
(Not implemented) |
---|---|
OS: | Windows 10 x64 |
Software: | - |
Default connection port: | 3389 |
Root password: | 2}p}aR]&=M |
Server’s config: | Remote desktop enabled Admin user’s credentials: m0nk3y, 2}p}aR]&=M |
Notes: |
Nr. 14 Mimikatz (10.2.2.14) |
(Vulnerable) |
---|---|
OS: | Windows 10 x64 |
Software: | - |
Admin password: | Ivrrw5zEzs |
Server’s config: | Has cached mimikatz-15 RDP credentials SMB turned on |
Notes: |
Nr. 15 Mimikatz (10.2.2.15) |
(Exploitable) |
---|---|
OS: | Windows 10 x64 |
Software: | - |
Admin password: | pAJfG56JX>< |
Server’s config: | It’s credentials are cashed at mimikatz-14 SMB turned on |
Notes: | If you change this machine’s IP it won’t get exploited. |
Nr. 16 MsSQL (10.2.2.16) |
(Vulnerable) |
---|---|
OS: | Windows 10 x64 |
Software: | MSSQL Server |
Default service port: | 1433 |
Server’s config: | xp_cmdshell feature enabled in MSSQL server |
SQL server auth. creds: | m0nk3y : Xk8VDTsC |
Notes: | Enabled SQL server browser service |
Nr. 17 Upgrader (10.2.2.17) |
(Not implemented) |
---|---|
OS: | Windows 10 x64 |
Default service port: | 445 |
Root password: | U??7ppG_ |
Server’s config: | Turn on SMB |
Notes: |
Nr. 18 WebLogic (10.2.2.18) |
(Vulnerable) |
---|---|
OS: | Ubuntu 16.04.05 x64 |
Software: | JDK, |
Default server’s port: | 7001 |
Admin domain credentials: | weblogic : B74Ot0c4 |
Server’s config: | Default |
Notes: |
Nr. 19 WebLogic (10.2.2.19) |
(Vulnerable) |
---|---|
OS: | Windows 10 x64 |
Software: | JDK, |
Default server’s port: | 7001 |
Admin servers credentials: | weblogic : =ThS2d=m(`B |
Server’s config: | Default |
Notes: |
Nr. 20 SMB (10.2.2.20) |
(Vulnerable) |
---|---|
OS: | Windows 10 x64 |
Software: | - |
Default service’s port: | 445 |
Root password: | YbS,<tpS.2av |
Server’s config: | SMB turned on |
Notes: |
Nr. 21 Scan (10.2.2.21) |
(Secure) |
---|---|
OS: | Ubuntu 16.04.05 x64 |
Software: | Apache tomcat 7.0.92 |
Default server’s port: | 8080 |
Server’s config: | Default |
Notes: | Used to scan a machine that has no vulnerabilities (to evaluate scanning speed for e.g.) |
Nr. 22 Scan (10.2.2.22) |
(Secure) |
---|---|
OS: | Windows 10 x64 |
Software: | Apache tomcat 7.0.92 |
Default server’s port: | 8080 |
Server’s config: | Default |
Notes: | Used to scan a machine that has no vulnerabilities (to evaluate scanning speed for e.g.) |
Nr. 23 Struts2 (10.2.2.23) |
(Vulnerable) |
---|---|
OS: | Ubuntu 16.04.05 x64 |
Software: | JDK, struts2 2.3.15.1, tomcat 9.0.0.M9 |
Default server’s port: | 8080 |
Server’s config: | Default |
Notes: |
Nr. 24 Struts2 (10.2.2.24) |
(Vulnerable) |
---|---|
OS: | Windows 10 x64 |
Software: | JDK, struts2 2.3.15.1, tomcat 9.0.0.M9 |
Default server’s port: | 8080 |
Server’s config: | Default |
Notes: |
Nr. 25 ZeroLogon (10.2.2.25) |
(Vulnerable) |
---|---|
OS: | Server 2016 |
Default server’s port: | 135 |
Nr. 3-45 Powershell (10.2.3.45) |
(Vulnerable) |
---|---|
OS: | Windows Server 2016 x64 |
Software: | WinRM service |
Default server’s port: | - |
Notes: | User: m0nk3y, Password: Passw0rd! User: m0nk3y-user, No Password. |
Nr. 3-46 Powershell (10.2.3.46) |
(Vulnerable) |
---|---|
OS: | Windows Server 2016 x64 |
Software: | WinRM service |
Default server’s port: | - |
Notes: | User: m0nk3y, Password: Passw0rd! |
Nr. 3-47 Powershell (10.2.3.47) |
(Vulnerable) |
---|---|
OS: | Windows Server 2016 x64 |
Software: | WinRM service |
Default server’s port: | - |
Notes: | User: m0nk3y, Password: Xk8VDTsC |
Nr. 3-48 Powershell (10.2.3.48) |
(Vulnerable) |
---|---|
OS: | Windows Server 2019 x64 |
Software: | WinRM service |
Default server’s port: | - |
Notes: | User: m0nk3y, Password: Passw0rd! |
Nr. 250 MonkeyIsland (10.2.2.250) |
|
---|---|
OS: | Ubuntu 16.04.05 x64 |
Software: | MonkeyIsland server, git, mongodb etc. |
Default server’s port: | 22, 443 |
Private key passphrase: | - |
Notes: | Only accessible trough GCP |
Nr. 251 MonkeyIsland (10.2.2.251) |
|
---|---|
OS: | Windows Server 2016 x64 |
Software: | MonkeyIsland server, git, mongodb etc. |
Default server’s port: | 3389, 443 |
Private key passphrase: | - |
Notes: | Only accessible trough GCP |