Infected Chaos Monkey
=====================

Datacenter Security Tool
------------------------

### http://www.guardicore.com/the-infected-chaos-monkey/

The Infected Chaos Monkey is a security tool which tests your Data Center's ability to withstand perimeter breaches and internal server infection. It uses various methods to propagate through a data center, and reports its success to a centralized C&C server.

Features include:

* Multiple propagation techniques:
  * Predefined passwords
  * Common exploits
* Multiple propagation protocols:
  * SSH
  * SMB
  * RDP
* A C&C server with a dedicated UI to visualize the Monkey's progress inside the data center

Getting Started
---------------

The Infected Chaos Monkey is comprised of two parts: the Monkey and the C&C server.
The monkey is the tool which infects other machines and propagates to them, while the C&C server collects all Monkey reports and displays them to the user.

### Requirements

<Supported OS Versions for monkey>
<Supported OS Versions for C&C Server>

### Installation

Usage
-----

### Configuring the Monkey

Monkey configuration is stored in two places:

1. By default, the monkey uses a local configuration file (usually, config.bin). This configuration file must include the address of the Monkey's C&C server.
2. After successfully connecting to the C&C server, the monkey downloads a new configuration from the server and discards the local configuration. It is possible to change the default configuration from the C&C server's UI.

Both configuration sources use a JSON format for specifying options; see "Configuration Options" below for details.

### Running the C&C Server

### Unleashing the Monkey

Download the latest Monkey binary from <> (alternatively, build it yourself by following the instructions below).
The download includes executables for various operating systems, and a default configuration file (config.bin).
You can edit the configuration file according to the options detailed below; the default configuration assumes <WHAT?>.

Once downloaded, run the monkey using `./monkey-linux-64 m0nk3y -c config.bin`

Command line options include:

* `-c`, `--config`: set the configuration file. A JSON file with configuration values; will override the compiled configuration.
* `-p`, `--parent`: set the monkey's parent uuid; allows better recognition of exploited monkeys in the c&c.
* `-t`, `--tunnel`: ip:port, set the default tunnel for the monkey when connecting to the c&c.

Monkey Modus Operandi
---------------------

1. Wakeup connection to the c&c: sends basic info about the current machine and the configuration the monkey uses to the c&c.
    1. First try a direct connection to the c&c.
    2. If the direct connection fails, try a connection through a tunnel. A tunnel is found according to the specified parameter (the default tunnel) or by sending a multicast query and waiting for another monkey to answer.
    3. If no connection can be made to the c&c, continue without it.
2. If a firewall app is running on the machine (supports Windows Firewall for Win XP and Windows Advanced Firewall for Win 7+), try to add a rule to allow all our traffic.
3. Startup of a tunnel for other monkeys (if the connection to the c&c works).
    1. The firewall is checked to allow listening sockets (if we failed to add a rule to the Windows firewall, for example, the tunnel will not be created).
    2. Answer multicast requests from other monkeys in search of a tunnel.
4. Running exploitation sessions; will run x sessions according to configuration:
    1. Connect to the c&c and get the latest configuration.
    2. Scan ip ranges according to configuration.
    3. Try fingerprinting each host that answers, using the classes defined in the configuration (SMBFinger, SSHFinger, etc.).
    4. Try exploitation on each host found, for each exploit class in the configuration:
        1. Check that the exploit class supports the target host (can be disabled by configuration).
        2. Each exploitation class will use the data acquired in fingerprinting, or during the exploit, to find the suitable monkey executable for the host from the c&c.
            1. If the c&c connection fails, and the source monkey's executable is suitable, we use it.
            2. If a suitable executable isn't found, exploitation will fail.
            3. Executables are cached in memory.
    5. Will skip hosts that are already exploited in the next run.
    6. Will skip hosts that failed during exploitation in the next run (can be disabled by configuration).
5. Close the tunnel before exiting:
    1. Wait for monkeys using the tunnel to unregister from it.
6. Cleanup:
    1. Remove firewall rules if added.

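The scan stage in step 4 above (`TCPScanner` or `PingScanner` over a `RelativeRange` or `ClassCRange`, probing the same `tcp_target_ports` on every host) is also what a defender can look for in connection logs. The following is an added example, not part of this README or the Monkey's own code, that flags such sweeps in a constructed sample; the record format and the threshold of 8 hosts are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of connection-attempt records (not real data), one "<time> <src> -> <dst>:<port>"
# per line: 10.0.0.5 sweeps 20 hosts on the same three ports, 10.0.0.7 is an ordinary client.
SAMPLE_LOG = "\n".join(
    [f"10:00:{i:02d} 10.0.0.5 -> 10.0.0.{10 + i}:{port}" for i in range(20) for port in (22, 445, 3389)]
    + ["10:01:00 10.0.0.7 -> 10.0.0.1:443"] * 5
    + ["10:01:05 10.0.0.7 -> 10.0.0.2:445"]
)
RECORD = re.compile(r"^\S+ (\S+) -> (\S+):(\d+)$")  # assumed record layout


def find_sweepers(log_text, min_hosts=8):
    """Return (src, /24, host_count, ports) for every source that probes at least
    min_hosts distinct hosts of one /24, which is what TCPScanner over a
    RelativeRange or ClassCRange with a fixed tcp_target_ports set looks like."""
    seen = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))  # src -> net -> port -> dsts
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # skip records in another format rather than fail the whole run
        src, dst, port = m.groups()
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        seen[src][net][int(port)].add(dst)
    hits = []
    for src, nets in seen.items():
        for net, ports in nets.items():
            hosts = set().union(*ports.values())
            if len(hosts) >= min_hosts:
                hits.append((src, str(net), len(hosts), sorted(ports)))
    return hits


if __name__ == "__main__":
    for src, net, count, ports in find_sweepers(SAMPLE_LOG):
        print(f"{src} probed {count} hosts in {net} on ports {ports}")
```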
Configuration Options
---------------------

Key | Type | Description | Possible Values
--- | ---- | ----------- | ---------------
`singleton_mutex_name` | string | string of the mutex name for the single instance check | example: `{2384ec59-0df8-4ab9-918c-843740924a28}`
`alive` | bool | sets whether or not the monkey is alive. If false, it will stop scanning and exploiting. |
`self_delete_in_cleanup` | bool | sets whether or not to self delete the monkey executable when stopped. |
`use_file_logging` | bool | sets whether or not to use a log file. |
`timeout_between_iterations` | int | how long to wait between scan iterations |
`max_iterations` | int | how many scan iterations to perform on each run |
`victims_max_find` | int | how many victims to look for in a single scan iteration |
`victims_max_exploit` | int | how many victims to exploit before stopping |
`command_servers` | array | addresses of c&c servers to try to connect to | example: `["russian-mail-brides.com:5000"]`
`serialize_config` | bool | sets whether or not to save the monkey's configuration to disk when finished (it will be loaded in the next run); saved next to the monkey exe with the name monkey.bin |
`retry_failed_explotation` | bool | sets whether or not to retry failed hosts on the next scan |
`range_class` | class name | sets which ip range class is used to construct the list of ips to scan | `FixedRange` - the scan list is a static list of ips, `RelativeRange` - the scan list is constructed according to the ip address of the machine and the size of the scan, `ClassCRange` - scans the entire class C the machine is in.
`scanner_class` | class name | sets which scan class to use when scanning for hosts to exploit | `TCPScanner` - searches for hosts according to open tcp ports, `PingScanner` - searches for hosts according to a ping scan
`finger_classes` | tuple of class names | sets which fingerprinting classes to use. | any of: `SMBFinger` - get host os info by checking smb info, `SSHFinger` - get host os info by checking the ssh banner, `PingScanner` - get the host os type by checking the ping ttl. For example: `(SMBFinger, SSHFinger, PingScanner)`
`exploiter_classes` | tuple of class names | sets which exploiter classes to use. | `SmbExploiter` - exploit using an smb connection, `WmiExploiter` - exploit using a wmi connection, `RdpExploiter` - exploit using an rdp connection, `Ms08_067_Exploiter` - exploit using the ms08_067 smb exploit, `SSHExploiter` - exploit using an ssh connection
`range_fixed` | tuple of strings | `FixedRange`: list of ips to scan |
`range_size` | int | `RelativeRange`: number of hosts to scan in the relative range. |
`tcp_target_ports` | list of int | `TCPScanner`: which ports to scan using the tcp scan. |
`tcp_scan_timeout` | int | `TCPScanner`: timeout for the tcp connection in the tcp scan (in milliseconds). |
`tcp_scan_interval` | int | `TCPScanner`: time to wait between ports in the tcp scan (in milliseconds). |
`tcp_scan_get_banner` | bool | `TCPScanner`: sets whether or not to read a banner from the tcp ports when scanning |
`ping_scan_timeout` | int | `PingScanner`: timeout for the ping command (in milliseconds). |
`psexec_user` | string | `SmbExploiter`/`WmiExploiter`/`RdpExploiter`: user to use for the connection |
`psexec_passwords` | list of strings | `SmbExploiter`/`WmiExploiter`/`RdpExploiter`: list of passwords to use when trying to exploit |
`skip_exploit_if_file_exist` | bool | `SmbExploiter`: sets whether or not to abort the exploit if the monkey already exists on the target. |
`rdp_use_vbs_download` | bool | `RdpExploiter`: sets whether to use the vbs payload for rdp exploitation. If false, the bits payload is used (will fail if bitsadmin.exe doesn't exist). |
`ms08_067_exploit_attempt` | int | `Ms08_067_Exploiter`: number of times to try and exploit using the ms08_067 exploit. |
`ms08_067_remote_user_add` | string | `Ms08_067_Exploiter`: user to add to the target when using the ms08_067 exploit |
`ms08_067_remote_user_pass` | string | `Ms08_067_Exploiter`: password of the user the exploit will add |
`ssh_user` | string | `SSHExploiter`: user to use for the ssh connection |
`ssh_passwords` | list of strings | `SSHExploiter`: list of passwords to use when trying to exploit |

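Because the local config.bin is JSON with the keys in this table, a small linter can catch a misspelt key or class name (which would silently disable a stage), a missing c&c address, or an unusable `FixedRange` list before a run. This is an added example, not part of this README or the Monkey's own code; it assumes a flat JSON object using the keys above, with tuples encoded as JSON arrays.

```python
import ipaddress
import json

SCALARS = {  # expected JSON types, transcribed from the Configuration Options table
    "singleton_mutex_name": str, "alive": bool, "self_delete_in_cleanup": bool, "use_file_logging": bool,
    "timeout_between_iterations": int, "max_iterations": int, "victims_max_find": int, "victims_max_exploit": int,
    "serialize_config": bool, "retry_failed_explotation": bool, "range_class": str, "scanner_class": str,
    "range_size": int, "tcp_scan_timeout": int, "tcp_scan_interval": int, "tcp_scan_get_banner": bool,
    "ping_scan_timeout": int, "psexec_user": str, "skip_exploit_if_file_exist": bool, "rdp_use_vbs_download": bool,
    "ms08_067_exploit_attempt": int, "ms08_067_remote_user_add": str, "ms08_067_remote_user_pass": str, "ssh_user": str,
}
LISTS = {  # "tuple"/"list" keys in the table arrive as JSON arrays; the value is the element type
    "command_servers": str, "range_fixed": str, "tcp_target_ports": int, "psexec_passwords": str,
    "ssh_passwords": str, "finger_classes": str, "exploiter_classes": str,
}
CLASSES = {  # allowed class names, from the "Possible Values" column
    "range_class": {"FixedRange", "RelativeRange", "ClassCRange"},
    "scanner_class": {"TCPScanner", "PingScanner"},
    "finger_classes": {"SMBFinger", "SSHFinger", "PingScanner"},
    "exploiter_classes": {"SmbExploiter", "WmiExploiter", "RdpExploiter", "Ms08_067_Exploiter", "SSHExploiter"},
}


def check_config(text):
    """Return a list of problems in a JSON Monkey config; an empty list means it passed."""
    cfg, problems = json.loads(text), []
    for key, value in cfg.items():
        if key in SCALARS:  # type(), not isinstance(): bool is a subclass of int
            if type(value) is not SCALARS[key]:
                problems.append(f"{key}: expected {SCALARS[key].__name__}")
        elif key in LISTS:
            if not isinstance(value, list) or any(type(v) is not LISTS[key] for v in value):
                problems.append(f"{key}: expected list of {LISTS[key].__name__}")
        else:
            problems.append(f"{key}: unknown option (typo?)")
        if key in CLASSES:  # a misspelt class name would silently disable that stage
            names = value if isinstance(value, list) else [value]
            problems += [f"{key}: unknown class {n!r}" for n in names if not isinstance(n, str) or n not in CLASSES[key]]
    if not cfg.get("command_servers"):  # the local config must carry the C&C address
        problems.append("command_servers: at least one c&c address is required")
    if cfg.get("range_class") == "FixedRange":  # FixedRange limits the run to the hosts listed; check them
        for ip in cfg.get("range_fixed") or []:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                problems.append(f"range_fixed: {ip!r} is not an ip address")
    return problems


SAMPLE = '{"command_servers": ["10.0.0.1:5000"], "range_class": "FixedRange", "range_fixed": ["10.0.0.300"], "alive": 1}'
if __name__ == "__main__":  # SAMPLE is a constructed config, not one shipped with the project
    print(check_config(SAMPLE))
```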
Building the Monkey from source
-------------------------------

<how to build the monkey>

License
=======