From 3c40fd7cc3775ec3ad2bdf64a09fb0b6a0e3c6bb Mon Sep 17 00:00:00 2001
From: "maor.rayzin"
Date: Wed, 8 Aug 2018 16:03:16 +0300
Subject: [PATCH] * Added warnings and threats comments about pth findings

---
 monkey_island/cc/services/pth_report.py | 25 +++++++++----------
 monkey_island/cc/services/report.py | 19 +++++++++++---
 .../cc/ui/src/components/pages/ReportPage.js | 22 ++++++++++------
 3 files changed, 42 insertions(+), 24 deletions(-)

diff --git a/monkey_island/cc/services/pth_report.py b/monkey_island/cc/services/pth_report.py
index 6f244e09b..3640e29e2 100644
--- a/monkey_island/cc/services/pth_report.py
+++ b/monkey_island/cc/services/pth_report.py
@@ -118,17 +118,16 @@ class PTHReportService(object):
 def get_duplicated_passwords_issues(pth, password_groups):
 issues = []
 for group in password_groups:
- for username in group['cred_group']:
- sid = list(pth.GetSidsByUsername(username.split('\\')[1]))
- machine_info = pth.GetSidInfo(sid[0])
- issues.append(
- {
- 'type': 'shared_password',
- 'machine': machine_info.get('hostname').split('.')[0],
- 'shared_with': [x for x in group['cred_group'] if x != username],
- 'username': username
- }
- )
+ username = group['cred_group'][0]
+ sid = list(pth.GetSidsByUsername(username.split('\\')[1]))
+ machine_info = pth.GetSidInfo(sid[0])
+ issues.append(
+ {
+ 'type': 'shared_passwords',
+ 'machine': machine_info.get('hostname').split('.')[0],
+ 'shared_with': group['cred_group']
+ }
+ )
 return issues
@@ -207,7 +206,7 @@ class PTHReportService(object):
 issues += PTHReportService.get_duplicated_passwords_issues(pth, same_password)
 issues += PTHReportService.get_shared_local_admins_issues(local_admin_shared)
 issues += PTHReportService.strong_users_on_crit_issues(strong_users_on_crit_services)
- formated_issues = PTHReportService.get_issues_list(issues)
+ #formated_issues = PTHReportService.get_issues_list(issues)
 report = \
 {
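Review bot: `username.split('\\')[1]` and `sid[0]` in the new body are unguarded, so a credential stored without a `DOMAIN\` prefix, or a username for which `GetSidsByUsername` yields nothing, raises IndexError and aborts the whole PTH report; the removed loop had the same exposure, but the rewrite additionally indexes `group['cred_group'][0]`, which fails on an empty group. If bare usernames can occur, `sids = list(pth.GetSidsByUsername(username.split('\\')[-1]))` followed by `if not sids: continue` keeps one odd credential from taking the report down. The issue is now attributed only to the host of the first credential in the group, which deserves a comment on that line: `# one issue per group, attributed to the first credential's host`. The `'shared_passwords'` type string is matched literally in ReportService.get_warnings_overview and in the ReportPage.js switch, so a module-level constant shared with report.py would keep the three sites in step.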
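Review bot: The commented-out `#formated_issues = PTHReportService.get_issues_list(issues)` should be deleted rather than left behind: the next hunk switches `'pth_issues'` to the raw `issues` list and the JS side drops its own `generateIssues(pthreport.pth_issues)` call in this commit, so a comment that preserves the formatter call only invites someone to re-enable output the UI no longer consumes. If `get_issues_list` has no remaining callers after this change it can go as well, though its definition and any other uses are outside the hunk. The enclosing get_report method starts and ends outside the hunk.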
@@ -217,7 +216,7 @@ class PTHReportService(object):
 'local_admin_shared': local_admin_shared,
 'strong_users_on_crit_services': strong_users_on_crit_services,
 'strong_users_on_non_crit_services': strong_users_on_non_crit_services,
- 'pth_issues': formated_issues
+ 'pth_issues': issues
 },
 'pthmap':
 {
diff --git a/monkey_island/cc/services/report.py b/monkey_island/cc/services/report.py
index 369b29c25..6a89afa58 100644
--- a/monkey_island/cc/services/report.py
+++ b/monkey_island/cc/services/report.py
@@ -9,6 +9,7 @@ from cc.services.config import ConfigService
 from cc.services.edge import EdgeService
 from cc.services.node import NodeService
 from cc.utils import local_ip_addresses, get_subnets
+from pth_report import PTHReportService
 __author__ = "itay.mizeretz"
@@ -43,10 +44,14 @@ class ReportService:
 AZURE = 6
 STOLEN_SSH_KEYS = 7
 STRUTS2 = 8
+ PTH_CRIT_SERVICES_ACCESS = 10
+
 class WARNINGS_DICT(Enum):
 CROSS_SEGMENT = 0
 TUNNEL = 1
+ SHARED_LOCAL_ADMIN = 2
+ SHARED_PASSWORDS = 3
 @staticmethod
 def get_first_monkey_time():
@@ -365,7 +370,8 @@ class ReportService:
 @staticmethod
 def get_issues():
 issues = ReportService.get_exploits() + ReportService.get_tunnels() +\
- ReportService.get_cross_segment_issues() + ReportService.get_azure_issues()
+ ReportService.get_cross_segment_issues() + ReportService.get_azure_issues() + \
+ PTHReportService.get_report().get('report_info').get('pth_issues', [])
 issues_dict = {}
 for issue in issues:
 machine = issue['machine']
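Review bot: `from pth_report import PTHReportService` is an implicit relative import, while every neighbouring line imports through the `cc.services` package; the diffstat places the sibling module at monkey_island/cc/services/pth_report.py, so `from cc.services.pth_report import PTHReportService` matches the file's convention and does not rely on Python 2 implicit-relative-import semantics. As written the line would also fail under Python 3 or whenever the services directory is not on sys.path.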
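Review bot: `PTH_CRIT_SERVICES_ACCESS = 10` leaves a gap at 9, and the value is used as a list index in get_issues_overview (the `@@ -430` hunk); if `issues_byte_array` is sized from `len(ReportService.ISSUES_DICT)` the way `warnings_byte_array` now is in the `@@ -440` hunk, the enum has ten members (0–8 and 10) and index 10 is out of range. The sizing line is outside this hunk, so this is inferred; either assign the next free value or size the array from the largest member value, and add a comment above `ISSUES_DICT` stating `# values are indices into the overview byte array and must stay contiguous`. The same tables are hand-copied into ReportPage.js (`@@ -28` hunk), so whichever value is chosen must change there too.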
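Review bot: `PTHReportService.get_report().get('report_info').get('pth_issues', [])` only defaults the inner key; if `'report_info'` is ever absent the first `.get` returns None and the chained call raises AttributeError, defeating the fallback the second `.get` intends. `PTHReportService.get_report().get('report_info', {}).get('pth_issues', [])` makes both levels consistent. Calling `get_report()` inside `get_issues` also rebuilds the PTH report every time the issue list is assembled unless `get_report` caches internally, which is not visible here and is worth a comment on that line. get_issues continues outside the hunk.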
@@ -430,7 +436,9 @@ class ReportService:
 issues_byte_array[ReportService.ISSUES_DICT.STOLEN_SSH_KEYS.value] = True
 elif issue['type'] == 'struts2':
 issues_byte_array[ReportService.ISSUES_DICT.STRUTS2.value] = True
- elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \
+ elif issue['type'] == 'strong_users_on_crit':
+ issues_byte_array[ReportService.ISSUES_DICT.PTH_CRIT_SERVICES_ACCESS.value] = True
+ elif issue['type'].endswith('_password') and issue.get('password', None) in config_passwords and \
 issue['username'] in config_users or issue['type'] == 'ssh':
 issues_byte_array[ReportService.ISSUES_DICT.WEAK_PASSWORD.value] = True
 elif issue['type'].endswith('_pth') or issue['type'].endswith('_password'):
@@ -440,7 +448,7 @@ class ReportService:
 @staticmethod
 def get_warnings_overview(issues):
- warnings_byte_array = [False] * 2
+ warnings_byte_array = [False] * len(ReportService.WARNINGS_DICT)
 for machine in issues:
 for issue in issues[machine]:
@@ -448,6 +456,10 @@ class ReportService:
 warnings_byte_array[ReportService.WARNINGS_DICT.CROSS_SEGMENT.value] = True
 elif issue['type'] == 'tunnel':
 warnings_byte_array[ReportService.WARNINGS_DICT.TUNNEL.value] = True
+ elif issue['type'] == 'shared_admins':
+ warnings_byte_array[ReportService.WARNINGS_DICT.SHARED_LOCAL_ADMIN.value] = True
+ elif issue['type'] == 'shared_passwords':
+ warnings_byte_array[ReportService.WARNINGS_DICT.SHARED_PASSWORDS.value] = True
 return warnings_byte_array
@@ -472,6 +484,7 @@ class ReportService:
 config_users = ReportService.get_config_users()
 config_passwords = ReportService.get_config_passwords()
+
 report = \
 {
 'overview':
diff --git a/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey_island/cc/ui/src/components/pages/ReportPage.js
index 5db48036b..400381c8a 100644
--- a/monkey_island/cc/ui/src/components/pages/ReportPage.js
+++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js
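Review bot: The rewritten condition makes only `'password'` optional while `issue['username']` is still a hard subscript, so any `_password` issue that carries a password in `config_passwords` but no `'username'` key still raises KeyError, and the `and`/`or` mix is left without parentheses. Parenthesise the two arms and use `.get` for both keys: `elif (issue['type'].endswith('_password') and issue.get('password') in config_passwords and issue.get('username') in config_users) or issue['type'] == 'ssh':`. The explicit `, None` default on `.get` is redundant. get_issues_overview starts and ends outside the hunk.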
@@ -28,13 +28,16 @@ class ReportPageComponent extends AuthComponent {
 CONFICKER: 5,
 AZURE: 6,
 STOLEN_SSH_KEYS: 7,
- STRUTS2: 8
+ STRUTS2: 8,
+ PTH_CRIT_SERVICES_ACCESS: 10
 };
 Warning = {
 CROSS_SEGMENT: 0,
- TUNNEL: 1
+ TUNNEL: 1,
+ SHARED_LOCAL_ADMIN: 2,
+ SHARED_PASSWORDS: 3
 };
 constructor(props) {
@@ -345,6 +348,9 @@ class ReportPageComponent extends AuthComponent {
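Review bot: The `Issue` and `Warning` index tables extended here are a hand-maintained copy of ReportService.ISSUES_DICT and WARNINGS_DICT in monkey_island/cc/services/report.py, and nothing ties the two copies together, so a drift on either side silently mislabels a finding in the report overview. At minimum add a comment above each table, `// Index values must match ISSUES_DICT / WARNINGS_DICT in cc/services/report.py`; having the server send the enum names alongside the byte arrays would remove the duplication. The gap at 9 in `PTH_CRIT_SERVICES_ACCESS: 10` mirrors the Python side and has the same consequence if either array is sized by member count.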
  • Struts2 servers are vulnerable to remote code execution. ( CVE-2017-5638)
  • : null } + {this.state.report.overview.issues[this.Issue.PTH_CRIT_SERVICES_ACCESS] ? +
  • Credentials of strong users was found on machines and can give access to critical servers + (DC, MSSQL, etc..)
  • : null } : @@ -370,6 +376,10 @@ class ReportPageComponent extends AuthComponent { communicate. : null} {this.state.report.overview.warnings[this.Warning.TUNNEL] ?
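Review bot: The new overview sentence reads `Credentials of strong users was found on machines and can give access to critical servers (DC, MSSQL, etc..)`; it should be `Credentials of strong users were found on machines and can give access to critical servers (DC, MSSQL, etc.)`. This hunk sits inside the component's render method, which starts and ends outside it, and the JSX element markup has been lost in this rendering of the patch, so only the text is reviewable here.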
  • Weak segmentation - Machines were able to communicate over unused ports.
  • : null} + {this.state.report.overview.warnings[this.Warning.SHARED_LOCAL_ADMIN] ? +
  • The monkey has found that some users have administrative rights on several machines.
  • : null} + {this.state.report.overview.warnings[this.Warning.SHARED_PASSWORDS] ? +
  • The monkey has found that some users are sharing passwords.
  • : null} : @@ -390,7 +400,6 @@ class ReportPageComponent extends AuthComponent {
    {this.generateIssues(this.state.report.recommendations.issues)} - {this.generateIssues(this.state.pthreport.pth_issues)}
    ); @@ -448,9 +457,6 @@ class ReportPageComponent extends AuthComponent {
    -
    - -
    @@ -744,7 +750,7 @@ class ReportPageComponent extends AuthComponent {
  • Some users are sharing passwords, this should be fixed by changing passwords. - The user {issue.username} is sharing access password with: + These users are sharing access password: {this.generateInfoBadges(issue.shared_with)}.
  • @@ -849,7 +855,7 @@ class ReportPageComponent extends AuthComponent { case 'cross_segment': data = this.generateCrossSegmentIssue(issue); break; - case 'shared_password': + case 'shared_passwords': data = this.generateSharedCredsIssue(issue); break; case 'shared_admins':