forked from p15670423/monkey
Island: Export AWS findings without report_exporter_manager.py
This commit is contained in:
parent
f83832dc3c
commit
7ed7164a03
|
@ -3,7 +3,6 @@ import json
|
|||
import logging
|
||||
import sys
|
||||
from pathlib import Path
|
||||
from threading import Thread
|
||||
|
||||
import gevent.hub
|
||||
from gevent.pywsgi import WSGIServer
|
||||
|
@ -29,7 +28,6 @@ from monkey_island.cc.server_utils.consts import ( # noqa: E402
|
|||
)
|
||||
from monkey_island.cc.server_utils.island_logger import reset_logger, setup_logging # noqa: E402
|
||||
from monkey_island.cc.services.initialize import initialize_services # noqa: E402
|
||||
from monkey_island.cc.services.reporting.exporter_init import populate_exporter_list # noqa: E402
|
||||
from monkey_island.cc.services.utils.network_utils import local_ip_addresses # noqa: E402
|
||||
from monkey_island.cc.setup import island_config_options_validator # noqa: E402
|
||||
from monkey_island.cc.setup.data_dir import IncompatibleDataDirectory, setup_data_dir # noqa: E402
|
||||
|
@ -132,8 +130,6 @@ def _configure_gevent_exception_handling(data_dir):
|
|||
def _start_island_server(
|
||||
should_setup_only: bool, config_options: IslandConfigOptions, container: DIContainer
|
||||
):
|
||||
# AWS exporter takes a long time to load
|
||||
Thread(target=populate_exporter_list, name="Report exporter list", daemon=True).start()
|
||||
app = init_app(mongo_setup.MONGO_URL, container)
|
||||
|
||||
if should_setup_only:
|
||||
|
|
|
@ -7,6 +7,7 @@ from monkey_island.cc.services.post_breach_files import PostBreachFilesService
|
|||
from monkey_island.cc.services.run_local_monkey import LocalMonkeyRunService
|
||||
|
||||
from . import AuthenticationService, JsonFileUserDatastore
|
||||
from .reporting.report import ReportService
|
||||
|
||||
|
||||
def initialize_services(data_dir: Path) -> DIContainer:
|
||||
|
@ -22,5 +23,6 @@ def initialize_services(data_dir: Path) -> DIContainer:
|
|||
PostBreachFilesService.initialize(container.resolve(IFileStorageService))
|
||||
LocalMonkeyRunService.initialize(data_dir)
|
||||
AuthenticationService.initialize(data_dir, JsonFileUserDatastore(data_dir))
|
||||
ReportService.initialize(container.resolve(AWSService))
|
||||
|
||||
return container
|
||||
|
|
|
@ -1,21 +1,15 @@
|
|||
import logging
|
||||
import uuid
|
||||
from datetime import datetime
|
||||
from typing import Mapping
|
||||
|
||||
import boto3
|
||||
from botocore.exceptions import UnknownServiceError
|
||||
|
||||
from monkey_island.cc.services import aws_service
|
||||
from monkey_island.cc.services.reporting.exporter import Exporter
|
||||
|
||||
__authors__ = ["maor.rayzin", "shay.nehmad"]
|
||||
|
||||
|
||||
from common.aws import AWSInstance
|
||||
from monkey_island.cc.services.reporting.issue_processing.exploit_processing.exploiter_descriptor_enum import ( # noqa:E501 (Long import)
|
||||
ExploiterDescriptorEnum,
|
||||
)
|
||||
|
||||
# noqa:E501 (Long import)
|
||||
from monkey_island.cc.services.reporting.issue_processing.exploit_processing.exploiter_report_info import ( # noqa:E501 (Long import)
|
||||
CredentialType,
|
||||
)
|
||||
|
@ -25,376 +19,351 @@ logger = logging.getLogger(__name__)
|
|||
INFECTION_MONKEY_ARN = "324264561773:product/guardicore/aws-infection-monkey"
|
||||
|
||||
|
||||
class AWSExporter(Exporter):
|
||||
@staticmethod
|
||||
def handle_report(report_json):
|
||||
|
||||
findings_list = []
|
||||
issues_list = report_json["recommendations"]["issues"]
|
||||
if not issues_list:
|
||||
logger.info("No issues were found by the monkey, no need to send anything")
|
||||
return True
|
||||
|
||||
current_aws_region = aws_service.get_region()
|
||||
|
||||
for machine in issues_list:
|
||||
for issue in issues_list[machine]:
|
||||
try:
|
||||
if "aws_instance_id" in issue:
|
||||
findings_list.append(
|
||||
AWSExporter._prepare_finding(issue, current_aws_region)
|
||||
)
|
||||
except AWSExporter.FindingNotFoundError as e:
|
||||
logger.error(e)
|
||||
|
||||
if not AWSExporter._send_findings(findings_list, current_aws_region):
|
||||
logger.error("Exporting findings to aws failed")
|
||||
return False
|
||||
|
||||
def handle_report(report_json: Mapping, aws_instance: AWSInstance):
|
||||
findings_list = []
|
||||
issues_list = report_json["recommendations"]["issues"]
|
||||
if not issues_list:
|
||||
logger.info("No issues were found by the monkey, no need to send anything")
|
||||
return True
|
||||
|
||||
@staticmethod
|
||||
def merge_two_dicts(x, y):
|
||||
z = x.copy() # start with x's keys and values
|
||||
z.update(y) # modifies z with y's keys and values & returns None
|
||||
return z
|
||||
for machine in issues_list:
|
||||
for issue in issues_list[machine]:
|
||||
try:
|
||||
if "aws_instance_id" in issue:
|
||||
findings_list.append(_prepare_finding(issue, aws_instance))
|
||||
except FindingNotFoundError as e:
|
||||
logger.error(e)
|
||||
|
||||
@staticmethod
|
||||
def _prepare_finding(issue, region):
|
||||
findings_dict = {
|
||||
"island_cross_segment": AWSExporter._handle_island_cross_segment_issue,
|
||||
ExploiterDescriptorEnum.SSH.value.class_name: {
|
||||
CredentialType.PASSWORD.value: AWSExporter._handle_ssh_issue,
|
||||
CredentialType.KEY.value: AWSExporter._handle_ssh_key_issue,
|
||||
},
|
||||
"tunnel": AWSExporter._handle_tunnel_issue,
|
||||
ExploiterDescriptorEnum.SMB.value.class_name: {
|
||||
CredentialType.PASSWORD.value: AWSExporter._handle_smb_password_issue,
|
||||
CredentialType.HASH.value: AWSExporter._handle_smb_pth_issue,
|
||||
},
|
||||
"shared_passwords": AWSExporter._handle_shared_passwords_issue,
|
||||
ExploiterDescriptorEnum.WMI.value.class_name: {
|
||||
CredentialType.PASSWORD.value: AWSExporter._handle_wmi_password_issue,
|
||||
CredentialType.HASH.value: AWSExporter._handle_wmi_pth_issue,
|
||||
},
|
||||
"shared_passwords_domain": AWSExporter._handle_shared_passwords_domain_issue,
|
||||
"shared_admins_domain": AWSExporter._handle_shared_admins_domain_issue,
|
||||
"strong_users_on_crit": AWSExporter._handle_strong_users_on_crit_issue,
|
||||
ExploiterDescriptorEnum.HADOOP.value.class_name: AWSExporter._handle_hadoop_issue,
|
||||
}
|
||||
if not _send_findings(findings_list, aws_instance.region):
|
||||
logger.error("Exporting findings to aws failed")
|
||||
return False
|
||||
|
||||
configured_product_arn = INFECTION_MONKEY_ARN
|
||||
product_arn = "arn:aws:securityhub:{region}:{arn}".format(
|
||||
region=region, arn=configured_product_arn
|
||||
)
|
||||
instance_arn = "arn:aws:ec2:" + str(region) + ":instance:{instance_id}"
|
||||
# Not suppressing error here on purpose.
|
||||
account_id = aws_service.get_account_id()
|
||||
logger.debug("aws account id acquired: {}".format(account_id))
|
||||
return True
|
||||
|
||||
aws_finding = {
|
||||
"SchemaVersion": "2018-10-08",
|
||||
"Id": uuid.uuid4().hex,
|
||||
"ProductArn": product_arn,
|
||||
"GeneratorId": issue["type"],
|
||||
"AwsAccountId": account_id,
|
||||
"RecordState": "ACTIVE",
|
||||
"Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
|
||||
"CreatedAt": datetime.now().isoformat() + "Z",
|
||||
"UpdatedAt": datetime.now().isoformat() + "Z",
|
||||
}
|
||||
|
||||
processor = AWSExporter._get_issue_processor(findings_dict, issue)
|
||||
def merge_two_dicts(x, y):
|
||||
z = x.copy() # start with x's keys and values
|
||||
z.update(y) # modifies z with y's keys and values & returns None
|
||||
return z
|
||||
|
||||
return AWSExporter.merge_two_dicts(aws_finding, processor(issue, instance_arn))
|
||||
|
||||
@staticmethod
|
||||
def _get_issue_processor(finding_dict, issue):
|
||||
try:
|
||||
processor = finding_dict[issue["type"]]
|
||||
if type(processor) == dict:
|
||||
processor = processor[issue["credential_type"]]
|
||||
return processor
|
||||
except KeyError:
|
||||
raise AWSExporter.FindingNotFoundError(
|
||||
f"Finding {issue['type']} not added as AWS exportable finding"
|
||||
)
|
||||
def _prepare_finding(issue, aws_instance: AWSInstance):
|
||||
findings_dict = {
|
||||
"island_cross_segment": _handle_island_cross_segment_issue,
|
||||
ExploiterDescriptorEnum.SSH.value.class_name: {
|
||||
CredentialType.PASSWORD.value: _handle_ssh_issue,
|
||||
CredentialType.KEY.value: _handle_ssh_key_issue,
|
||||
},
|
||||
"tunnel": _handle_tunnel_issue,
|
||||
ExploiterDescriptorEnum.SMB.value.class_name: {
|
||||
CredentialType.PASSWORD.value: _handle_smb_password_issue,
|
||||
CredentialType.HASH.value: _handle_smb_pth_issue,
|
||||
},
|
||||
"shared_passwords": _handle_shared_passwords_issue,
|
||||
ExploiterDescriptorEnum.WMI.value.class_name: {
|
||||
CredentialType.PASSWORD.value: _handle_wmi_password_issue,
|
||||
CredentialType.HASH.value: _handle_wmi_pth_issue,
|
||||
},
|
||||
"shared_passwords_domain": _handle_shared_passwords_domain_issue,
|
||||
"shared_admins_domain": _handle_shared_admins_domain_issue,
|
||||
"strong_users_on_crit": _handle_strong_users_on_crit_issue,
|
||||
ExploiterDescriptorEnum.HADOOP.value.class_name: _handle_hadoop_issue,
|
||||
}
|
||||
|
||||
class FindingNotFoundError(Exception):
|
||||
pass
|
||||
configured_product_arn = INFECTION_MONKEY_ARN
|
||||
product_arn = "arn:aws:securityhub:{region}:{arn}".format(
|
||||
region=aws_instance.region, arn=configured_product_arn
|
||||
)
|
||||
instance_arn = "arn:aws:ec2:" + str(aws_instance.region) + ":instance:{instance_id}"
|
||||
account_id = aws_instance.account_id
|
||||
logger.debug("aws account id acquired: {}".format(account_id))
|
||||
|
||||
@staticmethod
|
||||
def _send_findings(findings_list, region):
|
||||
try:
|
||||
logger.debug("Trying to acquire securityhub boto3 client in " + region)
|
||||
security_hub_client = boto3.client("securityhub", region_name=region)
|
||||
logger.debug("Client acquired: {0}".format(repr(security_hub_client)))
|
||||
aws_finding = {
|
||||
"SchemaVersion": "2018-10-08",
|
||||
"Id": uuid.uuid4().hex,
|
||||
"ProductArn": product_arn,
|
||||
"GeneratorId": issue["type"],
|
||||
"AwsAccountId": account_id,
|
||||
"RecordState": "ACTIVE",
|
||||
"Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
|
||||
"CreatedAt": datetime.now().isoformat() + "Z",
|
||||
"UpdatedAt": datetime.now().isoformat() + "Z",
|
||||
}
|
||||
|
||||
# Assumes the machine has the correct IAM role to do this, @see
|
||||
# https://github.com/guardicore/monkey/wiki/Monkey-Island:-Running-the-monkey-on-AWS
|
||||
# -EC2-instances
|
||||
import_response = security_hub_client.batch_import_findings(Findings=findings_list)
|
||||
logger.debug("Import findings response: {0}".format(repr(import_response)))
|
||||
processor = _get_issue_processor(findings_dict, issue)
|
||||
|
||||
if import_response["ResponseMetadata"]["HTTPStatusCode"] == 200:
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
except UnknownServiceError as e:
|
||||
logger.warning(
|
||||
"AWS exporter called but AWS-CLI security hub service is not installed. "
|
||||
"Error: {}".format(e)
|
||||
)
|
||||
return False
|
||||
except Exception as e:
|
||||
logger.exception("AWS security hub findings failed to send. Error: {}".format(e))
|
||||
return False
|
||||
return merge_two_dicts(aws_finding, processor(issue, instance_arn))
|
||||
|
||||
@staticmethod
|
||||
def _get_finding_resource(instance_id, instance_arn):
|
||||
if instance_id:
|
||||
return [{"Type": "AwsEc2Instance", "Id": instance_arn.format(instance_id=instance_id)}]
|
||||
|
||||
def _get_issue_processor(finding_dict, issue):
|
||||
try:
|
||||
processor = finding_dict[issue["type"]]
|
||||
if type(processor) == dict:
|
||||
processor = processor[issue["credential_type"]]
|
||||
return processor
|
||||
except KeyError:
|
||||
raise FindingNotFoundError(f"Finding {issue['type']} not added as AWS exportable finding")
|
||||
|
||||
|
||||
class FindingNotFoundError(Exception):
|
||||
pass
|
||||
|
||||
|
||||
def _send_findings(findings_list, region):
|
||||
try:
|
||||
logger.debug("Trying to acquire securityhub boto3 client in " + region)
|
||||
security_hub_client = boto3.client("securityhub", region_name=region)
|
||||
logger.debug("Client acquired: {0}".format(repr(security_hub_client)))
|
||||
|
||||
# Assumes the machine has the correct IAM role to do this, @see
|
||||
# https://github.com/guardicore/monkey/wiki/Monkey-Island:-Running-the-monkey-on-AWS
|
||||
# -EC2-instances
|
||||
import_response = security_hub_client.batch_import_findings(Findings=findings_list)
|
||||
logger.debug("Import findings response: {0}".format(repr(import_response)))
|
||||
|
||||
if import_response["ResponseMetadata"]["HTTPStatusCode"] == 200:
|
||||
return True
|
||||
else:
|
||||
return [{"Type": "Other", "Id": "None"}]
|
||||
|
||||
@staticmethod
|
||||
def _build_generic_finding(
|
||||
severity, title, description, recommendation, instance_arn, instance_id=None
|
||||
):
|
||||
finding = {
|
||||
"Severity": {"Product": severity, "Normalized": 100},
|
||||
"Resources": AWSExporter._get_finding_resource(instance_id, instance_arn),
|
||||
"Title": title,
|
||||
"Description": description,
|
||||
"Remediation": {"Recommendation": {"Text": recommendation}},
|
||||
}
|
||||
|
||||
return finding
|
||||
|
||||
@staticmethod
|
||||
def _handle_tunnel_issue(issue, instance_arn):
|
||||
|
||||
return AWSExporter._build_generic_finding(
|
||||
severity=5,
|
||||
title="Weak segmentation - Machines were able to communicate over unused ports.",
|
||||
description="Use micro-segmentation policies to disable communication other than "
|
||||
"the required.",
|
||||
recommendation="Machines are not locked down at port level. "
|
||||
"Network tunnel was set up from {0} to {1}".format(issue["machine"], issue["dest"]),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
return False
|
||||
except UnknownServiceError as e:
|
||||
logger.warning(
|
||||
"AWS exporter called but AWS-CLI security hub service is not installed. "
|
||||
"Error: {}".format(e)
|
||||
)
|
||||
return False
|
||||
except Exception as e:
|
||||
logger.exception("AWS security hub findings failed to send. Error: {}".format(e))
|
||||
return False
|
||||
|
||||
@staticmethod
|
||||
def _handle_smb_pth_issue(issue, instance_arn):
|
||||
|
||||
return AWSExporter._build_generic_finding(
|
||||
severity=5,
|
||||
title="Machines are accessible using passwords supplied by the user during the "
|
||||
"Monkey's configuration.",
|
||||
description="Change {0}'s password to a complex one-use password that is not "
|
||||
"shared with other computers on the "
|
||||
"network.".format(issue["username"]),
|
||||
recommendation="The machine {0}({1}) is vulnerable to a SMB attack. The Monkey "
|
||||
"used a pass-the-hash attack over "
|
||||
"SMB protocol with user {2}.".format(
|
||||
issue["machine"], issue["ip_address"], issue["username"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
def _get_finding_resource(instance_id, instance_arn):
|
||||
if instance_id:
|
||||
return [{"Type": "AwsEc2Instance", "Id": instance_arn.format(instance_id=instance_id)}]
|
||||
else:
|
||||
return [{"Type": "Other", "Id": "None"}]
|
||||
|
||||
@staticmethod
|
||||
def _handle_ssh_issue(issue, instance_arn):
|
||||
|
||||
return AWSExporter._build_generic_finding(
|
||||
severity=1,
|
||||
title="Machines are accessible using SSH passwords supplied by the user during "
|
||||
"the Monkey's configuration.",
|
||||
description="Change {0}'s password to a complex one-use password that is not "
|
||||
"shared with other computers on the "
|
||||
"network.".format(issue["username"]),
|
||||
recommendation="The machine {0} ({1}) is vulnerable to a SSH attack. The Monkey "
|
||||
"authenticated over the SSH"
|
||||
" protocol with user {2} and its "
|
||||
"password.".format(issue["machine"], issue["ip_address"], issue["username"]),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
def _build_generic_finding(
|
||||
severity, title, description, recommendation, instance_arn, instance_id=None
|
||||
):
|
||||
finding = {
|
||||
"Severity": {"Product": severity, "Normalized": 100},
|
||||
"Resources": _get_finding_resource(instance_id, instance_arn),
|
||||
"Title": title,
|
||||
"Description": description,
|
||||
"Remediation": {"Recommendation": {"Text": recommendation}},
|
||||
}
|
||||
|
||||
@staticmethod
|
||||
def _handle_ssh_key_issue(issue, instance_arn):
|
||||
return finding
|
||||
|
||||
return AWSExporter._build_generic_finding(
|
||||
severity=1,
|
||||
title="Machines are accessible using SSH passwords supplied by the user during "
|
||||
"the Monkey's configuration.",
|
||||
description="Protect {ssh_key} private key with a pass phrase.".format(
|
||||
ssh_key=issue["ssh_key"]
|
||||
),
|
||||
recommendation="The machine {machine} ({ip_address}) is vulnerable to a SSH "
|
||||
"attack. The Monkey authenticated "
|
||||
"over the SSH protocol with private key {ssh_key}.".format(
|
||||
machine=issue["machine"], ip_address=issue["ip_address"], ssh_key=issue["ssh_key"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
def _handle_island_cross_segment_issue(issue, instance_arn):
|
||||
def _handle_tunnel_issue(issue, instance_arn):
|
||||
return _build_generic_finding(
|
||||
severity=5,
|
||||
title="Weak segmentation - Machines were able to communicate over unused ports.",
|
||||
description="Use micro-segmentation policies to disable communication other than "
|
||||
"the required.",
|
||||
recommendation="Machines are not locked down at port level. "
|
||||
"Network tunnel was set up from {0} to {1}".format(issue["machine"], issue["dest"]),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
return AWSExporter._build_generic_finding(
|
||||
severity=1,
|
||||
title="Weak segmentation - Machines from different segments are able to "
|
||||
"communicate.",
|
||||
description="Segment your network and make sure there is no communication between "
|
||||
"machines from different "
|
||||
"segments.",
|
||||
recommendation="The network can probably be segmented. A monkey instance on \
|
||||
{0} in the networks {1} \
|
||||
could directly access the Monkey Island server in the networks {2}.".format(
|
||||
issue["machine"], issue["networks"], issue["server_networks"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
def _handle_shared_passwords_issue(issue, instance_arn):
|
||||
def _handle_smb_pth_issue(issue, instance_arn):
|
||||
return _build_generic_finding(
|
||||
severity=5,
|
||||
title="Machines are accessible using passwords supplied by the user during the "
|
||||
"Monkey's configuration.",
|
||||
description="Change {0}'s password to a complex one-use password that is not "
|
||||
"shared with other computers on the "
|
||||
"network.".format(issue["username"]),
|
||||
recommendation="The machine {0}({1}) is vulnerable to a SMB attack. The Monkey "
|
||||
"used a pass-the-hash attack over "
|
||||
"SMB protocol with user {2}.".format(
|
||||
issue["machine"], issue["ip_address"], issue["username"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
return AWSExporter._build_generic_finding(
|
||||
severity=1,
|
||||
title="Multiple users have the same password",
|
||||
description="Some users are sharing passwords, this should be fixed by changing "
|
||||
"passwords.",
|
||||
recommendation="These users are sharing access password: {0}.".format(
|
||||
issue["shared_with"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
def _handle_smb_password_issue(issue, instance_arn):
|
||||
def _handle_ssh_issue(issue, instance_arn):
|
||||
return _build_generic_finding(
|
||||
severity=1,
|
||||
title="Machines are accessible using SSH passwords supplied by the user during "
|
||||
"the Monkey's configuration.",
|
||||
description="Change {0}'s password to a complex one-use password that is not "
|
||||
"shared with other computers on the "
|
||||
"network.".format(issue["username"]),
|
||||
recommendation="The machine {0} ({1}) is vulnerable to a SSH attack. The Monkey "
|
||||
"authenticated over the SSH"
|
||||
" protocol with user {2} and its "
|
||||
"password.".format(issue["machine"], issue["ip_address"], issue["username"]),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
return AWSExporter._build_generic_finding(
|
||||
severity=1,
|
||||
title="Machines are accessible using passwords supplied by the user during the "
|
||||
"Monkey's configuration.",
|
||||
description="Change {0}'s password to a complex one-use password that is not "
|
||||
"shared with other computers on the "
|
||||
"network.".format(issue["username"]),
|
||||
recommendation="The machine {0} ({1}) is vulnerable to a SMB attack. The Monkey "
|
||||
"authenticated over the SMB "
|
||||
"protocol with user {2} and its password.".format(
|
||||
issue["machine"], issue["ip_address"], issue["username"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
def _handle_wmi_password_issue(issue, instance_arn):
|
||||
def _handle_ssh_key_issue(issue, instance_arn):
|
||||
return _build_generic_finding(
|
||||
severity=1,
|
||||
title="Machines are accessible using SSH passwords supplied by the user during "
|
||||
"the Monkey's configuration.",
|
||||
description="Protect {ssh_key} private key with a pass phrase.".format(
|
||||
ssh_key=issue["ssh_key"]
|
||||
),
|
||||
recommendation="The machine {machine} ({ip_address}) is vulnerable to a SSH "
|
||||
"attack. The Monkey authenticated "
|
||||
"over the SSH protocol with private key {ssh_key}.".format(
|
||||
machine=issue["machine"], ip_address=issue["ip_address"], ssh_key=issue["ssh_key"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
return AWSExporter._build_generic_finding(
|
||||
severity=1,
|
||||
title="Machines are accessible using passwords supplied by the user during the "
|
||||
"Monkey's configuration.",
|
||||
description="Change {0}'s password to a complex one-use password that is not "
|
||||
"shared with other computers on the "
|
||||
"network.",
|
||||
recommendation="The machine {machine} ({ip_address}) is vulnerable to a WMI "
|
||||
"attack. The Monkey authenticated over "
|
||||
"the WMI protocol with user {username} and its password.".format(
|
||||
machine=issue["machine"], ip_address=issue["ip_address"], username=issue["username"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
def _handle_wmi_pth_issue(issue, instance_arn):
|
||||
def _handle_island_cross_segment_issue(issue, instance_arn):
|
||||
return _build_generic_finding(
|
||||
severity=1,
|
||||
title="Weak segmentation - Machines from different segments are able to " "communicate.",
|
||||
description="Segment your network and make sure there is no communication between "
|
||||
"machines from different "
|
||||
"segments.",
|
||||
recommendation="The network can probably be segmented. A monkey instance on \
|
||||
{0} in the networks {1} \
|
||||
could directly access the Monkey Island server in the networks {2}.".format(
|
||||
issue["machine"], issue["networks"], issue["server_networks"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
return AWSExporter._build_generic_finding(
|
||||
severity=1,
|
||||
title="Machines are accessible using passwords supplied by the user during the "
|
||||
"Monkey's configuration.",
|
||||
description="Change {0}'s password to a complex one-use password that is not "
|
||||
"shared with other computers on the "
|
||||
"network.".format(issue["username"]),
|
||||
recommendation="The machine {machine} ({ip_address}) is vulnerable to a WMI "
|
||||
"attack. The Monkey used a "
|
||||
"pass-the-hash attack over WMI protocol with user {username}".format(
|
||||
machine=issue["machine"], ip_address=issue["ip_address"], username=issue["username"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
def _handle_shared_passwords_domain_issue(issue, instance_arn):
|
||||
def _handle_shared_passwords_issue(issue, instance_arn):
|
||||
return _build_generic_finding(
|
||||
severity=1,
|
||||
title="Multiple users have the same password",
|
||||
description="Some users are sharing passwords, this should be fixed by changing "
|
||||
"passwords.",
|
||||
recommendation="These users are sharing access password: {0}.".format(issue["shared_with"]),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
return AWSExporter._build_generic_finding(
|
||||
severity=1,
|
||||
title="Multiple users have the same password.",
|
||||
description="Some domain users are sharing passwords, this should be fixed by "
|
||||
"changing passwords.",
|
||||
recommendation="These users are sharing access password: {shared_with}.".format(
|
||||
shared_with=issue["shared_with"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
def _handle_shared_admins_domain_issue(issue, instance_arn):
|
||||
def _handle_smb_password_issue(issue, instance_arn):
|
||||
return _build_generic_finding(
|
||||
severity=1,
|
||||
title="Machines are accessible using passwords supplied by the user during the "
|
||||
"Monkey's configuration.",
|
||||
description="Change {0}'s password to a complex one-use password that is not "
|
||||
"shared with other computers on the "
|
||||
"network.".format(issue["username"]),
|
||||
recommendation="The machine {0} ({1}) is vulnerable to a SMB attack. The Monkey "
|
||||
"authenticated over the SMB "
|
||||
"protocol with user {2} and its password.".format(
|
||||
issue["machine"], issue["ip_address"], issue["username"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
return AWSExporter._build_generic_finding(
|
||||
severity=1,
|
||||
title="Shared local administrator account - Different machines have the same "
|
||||
"account as a local administrator.",
|
||||
description="Make sure the right administrator accounts are managing the right "
|
||||
"machines, and that there isn't "
|
||||
"an unintentional local admin sharing.",
|
||||
recommendation="Here is a list of machines which the account {username} is "
|
||||
"defined as an administrator: "
|
||||
"{shared_machines}".format(
|
||||
username=issue["username"], shared_machines=issue["shared_machines"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
def _handle_strong_users_on_crit_issue(issue, instance_arn):
|
||||
def _handle_wmi_password_issue(issue, instance_arn):
|
||||
return _build_generic_finding(
|
||||
severity=1,
|
||||
title="Machines are accessible using passwords supplied by the user during the "
|
||||
"Monkey's configuration.",
|
||||
description="Change {0}'s password to a complex one-use password that is not "
|
||||
"shared with other computers on the "
|
||||
"network.",
|
||||
recommendation="The machine {machine} ({ip_address}) is vulnerable to a WMI "
|
||||
"attack. The Monkey authenticated over "
|
||||
"the WMI protocol with user {username} and its password.".format(
|
||||
machine=issue["machine"], ip_address=issue["ip_address"], username=issue["username"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
return AWSExporter._build_generic_finding(
|
||||
severity=1,
|
||||
title="Mimikatz found login credentials of a user who has admin access to a "
|
||||
"server defined as critical.",
|
||||
description="This critical machine is open to attacks via strong users with "
|
||||
"access to it.",
|
||||
recommendation="The services: {services} have been found on the machine thus "
|
||||
"classifying it as a critical "
|
||||
"machine. These users has access to it:{threatening_users}.".format(
|
||||
services=issue["services"], threatening_users=issue["threatening_users"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
def _handle_hadoop_issue(issue, instance_arn):
|
||||
def _handle_wmi_pth_issue(issue, instance_arn):
|
||||
return _build_generic_finding(
|
||||
severity=1,
|
||||
title="Machines are accessible using passwords supplied by the user during the "
|
||||
"Monkey's configuration.",
|
||||
description="Change {0}'s password to a complex one-use password that is not "
|
||||
"shared with other computers on the "
|
||||
"network.".format(issue["username"]),
|
||||
recommendation="The machine {machine} ({ip_address}) is vulnerable to a WMI "
|
||||
"attack. The Monkey used a "
|
||||
"pass-the-hash attack over WMI protocol with user {username}".format(
|
||||
machine=issue["machine"], ip_address=issue["ip_address"], username=issue["username"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
return AWSExporter._build_generic_finding(
|
||||
severity=10,
|
||||
title="Hadoop/Yarn servers are vulnerable to remote code execution.",
|
||||
description="Run Hadoop in secure mode, add Kerberos authentication.",
|
||||
recommendation="The Hadoop server at {machine} ({ip_address}) is vulnerable to "
|
||||
"remote code execution attack."
|
||||
"The attack was made possible due to default Hadoop/Yarn "
|
||||
"configuration being insecure.",
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
def _handle_shared_passwords_domain_issue(issue, instance_arn):
|
||||
return _build_generic_finding(
|
||||
severity=1,
|
||||
title="Multiple users have the same password.",
|
||||
description="Some domain users are sharing passwords, this should be fixed by "
|
||||
"changing passwords.",
|
||||
recommendation="These users are sharing access password: {shared_with}.".format(
|
||||
shared_with=issue["shared_with"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
|
||||
def _handle_shared_admins_domain_issue(issue, instance_arn):
|
||||
return _build_generic_finding(
|
||||
severity=1,
|
||||
title="Shared local administrator account - Different machines have the same "
|
||||
"account as a local administrator.",
|
||||
description="Make sure the right administrator accounts are managing the right "
|
||||
"machines, and that there isn't "
|
||||
"an unintentional local admin sharing.",
|
||||
recommendation="Here is a list of machines which the account {username} is "
|
||||
"defined as an administrator: "
|
||||
"{shared_machines}".format(
|
||||
username=issue["username"], shared_machines=issue["shared_machines"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
|
||||
def _handle_strong_users_on_crit_issue(issue, instance_arn):
|
||||
return _build_generic_finding(
|
||||
severity=1,
|
||||
title="Mimikatz found login credentials of a user who has admin access to a "
|
||||
"server defined as critical.",
|
||||
description="This critical machine is open to attacks via strong users with "
|
||||
"access to it.",
|
||||
recommendation="The services: {services} have been found on the machine thus "
|
||||
"classifying it as a critical "
|
||||
"machine. These users has access to it:{threatening_users}.".format(
|
||||
services=issue["services"], threatening_users=issue["threatening_users"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
|
||||
def _handle_hadoop_issue(issue, instance_arn):
|
||||
return _build_generic_finding(
|
||||
severity=10,
|
||||
title="Hadoop/Yarn servers are vulnerable to remote code execution.",
|
||||
description="Run Hadoop in secure mode, add Kerberos authentication.",
|
||||
recommendation="The Hadoop server at {machine} ({ip_address}) is vulnerable to "
|
||||
"remote code execution attack."
|
||||
"The attack was made possible due to default Hadoop/Yarn "
|
||||
"configuration being insecure.",
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
|
|
@ -26,7 +26,6 @@ from monkey_island.cc.services.reporting.exploitations.monkey_exploitation impor
|
|||
get_monkey_exploited,
|
||||
)
|
||||
from monkey_island.cc.services.reporting.pth_report import PTHReportService
|
||||
from monkey_island.cc.services.reporting.report_exporter_manager import ReportExporterManager
|
||||
from monkey_island.cc.services.reporting.report_generation_synchronisation import (
|
||||
safe_generate_regular_report,
|
||||
)
|
||||
|
@ -36,6 +35,8 @@ from monkey_island.cc.services.reporting.stolen_credentials import (
|
|||
)
|
||||
from monkey_island.cc.services.utils.network_utils import get_subnets, local_ip_addresses
|
||||
|
||||
from .. import AWSService
|
||||
from . import aws_exporter
|
||||
from .issue_processing.exploit_processing.exploiter_descriptor_enum import ExploiterDescriptorEnum
|
||||
from .issue_processing.exploit_processing.processors.cred_exploit import CredentialType
|
||||
from .issue_processing.exploit_processing.processors.exploit import ExploiterReportInfo
|
||||
|
@ -44,11 +45,18 @@ logger = logging.getLogger(__name__)
|
|||
|
||||
|
||||
class ReportService:
|
||||
|
||||
_aws_service = None
|
||||
|
||||
class DerivedIssueEnum:
|
||||
WEAK_PASSWORD = "weak_password"
|
||||
STOLEN_CREDS = "stolen_creds"
|
||||
ZEROLOGON_PASS_RESTORE_FAILED = "zerologon_pass_restore_failed"
|
||||
|
||||
@classmethod
|
||||
def initialize(cls, aws_service: AWSService):
|
||||
cls._aws_service = aws_service
|
||||
|
||||
@staticmethod
|
||||
def get_first_monkey_time():
|
||||
return (
|
||||
|
@ -488,8 +496,8 @@ class ReportService:
|
|||
"recommendations": {"issues": issues, "domain_issues": domain_issues},
|
||||
"meta_info": {"latest_monkey_modifytime": monkey_latest_modify_time},
|
||||
}
|
||||
ReportExporterManager().export(report)
|
||||
save_report(report)
|
||||
aws_exporter.handle_report(report, ReportService._aws_service.island_aws_instance())
|
||||
return report
|
||||
|
||||
@staticmethod
|
||||
|
|
Loading…
Reference in New Issue