From 93fee0d2c528e8bc450ce3ef95f991ae2b6aec5a Mon Sep 17 00:00:00 2001 From: Daniel Goldberg Date: Sun, 25 Mar 2018 11:27:57 +0300 Subject: [PATCH] Add Azure password stealing to the report. --- infection_monkey/system_info/__init__.py | 2 + monkey_island/cc/services/report.py | 41 ++++++++++++++++++- .../cc/ui/src/components/pages/ReportPage.js | 28 ++++++++++++- 3 files changed, 68 insertions(+), 3 deletions(-) diff --git a/infection_monkey/system_info/__init__.py b/infection_monkey/system_info/__init__.py index 0d2828d88..52848673a 100644 --- a/infection_monkey/system_info/__init__.py +++ b/infection_monkey/system_info/__init__.py @@ -126,5 +126,7 @@ class InfoCollector(object): # we might be losing passwords in case of multiple reset attempts on same username # or in case another collector already filled in a password for this user self.info["credentials"][username]['Password'] = password + self.info["credentials"][username]['Azure'] = True + if len(azure_creds) != 0: self.info["Azure"] = True diff --git a/monkey_island/cc/services/report.py b/monkey_island/cc/services/report.py index cbef9d973..2b9e2eccc 100644 --- a/monkey_island/cc/services/report.py +++ b/monkey_island/cc/services/report.py @@ -33,6 +33,7 @@ class ReportService: SAMBACRY = 3 SHELLSHOCK = 4 CONFICKER = 5 + AZURE = 6 class WARNINGS_DICT(Enum): CROSS_SEGMENT = 0 @@ -71,6 +72,19 @@ class ReportService: } for tunnel in mongo.db.monkey.find({'tunnel': {'$exists': True}}, {'tunnel': 1})] + @staticmethod + def get_azure_issues(): + creds = ReportService.get_azure_creds() + machines = set([instance['origin'] for instance in creds]) + + return [ + { + 'type': 'azure_password', + 'machine': machine, + 'users': set([instance['username'] for instance in creds if instance['origin']==machine]) + } + for machine in machines] + @staticmethod def get_scanned(): nodes = \ @@ -135,6 +149,26 @@ class ReportService: ) return creds + @staticmethod + def get_azure_creds(): + """ + Recover all credentials marked as being from an Azure machine + :return: List of credentials. + """ + creds = [] + for telem in mongo.db.telemetry.find( + {'telem_type': 'system_info_collection', 'data.Azure': {'$exists': True}}, + {'data.credentials': 1, 'monkey_guid': 1} + ): + monkey_creds = telem['data']['credentials'] + if len(monkey_creds) == 0: + continue + origin = NodeService.get_monkey_by_guid(telem['monkey_guid'])['hostname'] + new_creds = [{'username': user.replace(',', '.'), 'type': 'Clear Password', + 'origin': origin} for user in monkey_creds if 'Azure' in user] + creds.extend(new_creds) + return creds + @staticmethod def process_general_exploit(exploit): ip_addr = exploit['data']['machine']['ip_addr'] @@ -277,7 +311,7 @@ class ReportService: @staticmethod def get_issues(): - issues = ReportService.get_exploits() + ReportService.get_tunnels() + ReportService.get_cross_segment_issues() + issues = ReportService.get_exploits() + ReportService.get_tunnels() + ReportService.get_cross_segment_issues() + ReportService.get_azure_issues() issues_dict = {} for issue in issues: machine = issue['machine'] @@ -337,6 +371,8 @@ class ReportService: issues_byte_array[ReportService.ISSUES_DICT.SHELLSHOCK.value] = True elif issue['type'] == 'conficker': issues_byte_array[ReportService.ISSUES_DICT.CONFICKER.value] = True + elif issue['type'] == 'azure_password': + issues_byte_array[ReportService.ISSUES_DICT.AZURE.value] = True elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \ issue['username'] in config_users: issues_byte_array[ReportService.ISSUES_DICT.WEAK_PASSWORD.value] = True @@ -397,7 +433,8 @@ class ReportService: { 'scanned': ReportService.get_scanned(), 'exploited': ReportService.get_exploited(), - 'stolen_creds': ReportService.get_stolen_creds() + 'stolen_creds': ReportService.get_stolen_creds(), + 'azure_passwords': ReportService.get_azure_creds(), }, 'recommendations': { diff --git a/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey_island/cc/ui/src/components/pages/ReportPage.js index 56c2c3881..2a13e46dd 100644 --- a/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -21,7 +21,8 @@ class ReportPageComponent extends AuthComponent { ELASTIC: 2, SAMBACRY: 3, SHELLSHOCK: 4, - CONFICKER: 5 + CONFICKER: 5, + AZURE: 6 }; Warning = @@ -313,6 +314,11 @@ class ReportPageComponent extends AuthComponent { {this.state.report.overview.issues[this.Issue.WEAK_PASSWORD] ?
  • Machines are accessible using passwords supplied by the user during the Monkey’s configuration.
  • : null} + {this.state.report.overview.issues[this.Issue.AZURE] ? +
  • Machines contained plain text passwords accessible to attackers. For more info see Harvesting Azure Passwords.
  • : null} + : @@ -587,6 +593,21 @@ class ReportPageComponent extends AuthComponent { ); } + generateAzureIssue(issue) { + return ( +
  • + Azure VM Access configuration files should be deleted after use to avoid credential leakage. + + VM Access plugin configuration files were left on the machine. Credentials could be stolen from {issue.machine} for the following users{issue.users}. Read more about the security issue and remediation here. + +
  • + ); + } + generateConfickerIssue(issue) { return (
  • @@ -631,6 +652,8 @@ class ReportPageComponent extends AuthComponent { ); } + + generateIssue = (issue) => { let data; switch (issue.type) { @@ -670,6 +693,9 @@ class ReportPageComponent extends AuthComponent { case 'tunnel': data = this.generateTunnelIssue(issue); break; + case 'azure_password': + data = this.generateAzureIssue(issue); + break; } return data; };