From f2e6600d8854a763bae04513601c28b6eabf1f65 Mon Sep 17 00:00:00 2001
From: Itay Mizeretz
Date: Tue, 14 Nov 2017 14:48:36 +0200
Subject: [PATCH] Add Stolen Passwords section
Add example of every security issue (both overview and recommendation sections)
Add 'Generating Report' waiting text
---
 .../cc/ui/src/components/pages/ReportPage.js | 266 +++++++++++++-----
 .../report-components/StolenPasswords.js | 34 +++
 2 files changed, 222 insertions(+), 78 deletions(-)
 create mode 100644 monkey_island/cc/ui/src/components/report-components/StolenPasswords.js
diff --git a/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey_island/cc/ui/src/components/pages/ReportPage.js
index 81aceeaac..b5e808e0e 100644
--- a/monkey_island/cc/ui/src/components/pages/ReportPage.js
+++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js
@@ -4,11 +4,18 @@ import BreachedServers from 'components/report-components/BreachedServers';
 import ScannedServers from 'components/report-components/ScannedServers';
 import {ReactiveGraph} from 'components/reactive-graph/ReactiveGraph';
 import {options, edgeGroupToColor} from 'components/map/MapOptions';
+import StolenPasswords from 'components/report-components/StolenPasswords';
 class ReportPageComponent extends React.Component {
 constructor(props) {
 super(props);
-
+ this.stolen_passwords =
+ [
+ {username: 'admin', password: 'secretpassword', type: 'password', origin: 'Monkey-SMB'},
+ {username: 'user', password: 'my_password', type: 'password', origin: 'Monkey-SMB2'},
+ {username: 'dan', password: '066DDFD4EF0E9CD7C256FE77191EF43C', type: 'NTLM', origin: 'Monkey-RDP'},
+ {username: 'joe', password: 'FDA95FBECA288D44AAD3B435B51404EE', type: 'LM', origin: 'Monkey-RDP'}
+ ];
 this.state = {
 report: {},
 graph: {nodes: [], edges: []}
@@ -48,89 +55,192 @@ class ReportPageComponent extends React.Component {
 }
 render() {
+ let content;
+
 if (Object.keys(this.state.report).length === 0) {
- return (
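Review bot: The sample credentials assigned to `this.stolen_passwords` in the constructor carry no marker that they are placeholders, while every other placeholder in this file is tagged with a `{/* TODO: Replace ... with data */}` comment; add `// TODO: Replace example data with the credentials collected in the report` above the assignment so the fixture is not mistaken for real wiring. The field name is snake_case in a file that otherwise uses camelCase (`edgeGroupToColor`, `ReportPageComponent`), so `stolenPasswords` would fit better, and since the values never change after construction a module-level `const` outside the class would keep them off the instance. The fixture ships plaintext passwords and NTLM/LM-format hash strings in the client bundle, so keeping every entry obviously synthetic (as `secretpassword` and `my_password` already are) matters most for the two hash rows, which a reader cannot tell apart from collected ones. The constructor's closing brace is outside the hunk.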
); + content = (

Generating Report...

); + } else { + content = + ( +
+
+

+ Overview +

+

+ {/* TODO: Replace 01/02/2017 21:45, 23:12 with data */} + The monkey run was started on 01/02/2017 21:45. After 23:12 minutes, all monkeys finished propagation attempts. +

+

+ From the attacker's point of view, the network looks like this: +

+
+ +
+
+ {/* TODO: Replace 3 with data */} + During this simulated attack the Monkey uncovered 6 issues, detailed below. The security issues uncovered included: +
    + {/* TODO: Replace lis with data */} +
  • Weak user/passwords combinations.
  • +
  • Stolen passwords/hashes used to exploit other machines.
  • +
  • Elastic Search servers not patched for CVE-2015-1427 bug.
  • +
  • Samba servers not patched for ‘SambaCry’ bug.
  • +
  • Machines not patched for the ‘Shellshock’ bug.
  • +
  • Machines not patched for the ‘Conficker’ bug.
  • +
+
+
+ In addition, the monkey uncovered the following possible set of issues: +
    + {/* TODO: Replace lis with data */} +
  • Machines freely accessed the Monkey Island despite being on different networks.
  • +
  • Machines are not locked down at port level, tunnels between network segments were setup successfully.
  • +
+
+

+ A full report of the Monkeys activities follows. +

+
+
+

+ Network Overview +

+

+ {/* TODO: Replace 6,2 with data */} + During the current run, the Monkey discovered 6 machines and successfully breached 2 of them. + In addition, it attempted to exploit the rest, any security software installed in the network should have picked up the attack attempts and logged them. +

+
+ Detailed recommendations in the next part of the report. +

Breached Servers

+ +
+
+

Scanned Servers

+ + {/* TODO: Add table of scanned servers */} +
+
+
+

+ Stolen Credentials +

+ +
+
+

+ Recommendations +

+
+
+

Issue #1

+

+ The machine Monkey-SMB with the following IP addresses 192.168.0.1 10.0.0.18 was vulnerable to a SMB attack. +
+ The attack succeeded by authenticating over SMB protocol with user Administrator and its password. +

+
+
+

Issue #2

+

+ The machine Monkey-SMB2 with the following IP address 192.168.0.2 was vulnerable to a SMB attack. +
+ The attack succeeded by using a pass-the-hash attack over SMB protocol with user temp. +

+
+
+

Issue #3

+

+ The machine Monkey-WMI with the following IP address 192.168.0.3 was vulnerable to a WMI attack. +
+ The attack succeeded by authenticating over WMI protocol with user Administrator and its password. +

+
+
+

Issue #4

+

+ The machine Monkey-WMI2 with the following IP address 192.168.0.4 was vulnerable to a WMI attack. +
+ The attack succeeded by using a pass-the-hash attack over WMI protocol with user Administrator. +

+
+
+

Issue #5

+

+ The machine Monkey-SSH with the following IP address 192.168.0.5 was vulnerable to a SSH attack. +
+ The attack succeeded by authenticating over SSH protocol with user user and its password. +

+
+
+

Issue #6

+

+ The machine Monkey-RDP with the following IP address 192.168.0.6 was vulnerable to a RDP attack. +
+ The attack succeeded by authenticating over RDP protocol with user Administrator and its password. +

+
+
+

Issue #7

+

+ The machine Monkey-SambaCry with the following IP address 192.168.0.7 was vulnerable to a SambaCry attack. +
+ The attack succeeded by authenticating over SMB protocol with user user and its password, and by using the SambaCry vulnerability. +

+
+
+

Issue #8

+

+ The machine Monkey-Elastic with the following IP address 192.168.0.8 was vulnerable to an Elastic Groovy attack. +
+ The attack succeeded because the Elastic Search server was not parched against the CVE-2015-1427 bug. +

+
+
+

Issue #9

+

+ The machine Monkey-Shellshock with the following IP address 192.168.0.9 was vulnerable to a ShellShock attack. +
+ The attack succeeded because the HTTP server running on port 8080 was vulnerable to a shell injection attack on the paths: /cgi/backserver.cgi /cgi/login.cgi. +

+
+
+

Issue #10

+

+ The machine Monkey-Conficker with the following IP address 192.168.0.10 was vulnerable to a Conficker attack. +
+ The attack succeeded because the target machine uses an outdated and unpatched operating system. +

+
+
+

Issue #11

+

+ The network can probably be segmented. A monkey instance on Monkey-SMB in the 192.168.0.0/24 network could directly access the Monkey Island C&C server in the 172.168.0.0/24 network. +

+
+
+

Issue #12

+

+ The network can probably be segmented. A monkey instance on Monkey-SSH in the 192.168.0.0/24 network could directly access the Monkey Island C&C server in the 172.168.0.0/24 network. +

+
+
+

Issue #13

+

+ Machines are not locked down at port level. Network tunnel was set up from Monkey-SSH to Monkey-SambaCry. +

+
+
+
+
+ ); } return (

4. Security Report

-
-

- Overview -

-

- {/* TODO: Replace 01/02/2017 21:45, 23:12 with data */} - The monkey run was started on 01/02/2017 21:45. After 23:12 minutes, all monkeys finished propagation attempts. -

-

- From the attacker's point of view, the network looks like this: -

-
- -
-
- {/* TODO: Replace 3 with data */} - During this simulated attack the Monkey uncovered 3 issues, detailed below. The security issues uncovered included: -
    - {/* TODO: Replace lis with data */} -
  • Weak user/passwords combinations
  • -
  • Machines not patched for the ‘Shellshock’ bug
  • -
-
-
- In addition, the monkey uncovered the following possible set of issues: -
    - {/* TODO: Replace lis with data */} -
  • Machines from another segment accessed the Monkey Island
  • -
  • Network tunnels were created successfully
  • -
-
-

- A full report of the Monkeys activities follows. -

-
-
-

- Network Overview -

-

- {/* TODO: Replace 6,2 with data */} - During the current run, the Monkey discovered 6 machines and successfully breached 2 of them. - In addition, it attempted to exploit the rest, any security software installed in the network should have picked up the attack attempts and logged them. -

-
- Detailed recommendations in the next part of the report. -

Breached Servers

- -
-
-

Scanned Servers

- - {/* TODO: Add table of scanned servers */} -
-
-
-

- Recommendations -

-
-
-

Issue #1

-

- The machine Monkey-SMB with the following IP addresses 192.168.0.1 10.0.0.18 was vulnerable to a SmbExploiter attack. - The attack succeeded because weak/stolen password was used over SMB protocol. -

-
-
-

Issue #2

-

- The network can probably be segmented. A monkey instance on Monkey-SMB in the 192.168.0.0/24 network could directly access the Monkey Island C&C server in the 172.168.0.0/24 network. -

-
-
- {/* TODO: Entire part */} -
+ {content}
);
diff --git a/monkey_island/cc/ui/src/components/report-components/StolenPasswords.js b/monkey_island/cc/ui/src/components/report-components/StolenPasswords.js
new file mode 100644
index 000000000..c34d51bed
--- /dev/null
+++ b/monkey_island/cc/ui/src/components/report-components/StolenPasswords.js
@@ -0,0 +1,34 @@
+import React from 'react';
+import ReactTable from 'react-table'
+
+const columns = [
+ { Header: 'Username', accessor: 'username'},
+ { Header: 'Password/Hash', accessor: 'password'},
+ { Header: 'Type', accessor: 'type'},
+ { Header: 'Origin', accessor: 'origin'}
+];
+
+const pageSize = 10;
+
+class StolenPasswordsComponent extends React.Component {
+ constructor(props) {
+ super(props);
+ }
+
+ render() {
+ let defaultPageSize = this.props.data.length > pageSize ? pageSize : this.props.data.length;
+ let showPagination = this.props.data.length > pageSize;
+ return (
+
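Review bot: The placeholder marker above the issue count is now stale: the new side keeps `{/* TODO: Replace 3 with data */}` while the sentence it annotates says the Monkey uncovered 6 issues, so it should read `{/* TODO: Replace 6 with data */}` or, better, name the value to substitute instead of its current number. Two wording fixes in the same hunk: Issue #8's "was not parched against the CVE-2015-1427 bug" should read "patched", and "A full report of the Monkeys activities follows" wants "Monkey's". Every machine name, address, credential and issue in this block is hard-coded example text, and the Stolen Credentials section and the thirteen Issue sections carry no TODO at all; a single `{/* TODO: all sections below are sample data until the report schema is wired in */}` at the top of `content` would state that once rather than relying on the scattered per-section markers. render() starts inside the hunk but its closing brace lies outside it.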
+ +
+ ); + } +} + +export default StolenPasswordsComponent;