p20319658
/
monkey
forked from p34709852/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #354 from VakarisZ/attack_private_keys 

T1145 Private Keys
This commit is contained in:
Itay Mizeretz 2019-07-07 16:04:56 +03:00 committed by GitHub
parent 9ac23731c7 efcb8669bd
commit 45bda21fc8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 237 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
monkey/monkey_island/cc/services/attack/attack_report.py
View File

@ -1,6 +1,7 @@
import logging import logging
from monkey_island.cc.models import Monkey from monkey_island.cc.models import Monkey
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086 from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082, T1145
from monkey_island.cc.services.attack.attack_config import AttackConfig from monkey_island.cc.services.attack.attack_config import AttackConfig
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
@ -15,7 +16,9 @@ TECHNIQUES = {'T1210': T1210.T1210,
'T1075': T1075.T1075, 'T1075': T1075.T1075,
'T1003': T1003.T1003, 'T1003': T1003.T1003,
'T1059': T1059.T1059, 'T1059': T1059.T1059,
'T1086': T1086.T1086} 'T1086': T1086.T1086,
'T1082': T1082.T1082,
'T1145': T1145.T1145}
REPORT_NAME = 'new_report' REPORT_NAME = 'new_report'

25
monkey/monkey_island/cc/services/attack/attack_schema.py
View File

@ -67,6 +67,16 @@ SCHEMA = {
"information, normally in the form of a hash or a clear text password, " "information, normally in the form of a hash or a clear text password, "
"from the operating system and software.", "from the operating system and software.",
"depends_on": ["T1078"] "depends_on": ["T1078"]
},
"T1145": {
"title": "T1145 Private keys",
"type": "bool",
"value": True,
"necessary": False,
"description": "Adversaries may gather private keys from compromised systems for use in "
"authenticating to Remote Services like SSH or for use in decrypting "
"other collected files such as email.",
"depends_on": ["T1110", "T1210"]
} }
} }
}, },
@ -106,5 +116,20 @@ SCHEMA = {
} }
} }
}, },
"discovery": {
"title": "Discovery",
"type": "object",
"properties": {
"T1082": {
"title": "T1082 System information discovery",
"type": "bool",
"value": True,
"necessary": False,
"description": "An adversary may attempt to get detailed information about the "
"operating system and hardware, including version, patches, hotfixes, "
"service packs, and architecture."
}
}
},
} }
} }

47
monkey/monkey_island/cc/services/attack/technique_reports/T1082.py Normal file
View File

@ -0,0 +1,47 @@
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from common.utils.attack_utils import ScanStatus
from monkey_island.cc.database import mongo
__author__ = "VakarisZ"
class T1082(AttackTechnique):
tech_id = "T1082"
unscanned_msg = "Monkey didn't gather any system info on the network."
scanned_msg = ""
used_msg = "Monkey gathered system info from machines in the network."
query = [{'$match': {'telem_category': 'system_info_collection'}},
{'$project': {'machine': {'hostname': '$data.hostname', 'ips': '$data.network_info.networks'},
'aws': '$data.aws',
'netstat': '$data.network_info.netstat',
'process_list': '$data.process_list',
'ssh_info': '$data.ssh_info',
'azure_info': '$data.Azure'}},
{'$project': {'_id': 0,
'machine': 1,
'collections': [
{'used': {'$and': [{'$ifNull': ['$netstat', False]}, {'$gt': ['$aws', {}]}]},
'name': {'$literal': 'Amazon Web Services info'}},
{'used': {'$and': [{'$ifNull': ['$process_list', False]}, {'$gt': ['$process_list', {}]}]},
'name': {'$literal': 'Running process list'}},
{'used': {'$and': [{'$ifNull': ['$netstat', False]}, {'$ne': ['$netstat', []]}]},
'name': {'$literal': 'Network connections'}},
{'used': {'$and': [{'$ifNull': ['$ssh_info', False]}, {'$ne': ['$ssh_info', []]}]},
'name': {'$literal': 'SSH info'}},
{'used': {'$and': [{'$ifNull': ['$azure_info', False]}, {'$ne': ['$azure_info', []]}]},
'name': {'$literal': 'Azure info'}}
]}}]
@staticmethod
def get_report_data():
data = {'title': T1082.technique_title()}
system_info = list(mongo.db.telemetry.aggregate(T1082.query))
data.update({'system_info': system_info})
if system_info:
status = ScanStatus.USED
else:
status = ScanStatus.UNSCANNED
data.update(T1082.get_message_and_status(status))
return data

4
monkey/monkey_island/cc/services/attack/technique_reports/T1110.py
View File

@ -40,11 +40,11 @@ class T1110(AttackTechnique):
status = ScanStatus.SCANNED status = ScanStatus.SCANNED
else: else:
status = ScanStatus.UNSCANNED status = ScanStatus.UNSCANNED
data = T1110.get_message_and_status(status) data = T1110.get_base_data_by_status(status)
# Remove data with no successful brute force attempts # Remove data with no successful brute force attempts
attempts = [attempt for attempt in attempts if attempt['attempts']] attempts = [attempt for attempt in attempts if attempt['attempts']]
data.update({'services': attempts, 'title': T1110.technique_title()}) data.update({'services': attempts})
return data return data
@staticmethod @staticmethod

31
monkey/monkey_island/cc/services/attack/technique_reports/T1145.py Normal file
View File

@ -0,0 +1,31 @@
from monkey_island.cc.database import mongo
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from common.utils.attack_utils import ScanStatus
__author__ = "VakarisZ"
class T1145(AttackTechnique):
tech_id = "T1145"
unscanned_msg = "Monkey didn't find any shh keys."
scanned_msg = ""
used_msg = "Monkey found ssh keys on machines in the network."
# Gets data about ssh keys found
query = [{'$match': {'telem_category': 'system_info_collection',
'data.ssh_info': {'$elemMatch': {'private_key': {'$exists': True}}}}},
{'$project': {'_id': 0,
'machine': {'hostname': '$data.hostname', 'ips': '$data.network_info.networks'},
'ssh_info': '$data.ssh_info'}}]
@staticmethod
def get_report_data():
ssh_info = list(mongo.db.telemetry.aggregate(T1145.query))
if ssh_info:
status = ScanStatus.USED
else:
status = ScanStatus.UNSCANNED
data = T1145.get_base_data_by_status(status)
data.update({'ssh_info': ssh_info})
return data

6
monkey/monkey_island/cc/services/attack/technique_reports/__init__.py
View File

@ -106,3 +106,9 @@ class AttackTechnique(object):
'title': title, 'title': title,
'message': cls.get_message_by_status(status)}) 'message': cls.get_message_by_status(status)})
return data return data
@classmethod
def get_base_data_by_status(cls, status):
data = cls.get_message_and_status(status)
data.update({'title': cls.technique_title()})
return data

3
monkey/monkey_island/cc/services/config_schema.py
View File

@ -54,7 +54,7 @@ SCHEMA = {
"SSHExploiter" "SSHExploiter"
], ],
"title": "SSH Exploiter", "title": "SSH Exploiter",
"attack_techniques": ["T1110"] "attack_techniques": ["T1110", "T1145"]
}, },
{ {
"type": "string", "type": "string",
@ -422,6 +422,7 @@ SCHEMA = {
"title": "Collect system info", "title": "Collect system info",
"type": "boolean", "type": "boolean",
"default": True, "default": True,
"attack_techniques": ["T1082"],
"description": "Determines whether to collect system info" "description": "Determines whether to collect system info"
}, },
"should_use_mimikatz": { "should_use_mimikatz": {

5
monkey/monkey_island/cc/ui/package-lock.json generated
View File

@ -8563,7 +8563,7 @@
"dev": true, "dev": true,
"optional": true, "optional": true,
"requires": { "requires": {
"minimatch": "^3.0.4" "minimatch": "3.0.4"
} }
}, },
"inflight": { "inflight": {
@ -8614,8 +8614,7 @@
"minimist": { "minimist": {
"version": "0.0.8", "version": "0.0.8",
"bundled": true, "bundled": true,
"dev": true, "dev": true
"optional": true
}, },
"minipass": { "minipass": {
"version": "2.2.4", "version": "2.2.4",

12
monkey/monkey_island/cc/ui/src/components/attack/techniques/Helpers.js
View File

@ -4,4 +4,14 @@ export function renderMachine(val){
return ( return (
<span>{val.ip_addr} {(val.domain_name ? " (".concat(val.domain_name, ")") : "")}</span> <span>{val.ip_addr} {(val.domain_name ? " (".concat(val.domain_name, ")") : "")}</span>
) )
}; }
/* Function takes data gathered from system info collector and creates a
string representation of machine from that data. */
export function renderMachineFromSystemData(data) {
let machineStr = data['hostname'] + " ( ";
data['ips'].forEach(function(ipInfo){
machineStr += ipInfo['addr'] + " ";
});
return machineStr + ")"
}

48
monkey/monkey_island/cc/ui/src/components/attack/techniques/T1082.js Normal file
View File

@ -0,0 +1,48 @@
import React from 'react';
import '../../../styles/Collapse.scss'
import ReactTable from "react-table";
import { renderMachineFromSystemData } from "./Helpers"
class T1082 extends React.Component {
constructor(props) {
super(props);
}
static renderCollections(collections){
let output = [];
collections.forEach(function(collection){
if(collection['used']){
output.push(<div key={collection['name']}>{collection['name']}</div>)
}
});
return (<div>{output}</div>);
}
static getSystemInfoColumns() {
return ([{
columns: [
{Header: 'Machine', id: 'machine', accessor: x => renderMachineFromSystemData(x.machine), style: { 'whiteSpace': 'unset' }},
{Header: 'Gathered info', id: 'info', accessor: x => T1082.renderCollections(x.collections), style: { 'whiteSpace': 'unset' }},
]
}])};
render() {
return (
<div>
<div>{this.props.data.message}</div>
<br/>
{this.props.data.status === 'USED' ?
<ReactTable
columns={T1082.getSystemInfoColumns()}
data={this.props.data.system_info}
showPagination={false}
defaultPageSize={this.props.data.system_info.length}
/> : ""}
</div>
);
}
}
export default T1082;

53
monkey/monkey_island/cc/ui/src/components/attack/techniques/T1145.js Normal file
View File

@ -0,0 +1,53 @@
import React from 'react';
import '../../../styles/Collapse.scss'
import ReactTable from "react-table";
import { renderMachineFromSystemData } from "./Helpers"
class T1145 extends React.Component {
constructor(props) {
super(props);
}
static renderSSHKeys(keys){
let output = [];
keys.forEach(function(keyInfo){
output.push(<div key={keyInfo['name']+keyInfo['home_dir']}>
SSH key pair used by <b>{keyInfo['name']}</b> user found in {keyInfo['home_dir']}</div>)
});
return (<div>{output}</div>);
}
static getKeysInfoColumns() {
return ([{
columns: [
{Header: 'Machine',
id: 'machine',
accessor: x => renderMachineFromSystemData(x.machine),
style: { 'whiteSpace': 'unset' }},
{Header: 'Keys found',
id: 'keys',
accessor: x => T1145.renderSSHKeys(x.ssh_info),
style: { 'whiteSpace': 'unset' }},
]
}])};
render() {
return (
<div>
<div>{this.props.data.message}</div>
<br/>
{this.props.data.status === 'USED' ?
<ReactTable
columns={T1145.getKeysInfoColumns()}
data={this.props.data.ssh_info}
showPagination={false}
defaultPageSize={this.props.data.ssh_info.length}
/> : ""}
</div>
);
}
}
export default T1145;

6
monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js
View File

@ -12,6 +12,8 @@ import T1075 from "../attack/techniques/T1075";
import T1003 from "../attack/techniques/T1003"; import T1003 from "../attack/techniques/T1003";
import T1059 from "../attack/techniques/T1059"; import T1059 from "../attack/techniques/T1059";
import T1086 from "../attack/techniques/T1086"; import T1086 from "../attack/techniques/T1086";
import T1082 from "../attack/techniques/T1082";
import T1145 from "../attack/techniques/T1145";
const tech_components = { const tech_components = {
'T1210': T1210, 'T1210': T1210,
@ -20,7 +22,9 @@ const tech_components = {
'T1075': T1075, 'T1075': T1075,
'T1003': T1003, 'T1003': T1003,
'T1059': T1059, 'T1059': T1059,
'T1086': T1086 'T1086': T1086,
'T1082': T1082,
'T1145': T1145
}; };
const classNames = require('classnames'); const classNames = require('classnames');