p20319658
/
monkey
forked from p34709852/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #1655 from guardicore/1648-remove-mysql-fingerprinter 

1648 remove mysql fingerprinter
This commit is contained in:
Mike Salvatore 2021-12-14 09:58:41 -05:00 committed by GitHub
parent 7b2756bab0 beb74ef060
commit 6cd481637d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 2 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -36,6 +36,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
- MITRE ATT&CK configuration screen. #1532
- Propagation credentials from "GET /api/monkey/<string:guid>" endpoint. #1538
- "GET /api/monkey_control/check_remote_port/<string:port>" endpoint. #1635
- MySQL fingerprinter. #1648
### Fixed
- A bug in network map page that caused delay of telemetry log loading. #1545

4
docs/content/reference/scanners/_index.md
View File

@ -29,8 +29,7 @@ The currently implemented Fingerprint modules are:
2. [`SSHFinger`][ssh-finger] - Fingerprints target machines over SSH (port 22) and extracts the computer version and SSH banner.
3. [`PingScanner`][ping-scanner] - Fingerprints target machine's TTL to differentiate between Linux and Windows hosts.
4. [`HTTPFinger`][http-finger] - Detects HTTP/HTTPS services, using the ports listed in `HTTP_PORTS` in the configuration, will return the server type and if it supports SSL.
5. [`MySQLFinger`][mysql-finger] - Fingerprints MySQL (port 3306) and will extract MySQL banner info - version, major/minor/build and capabilities.
6. [`ElasticFinger`][elastic-finger] - Fingerprints ElasticSearch (port 9200) will extract the cluster name, node name and node version.
5. [`ElasticFinger`][elastic-finger] - Fingerprints ElasticSearch (port 9200) and will extract the cluster name, node name and node version.
## Adding a scanner/fingerprinter
@ -44,7 +43,6 @@ At this point, the Infection Monkey knows how to use the new scanner/fingerprint
[http-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/httpfinger.py
[host-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/__init__.py
[host-scanner]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/__init__.py
[mysql-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/mysqlfinger.py
[ping-scanner]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/ping_scanner.py
[smb-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/smbfinger.py
[ssh-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/sshfinger.py

1
monkey/infection_monkey/example.conf
View File

@ -38,7 +38,6 @@
"SSHFinger",
"HTTPFinger",
"SMBFinger",
"MySQLFinger",
"MSSQLFingerprint",
"ElasticFinger"
],

85
monkey/infection_monkey/network/mysqlfinger.py
View File

@ -1,85 +0,0 @@
import logging
import socket
import infection_monkey.config
from infection_monkey.network.HostFinger import HostFinger
from infection_monkey.network.tools import struct_unpack_tracker, struct_unpack_tracker_string
MYSQL_PORT = 3306
SQL_SERVICE = "mysqld-3306"
logger = logging.getLogger(__name__)
class MySQLFinger(HostFinger):
"""
Fingerprints mysql databases, only on port 3306
"""
_SCANNED_SERVICE = "MySQL"
SOCKET_TIMEOUT = 0.5
HEADER_SIZE = 4 # in bytes
def __init__(self):
self._config = infection_monkey.config.WormConfiguration
def get_host_fingerprint(self, host):
"""
Returns mySQLd data using the host header
:param host:
:return: Success/failure, data is saved in the host struct
"""
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(self.SOCKET_TIMEOUT)
try:
s.connect((host.ip_addr, MYSQL_PORT))
header = s.recv(self.HEADER_SIZE) # max header size?
response, curpos = struct_unpack_tracker(header, 0, "I")
response = response[0]
response_length = response & 0xFF # first byte is significant
data = s.recv(response_length)
# now we can start parsing
protocol, curpos = struct_unpack_tracker(data, 0, "B")
protocol = protocol[0]
if protocol == 0xFF:
# error code, bug out
logger.debug("Mysql server returned error")
return False
version, curpos = struct_unpack_tracker_string(
data, curpos
) # special coded to solve string parsing
version = version[0].decode()
self.init_service(host.services, SQL_SERVICE, MYSQL_PORT)
host.services[SQL_SERVICE]["version"] = version
version = version.split("-")[0].split(".")
host.services[SQL_SERVICE]["major_version"] = version[0]
host.services[SQL_SERVICE]["minor_version"] = version[1]
host.services[SQL_SERVICE]["build_version"] = version[2]
thread_id, curpos = struct_unpack_tracker(data, curpos, "<I") # ignore thread id
# protocol parsing taken from
# https://nmap.org/nsedoc/scripts/mysql-info.html
if protocol == 10:
# new protocol
self._parse_protocol_10(curpos, data, host)
return True
if protocol == 9:
return True
s.close()
except Exception as err:
logger.debug("Error getting mysql fingerprint: %s", err)
return False
def _parse_protocol_10(self, curpos, data, host):
salt, curpos = struct_unpack_tracker(data, curpos, "s8B")
capabilities, curpos = struct_unpack_tracker(data, curpos, "<H")
host.services[SQL_SERVICE]["capabilities"] = capabilities[0]
charset, curpos = struct_unpack_tracker(data, curpos, "B")
status, curpos = struct_unpack_tracker(data, curpos, "<H")
extcapabilities, curpos = struct_unpack_tracker(data, curpos, "<H")
host.services[SQL_SERVICE]["extcapabilities"] = extcapabilities[0]
# there's more data but it doesn't matter

8
monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py
View File

@ -27,14 +27,6 @@ FINGER_CLASSES = {
"safe": True,
"info": "Checks if host has HTTP/HTTPS ports open.",
},
{
"type": "string",
"enum": ["MySQLFinger"],
"title": "MySQL Fingerprinter",
"safe": True,
"info": "Checks if MySQL server is running and tries to get it's version.",
"attack_techniques": ["T1210"],
},
{
"type": "string",
"enum": ["MSSQLFinger"],

1
monkey/monkey_island/cc/services/config_schema/internal.py
View File

@ -166,7 +166,6 @@ INTERNAL = {
"SMBFinger",
"SSHFinger",
"HTTPFinger",
"MySQLFinger",
"MSSQLFinger",
"ElasticFinger",
],

1
monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
View File

@ -101,7 +101,6 @@
"SMBFinger",
"SSHFinger",
"HTTPFinger",
"MySQLFinger",
"MSSQLFinger",
"ElasticFinger"
]

4
vulture_allowlist.py
View File

@ -89,7 +89,6 @@ _.do_GET # unused method (monkey/infection_monkey/exploit/weblogic.py:237)
PowerShellExploiter # (monkey\infection_monkey\exploit\powershell.py:27)
ElasticFinger # unused class (monkey/infection_monkey/network/elasticfinger.py:18)
HTTPFinger # unused class (monkey/infection_monkey/network/httpfinger.py:9)
MySQLFinger # unused class (monkey/infection_monkey/network/mysqlfinger.py:13)
SSHFinger # unused class (monkey/infection_monkey/network/sshfinger.py:15)
ClearCommandHistory # unused class (monkey/infection_monkey/post_breach/actions/clear_command_history.py:11)
AccountDiscovery # unused class (monkey/infection_monkey/post_breach/actions/discover_accounts.py:8)
@ -187,9 +186,6 @@ WINDOWS_PBA_TYPE # unused variable (monkey/monkey_island/cc/resources/pba_file_
WINDOWS_TTL # unused variable (monkey/infection_monkey/network/ping_scanner.py:17)
wlist # unused variable (monkey/infection_monkey/transport/tcp.py:28)
wlist # unused variable (monkey/infection_monkey/transport/http.py:176)
charset # unused variable (monkey/infection_monkey/network/mysqlfinger.py:81)
salt # unused variable (monkey/infection_monkey/network/mysqlfinger.py:78)
thread_id # unused variable (monkey/infection_monkey/network/mysqlfinger.py:61)
# leaving this since there's a TODO related to it