From cb2ca5be46681d7435f6791abb2eae81a3fe3e1a Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Tue, 14 Dec 2021 14:48:44 +0100
Subject: [PATCH 1/7] Agent: Remove MySQL fingerprinter
---
 monkey/infection_monkey/example.conf | 1 -
 .../infection_monkey/network/mysqlfinger.py | 85 -------------------
 2 files changed, 86 deletions(-)
 delete mode 100644 monkey/infection_monkey/network/mysqlfinger.py
diff --git a/monkey/infection_monkey/example.conf b/monkey/infection_monkey/example.conf
index 42b37ddf4..8468b1422 100644
--- a/monkey/infection_monkey/example.conf
+++ b/monkey/infection_monkey/example.conf
@@ -38,7 +38,6 @@
 "SSHFinger",
 "HTTPFinger",
 "SMBFinger",
- "MySQLFinger",
 "MSSQLFingerprint",
 "ElasticFinger"
 ],
diff --git a/monkey/infection_monkey/network/mysqlfinger.py b/monkey/infection_monkey/network/mysqlfinger.py
deleted file mode 100644
index d0bc14dc6..000000000
--- a/monkey/infection_monkey/network/mysqlfinger.py
+++ /dev/null
@@ -1,85 +0,0 @@ -import logging -import socket - -import infection_monkey.config -from infection_monkey.network.HostFinger import HostFinger -from infection_monkey.network.tools import struct_unpack_tracker, struct_unpack_tracker_string - -MYSQL_PORT = 3306 -SQL_SERVICE = "mysqld-3306" -logger = logging.getLogger(__name__) - - -class MySQLFinger(HostFinger): - """ - Fingerprints mysql databases, only on port 3306 - """ - - _SCANNED_SERVICE = "MySQL" - SOCKET_TIMEOUT = 0.5 - HEADER_SIZE = 4 # in bytes - - def __init__(self): - self._config = infection_monkey.config.WormConfiguration - - def get_host_fingerprint(self, host): - """ - Returns mySQLd data using the host header - :param host: - :return: Success/failure, data is saved in the host struct - """ - s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - s.settimeout(self.SOCKET_TIMEOUT) - - try: - s.connect((host.ip_addr, MYSQL_PORT)) - header = s.recv(self.HEADER_SIZE) # max header size? - - response, curpos = struct_unpack_tracker(header, 0, "I") - response = response[0] - response_length = response & 0xFF # first byte is significant - data = s.recv(response_length) - # now we can start parsing - protocol, curpos = struct_unpack_tracker(data, 0, "B") - protocol = protocol[0] - - if protocol == 0xFF: - # error code, bug out - logger.debug("Mysql server returned error") - return False - - version, curpos = struct_unpack_tracker_string( - data, curpos - ) # special coded to solve string parsing - version = version[0].decode() - self.init_service(host.services, SQL_SERVICE, MYSQL_PORT) - host.services[SQL_SERVICE]["version"] = version - version = version.split("-")[0].split(".") - host.services[SQL_SERVICE]["major_version"] = version[0] - host.services[SQL_SERVICE]["minor_version"] = version[1] - host.services[SQL_SERVICE]["build_version"] = version[2] - thread_id, curpos = struct_unpack_tracker(data, curpos, " Date: Tue, 14 Dec 2021 14:49:45 +0100 Subject: [PATCH 2/7] Island: Remove MySQL fingerprinter from 
config schema
---
 .../services/config_schema/definitions/finger_classes.py | 8 --------
 .../monkey_island/cc/services/config_schema/internal.py | 1 -
 2 files changed, 9 deletions(-)
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py
index 5daa90672..1a983a899 100644
--- a/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py
@@ -27,14 +27,6 @@ FINGER_CLASSES = {
 "safe": True,
 "info": "Checks if host has HTTP/HTTPS ports open.",
 },
- {
- "type": "string",
- "enum": ["MySQLFinger"],
- "title": "MySQL Fingerprinter",
- "safe": True,
- "info": "Checks if MySQL server is running and tries to get it's version.",
- "attack_techniques": ["T1210"],
- },
 {
 "type": "string",
 "enum": ["MSSQLFinger"],
diff --git a/monkey/monkey_island/cc/services/config_schema/internal.py b/monkey/monkey_island/cc/services/config_schema/internal.py
index 92bacf669..5b6f44660 100644
--- a/monkey/monkey_island/cc/services/config_schema/internal.py
+++ b/monkey/monkey_island/cc/services/config_schema/internal.py
@@ -166,7 +166,6 @@ INTERNAL = {
 "SMBFinger",
 "SSHFinger",
 "HTTPFinger",
- "MySQLFinger",
 "MSSQLFinger",
 "ElasticFinger",
 ],
From 0a44b1f12e5bf4ef8c284159400097d415d8856f Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Tue, 14 Dec 2021 14:50:32 +0100
Subject: [PATCH 3/7] UT: Remove MySQL fingerprinter from monkey test config
---
 .../data_for_tests/monkey_configs/monkey_config_standard.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json b/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
index 107f17e5c..3f875009a 100644
--- a/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
+++ b/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
@@ -101,7 +101,6 @@
 "SMBFinger",
 "SSHFinger",
 "HTTPFinger",
- "MySQLFinger",
 "MSSQLFinger",
 "ElasticFinger"
 ]
From deeb38e551c5231214903b14738553381c1249db Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Tue, 14 Dec 2021 14:51:09 +0100
Subject: [PATCH 4/7] Docs: Remove MySQL fingerprinter
---
 docs/content/reference/scanners/_index.md | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/docs/content/reference/scanners/_index.md b/docs/content/reference/scanners/_index.md
index 8cca71b21..27d776128 100644
--- a/docs/content/reference/scanners/_index.md
+++ b/docs/content/reference/scanners/_index.md
@@ -29,8 +29,7 @@ The currently implemented Fingerprint modules are:
 2. [`SSHFinger`][ssh-finger] - Fingerprints target machines over SSH (port 22) and extracts the computer version and SSH banner.
 3. [`PingScanner`][ping-scanner] - Fingerprints target machine's TTL to differentiate between Linux and Windows hosts.
 4. [`HTTPFinger`][http-finger] - Detects HTTP/HTTPS services, using the ports listed in `HTTP_PORTS` in the configuration, will return the server type and if it supports SSL.
-5. [`MySQLFinger`][mysql-finger] - Fingerprints MySQL (port 3306) and will extract MySQL banner info - version, major/minor/build and capabilities.
-6. [`ElasticFinger`][elastic-finger] - Fingerprints ElasticSearch (port 9200) will extract the cluster name, node name and node version.
+5. [`ElasticFinger`][elastic-finger] - Fingerprints ElasticSearch (port 9200) will extract the cluster name, node name and node version.
 ## Adding a scanner/fingerprinter
@@ -44,7 +43,6 @@ At this point, the Infection Monkey knows how to use the new scanner/fingerprint
 [http-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/httpfinger.py
 [host-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/__init__.py
 [host-scanner]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/__init__.py
- [mysql-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/mysqlfinger.py
 [ping-scanner]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/ping_scanner.py
 [smb-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/smbfinger.py
 [ssh-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/sshfinger.py
From c129e2f4b0c4c86ea624fbc496362f7ff11e5bf5 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Tue, 14 Dec 2021 14:54:20 +0100
Subject: [PATCH 5/7] Project: Remove mysqlfinger references in Vulture
---
 vulture_allowlist.py | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/vulture_allowlist.py b/vulture_allowlist.py
index 7c9917984..b0700147e 100644
--- a/vulture_allowlist.py
+++ b/vulture_allowlist.py
@@ -89,7 +89,6 @@ _.do_GET # unused method (monkey/infection_monkey/exploit/weblogic.py:237)
 PowerShellExploiter # (monkey\infection_monkey\exploit\powershell.py:27)
 ElasticFinger # unused class (monkey/infection_monkey/network/elasticfinger.py:18)
 HTTPFinger # unused class (monkey/infection_monkey/network/httpfinger.py:9)
-MySQLFinger # unused class (monkey/infection_monkey/network/mysqlfinger.py:13)
 SSHFinger # unused class (monkey/infection_monkey/network/sshfinger.py:15)
 ClearCommandHistory # unused class (monkey/infection_monkey/post_breach/actions/clear_command_history.py:11)
 AccountDiscovery # unused class (monkey/infection_monkey/post_breach/actions/discover_accounts.py:8)
@@ -187,9 +186,6 @@ WINDOWS_PBA_TYPE # unused variable (monkey/monkey_island/cc/resources/pba_file_
 WINDOWS_TTL # unused variable (monkey/infection_monkey/network/ping_scanner.py:17)
 wlist # unused variable (monkey/infection_monkey/transport/tcp.py:28)
 wlist # unused variable (monkey/infection_monkey/transport/http.py:176)
-charset # unused variable (monkey/infection_monkey/network/mysqlfinger.py:81)
-salt # unused variable (monkey/infection_monkey/network/mysqlfinger.py:78)
-thread_id # unused variable (monkey/infection_monkey/network/mysqlfinger.py:61)
 # leaving this since there's a TODO related to it
From e73b4af02633efcfd08b5b13eae3340fa36ed8cb Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Tue, 14 Dec 2021 14:54:45 +0100
Subject: [PATCH 6/7] Changelog: Add entry for removing MySQL fingerprinter
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e47936c55..02f2301a6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 - MITRE ATT&CK configuration screen. #1532
 - Propagation credentials from "GET /api/monkey/" endpoint. #1538
 - "GET /api/monkey_control/check_remote_port/" endpoint. #1635
+- MySQL fingerprinter. #1648
 ### Fixed
 - A bug in network map page that caused delay of telemetry log loading. #1545
From beb74ef06057545d23a8703237cc8c5f5c419fa9 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Tue, 14 Dec 2021 09:58:24 -0500
Subject: [PATCH 7/7] Docs: Add missing "and" to ElasticFinger entry
Co-authored-by: Shreya Malviya
---
 docs/content/reference/scanners/_index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/content/reference/scanners/_index.md b/docs/content/reference/scanners/_index.md
index 27d776128..6de0a8099 100644
--- a/docs/content/reference/scanners/_index.md
+++ b/docs/content/reference/scanners/_index.md
@@ -29,7 +29,7 @@ The currently implemented Fingerprint modules are:
 2. [`SSHFinger`][ssh-finger] - Fingerprints target machines over SSH (port 22) and extracts the computer version and SSH banner.
 3. [`PingScanner`][ping-scanner] - Fingerprints target machine's TTL to differentiate between Linux and Windows hosts.
 4. [`HTTPFinger`][http-finger] - Detects HTTP/HTTPS services, using the ports listed in `HTTP_PORTS` in the configuration, will return the server type and if it supports SSL.
-5. [`ElasticFinger`][elastic-finger] - Fingerprints ElasticSearch (port 9200) will extract the cluster name, node name and node version.
+5. [`ElasticFinger`][elastic-finger] - Fingerprints ElasticSearch (port 9200) and will extract the cluster name, node name and node version.
 ## Adding a scanner/fingerprinter