Merge pull request #1655 from guardicore/1648-remove-mysql-fingerprinter
1648 remove mysql fingerprinter
commit
6cd481637d
|
@ -36,6 +36,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- MITRE ATT&CK configuration screen. #1532
|
- MITRE ATT&CK configuration screen. #1532
|
||||||
- Propagation credentials from "GET /api/monkey/<string:guid>" endpoint. #1538
|
- Propagation credentials from "GET /api/monkey/<string:guid>" endpoint. #1538
|
||||||
- "GET /api/monkey_control/check_remote_port/<string:port>" endpoint. #1635
|
- "GET /api/monkey_control/check_remote_port/<string:port>" endpoint. #1635
|
||||||
|
- MySQL fingerprinter. #1648
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- A bug in network map page that caused delay of telemetry log loading. #1545
|
- A bug in network map page that caused delay of telemetry log loading. #1545
|
||||||
|
|
|
@ -29,8 +29,7 @@ The currently implemented Fingerprint modules are:
|
||||||
2. [`SSHFinger`][ssh-finger] - Fingerprints target machines over SSH (port 22) and extracts the computer version and SSH banner.
|
2. [`SSHFinger`][ssh-finger] - Fingerprints target machines over SSH (port 22) and extracts the computer version and SSH banner.
|
||||||
3. [`PingScanner`][ping-scanner] - Fingerprints target machine's TTL to differentiate between Linux and Windows hosts.
|
3. [`PingScanner`][ping-scanner] - Fingerprints target machine's TTL to differentiate between Linux and Windows hosts.
|
||||||
4. [`HTTPFinger`][http-finger] - Detects HTTP/HTTPS services, using the ports listed in `HTTP_PORTS` in the configuration, will return the server type and if it supports SSL.
|
4. [`HTTPFinger`][http-finger] - Detects HTTP/HTTPS services, using the ports listed in `HTTP_PORTS` in the configuration, will return the server type and if it supports SSL.
|
||||||
5. [`MySQLFinger`][mysql-finger] - Fingerprints MySQL (port 3306) and will extract MySQL banner info - version, major/minor/build and capabilities.
|
5. [`ElasticFinger`][elastic-finger] - Fingerprints ElasticSearch (port 9200) and will extract the cluster name, node name and node version.
|
||||||
6. [`ElasticFinger`][elastic-finger] - Fingerprints ElasticSearch (port 9200) will extract the cluster name, node name and node version.
|
|
||||||
|
|
||||||
## Adding a scanner/fingerprinter
|
## Adding a scanner/fingerprinter
|
||||||
|
|
||||||
|
@ -44,7 +43,6 @@ At this point, the Infection Monkey knows how to use the new scanner/fingerprint
|
||||||
[http-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/httpfinger.py
|
[http-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/httpfinger.py
|
||||||
[host-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/__init__.py
|
[host-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/__init__.py
|
||||||
[host-scanner]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/__init__.py
|
[host-scanner]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/__init__.py
|
||||||
[mysql-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/mysqlfinger.py
|
|
||||||
[ping-scanner]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/ping_scanner.py
|
[ping-scanner]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/ping_scanner.py
|
||||||
[smb-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/smbfinger.py
|
[smb-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/smbfinger.py
|
||||||
[ssh-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/sshfinger.py
|
[ssh-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/sshfinger.py
|
||||||
|
|
|
@ -38,7 +38,6 @@
|
||||||
"SSHFinger",
|
"SSHFinger",
|
||||||
"HTTPFinger",
|
"HTTPFinger",
|
||||||
"SMBFinger",
|
"SMBFinger",
|
||||||
"MySQLFinger",
|
|
||||||
"MSSQLFingerprint",
|
"MSSQLFingerprint",
|
||||||
"ElasticFinger"
|
"ElasticFinger"
|
||||||
],
|
],
|
||||||
|
|
|
@ -1,85 +0,0 @@
|
||||||
import logging
|
|
||||||
import socket
|
|
||||||
|
|
||||||
import infection_monkey.config
|
|
||||||
from infection_monkey.network.HostFinger import HostFinger
|
|
||||||
from infection_monkey.network.tools import struct_unpack_tracker, struct_unpack_tracker_string
|
|
||||||
|
|
||||||
MYSQL_PORT = 3306
|
|
||||||
SQL_SERVICE = "mysqld-3306"
|
|
||||||
logger = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
|
|
||||||
class MySQLFinger(HostFinger):
|
|
||||||
"""
|
|
||||||
Fingerprints mysql databases, only on port 3306
|
|
||||||
"""
|
|
||||||
|
|
||||||
_SCANNED_SERVICE = "MySQL"
|
|
||||||
SOCKET_TIMEOUT = 0.5
|
|
||||||
HEADER_SIZE = 4 # in bytes
|
|
||||||
|
|
||||||
def __init__(self):
|
|
||||||
self._config = infection_monkey.config.WormConfiguration
|
|
||||||
|
|
||||||
def get_host_fingerprint(self, host):
|
|
||||||
"""
|
|
||||||
Returns mySQLd data using the host header
|
|
||||||
:param host:
|
|
||||||
:return: Success/failure, data is saved in the host struct
|
|
||||||
"""
|
|
||||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
||||||
s.settimeout(self.SOCKET_TIMEOUT)
|
|
||||||
|
|
||||||
try:
|
|
||||||
s.connect((host.ip_addr, MYSQL_PORT))
|
|
||||||
header = s.recv(self.HEADER_SIZE) # max header size?
|
|
||||||
|
|
||||||
response, curpos = struct_unpack_tracker(header, 0, "I")
|
|
||||||
response = response[0]
|
|
||||||
response_length = response & 0xFF # first byte is significant
|
|
||||||
data = s.recv(response_length)
|
|
||||||
# now we can start parsing
|
|
||||||
protocol, curpos = struct_unpack_tracker(data, 0, "B")
|
|
||||||
protocol = protocol[0]
|
|
||||||
|
|
||||||
if protocol == 0xFF:
|
|
||||||
# error code, bug out
|
|
||||||
logger.debug("Mysql server returned error")
|
|
||||||
return False
|
|
||||||
|
|
||||||
version, curpos = struct_unpack_tracker_string(
|
|
||||||
data, curpos
|
|
||||||
) # special coded to solve string parsing
|
|
||||||
version = version[0].decode()
|
|
||||||
self.init_service(host.services, SQL_SERVICE, MYSQL_PORT)
|
|
||||||
host.services[SQL_SERVICE]["version"] = version
|
|
||||||
version = version.split("-")[0].split(".")
|
|
||||||
host.services[SQL_SERVICE]["major_version"] = version[0]
|
|
||||||
host.services[SQL_SERVICE]["minor_version"] = version[1]
|
|
||||||
host.services[SQL_SERVICE]["build_version"] = version[2]
|
|
||||||
thread_id, curpos = struct_unpack_tracker(data, curpos, "<I") # ignore thread id
|
|
||||||
# protocol parsing taken from
|
|
||||||
# https://nmap.org/nsedoc/scripts/mysql-info.html
|
|
||||||
if protocol == 10:
|
|
||||||
# new protocol
|
|
||||||
self._parse_protocol_10(curpos, data, host)
|
|
||||||
return True
|
|
||||||
if protocol == 9:
|
|
||||||
return True
|
|
||||||
s.close()
|
|
||||||
|
|
||||||
except Exception as err:
|
|
||||||
logger.debug("Error getting mysql fingerprint: %s", err)
|
|
||||||
|
|
||||||
return False
|
|
||||||
|
|
||||||
def _parse_protocol_10(self, curpos, data, host):
|
|
||||||
salt, curpos = struct_unpack_tracker(data, curpos, "s8B")
|
|
||||||
capabilities, curpos = struct_unpack_tracker(data, curpos, "<H")
|
|
||||||
host.services[SQL_SERVICE]["capabilities"] = capabilities[0]
|
|
||||||
charset, curpos = struct_unpack_tracker(data, curpos, "B")
|
|
||||||
status, curpos = struct_unpack_tracker(data, curpos, "<H")
|
|
||||||
extcapabilities, curpos = struct_unpack_tracker(data, curpos, "<H")
|
|
||||||
host.services[SQL_SERVICE]["extcapabilities"] = extcapabilities[0]
|
|
||||||
# there's more data but it doesn't matter
|
|
|
@ -27,14 +27,6 @@ FINGER_CLASSES = {
|
||||||
"safe": True,
|
"safe": True,
|
||||||
"info": "Checks if host has HTTP/HTTPS ports open.",
|
"info": "Checks if host has HTTP/HTTPS ports open.",
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["MySQLFinger"],
|
|
||||||
"title": "MySQL Fingerprinter",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Checks if MySQL server is running and tries to get it's version.",
|
|
||||||
"attack_techniques": ["T1210"],
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"type": "string",
|
"type": "string",
|
||||||
"enum": ["MSSQLFinger"],
|
"enum": ["MSSQLFinger"],
|
||||||
|
|
|
@ -166,7 +166,6 @@ INTERNAL = {
|
||||||
"SMBFinger",
|
"SMBFinger",
|
||||||
"SSHFinger",
|
"SSHFinger",
|
||||||
"HTTPFinger",
|
"HTTPFinger",
|
||||||
"MySQLFinger",
|
|
||||||
"MSSQLFinger",
|
"MSSQLFinger",
|
||||||
"ElasticFinger",
|
"ElasticFinger",
|
||||||
],
|
],
|
||||||
|
|
|
@ -101,7 +101,6 @@
|
||||||
"SMBFinger",
|
"SMBFinger",
|
||||||
"SSHFinger",
|
"SSHFinger",
|
||||||
"HTTPFinger",
|
"HTTPFinger",
|
||||||
"MySQLFinger",
|
|
||||||
"MSSQLFinger",
|
"MSSQLFinger",
|
||||||
"ElasticFinger"
|
"ElasticFinger"
|
||||||
]
|
]
|
||||||
|
|
|
@ -89,7 +89,6 @@ _.do_GET # unused method (monkey/infection_monkey/exploit/weblogic.py:237)
|
||||||
PowerShellExploiter # (monkey\infection_monkey\exploit\powershell.py:27)
|
PowerShellExploiter # (monkey\infection_monkey\exploit\powershell.py:27)
|
||||||
ElasticFinger # unused class (monkey/infection_monkey/network/elasticfinger.py:18)
|
ElasticFinger # unused class (monkey/infection_monkey/network/elasticfinger.py:18)
|
||||||
HTTPFinger # unused class (monkey/infection_monkey/network/httpfinger.py:9)
|
HTTPFinger # unused class (monkey/infection_monkey/network/httpfinger.py:9)
|
||||||
MySQLFinger # unused class (monkey/infection_monkey/network/mysqlfinger.py:13)
|
|
||||||
SSHFinger # unused class (monkey/infection_monkey/network/sshfinger.py:15)
|
SSHFinger # unused class (monkey/infection_monkey/network/sshfinger.py:15)
|
||||||
ClearCommandHistory # unused class (monkey/infection_monkey/post_breach/actions/clear_command_history.py:11)
|
ClearCommandHistory # unused class (monkey/infection_monkey/post_breach/actions/clear_command_history.py:11)
|
||||||
AccountDiscovery # unused class (monkey/infection_monkey/post_breach/actions/discover_accounts.py:8)
|
AccountDiscovery # unused class (monkey/infection_monkey/post_breach/actions/discover_accounts.py:8)
|
||||||
|
@ -187,9 +186,6 @@ WINDOWS_PBA_TYPE # unused variable (monkey/monkey_island/cc/resources/pba_file_
|
||||||
WINDOWS_TTL # unused variable (monkey/infection_monkey/network/ping_scanner.py:17)
|
WINDOWS_TTL # unused variable (monkey/infection_monkey/network/ping_scanner.py:17)
|
||||||
wlist # unused variable (monkey/infection_monkey/transport/tcp.py:28)
|
wlist # unused variable (monkey/infection_monkey/transport/tcp.py:28)
|
||||||
wlist # unused variable (monkey/infection_monkey/transport/http.py:176)
|
wlist # unused variable (monkey/infection_monkey/transport/http.py:176)
|
||||||
charset # unused variable (monkey/infection_monkey/network/mysqlfinger.py:81)
|
|
||||||
salt # unused variable (monkey/infection_monkey/network/mysqlfinger.py:78)
|
|
||||||
thread_id # unused variable (monkey/infection_monkey/network/mysqlfinger.py:61)
|
|
||||||
|
|
||||||
|
|
||||||
# leaving this since there's a TODO related to it
|
# leaving this since there's a TODO related to it
|
||||||
|
|