From 7cae4d6dec01653404d062316b3c61e6fa98c18f Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Mon, 7 Mar 2022 08:08:24 -0500 Subject: [PATCH] Agent: Pass depth to exploiters --- .../infection_monkey/exploit/HostExploiter.py | 2 ++ .../exploit/exploiter_wrapper.py | 4 +-- monkey/infection_monkey/exploit/hadoop.py | 3 +- monkey/infection_monkey/exploit/log4shell.py | 3 +- monkey/infection_monkey/exploit/web_rce.py | 6 ++-- monkey/infection_monkey/i_puppet/i_puppet.py | 8 ++++- .../master/automated_master.py | 5 ++-- monkey/infection_monkey/master/exploiter.py | 29 +++++++++++++++---- monkey/infection_monkey/master/mock_master.py | 4 +-- monkey/infection_monkey/master/propagator.py | 6 ++-- monkey/infection_monkey/puppet/mock_puppet.py | 7 ++++- monkey/infection_monkey/puppet/puppet.py | 9 ++++-- .../infection_monkey/master/test_exploiter.py | 6 ++-- .../master/test_propagator.py | 19 ++++++++++-- 14 files changed, 82 insertions(+), 29 deletions(-) diff --git a/monkey/infection_monkey/exploit/HostExploiter.py b/monkey/infection_monkey/exploit/HostExploiter.py index 0f698c926..e1b6d0c80 100644 --- a/monkey/infection_monkey/exploit/HostExploiter.py +++ b/monkey/infection_monkey/exploit/HostExploiter.py @@ -72,11 +72,13 @@ class HostExploiter: def exploit_host( self, host, + current_depth: int, telemetry_messenger: ITelemetryMessenger, agent_repository: IAgentRepository, options: Dict, ): self.host = host + self.current_depth = current_depth self.telemetry_messenger = telemetry_messenger self.agent_repository = agent_repository self.options = options diff --git a/monkey/infection_monkey/exploit/exploiter_wrapper.py b/monkey/infection_monkey/exploit/exploiter_wrapper.py index c621ecaea..5e855ff22 100644 --- a/monkey/infection_monkey/exploit/exploiter_wrapper.py +++ b/monkey/infection_monkey/exploit/exploiter_wrapper.py @@ -26,10 +26,10 @@ class ExploiterWrapper: self._telemetry_messenger = telemetry_messenger self._agent_repository = agent_repository - def exploit_host(self, host: VictimHost, options: Dict): + def exploit_host(self, host: VictimHost, current_depth: int, options: Dict): exploiter = self._exploit_class() return exploiter.exploit_host( - host, self._telemetry_messenger, self._agent_repository, options + host, current_depth, self._telemetry_messenger, self._agent_repository, options ) def __init__( diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index 69e5c601b..0618a3dad 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -12,7 +12,6 @@ from random import SystemRandom import requests from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT -from infection_monkey.exploit.tools.helpers import get_monkey_depth from infection_monkey.exploit.tools.http_tools import HTTPTools from infection_monkey.exploit.web_rce import WebRCE from infection_monkey.model import ( @@ -95,7 +94,7 @@ class HadoopExploiter(WebRCE): def _build_command(self, path, http_path): # Build command to execute - monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1) + monkey_cmd = build_monkey_commandline(self.host, self.current_depth - 1) if "linux" in self.host.os["type"]: base_command = HADOOP_LINUX_COMMAND else: diff --git a/monkey/infection_monkey/exploit/log4shell.py b/monkey/infection_monkey/exploit/log4shell.py index 146f4c16a..e68b7f5ab 100644 --- a/monkey/infection_monkey/exploit/log4shell.py +++ b/monkey/infection_monkey/exploit/log4shell.py @@ -10,7 +10,6 @@ from infection_monkey.exploit.log4shell_utils import ( build_exploit_bytecode, get_log4shell_service_exploiters, ) -from infection_monkey.exploit.tools.helpers import get_monkey_depth from infection_monkey.exploit.tools.http_tools import HTTPTools from infection_monkey.exploit.web_rce import WebRCE from infection_monkey.i_puppet.i_puppet import ExploiterResultData @@ -114,7 +113,7 @@ class Log4ShellExploiter(WebRCE): def _build_command(self, path, http_path) -> str: # Build command to execute - monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, location=path) + monkey_cmd = build_monkey_commandline(self.host, self.current_depth - 1, location=path) if "linux" in self.host.os["type"]: base_command = LOG4SHELL_LINUX_COMMAND else: diff --git a/monkey/infection_monkey/exploit/web_rce.py b/monkey/infection_monkey/exploit/web_rce.py index 8ef23acc0..bbb590b8b 100644 --- a/monkey/infection_monkey/exploit/web_rce.py +++ b/monkey/infection_monkey/exploit/web_rce.py @@ -5,7 +5,7 @@ from typing import List, Tuple from common.utils.attack_utils import BITS_UPLOAD_STRING, ScanStatus from infection_monkey.exploit.HostExploiter import HostExploiter -from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey +from infection_monkey.exploit.tools.helpers import get_target_monkey from infection_monkey.exploit.tools.http_tools import HTTPTools from infection_monkey.model import ( BITSADMIN_CMDLINE_HTTP, @@ -371,14 +371,14 @@ class WebRCE(HostExploiter): default_path = self.get_default_dropper_path() if default_path is False: return False - monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, default_path) + monkey_cmd = build_monkey_commandline(self.host, self.current_depth - 1, default_path) command = RUN_MONKEY % { "monkey_path": path, "monkey_type": DROPPER_ARG, "parameters": monkey_cmd, } else: - monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1) + monkey_cmd = build_monkey_commandline(self.host, self.current_depth - 1) command = RUN_MONKEY % { "monkey_path": path, "monkey_type": MONKEY_ARG, diff --git a/monkey/infection_monkey/i_puppet/i_puppet.py b/monkey/infection_monkey/i_puppet/i_puppet.py index 5b27de4f6..0db62bae2 100644 --- a/monkey/infection_monkey/i_puppet/i_puppet.py +++ b/monkey/infection_monkey/i_puppet/i_puppet.py @@ -114,12 +114,18 @@ class IPuppet(metaclass=abc.ABCMeta): @abc.abstractmethod def exploit_host( - self, name: str, host: VictimHost, options: Dict, interrupt: threading.Event + self, + name: str, + host: VictimHost, + current_depth: int, + options: Dict, + interrupt: threading.Event, ) -> ExploiterResultData: """ Runs an exploiter against a remote host :param str name: The name of the exploiter to run :param VictimHost host: A VictimHost object representing the target to exploit + :param int current_depth: The current propagation depth :param Dict options: A dictionary containing options that modify the behavior of the exploiter :param threading.Event interrupt: A threading.Event object that signals the exploit to stop diff --git a/monkey/infection_monkey/master/automated_master.py b/monkey/infection_monkey/master/automated_master.py index 2da3d52e3..d90c8e902 100644 --- a/monkey/infection_monkey/master/automated_master.py +++ b/monkey/infection_monkey/master/automated_master.py @@ -162,8 +162,9 @@ class AutomatedMaster(IMaster): # still running. credential_collector_thread.join() - if self._can_propagate() and config["depth"] > 0: - self._propagator.propagate(config["propagation"], self._stop) + current_depth = config["depth"] + if self._can_propagate() and current_depth > 0: + self._propagator.propagate(config["propagation"], current_depth, self._stop) payload_thread = create_daemon_thread( target=self._run_plugins, diff --git a/monkey/infection_monkey/master/exploiter.py b/monkey/infection_monkey/master/exploiter.py index 151280ea0..b2049eb38 100644 --- a/monkey/infection_monkey/master/exploiter.py +++ b/monkey/infection_monkey/master/exploiter.py @@ -34,6 +34,7 @@ class Exploiter: self, exploiter_config: Dict, hosts_to_exploit: Queue, + current_depth: int, results_callback: Callback, scan_completed: Event, stop: Event, @@ -44,7 +45,14 @@ class Exploiter: f"{', '.join([e['name'] for e in exploiters_to_run])}" ) - exploit_args = (exploiters_to_run, hosts_to_exploit, results_callback, scan_completed, stop) + exploit_args = ( + exploiters_to_run, + hosts_to_exploit, + current_depth, + results_callback, + scan_completed, + stop, + ) run_worker_threads( target=self._exploit_hosts_on_queue, args=exploit_args, num_workers=self._num_workers ) @@ -69,6 +77,7 @@ class Exploiter: self, exploiters_to_run: List[Dict], hosts_to_exploit: Queue, + current_depth: int, results_callback: Callback, scan_completed: Event, stop: Event, @@ -78,7 +87,9 @@ class Exploiter: while not stop.is_set(): try: victim_host = hosts_to_exploit.get(timeout=QUEUE_TIMEOUT) - self._run_all_exploiters(exploiters_to_run, victim_host, results_callback, stop) + self._run_all_exploiters( + exploiters_to_run, victim_host, current_depth, results_callback, stop + ) except queue.Empty: if _all_hosts_have_been_processed(scan_completed, hosts_to_exploit): break @@ -93,6 +104,7 @@ class Exploiter: self, exploiters_to_run: List[Dict], victim_host: VictimHost, + current_depth: int, results_callback: Callback, stop: Event, ): @@ -100,7 +112,7 @@ class Exploiter: for exploiter in interruptable_iter(exploiters_to_run, stop): exploiter_name = exploiter["name"] exploiter_results = self._run_exploiter( - exploiter_name, exploiter["options"], victim_host, stop + exploiter_name, exploiter["options"], victim_host, current_depth, stop ) results_callback(exploiter_name, victim_host, exploiter_results) @@ -108,7 +120,12 @@ class Exploiter: break def _run_exploiter( - self, exploiter_name: str, options: Dict, victim_host: VictimHost, stop: Event + self, + exploiter_name: str, + options: Dict, + victim_host: VictimHost, + current_depth: int, + stop: Event, ) -> ExploiterResultData: logger.debug(f"Attempting to use {exploiter_name} on {victim_host.ip_addr}") @@ -116,7 +133,9 @@ class Exploiter: options = {"credentials": credentials, **options} try: - return self._puppet.exploit_host(exploiter_name, victim_host, options, stop) + return self._puppet.exploit_host( + exploiter_name, victim_host, current_depth, options, stop + ) except Exception as ex: msg = ( f"An unexpected error occurred while exploiting {victim_host.ip_addr} with " diff --git a/monkey/infection_monkey/master/mock_master.py b/monkey/infection_monkey/master/mock_master.py index e7e8e6237..8542ade12 100644 --- a/monkey/infection_monkey/master/mock_master.py +++ b/monkey/infection_monkey/master/mock_master.py @@ -101,13 +101,13 @@ class MockMaster(IMaster): def _exploit(self): logger.info("Exploiting victims") - result = self._puppet.exploit_host("PowerShellExploiter", "10.0.0.1", {}, None) + result = self._puppet.exploit_host("PowerShellExploiter", "10.0.0.1", 0, {}, None) logger.info(f"Attempts for exploiting {result.attempts}") self._telemetry_messenger.send_telemetry( ExploitTelem("PowerShellExploiter", self._hosts["10.0.0.1"], result) ) - result = self._puppet.exploit_host("SSHExploiter", "10.0.0.3", {}, None) + result = self._puppet.exploit_host("SSHExploiter", "10.0.0.3", 0, {}, None) logger.info(f"Attempts for exploiting {result.attempts}") self._telemetry_messenger.send_telemetry( ExploitTelem("SSHExploiter", self._hosts["10.0.0.3"], result) diff --git a/monkey/infection_monkey/master/propagator.py b/monkey/infection_monkey/master/propagator.py index 45fc0955b..4ed86cd32 100644 --- a/monkey/infection_monkey/master/propagator.py +++ b/monkey/infection_monkey/master/propagator.py @@ -39,7 +39,7 @@ class Propagator: self._local_network_interfaces = local_network_interfaces self._hosts_to_exploit = None - def propagate(self, propagation_config: Dict, stop: Event): + def propagate(self, propagation_config: Dict, current_depth: int, stop: Event): logger.info("Attempting to propagate") network_scan_completed = Event() @@ -50,7 +50,7 @@ class Propagator: ) exploit_thread = create_daemon_thread( target=self._exploit_hosts, - args=(propagation_config, network_scan_completed, stop), + args=(propagation_config, current_depth, network_scan_completed, stop), ) scan_thread.start() @@ -134,6 +134,7 @@ class Propagator: def _exploit_hosts( self, propagation_config: Dict, + current_depth: int, network_scan_completed: Event, stop: Event, ): @@ -143,6 +144,7 @@ class Propagator: self._exploiter.exploit_hosts( exploiter_config, self._hosts_to_exploit, + current_depth, self._process_exploit_attempts, network_scan_completed, stop, diff --git a/monkey/infection_monkey/puppet/mock_puppet.py b/monkey/infection_monkey/puppet/mock_puppet.py index d43d48983..bd00c3acb 100644 --- a/monkey/infection_monkey/puppet/mock_puppet.py +++ b/monkey/infection_monkey/puppet/mock_puppet.py @@ -137,7 +137,12 @@ class MockPuppet(IPuppet): # TODO: host should be VictimHost, at the moment it can't because of circular dependency def exploit_host( - self, name: str, host: VictimHost, options: Dict, interrupt: threading.Event + self, + name: str, + host: VictimHost, + current_depth: int, + options: Dict, + interrupt: threading.Event, ) -> ExploiterResultData: logger.debug(f"exploit_hosts({name}, {host}, {options})") attempts = [ diff --git a/monkey/infection_monkey/puppet/puppet.py b/monkey/infection_monkey/puppet/puppet.py index e10695993..95e72533f 100644 --- a/monkey/infection_monkey/puppet/puppet.py +++ b/monkey/infection_monkey/puppet/puppet.py @@ -58,10 +58,15 @@ class Puppet(IPuppet): return fingerprinter.get_host_fingerprint(host, ping_scan_data, port_scan_data, options) def exploit_host( - self, name: str, host: VictimHost, options: Dict, interrupt: threading.Event + self, + name: str, + host: VictimHost, + current_depth: int, + options: Dict, + interrupt: threading.Event, ) -> ExploiterResultData: exploiter = self._plugin_registry.get_plugin(name, PluginType.EXPLOITER) - return exploiter.exploit_host(host, options) + return exploiter.exploit_host(host, current_depth, options) def run_payload(self, name: str, options: Dict, interrupt: threading.Event): payload = self._plugin_registry.get_plugin(name, PluginType.PAYLOAD) diff --git a/monkey/tests/unit_tests/infection_monkey/master/test_exploiter.py b/monkey/tests/unit_tests/infection_monkey/master/test_exploiter.py index c32ad5acb..014b3b912 100644 --- a/monkey/tests/unit_tests/infection_monkey/master/test_exploiter.py +++ b/monkey/tests/unit_tests/infection_monkey/master/test_exploiter.py @@ -74,7 +74,7 @@ def run_exploiters(exploiter_config, hosts_to_exploit, callback, scan_completed, scan_completed.set() e = Exploiter(puppet, num_workers, get_credentials_for_propagation) - e.exploit_hosts(exploiter_config, hosts_to_exploit, callback, scan_completed, stop) + e.exploit_hosts(exploiter_config, hosts_to_exploit, 1, callback, scan_completed, stop) return inner @@ -102,7 +102,7 @@ def test_credentials_passed_to_exploiter(run_exploiters): run_exploiters(mock_puppet, 1) for call_args in mock_puppet.exploit_host.call_args_list: - assert call_args[0][2].get("credentials") == CREDENTIALS_FOR_PROPAGATION + assert call_args[0][3].get("credentials") == CREDENTIALS_FOR_PROPAGATION def test_stop_after_callback(exploiter_config, callback, scan_completed, stop, hosts_to_exploit): @@ -121,7 +121,7 @@ def test_stop_after_callback(exploiter_config, callback, scan_completed, stop, h # Intentionally NOT setting scan_completed.set(); _callback() will set stop e = Exploiter(MockPuppet(), callback_barrier_count + 2, get_credentials_for_propagation) - e.exploit_hosts(exploiter_config, hosts_to_exploit, stoppable_callback, scan_completed, stop) + e.exploit_hosts(exploiter_config, hosts_to_exploit, 1, stoppable_callback, scan_completed, stop) assert stoppable_callback.call_count == 2 diff --git a/monkey/tests/unit_tests/infection_monkey/master/test_propagator.py b/monkey/tests/unit_tests/infection_monkey/master/test_propagator.py index 06be41c71..49cdd103a 100644 --- a/monkey/tests/unit_tests/infection_monkey/master/test_propagator.py +++ b/monkey/tests/unit_tests/infection_monkey/master/test_propagator.py @@ -124,7 +124,13 @@ def mock_ip_scanner(): class StubExploiter: def exploit_hosts( - self, hosts_to_exploit, exploiter_config, results_callback, scan_completed, stop + self, + exploiters_to_run, + hosts_to_exploit, + current_depth, + results_callback, + scan_completed, + stop, ): pass @@ -144,6 +150,7 @@ def test_scan_result_processing(telemetry_messenger_spy, mock_ip_scanner, mock_v "network_scan": {}, # This is empty since MockIPscanner ignores it "exploiters": {}, # This is empty since StubExploiter ignores it }, + 1, Event(), ) @@ -174,7 +181,13 @@ def test_scan_result_processing(telemetry_messenger_spy, mock_ip_scanner, mock_v class MockExploiter: def exploit_hosts( - self, exploiter_config, hosts_to_exploit, results_callback, scan_completed, stop + self, + exploiters_to_run, + hosts_to_exploit, + current_depth, + results_callback, + scan_completed, + stop, ): scan_completed.wait() hte = [] @@ -240,6 +253,7 @@ def test_exploiter_result_processing( "network_scan": {}, # This is empty since MockIPscanner ignores it "exploiters": {}, # This is empty since MockExploiter ignores it }, + 1, Event(), ) @@ -284,6 +298,7 @@ def test_scan_target_generation(telemetry_messenger_spy, mock_ip_scanner, mock_v "network_scan": {}, # This is empty since MockIPscanner ignores it "exploiters": {}, # This is empty since MockExploiter ignores it }, + 1, Event(), ) expected_ip_scan_list = [