From 83c7c3d13cf484cd0a0ae4317c77cccc6ddc38da Mon Sep 17 00:00:00 2001 From: Itay Mizeretz Date: Tue, 21 Nov 2017 16:25:39 +0200 Subject: [PATCH] Report now uses dynamic data --- .../cc/ui/src/components/pages/ReportPage.js | 494 +++++++++++------- .../report-components/ScannedBreachedChart.js | 4 +- 2 files changed, 307 insertions(+), 191 deletions(-) diff --git a/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey_island/cc/ui/src/components/pages/ReportPage.js index 3853ecacc..dee3c8cb2 100644 --- a/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -8,6 +8,23 @@ import StolenPasswords from 'components/report-components/StolenPasswords'; import ScannedBreachedChart from 'components/report-components/ScannedBreachedChart'; class ReportPageComponent extends React.Component { + + Issue = + { + WEAK_PASSWORD: 0, + STOLEN_CREDS: 1, + ELASTIC: 2, + SAMBACRY: 3, + SHELLSHOCK: 4, + CONFICKER: 5 + }; + + Warning = + { + CROSS_SEGMENT: 0, + TUNNEL: 1 + }; + constructor(props) { super(props); this.stolen_passwords = 
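Review bot: The `Issue` and `Warning` lookup tables are declared as instance class fields, so every mounted ReportPageComponent allocates its own mutable copy and nothing stops a stray `this.Issue.ELASTIC = 9` from silently changing how `overview.issues` is interpreted. Since they are constants, declare them once at module level as frozen objects, `const Issue = Object.freeze({ WEAK_PASSWORD: 0, STOLEN_CREDS: 1, /* … */ });` (or `static Issue = Object.freeze({...})` if they must stay on the class). Their numeric values double as indexes into the boolean `overview.issues` / `overview.warnings` arrays set up in the next hunk, so a comment stating that ordering contract, `// values are indexes into report.overview.issues`, belongs next to the declaration.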
@@ -18,13 +35,48 @@ class ReportPageComponent extends React.Component { {username: 'joe', password: 'FDA95FBECA288D44AAD3B435B51404EE', type: 'LM', origin: 'Monkey-RDP'} ]; this.state = { - report: {}, + report: { + overview: + { + monkey_start_time: '01/02/2017 21:45', + monkey_duration: '23:12 minutes', + issues: [false, true, true, true, false, true], + warnings: [true, true] + }, + glance: + { + scanned: + [{"services": ["tcp-22: ssh", "elastic-search-9200: Lorelei Travis"], "ip_addresses": ["11.0.0.13"], "accessible_from_nodes": ["webServer-shellshock0"], "label": "Ubuntu-4ubuntu2.1"}, {"services": [], "ip_addresses": ["10.0.3.23"], "accessible_from_nodes": [], "label": "ubuntu"}, {"services": ["tcp-22: ssh", "tcp-80: http"], "ip_addresses": ["10.0.3.68", "11.0.0.41"], "accessible_from_nodes": ["Monkey-MSSQL1", "ubuntu"], "label": "webServer-shellshock0"}, {"services": ["tcp-445: Windows Server 2012 R2 Standard 6.3"], "ip_addresses": ["12.0.0.90", "11.0.0.90"], "accessible_from_nodes": ["webServer-shellshock0"], "label": "Monkey-MSSQL1"}], + exploited: + [{"ip_addresses": ["10.0.3.68", "11.0.0.41"], "exploits": ["ShellShockExploiter", "ShellShockExploiter"], "label": "webServer-shellshock0"}, {"ip_addresses": ["12.0.0.90", "11.0.0.90"], "exploits": ["SmbExploiter", "SmbExploiter"], "label": "Monkey-MSSQL1"}], + stolen_creds: this.stolen_passwords + }, + recommendations: + { + issues: + [ + {type: 'smb_password', machine: 'Monkey-SMB', ip_addresses: ['192.168.0.1', '10.0.0.18'], username: 'Administrator'}, + {type: 'smb_pth', machine: 'Monkey-SMB2', ip_addresses: ['192.168.0.1', '10.0.0.18'], username: 'Administrator'}, + {type: 'wmi_password', machine: 'Monkey-WMI', ip_addresses: ['192.168.0.1', '10.0.0.18'], username: 'Administrator'}, + {type: 'wmi_pth', machine: 'Monkey-WMI2', ip_addresses: ['192.168.0.1', '10.0.0.18'], username: 'Administrator'}, + {type: 'ssh', machine: 'Monkey-SMB', ip_addresses: ['192.168.0.1', '10.0.0.18'], username: 'Administrator'}, 
+ {type: 'rdp', machine: 'Monkey-SMB', ip_addresses: ['192.168.0.1', '10.0.0.18'], username: 'Administrator'}, + {type: 'sambacry', machine: 'Monkey-SMB', ip_addresses: ['192.168.0.1', '10.0.0.18'], username: 'Administrator'}, + {type: 'elastic', machine: 'Monkey-SMB', ip_addresses: ['192.168.0.1', '10.0.0.18']}, + {type: 'shellshock', machine: 'Monkey-SMB', ip_addresses: ['192.168.0.1', '10.0.0.18'], port: 8080, paths: ['/cgi/backserver.cgi', '/cgi/login.cgi']}, + {type: 'conficker', machine: 'Monkey-SMB', ip_addresses: ['192.168.0.1', '10.0.0.18']}, + {type: 'cross_segment', machine: 'Monkey-SMB', network: '192.168.0.0/24', server_network: '172.168.0.0/24'}, + {type: 'tunnel', origin: 'Monkey-SSH', dest: 'Monkey-SambaCry'} + ] + } + }, graph: {nodes: [], edges: []} }; } componentDidMount() { - this.getReportFromServer(); + // TODO: uncomment + //this.getReportFromServer(); this.updateMapFromServer(); this.interval = setInterval(this.updateMapFromServer, 1000); } @@ -55,10 +107,243 @@ class ReportPageComponent extends React.Component { }); } + generateIpListBadges(ip_addresses) { + return ip_addresses.map(ip_address => {ip_address}); + } + + generateShellshockPathListBadges(paths) { + return paths.map(path => {path}); + } + + generateSmbPasswordIssue(issue) { + return ( +
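Review bot: componentDidMount no longer fetches the report — `this.getReportFromServer()` is commented out under `// TODO: uncomment` — and the initial state now carries a complete hard-coded sample report, so despite the commit title the page renders the fixture rather than server data. If the fixture is needed while the endpoint is unfinished, keep the fetch enabled and fall back to the sample only on request failure, or gate the sample behind a development flag, so the TODO cannot reach a release. The `issues: [false, true, true, true, false, true]` array is indexed by the numeric `Issue` table from the previous hunk, so a short comment on it, `// indexed by Issue.*; order must match that table`, would make the coupling visible.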
+ The machine {issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a SMB attack. +
+ The attack succeeded by authenticating over SMB protocol with user {issue.username} and its password. +
+ In order to protect the machine, the following steps should be performed: + +
+ ); + } + + generateSmbPthIssue(issue) { + return ( +
+ The machine {issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a SMB attack. +
+ The attack succeeded by using a pass-the-hash attack over SMB protocol with user {issue.username}. +
+ In order to protect the machine, the following steps should be performed: + +
+ ); + } + + generateWmiPasswordIssue(issue) { + return ( +
+ The machine {issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a WMI attack. +
+ The attack succeeded by authenticating over WMI protocol with user {issue.username} and its password. +
+ In order to protect the machine, the following steps should be performed: + +
+ ); + } + + generateWmiPthIssue(issue) { + return ( +
+ The machine {issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a WMI attack. +
+ The attack succeeded by using a pass-the-hash attack over WMI protocol with user {issue.username}. +
+ In order to protect the machine, the following steps should be performed: + +
+ ); + } + + generateSshIssue(issue) { + return ( +
+ The machine {issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a SSH attack. +
+ The attack succeeded by authenticating over SSH protocol with user {issue.username} and its password. +
+ In order to protect the machine, the following steps should be performed: + +
+ ); + } + + generateRdpIssue(issue) { + return ( +
+ The machine {issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a RDP attack. +
+ The attack succeeded by authenticating over RDP protocol with user {issue.username} and its password. +
+ In order to protect the machine, the following steps should be performed: + +
+ ); + } + + generateSambaCryIssue(issue) { + return ( +
+ The machine {issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a SambaCry attack. +
+ The attack succeeded by authenticating over SMB protocol with user {issue.username} and its password, and by using the SambaCry vulnerability. +
+ In order to protect the machine, the following steps should be performed: + +
+ ); + } + + generateElasticIssue(issue) { + return ( +
+ The machine {issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to an Elastic Groovy attack. +
+ The attack succeeded because the Elastic Search server was not parched against CVE-2015-1427. +
+ In order to protect the machine, the following steps should be performed: + +
+ ); + } + + generateShellshockIssue(issue) { + return ( +
+ The machine {issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a ShellShock attack. +
+ The attack succeeded because the HTTP server running on port {issue.port} was vulnerable to a shell injection attack on the paths: {this.generateShellshockPathListBadges(issue.paths)}. +
+ In order to protect the machine, the following steps should be performed: + +
+ ); + } + + generateConfickerIssue(issue) { + return ( +
+ The machine {issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a Conficker attack. +
+ The attack succeeded because the target machine uses an outdated and unpatched operating system vulnerable to Conficker. +
+ In order to protect the machine, the following steps should be performed: + +
+ ); + } + + generateCrossSegmentIssue(issue) { + return ( +
+ The network can probably be segmented. A monkey instance on {issue.machine} in the {issue.network} network could directly access the Monkey Island C&C server in the {issue.server_network} network. +
+ In order to protect the network, the following steps should be performed: + +
+ ); + } + + generateTunnelIssue(issue) { + return ( +
+ Machines are not locked down at port level. Network tunnel was set up from {issue.origin} to {issue.dest}. +
+ In order to protect the machine, the following steps should be performed: + +
+ ); + } + + generateIssue = (issue, index) => { + let data; + switch (issue.type) { + case 'smb_password': + data = this.generateSmbPasswordIssue(issue); + break; + case 'smb_pth': + data = this.generateSmbPthIssue(issue); + break; + case 'wmi_password': + data = this.generateWmiPasswordIssue(issue); + break; + case 'wmi_pth': + data = this.generateWmiPthIssue(issue); + break; + case 'ssh': + data = this.generateSshIssue(issue); + break; + case 'rdp': + data = this.generateRdpIssue(issue); + break; + case 'sambacry': + data = this.generateSambaCryIssue(issue); + break; + case 'elastic': + data = this.generateElasticIssue(issue); + break; + case 'shellshock': + data = this.generateShellshockIssue(issue); + break; + case 'conficker': + data = this.generateConfickerIssue(issue); + break; + case 'cross_segment': + data = this.generateCrossSegmentIssue(issue); + break; + case 'tunnel': + data = this.generateTunnelIssue(issue); + break; + } + return ( +
+

Issue #{index+1}

+ {data} +
+ ); + }; + render() { let content; - - if (Object.keys(this.state.report).length === 0) { + // TODO: remove 0==1 + if (0==1 || Object.keys(this.state.report).length === 0) { content = (

Generating Report...

); } else { content = @@ -69,8 +354,7 @@ class ReportPageComponent extends React.Component { Overview
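Review bot: The switch in generateIssue has no default branch, so an issue type the client does not recognise leaves `data` undefined and renders an empty numbered card with nothing to indicate that something was dropped; add `default: console.warn(\`Unknown issue type: ${issue.type}\`);` (or render a short "unknown issue type" line) so drift between server and client is visible. generateElasticIssue says "was not parched against CVE-2015-1427" — that should read "patched". The `// TODO: remove 0==1` short-circuit in render forces the "Generating Report..." branch and should not land as is; if it stays temporarily, write it as `0 === 1` to match the strict equality used on the same line. render() continues past the end of this hunk.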

- {/* TODO: Replace 01/02/2017 21:45, 23:12 with data */} - The monkey run was started on 01/02/2017 21:45. After 23:12 minutes, all monkeys finished propagation attempts. + The monkey run was started on {this.state.report.overview.monkey_start_time}. After {this.state.report.overview.monkey_duration}, all monkeys finished propagation attempts.

From the attacker's point of view, the network looks like this: @@ -79,24 +363,21 @@ class ReportPageComponent extends React.Component {
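Review bot: render guards only on `Object.keys(this.state.report).length === 0`, yet this line dereferences `this.state.report.overview.monkey_start_time`, and the hunks at +363, +391 and +400 likewise read `overview.issues`, `glance.scanned`, `glance.exploited` and `recommendations.issues`; a report object that is present but missing one of those sections (an error body, or a partial response once getReportFromServer is re-enabled) throws during render instead of showing the loading state. Tighten the guard to the sections actually used, e.g. `const {overview, glance, recommendations} = this.state.report;` followed by `if (!overview || !glance || !recommendations) {` in place of the key-count check. This applies to all four hunks; the enclosing render() starts and ends outside this one.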

- {/* TODO: Replace 3 with data */} - During this simulated attack the Monkey uncovered 6 issues, detailed below. The security issues uncovered include: + During this simulated attack the Monkey uncovered {this.state.report.overview.issues.filter(function(x){return x===true;}).length}, detailed below. The security issues uncovered include:
In addition, the monkey uncovered the following possible set of issues:

@@ -110,8 +391,7 @@ class ReportPageComponent extends React.Component {
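Review bot: The rewritten sentence lost its noun: it now reads "uncovered {N}, detailed below" where the removed text read "uncovered 6 issues, detailed below"; append `issues` after the interpolated count. The inline expression `this.state.report.overview.issues.filter(function(x){return x===true;}).length` is long for JSX; computing `const issuesCount = this.state.report.overview.issues.filter((x) => x === true).length;` at the top of render and interpolating `{issuesCount}` reads better and matches the arrow-function style the rest of the file uses. render() continues outside this hunk.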

- {/* TODO: Replace 6,2 with data */} - The Monkey discovered 6 machines and successfully breached 2 of them. + The Monkey discovered {this.state.report.glance.scanned.length} machines and successfully breached {this.state.report.glance.exploited.length} of them.
In addition, while attempting to exploit additional hosts , security software installed in the network should have picked up the attack attempts and logged them.
@@ -120,191 +400,27 @@ class ReportPageComponent extends React.Component {
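Review bot: This sentence reports `this.state.report.glance.scanned.length` as the number of machines discovered, while the ScannedBreachedChart change in the same commit draws its "Scanned" slice as `this.props.scanned - this.props.exploited`; if the chart is fed the same two lengths (its props wiring is in the +400 hunk, whose markup this view does not preserve), the pie's "Scanned" figure will be smaller than the count stated here. Either relabel the slice ("Scanned only" or similar) or do the subtraction in one place, and add a comment stating which convention each side uses.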

- +
- +
- - {/* TODO: Add table of scanned servers */} +
- +

Recommendations

-
-

Issue #1

-
- The machine Monkey-SMB with the following IP addresses 192.168.0.1 10.0.0.18 was vulnerable to a SMB attack. -
- The attack succeeded by authenticating over SMB protocol with user Administrator and its password. -
- In order to protect the machine, the following steps should be performed: -
    -
  • Use a complex one-use password that is not shared with other computers on the network.
  • -
-
+ {this.state.report.recommendations.issues.map(this.generateIssue)}
-
-

Issue #2

-
- The machine Monkey-SMB2 with the following IP address 192.168.0.2 was vulnerable to a SMB attack. -
- The attack succeeded by using a pass-the-hash attack over SMB protocol with user temp. -
- In order to protect the machine, the following steps should be performed: -
    -
  • Use a complex one-use password that is not shared with other computers on the network.
  • -
-
-
-
-

Issue #3

-
- The machine Monkey-WMI with the following IP address 192.168.0.3 was vulnerable to a WMI attack. -
- The attack succeeded by authenticating over WMI protocol with user Administrator and its password. -
- In order to protect the machine, the following steps should be performed: -
    -
  • Use a complex one-use password that is not shared with other computers on the network.
  • -
-
-
-
-

Issue #4

-
- The machine Monkey-WMI2 with the following IP address 192.168.0.4 was vulnerable to a WMI attack. -
- The attack succeeded by using a pass-the-hash attack over WMI protocol with user Administrator. -
- In order to protect the machine, the following steps should be performed: -
    -
  • Use a complex one-use password that is not shared with other computers on the network.
  • -
-
-
-
-

Issue #5

-
- The machine Monkey-SSH with the following IP address 192.168.0.5 was vulnerable to a SSH attack. -
- The attack succeeded by authenticating over SSH protocol with user user and its password. -
- In order to protect the machine, the following steps should be performed: -
    -
  • Use a complex one-use password that is not shared with other computers on the network.
  • -
-
-
-
-

Issue #6

-
- The machine Monkey-RDP with the following IP address 192.168.0.6 was vulnerable to a RDP attack. -
- The attack succeeded by authenticating over RDP protocol with user Administrator and its password. -
- In order to protect the machine, the following steps should be performed: -
    -
  • Use a complex one-use password that is not shared with other computers on the network.
  • -
-
-
-
-

Issue #7

-
- The machine Monkey-SambaCry with the following IP address 192.168.0.7 was vulnerable to a SambaCry attack. -
- The attack succeeded by authenticating over SMB protocol with user user and its password, and by using the SambaCry vulnerability. -
- In order to protect the machine, the following steps should be performed: -
    -
  • Update your Samba server to 4.4.14 and up, 4.5.10 and up, or 4.6.4 and up.
  • -
  • Use a complex one-use password that is not shared with other computers on the network.
  • -
-
-
-
-

Issue #8

-
- The machine Monkey-Elastic with the following IP address 192.168.0.8 was vulnerable to an Elastic Groovy attack. -
- The attack succeeded because the Elastic Search server was not parched against CVE-2015-1427. -
- In order to protect the machine, the following steps should be performed: -
    -
  • Update your Elastic Search server to version 1.4.3 and up.
  • -
-
-
-
-

Issue #9

-
- The machine Monkey-Shellshock with the following IP address 192.168.0.9 was vulnerable to a ShellShock attack. -
- The attack succeeded because the HTTP server running on port 8080 was vulnerable to a shell injection attack on the paths: /cgi/backserver.cgi /cgi/login.cgi. -
- In order to protect the machine, the following steps should be performed: -
    -
  • Update your Bash to a ShellShock-patched version.
  • -
-
-
-
-

Issue #10

-
- The machine Monkey-Conficker with the following IP address 192.168.0.10 was vulnerable to a Conficker attack. -
- The attack succeeded because the target machine uses an outdated and unpatched operating system vulnerable to Conficker. -
- In order to protect the machine, the following steps should be performed: -
    -
  • Install the latest Windows updates or upgrade to a newer operating system.
  • -
-
-
-
-

Issue #11

-
- The network can probably be segmented. A monkey instance on Monkey-SMB in the 192.168.0.0/24 network could directly access the Monkey Island C&C server in the 172.168.0.0/24 network. -
- In order to protect the network, the following steps should be performed: -
    -
  • Segment your network. Make sure machines can't access machines from other segments.
  • -
-
-
-
-

Issue #12

-
- The network can probably be segmented. A monkey instance on Monkey-SSH in the 192.168.0.0/24 network could directly access the Monkey Island C&C server in the 172.168.0.0/24 network. -
- In order to protect the network, the following steps should be performed: -
    -
  • Segment your network. Make sure machines can't access machines from other segments.
  • -
-
-
-
-

Issue #13

-
- Machines are not locked down at port level. Network tunnel was set up from Monkey-SSH to Monkey-SambaCry. -
- In order to protect the machine, the following steps should be performed: -
    -
  • Use micro-segmentation policies to disable communication other than the required.
  • -
-
-
-
); diff --git a/monkey_island/cc/ui/src/components/report-components/ScannedBreachedChart.js b/monkey_island/cc/ui/src/components/report-components/ScannedBreachedChart.js index 4e7570e9f..413a19058 100644 --- a/monkey_island/cc/ui/src/components/report-components/ScannedBreachedChart.js +++ b/monkey_island/cc/ui/src/components/report-components/ScannedBreachedChart.js @@ -18,8 +18,8 @@ class ScannedBreachedChartComponent extends React.Component { render() { const data = [ - {label: 'Scanned', value: 4, color: '#f0ad4e'}, - {label: 'Exploited', value: 2, color: '#d9534f'} + {label: 'Scanned', value: this.props.scanned - this.props.exploited, color: '#f0ad4e'}, + {label: 'Exploited', value: this.props.exploited, color: '#d9534f'} ]; return (
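Review bot: `this.state.report.recommendations.issues.map(this.generateIssue)` produces a list of sibling elements, so the element generateIssue returns needs a `key`; the JSX markup is not preserved in this view, so if generateIssue does not already set one, add `key={index}` on its wrapping element (a stable server-side id would be better if one exists) to avoid React's key warning and unnecessary re-mounts. generateIssue also numbers cards as `Issue #{index+1}`, so the numbering follows whatever order the server returns; a one-line comment on the map call saying so would help the next reader.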