From 8b2797306bf86a925660eb0427bc51a9bf4e9b25 Mon Sep 17 00:00:00 2001 
From: VakarisZ Date: Wed, 22 Jul 2020 13:19:12 +0300 Subject: [PATCH] Split up config_schema.py into separate files --- monkey/infection_monkey/config.py | 2 +- .../system_info/system_info_collector.py | 2 +- monkey/monkey_island/cc/services/config.py | 2 +- .../cc/services/config_schema.py | 1113 ----------------- .../cc/services/config_schema/__init__.py | 0 .../cc/services/config_schema/basic.py | 69 + .../services/config_schema/basic_network.py | 79 ++ .../cc/services/config_schema/cnc.py | 45 + .../services/config_schema/config_schema.py | 36 + .../definitions/exploiter_classes.py | 130 ++ .../definitions/finger_classes.py | 70 ++ .../definitions/post_breach_actions.py | 70 ++ .../system_info_collector_classes.py | 48 + .../cc/services/config_schema/exploits.py | 105 ++ .../cc/services/config_schema/internal.py | 222 ++++ .../cc/services/config_schema/monkey.py | 190 +++ .../cc/services/config_schema/network.py | 82 ++ .../cc/services/utils/__init__.py | 0 .../cc/services/utils/typographic_symbols.py | 1 + .../configuration-components/UiSchema.js | 2 +- 20 files changed, 1151 insertions(+), 1117 deletions(-) delete mode 100644 monkey/monkey_island/cc/services/config_schema.py create mode 100644 monkey/monkey_island/cc/services/config_schema/__init__.py create mode 100644 monkey/monkey_island/cc/services/config_schema/basic.py create mode 100644 monkey/monkey_island/cc/services/config_schema/basic_network.py create mode 100644 monkey/monkey_island/cc/services/config_schema/cnc.py create mode 100644 monkey/monkey_island/cc/services/config_schema/config_schema.py create mode 100644 monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py create mode 100644 monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py create mode 100644 monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py create mode 100644 monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py 
create mode 100644 monkey/monkey_island/cc/services/config_schema/exploits.py create mode 100644 monkey/monkey_island/cc/services/config_schema/internal.py create mode 100644 monkey/monkey_island/cc/services/config_schema/monkey.py create mode 100644 monkey/monkey_island/cc/services/config_schema/network.py create mode 100644 monkey/monkey_island/cc/services/utils/__init__.py create mode 100644 monkey/monkey_island/cc/services/utils/typographic_symbols.py diff --git a/monkey/infection_monkey/config.py b/monkey/infection_monkey/config.py index 910b0abd7..0413bdcd3 100644 --- a/monkey/infection_monkey/config.py +++ b/monkey/infection_monkey/config.py @@ -129,7 +129,7 @@ class Configuration(object): finger_classes = [] exploiter_classes = [] - system_info_collectors_classes = [] + system_info_collector_classes = [] # how many victims to look for in a single scan iteration victims_max_find = 100 diff --git a/monkey/infection_monkey/system_info/system_info_collector.py b/monkey/infection_monkey/system_info/system_info_collector.py index a16560930..ee4bb21e8 100644 --- a/monkey/infection_monkey/system_info/system_info_collector.py +++ b/monkey/infection_monkey/system_info/system_info_collector.py @@ -19,7 +19,7 @@ class SystemInfoCollector(Plugin, metaclass=ABCMeta): @staticmethod def should_run(class_name) -> bool: - return class_name in WormConfiguration.system_info_collectors_classes + return class_name in WormConfiguration.system_info_collector_classes @staticmethod def base_package_file(): diff --git a/monkey/monkey_island/cc/services/config.py b/monkey/monkey_island/cc/services/config.py index e8453a052..5b6c4529b 100644 --- a/monkey/monkey_island/cc/services/config.py +++ b/monkey/monkey_island/cc/services/config.py 
@@ -11,7 +11,7 @@ from monkey_island.cc.database import mongo from monkey_island.cc.encryptor import encryptor from monkey_island.cc.network_utils import local_ip_addresses -from .config_schema import SCHEMA +from monkey_island.cc.services.config_schema.config_schema import SCHEMA __author__ = "itay.mizeretz" diff --git a/monkey/monkey_island/cc/services/config_schema.py b/monkey/monkey_island/cc/services/config_schema.py deleted file mode 100644 index 07e9e9cb9..000000000 --- a/monkey/monkey_island/cc/services/config_schema.py +++ /dev/null 
@@ -1,1113 +0,0 @@ -from common.data.system_info_collectors_names import (AWS_COLLECTOR, - ENVIRONMENT_COLLECTOR, - HOSTNAME_COLLECTOR, - PROCESS_LIST_COLLECTOR) - -WARNING_SIGN = " \u26A0" - -SCHEMA = { - "title": "Monkey", - "type": "object", - "definitions": { - "exploiter_classes": { - "title": "Exploit class", - "description": "Click on exploiter to get more information about it." + WARNING_SIGN + - " Note that using unsafe exploits may cause crashes of the exploited machine/service.", - "type": "string", - "anyOf": [ - { - "type": "string", - "enum": [ - "SmbExploiter" - ], - "title": "SMB Exploiter", - "attack_techniques": ["T1110", "T1075", "T1035"], - "info": "Brute forces using credentials provided by user and" - " hashes gathered by mimikatz.", - "link": "https://github.com/guardicore/monkey/wiki/Exploiters" - }, - { - "type": "string", - "enum": [ - "WmiExploiter" - ], - "title": "WMI Exploiter", - "attack_techniques": ["T1110", "T1106"], - "info": "Brute forces WMI (Windows Management Instrumentation) " - "using credentials provided by user and hashes gathered by mimikatz.", - "link": "https://github.com/guardicore/monkey/wiki/Exploiters" - }, - { - "type": "string", - "enum": [ - "MSSQLExploiter" - ], - "title": "MSSQL Exploiter", - "attack_techniques": ["T1110"], - "info": "Tries to brute force into MsSQL server and uses insecure " - "configuration to execute commands on server.", - "link": "https://github.com/guardicore/monkey/wiki/Exploiters" - }, - { - "type": "string", - "enum": [ - "Ms08_067_Exploiter" - ], - "title": "MS08-067 Exploiter (UNSAFE)", - "info": "Unsafe exploiter, that might cause system crash due to the use of buffer overflow. 
" - "Uses MS08-067 vulnerability.", - "link": "https://github.com/guardicore/monkey/wiki/Exploiters" - }, - { - "type": "string", - "enum": [ - "SSHExploiter" - ], - "title": "SSH Exploiter", - "attack_techniques": ["T1110", "T1145", "T1106"], - "info": "Brute forces using credentials provided by user and SSH keys gathered from systems.", - "link": "https://github.com/guardicore/monkey/wiki/Exploiters" - }, - { - "type": "string", - "enum": [ - "ShellShockExploiter" - ], - "title": "ShellShock Exploiter", - "info": "CVE-2014-6271, based on logic from " - "https://github.com/nccgroup/shocker/blob/master/shocker.py .", - "link": "https://github.com/guardicore/monkey/wiki/Exploiters" - }, - { - "type": "string", - "enum": [ - "SambaCryExploiter" - ], - "title": "SambaCry Exploiter", - "info": "Bruteforces and searches for anonymous shares. Uses Impacket.", - "link": "https://github.com/guardicore/monkey/wiki/Exploiters" - }, - { - "type": "string", - "enum": [ - "ElasticGroovyExploiter" - ], - "title": "ElasticGroovy Exploiter", - "info": "CVE-2015-1427. Logic is based on Metasploit module.", - "link": "https://github.com/guardicore/monkey/wiki/Exploiters" - }, - { - "type": "string", - "enum": [ - "Struts2Exploiter" - ], - "title": "Struts2 Exploiter", - "info": "Exploits struts2 java web framework. CVE-2017-5638. Logic based on " - "https://www.exploit-db.com/exploits/41570 .", - "link": "https://github.com/guardicore/monkey/wiki/Exploiters" - }, - { - "type": "string", - "enum": [ - "WebLogicExploiter" - ], - "title": "WebLogic Exploiter", - "info": "Exploits CVE-2017-10271 and CVE-2019-2725 vulnerabilities on WebLogic server.", - "link": "https://github.com/guardicore/monkey/wiki/Exploiters" - }, - { - "type": "string", - "enum": [ - "HadoopExploiter" - ], - "title": "Hadoop/Yarn Exploiter", - "info": "Remote code execution on HADOOP server with YARN and default settings. 
" - "Logic based on https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn.", - "link": "https://github.com/guardicore/monkey/wiki/Exploiters" - }, - { - "type": "string", - "enum": [ - "VSFTPDExploiter" - ], - "title": "VSFTPD Exploiter", - "info": "Exploits a malicious backdoor that was added to the VSFTPD download archive. " - "Logic based on Metasploit module.", - "link": "https://github.com/guardicore/monkey/wiki/Exploiters" - } - ] - }, - "system_info_collectors_classes": { - "title": "System Information Collectors", - "description": "Click on a system info collector to find out what it collects.", - "type": "string", - "anyOf": [ - { - "type": "string", - "enum": [ - ENVIRONMENT_COLLECTOR - ], - "title": "Environment collector", - "info": "Collects information about machine's environment (on premise/GCP/AWS).", - "attack_techniques": [] - }, - { - "type": "string", - "enum": [ - AWS_COLLECTOR - ], - "title": "AWS collector", - "info": "If on AWS, collects more information about the AWS instance currently running on.", - "attack_techniques": [] - }, - { - "type": "string", - "enum": [ - HOSTNAME_COLLECTOR - ], - "title": "Hostname collector", - "info": "Collects machine's hostname.", - "attack_techniques": [] - }, - { - "type": "string", - "enum": [ - PROCESS_LIST_COLLECTOR - ], - "title": "Process list collector", - "info": "Collects a list of running processes on the machine.", - "attack_techniques": [] - }, - ], - }, - "post_breach_actions": { - "title": "Post breach actions", - "description": "Runs scripts/commands on infected machines. These actions safely simulate what an adversary" - "might do after breaching a new machine. 
Used in ATT&CK and Zero trust reports.", - "type": "string", - "anyOf": [ - { - "type": "string", - "enum": [ - "BackdoorUser" - ], - "title": "Back door user", - "info": "Attempts to create a new user on the system and delete it afterwards.", - "attack_techniques": ["T1136"] - }, - { - "type": "string", - "enum": [ - "CommunicateAsNewUser" - ], - "title": "Communicate as new user", - "info": "Attempts to create a new user, create HTTPS requests as that user and delete the user " - "afterwards.", - "attack_techniques": ["T1136"] - }, - { - "type": "string", - "enum": [ - "ModifyShellStartupFiles" - ], - "title": "Modify shell startup files", - "info": "Attempts to modify shell startup files, like ~/.profile, ~/.bashrc, ~/.bash_profile " - "in linux, and profile.ps1 in windows. Reverts modifications done afterwards.", - "attack_techniques": ["T1156", "T1504"] - }, - { - "type": "string", - "enum": [ - "HiddenFiles" - ], - "title": "Hidden files and directories", - "info": "Attempts to create a hidden file and remove it afterward.", - "attack_techniques": ["T1158"] - }, - { - "type": "string", - "enum": [ - "TrapCommand" - ], - "title": "Trap", - "attack_techniques": ["T1154"] - }, - { - "type": "string", - "enum": [ - "ChangeSetuidSetgid" - ], - "title": "Setuid and Setgid", - "attack_techniques": ["T1166"] - }, - { - "type": "string", - "enum": [ - "ScheduleJobs" - ], - "title": "Job scheduling", - "attack_techniques": ["T1168", "T1053"] - } - ], - }, - "finger_classes": { - "title": "Fingerprint class", - "description": "Fingerprint modules collect info about external services " - "Infection Monkey scans.", - "type": "string", - "anyOf": [ - { - "type": "string", - "enum": [ - "SMBFinger" - ], - "title": "SMBFinger", - "info": "Figures out if SMB is running and what's the version of it.", - "attack_techniques": ["T1210"] - }, - { - "type": "string", - "enum": [ - "SSHFinger" - ], - "title": "SSHFinger", - "info": "Figures out if SSH is running.", - 
"attack_techniques": ["T1210"] - }, - { - "type": "string", - "enum": [ - "PingScanner" - ], - "title": "PingScanner", - "info": "Tries to identify if host is alive and which OS it's running by ping scan." - }, - { - "type": "string", - "enum": [ - "HTTPFinger" - ], - "title": "HTTPFinger", - "info": "Checks if host has HTTP/HTTPS ports open." - }, - { - "type": "string", - "enum": [ - "MySQLFinger" - ], - "title": "MySQLFinger", - "info": "Checks if MySQL server is running and tries to get it's version.", - "attack_techniques": ["T1210"] - }, - { - "type": "string", - "enum": [ - "MSSQLFinger" - ], - "title": "MSSQLFinger", - "info": "Checks if Microsoft SQL service is running and tries to gather information about it.", - "attack_techniques": ["T1210"] - }, - - { - "type": "string", - "enum": [ - "ElasticFinger" - ], - "title": "ElasticFinger", - "info": "Checks if ElasticSearch is running and attempts to find it's version.", - "attack_techniques": ["T1210"] - } - ] - } - }, - "properties": { - "basic": { - "title": "Exploits", - "type": "object", - "primary": True, - "properties": { - "exploiters": { - "title": "Exploiters", - "type": "object", - "properties": { - "exploiter_classes": { - "title": "Exploiters", - "type": "array", - "uniqueItems": True, - "items": { - "$ref": "#/definitions/exploiter_classes" - }, - "default": [ - "SmbExploiter", - "WmiExploiter", - "SSHExploiter", - "ShellShockExploiter", - "SambaCryExploiter", - "ElasticGroovyExploiter", - "Struts2Exploiter", - "WebLogicExploiter", - "HadoopExploiter", - "VSFTPDExploiter", - "MSSQLExploiter" - ] - } - } - }, - "credentials": { - "title": "Credentials", - "type": "object", - "properties": { - "exploit_user_list": { - "title": "Exploit user list", - "type": "array", - "uniqueItems": True, - "items": { - "type": "string" - }, - "default": [ - "Administrator", - "root", - "user" - ], - "description": "List of usernames to use on exploits using credentials" - }, - "exploit_password_list": { - 
"title": "Exploit password list", - "type": "array", - "uniqueItems": True, - "items": { - "type": "string" - }, - "default": [ - "Password1!", - "1234", - "password", - "12345678" - ], - "description": "List of password to use on exploits using credentials" - } - } - } - } - }, - "basic_network": { - "title": "Network", - "type": "object", - "properties": { - "scope": { - "title": "Scope", - "type": "object", - "properties": { - "blocked_ips": { - "title": "Blocked IPs", - "type": "array", - "uniqueItems": True, - "items": { - "type": "string" - }, - "default": [ - ], - "description": "List of IPs to not scan" - }, - "local_network_scan": { - "title": "Local network scan", - "type": "boolean", - "default": True, - "description": "Determines whether the monkey should scan its subnets additionally" - }, - "depth": { - "title": "Distance from island", - "type": "integer", - "default": 2, - "description": - "Amount of hops allowed for the monkey to spread from the island. " - + WARNING_SIGN - + " Note that setting this value too high may result in the monkey propagating too far" - }, - "subnet_scan_list": { - "title": "Scan IP/subnet list", - "type": "array", - "uniqueItems": True, - "items": { - "type": "string" - }, - "default": [ - ], - "description": - "List of IPs/subnets/hosts the monkey should scan." - " Examples: \"192.168.0.1\", \"192.168.0.5-192.168.0.20\", \"192.168.0.5/24\"," - " \"printer.example\"" - } - } - }, - "network_analysis": { - "title": "Network Analysis", - "type": "object", - "properties": { - "inaccessible_subnets": { - "title": "Network segmentation testing", - "type": "array", - "uniqueItems": True, - "items": { - "type": "string" - }, - "default": [ - ], - "description": - "Test for network segmentation by providing a list of" - " subnets that should NOT be accessible to each other." 
- " For example, given the following configuration:" - " '10.0.0.0/24, 11.0.0.2/32, 12.2.3.0/24'" - " a Monkey running on 10.0.0.5 will try to access machines in the following" - " subnets: 11.0.0.2/32, 12.2.3.0/24." - " An alert on successful connections will be shown in the report" - " Additional subnet formats include: 13.0.0.1, 13.0.0.1-13.0.0.5" - } - } - } - } - }, - "monkey": { - "title": "Monkey", - "type": "object", - "properties": { - "general": { - "title": "General", - "type": "object", - "properties": { - "alive": { - "title": "Alive", - "type": "boolean", - "default": True, - "description": "Is the monkey alive" - }, - "post_breach_actions": { - "title": "Post breach actions", - "type": "array", - "uniqueItems": True, - "items": { - "$ref": "#/definitions/post_breach_actions" - }, - "default": [ - "BackdoorUser", - "CommunicateAsNewUser", - "ModifyShellStartupFiles", - "HiddenFiles", - "TrapCommand", - "ChangeSetuidSetgid", - "ScheduleJobs" - ] - }, - } - }, - "behaviour": { - "title": "Behaviour", - "type": "object", - "properties": { - "custom_PBA_linux_cmd": { - "title": "Linux post breach command", - "type": "string", - "default": "", - "description": "Linux command to be executed after breaching." - }, - "PBA_linux_file": { - "title": "Linux post breach file", - "type": "string", - "format": "data-url", - "description": "File to be executed after breaching. " - "If you want custom execution behavior, " - "specify it in 'Linux post breach command' field. " - "Reference your file by filename." - }, - "custom_PBA_windows_cmd": { - "title": "Windows post breach command", - "type": "string", - "default": "", - "description": "Windows command to be executed after breaching." - }, - "PBA_windows_file": { - "title": "Windows post breach file", - "type": "string", - "format": "data-url", - "description": "File to be executed after breaching. " - "If you want custom execution behavior, " - "specify it in 'Windows post breach command' field. 
" - "Reference your file by filename." - }, - "PBA_windows_filename": { - "title": "Windows PBA filename", - "type": "string", - "default": "" - }, - "PBA_linux_filename": { - "title": "Linux PBA filename", - "type": "string", - "default": "" - }, - "self_delete_in_cleanup": { - "title": "Self delete on cleanup", - "type": "boolean", - "default": True, - "description": "Should the monkey delete its executable when going down" - }, - "use_file_logging": { - "title": "Use file logging", - "type": "boolean", - "default": True, - "description": "Should the monkey dump to a log file" - }, - "serialize_config": { - "title": "Serialize config", - "type": "boolean", - "default": False, - "description": "Should the monkey dump its config on startup" - } - } - }, - "system_info": { - "title": "System info", - "type": "object", - "properties": { - "extract_azure_creds": { - "title": "Harvest Azure Credentials", - "type": "boolean", - "default": True, - "attack_techniques": ["T1003"], - "description": - "Determine if the Monkey should try to harvest password credentials from Azure VMs" - }, - "collect_system_info": { - "title": "Collect system info", - "type": "boolean", - "default": True, - "attack_techniques": ["T1082", "T1005", "T1016"], - "description": "Determines whether to collect system info" - }, - "should_use_mimikatz": { - "title": "Should use Mimikatz", - "type": "boolean", - "default": True, - "attack_techniques": ["T1003"], - "description": "Determines whether to use Mimikatz" - }, - "system_info_collectors_classes": { - "title": "System info collectors", - "type": "array", - "uniqueItems": True, - "items": { - "$ref": "#/definitions/system_info_collectors_classes" - }, - "default": [ - ENVIRONMENT_COLLECTOR, - AWS_COLLECTOR, - HOSTNAME_COLLECTOR, - PROCESS_LIST_COLLECTOR - ] - }, - } - }, - "life_cycle": { - "title": "Life cycle", - "type": "object", - "properties": { - "max_iterations": { - "title": "Max iterations", - "type": "integer", - "default": 1, - 
"description": "Determines how many iterations of the monkey's full lifecycle should occur" - }, - "victims_max_find": { - "title": "Max victims to find", - "type": "integer", - "default": 100, - "description": "Determines the maximum number of machines the monkey is allowed to scan" - }, - "victims_max_exploit": { - "title": "Max victims to exploit", - "type": "integer", - "default": 15, - "description": - "Determines the maximum number of machines the monkey" - " is allowed to successfully exploit. " + WARNING_SIGN - + " Note that setting this value too high may result in the monkey propagating to " - "a high number of machines" - }, - "timeout_between_iterations": { - "title": "Wait time between iterations", - "type": "integer", - "default": 100, - "description": - "Determines for how long (in seconds) should the monkey wait between iterations" - }, - "retry_failed_explotation": { - "title": "Retry failed exploitation", - "type": "boolean", - "default": True, - "description": - "Determines whether the monkey should retry exploiting machines" - " it didn't successfully exploit on previous iterations" - } - } - } - } - }, - "internal": { - "title": "Internal", - "type": "object", - "properties": { - "general": { - "title": "General", - "type": "object", - "properties": { - "singleton_mutex_name": { - "title": "Singleton mutex name", - "type": "string", - "default": "{2384ec59-0df8-4ab9-918c-843740924a28}", - "description": - "The name of the mutex used to determine whether the monkey is already running" - }, - "keep_tunnel_open_time": { - "title": "Keep tunnel open time", - "type": "integer", - "default": 60, - "description": "Time to keep tunnel open before going down after last exploit (in seconds)" - }, - "monkey_dir_name": { - "title": "Monkey's directory name", - "type": "string", - "default": r"monkey_dir", - "description": "Directory name for the directory which will contain all of the monkey files" - }, - "started_on_island": { - "title": "Started on 
island", - "type": "boolean", - "default": False, - "description": "Was exploitation started from island" - "(did monkey with max depth ran on island)" - }, - } - }, - "classes": { - "title": "Classes", - "type": "object", - "properties": { - "finger_classes": { - "title": "Fingerprint classes", - "type": "array", - "uniqueItems": True, - "items": { - "$ref": "#/definitions/finger_classes" - }, - "default": [ - "SMBFinger", - "SSHFinger", - "PingScanner", - "HTTPFinger", - "MySQLFinger", - "MSSQLFinger", - "ElasticFinger" - ] - } - } - }, - "kill_file": { - "title": "Kill file", - "type": "object", - "properties": { - "kill_file_path_windows": { - "title": "Kill file path on Windows", - "type": "string", - "default": "%windir%\\monkey.not", - "description": "Path of file which kills monkey if it exists (on Windows)" - }, - "kill_file_path_linux": { - "title": "Kill file path on Linux", - "type": "string", - "default": "/var/run/monkey.not", - "description": "Path of file which kills monkey if it exists (on Linux)" - } - } - }, - "dropper": { - "title": "Dropper", - "type": "object", - "properties": { - "dropper_set_date": { - "title": "Dropper sets date", - "type": "boolean", - "default": True, - "description": - "Determines whether the dropper should set the monkey's file date to be the same as" - " another file" - }, - "dropper_date_reference_path_windows": { - "title": "Dropper date reference path (Windows)", - "type": "string", - "default": "%windir%\\system32\\kernel32.dll", - "description": - "Determines which file the dropper should copy the date from if it's configured to do" - " so on Windows (use fullpath)" - }, - "dropper_date_reference_path_linux": { - "title": "Dropper date reference path (Linux)", - "type": "string", - "default": "/bin/sh", - "description": - "Determines which file the dropper should copy the date from if it's configured to do" - " so on Linux (use fullpath)" - }, - "dropper_target_path_linux": { - "title": "Dropper target path on 
Linux", - "type": "string", - "default": "/tmp/monkey", - "description": "Determines where should the dropper place the monkey on a Linux machine" - }, - "dropper_target_path_win_32": { - "title": "Dropper target path on Windows (32bit)", - "type": "string", - "default": "C:\\Windows\\temp\\monkey32.exe", - "description": "Determines where should the dropper place the monkey on a Windows machine " - "(32bit)" - }, - "dropper_target_path_win_64": { - "title": "Dropper target path on Windows (64bit)", - "type": "string", - "default": "C:\\Windows\\temp\\monkey64.exe", - "description": "Determines where should the dropper place the monkey on a Windows machine " - "(64 bit)" - }, - "dropper_try_move_first": { - "title": "Try to move first", - "type": "boolean", - "default": True, - "description": - "Determines whether the dropper should try to move itself instead of copying itself" - " to target path" - } - } - }, - "logging": { - "title": "Logging", - "type": "object", - "properties": { - "dropper_log_path_linux": { - "title": "Dropper log file path on Linux", - "type": "string", - "default": "/tmp/user-1562", - "description": "The fullpath of the dropper log file on Linux" - }, - "dropper_log_path_windows": { - "title": "Dropper log file path on Windows", - "type": "string", - "default": "%temp%\\~df1562.tmp", - "description": "The fullpath of the dropper log file on Windows" - }, - "monkey_log_path_linux": { - "title": "Monkey log file path on Linux", - "type": "string", - "default": "/tmp/user-1563", - "description": "The fullpath of the monkey log file on Linux" - }, - "monkey_log_path_windows": { - "title": "Monkey log file path on Windows", - "type": "string", - "default": "%temp%\\~df1563.tmp", - "description": "The fullpath of the monkey log file on Windows" - }, - "send_log_to_server": { - "title": "Send log to server", - "type": "boolean", - "default": True, - "description": "Determines whether the monkey sends its log to the Monkey Island server" - } - } - 
}, - "exploits": { - "title": "Exploits", - "type": "object", - "properties": { - "exploit_lm_hash_list": { - "title": "Exploit LM hash list", - "type": "array", - "uniqueItems": True, - "items": { - "type": "string" - }, - "default": [], - "description": "List of LM hashes to use on exploits using credentials" - }, - "exploit_ntlm_hash_list": { - "title": "Exploit NTLM hash list", - "type": "array", - "uniqueItems": True, - "items": { - "type": "string" - }, - "default": [], - "description": "List of NTLM hashes to use on exploits using credentials" - }, - "exploit_ssh_keys": { - "title": "SSH key pairs list", - "type": "array", - "uniqueItems": True, - "default": [], - "items": { - "type": "string" - }, - "description": "List of SSH key pairs to use, when trying to ssh into servers" - } - } - }, - "testing": { - "title": "Testing", - "type": "object", - "properties": { - "export_monkey_telems": { - "title": "Export monkey telemetries", - "type": "boolean", - "default": False, - "description": "Exports unencrypted telemetries that can be used for tests in development." - " Do not turn on!" 
- } - } - } - } - }, - "cnc": { - "title": "Monkey Island", - "type": "object", - "properties": { - "servers": { - "title": "Servers", - "type": "object", - "properties": { - "command_servers": { - "title": "Command servers", - "type": "array", - "uniqueItems": True, - "items": { - "type": "string" - }, - "default": [ - "192.0.2.0:5000" - ], - "description": "List of command servers to try and communicate with (format is :)" - }, - "internet_services": { - "title": "Internet services", - "type": "array", - "uniqueItems": True, - "items": { - "type": "string" - }, - "default": [ - "monkey.guardicore.com", - "www.google.com" - ], - "description": - "List of internet services to try and communicate with to determine internet" - " connectivity (use either ip or domain)" - }, - "current_server": { - "title": "Current server", - "type": "string", - "default": "192.0.2.0:5000", - "description": "The current command server the monkey is communicating with" - } - } - }, - } - }, - "exploits": { - "title": "Exploits", - "type": "object", - "properties": { - "general": { - "title": "General", - "type": "object", - "properties": { - "skip_exploit_if_file_exist": { - "title": "Skip exploit if file exists", - "type": "boolean", - "default": False, - "description": "Determines whether the monkey should skip the exploit if the monkey's file" - " is already on the remote machine" - } - } - }, - "ms08_067": { - "title": "MS08_067", - "type": "object", - "properties": { - "ms08_067_exploit_attempts": { - "title": "MS08_067 exploit attempts", - "type": "integer", - "default": 5, - "description": "Number of attempts to exploit using MS08_067" - }, - "user_to_add": { - "title": "Remote user", - "type": "string", - "default": "Monkey_IUSER_SUPPORT", - "description": "Username to add on successful exploit" - }, - "remote_user_pass": { - "title": "Remote user password", - "type": "string", - "default": "Password1!", - "description": "Password to use for created user" - } - } - }, - 
"sambacry": { - "title": "SambaCry", - "type": "object", - "properties": { - "sambacry_trigger_timeout": { - "title": "SambaCry trigger timeout", - "type": "integer", - "default": 5, - "description": "Timeout (in seconds) of SambaCry trigger" - }, - "sambacry_folder_paths_to_guess": { - "title": "SambaCry folder paths to guess", - "type": "array", - "uniqueItems": True, - "items": { - "type": "string" - }, - "default": [ - '/', - '/mnt', - '/tmp', - '/storage', - '/export', - '/share', - '/shares', - '/home' - ], - "description": "List of full paths to share folder for SambaCry to guess" - }, - "sambacry_shares_not_to_check": { - "title": "SambaCry shares not to check", - "type": "array", - "uniqueItems": True, - "items": { - "type": "string" - }, - "default": [ - "IPC$", "print$" - ], - "description": "These shares won't be checked when exploiting with SambaCry" - } - } - }, - "smb_service": { - "title": "SMB service", - "type": "object", - "properties": { - "smb_download_timeout": { - "title": "SMB download timeout", - "type": "integer", - "default": 300, - "description": - "Timeout (in seconds) for SMB download operation (used in various exploits using SMB)" - }, - "smb_service_name": { - "title": "SMB service name", - "type": "string", - "default": "InfectionMonkey", - "description": "Name of the SMB service that will be set up to download monkey" - } - } - } - } - }, - "network": { - "title": "Network", - "type": "object", - "properties": { - "tcp_scanner": { - "title": "TCP scanner", - "type": "object", - "properties": { - "HTTP_PORTS": { - "title": "HTTP ports", - "type": "array", - "uniqueItems": True, - "items": { - "type": "integer" - }, - "default": [ - 80, - 8080, - 443, - 8008, - 7001 - ], - "description": "List of ports the monkey will check if are being used for HTTP" - }, - "tcp_target_ports": { - "title": "TCP target ports", - "type": "array", - "uniqueItems": True, - "items": { - "type": "integer" - }, - "default": [ - 22, - 2222, - 445, - 135, - 
3389, - 80, - 8080, - 443, - 8008, - 3306, - 9200, - 7001, - 8088 - ], - "description": "List of TCP ports the monkey will check whether they're open" - }, - "tcp_scan_interval": { - "title": "TCP scan interval", - "type": "integer", - "default": 0, - "description": "Time to sleep (in milliseconds) between scans" - }, - "tcp_scan_timeout": { - "title": "TCP scan timeout", - "type": "integer", - "default": 3000, - "description": "Maximum time (in milliseconds) to wait for TCP response" - }, - "tcp_scan_get_banner": { - "title": "TCP scan - get banner", - "type": "boolean", - "default": True, - "description": "Determines whether the TCP scan should try to get the banner" - } - } - }, - "ping_scanner": { - "title": "Ping scanner", - "type": "object", - "properties": { - "ping_scan_timeout": { - "title": "Ping scan timeout", - "type": "integer", - "default": 1000, - "description": "Maximum time (in milliseconds) to wait for ping response" - } - } - } - } - } - }, - "options": { - "collapsed": True - } -} diff --git a/monkey/monkey_island/cc/services/config_schema/__init__.py b/monkey/monkey_island/cc/services/config_schema/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/monkey/monkey_island/cc/services/config_schema/basic.py b/monkey/monkey_island/cc/services/config_schema/basic.py new file mode 100644 index 000000000..6a255fc95 --- /dev/null +++ b/monkey/monkey_island/cc/services/config_schema/basic.py 
@@ -0,0 +1,69 @@ +BASIC = { + "title": "Exploits", + "type": "object", + "primary": True, + "properties": { + "exploiters": { + "title": "Exploiters", + "type": "object", + "properties": { + "exploiter_classes": { + "title": "Exploiters", + "type": "array", + "uniqueItems": True, + "items": { + "$ref": "#/definitions/exploiter_classes" + }, + "default": [ + "SmbExploiter", + "WmiExploiter", + "SSHExploiter", + "ShellShockExploiter", + "SambaCryExploiter", + "ElasticGroovyExploiter", + "Struts2Exploiter", + "WebLogicExploiter", + "HadoopExploiter", + "VSFTPDExploiter", + "MSSQLExploiter" + ] + } + } + }, + "credentials": { + "title": "Credentials", + "type": "object", + "properties": { + "exploit_user_list": { + "title": "Exploit user list", + "type": "array", + "uniqueItems": True, + "items": { + "type": "string" + }, + "default": [ + "Administrator", + "root", + "user" + ], + "description": "List of usernames to use on exploits using credentials" + }, + "exploit_password_list": { + "title": "Exploit password list", + "type": "array", + "uniqueItems": True, + "items": { + "type": "string" + }, + "default": [ + "Password1!", + "1234", + "password", + "12345678" + ], + "description": "List of password to use on exploits using credentials" + } + } + } + } +} diff --git a/monkey/monkey_island/cc/services/config_schema/basic_network.py b/monkey/monkey_island/cc/services/config_schema/basic_network.py new file mode 100644 index 000000000..3674c0f71 --- /dev/null +++ b/monkey/monkey_island/cc/services/config_schema/basic_network.py 
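Review bot: `BASIC` carries `"$ref": "#/definitions/exploiter_classes"` but this module defines no `definitions` key, so the fragment only validates once it is spliced under a root schema that supplies one — presumably the new config_schema.py, whose hunk is outside this view — and that dependency is not stated anywhere in the file. A module docstring such as `"""Schema fragment for the 'basic' section; $ref targets resolve against the definitions of the root SCHEMA assembled in config_schema.py."""` would tell a maintainer which file owns the definitions and that this dict is not a standalone schema. The exploiter and credential `default` lists are the values the UI seeds on first load; a short comment above `"default"` saying they are initial values rather than an allow-list would make that explicit now that the lists live apart from the `exploiter_classes` definition.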
@@ -0,0 +1,79 @@ +from monkey_island.cc.services.utils.typographic_symbols import WARNING_SIGN + +BASIC_NETWORK = { + "title": "Network", + "type": "object", + "properties": { + "scope": { + "title": "Scope", + "type": "object", + "properties": { + "blocked_ips": { + "title": "Blocked IPs", + "type": "array", + "uniqueItems": True, + "items": { + "type": "string" + }, + "default": [ + ], + "description": "List of IPs to not scan" + }, + "local_network_scan": { + "title": "Local network scan", + "type": "boolean", + "default": True, + "description": "Determines whether the monkey should scan its subnets additionally" + }, + "depth": { + "title": "Distance from island", + "type": "integer", + "default": 2, + "description": + "Amount of hops allowed for the monkey to spread from the island. " + + WARNING_SIGN + + " Note that setting this value too high may result in the monkey propagating too far" + }, + "subnet_scan_list": { + "title": "Scan IP/subnet list", + "type": "array", + "uniqueItems": True, + "items": { + "type": "string" + }, + "default": [ + ], + "description": + "List of IPs/subnets/hosts the monkey should scan." + " Examples: \"192.168.0.1\", \"192.168.0.5-192.168.0.20\", \"192.168.0.5/24\"," + " \"printer.example\"" + } + } + }, + "network_analysis": { + "title": "Network Analysis", + "type": "object", + "properties": { + "inaccessible_subnets": { + "title": "Network segmentation testing", + "type": "array", + "uniqueItems": True, + "items": { + "type": "string" + }, + "default": [ + ], + "description": + "Test for network segmentation by providing a list of" + " subnets that should NOT be accessible to each other." + " For example, given the following configuration:" + " '10.0.0.0/24, 11.0.0.2/32, 12.2.3.0/24'" + " a Monkey running on 10.0.0.5 will try to access machines in the following" + " subnets: 11.0.0.2/32, 12.2.3.0/24." 
+ " An alert on successful connections will be shown in the report" + " Additional subnet formats include: 13.0.0.1, 13.0.0.1-13.0.0.5" + } + } + } + } +} diff --git a/monkey/monkey_island/cc/services/config_schema/cnc.py b/monkey/monkey_island/cc/services/config_schema/cnc.py new file mode 100644 index 000000000..bade095e8 --- /dev/null +++ b/monkey/monkey_island/cc/services/config_schema/cnc.py @@ -0,0 +1,45 @@ +CNC = { + "title": "Monkey Island", + "type": "object", + "properties": { + "servers": { + "title": "Servers", + "type": "object", + "properties": { + "command_servers": { + "title": "Command servers", + "type": "array", + "uniqueItems": True, + "items": { + "type": "string" + }, + "default": [ + "192.0.2.0:5000" + ], + "description": "List of command servers to try and communicate with (format is :)" + }, + "internet_services": { + "title": "Internet services", + "type": "array", + "uniqueItems": True, + "items": { + "type": "string" + }, + "default": [ + "monkey.guardicore.com", + "www.google.com" + ], + "description": + "List of internet services to try and communicate with to determine internet" + " connectivity (use either ip or domain)" + }, + "current_server": { + "title": "Current server", + "type": "string", + "default": "192.0.2.0:5000", + "description": "The current command server the monkey is communicating with" + } + } + }, + } +} diff --git a/monkey/monkey_island/cc/services/config_schema/config_schema.py b/monkey/monkey_island/cc/services/config_schema/config_schema.py new file mode 100644 index 000000000..49dc61ad2 --- /dev/null +++ b/monkey/monkey_island/cc/services/config_schema/config_schema.py 
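Review bot: `depth` is the single knob bounding how far the agent propagates, yet the schema puts no `minimum`/`maximum` on it and relies on the warning text alone; JSON Schema can enforce the floor cheaply with `"minimum": 0,` beside `"default": 2` (whether 0 is a meaningful value — no hops beyond the island — I cannot confirm from this hunk, so use the floor the agent actually honours). `subnet_scan_list`, `blocked_ips` and `inaccessible_subnets` accept any string; hostnames such as `printer.example` make a strict pattern impractical, but the descriptions should say whether malformed entries are rejected by the agent or silently skipped. The `inaccessible_subnets` description is also missing a period before `Additional subnet formats`, so the two sentences run together in the UI.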
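Review bot: `internet_services` defaults to `monkey.guardicore.com` and `www.google.com`, so every infected host attempts an outbound connection to the vendor's domain and to Google during a run; in egress-restricted or sensitive environments that is both a data point leaving the network and a likely alert in the customer's own monitoring. The description should state this and tell operators they may empty the list: `"List of internet services to try and communicate with to determine internet connectivity (use either ip or domain). Every Monkey contacts these hosts; clear the list to disable the check."` Separately, the `command_servers` description reads `(format is :)` in this view — if an `<ip>:<port>` placeholder was stripped in rendering that is fine, otherwise the placeholder needs restoring.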
@@ -0,0 +1,36 @@ +from monkey_island.cc.services.config_schema.basic import BASIC +from monkey_island.cc.services.config_schema.basic_network import BASIC_NETWORK +from monkey_island.cc.services.config_schema.cnc import CNC +from monkey_island.cc.services.config_schema.definitions.exploiter_classes import EXPLOITER_CLASSES +from monkey_island.cc.services.config_schema.definitions.finger_classes import FINGER_CLASSES +from monkey_island.cc.services.config_schema.definitions.post_breach_actions import POST_BREACH_ACTIONS +from monkey_island.cc.services.config_schema.definitions.system_info_collector_classes import \ + SYSTEM_INFO_COLLECTOR_CLASSES +from monkey_island.cc.services.config_schema.exploits import EXPLOITS +from monkey_island.cc.services.config_schema.internal import INTERNAL +from monkey_island.cc.services.config_schema.monkey import MONKEY +from monkey_island.cc.services.config_schema.network import NETWORK + +SCHEMA = { + "title": "Monkey", + "type": "object", + "definitions": { + "exploiter_classes": EXPLOITER_CLASSES, + "system_info_collector_classes": SYSTEM_INFO_COLLECTOR_CLASSES, + "post_breach_actions": POST_BREACH_ACTIONS, + "finger_classes": FINGER_CLASSES + + }, + "properties": { + "basic": BASIC, + "basic_network": BASIC_NETWORK, + "monkey": MONKEY, + "internal": INTERNAL, + "cnc": CNC, + "exploits": EXPLOITS, + "network": NETWORK + }, + "options": { + "collapsed": True + } +} diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py new file mode 100644 index 000000000..0b9e97fa1 --- /dev/null +++ b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py 
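Review bot: The per-section modules use `"$ref": "#/definitions/exploiter_classes"` and similar references that only resolve once they are mounted under this `SCHEMA`'s `definitions`, so none of the new files is a valid schema on its own; a module docstring should state that contract so the next split does not move a `$ref` away from its definition. Something like `"""Root JSON schema for the Monkey configuration. Sub-schemas in this package reference #/definitions/* and are only valid when composed here."""` would do. Style: the blank line between `"finger_classes": FINGER_CLASSES` and the closing brace of `definitions` looks accidental.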
@@ -0,0 +1,130 @@ +from monkey_island.cc.services.utils.typographic_symbols import WARNING_SIGN + +EXPLOITER_CLASSES = { + "title": "Exploit class", + "description": "Click on exploiter to get more information about it." + WARNING_SIGN + + " Note that using unsafe exploits may cause crashes of the exploited machine/service.", + "type": "string", + "anyOf": [ + { + "type": "string", + "enum": [ + "SmbExploiter" + ], + "title": "SMB Exploiter", + "attack_techniques": ["T1110", "T1075", "T1035"], + "info": "Brute forces using credentials provided by user and" + " hashes gathered by mimikatz.", + "link": "https://github.com/guardicore/monkey/wiki/Exploiters" + }, + { + "type": "string", + "enum": [ + "WmiExploiter" + ], + "title": "WMI Exploiter", + "attack_techniques": ["T1110", "T1106"], + "info": "Brute forces WMI (Windows Management Instrumentation) " + "using credentials provided by user and hashes gathered by mimikatz.", + "link": "https://github.com/guardicore/monkey/wiki/Exploiters" + }, + { + "type": "string", + "enum": [ + "MSSQLExploiter" + ], + "title": "MSSQL Exploiter", + "attack_techniques": ["T1110"], + "info": "Tries to brute force into MsSQL server and uses insecure " + "configuration to execute commands on server.", + "link": "https://github.com/guardicore/monkey/wiki/Exploiters" + }, + { + "type": "string", + "enum": [ + "Ms08_067_Exploiter" + ], + "title": "MS08-067 Exploiter (UNSAFE)", + "info": "Unsafe exploiter, that might cause system crash due to the use of buffer overflow. 
" + "Uses MS08-067 vulnerability.", + "link": "https://github.com/guardicore/monkey/wiki/Exploiters" + }, + { + "type": "string", + "enum": [ + "SSHExploiter" + ], + "title": "SSH Exploiter", + "attack_techniques": ["T1110", "T1145", "T1106"], + "info": "Brute forces using credentials provided by user and SSH keys gathered from systems.", + "link": "https://github.com/guardicore/monkey/wiki/Exploiters" + }, + { + "type": "string", + "enum": [ + "ShellShockExploiter" + ], + "title": "ShellShock Exploiter", + "info": "CVE-2014-6271, based on logic from " + "https://github.com/nccgroup/shocker/blob/master/shocker.py .", + "link": "https://github.com/guardicore/monkey/wiki/Exploiters" + }, + { + "type": "string", + "enum": [ + "SambaCryExploiter" + ], + "title": "SambaCry Exploiter", + "info": "Bruteforces and searches for anonymous shares. Uses Impacket.", + "link": "https://github.com/guardicore/monkey/wiki/Exploiters" + }, + { + "type": "string", + "enum": [ + "ElasticGroovyExploiter" + ], + "title": "ElasticGroovy Exploiter", + "info": "CVE-2015-1427. Logic is based on Metasploit module.", + "link": "https://github.com/guardicore/monkey/wiki/Exploiters" + }, + { + "type": "string", + "enum": [ + "Struts2Exploiter" + ], + "title": "Struts2 Exploiter", + "info": "Exploits struts2 java web framework. CVE-2017-5638. Logic based on " + "https://www.exploit-db.com/exploits/41570 .", + "link": "https://github.com/guardicore/monkey/wiki/Exploiters" + }, + { + "type": "string", + "enum": [ + "WebLogicExploiter" + ], + "title": "WebLogic Exploiter", + "info": "Exploits CVE-2017-10271 and CVE-2019-2725 vulnerabilities on WebLogic server.", + "link": "https://github.com/guardicore/monkey/wiki/Exploiters" + }, + { + "type": "string", + "enum": [ + "HadoopExploiter" + ], + "title": "Hadoop/Yarn Exploiter", + "info": "Remote code execution on HADOOP server with YARN and default settings. 
" + "Logic based on https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn.", + "link": "https://github.com/guardicore/monkey/wiki/Exploiters" + }, + { + "type": "string", + "enum": [ + "VSFTPDExploiter" + ], + "title": "VSFTPD Exploiter", + "info": "Exploits a malicious backdoor that was added to the VSFTPD download archive. " + "Logic based on Metasploit module.", + "link": "https://github.com/guardicore/monkey/wiki/Exploiters" + } + ] +} diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py new file mode 100644 index 000000000..6fe5e8fea --- /dev/null +++ b/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py 
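Review bot: `attack_techniques` is present on the SMB, WMI, MSSQL and SSH entries but absent on `Ms08_067_Exploiter`, `ShellShockExploiter`, `SambaCryExploiter`, `ElasticGroovyExploiter`, `Struts2Exploiter`, `WebLogicExploiter`, `HadoopExploiter` and `VSFTPDExploiter`; whatever consumes this key for the ATT&CK report presumably treats a missing key as "no techniques", which under-reports the remote-service exploits. Either add the key to every entry (an empty list at minimum, as `system_info_collector_classes.py` in this commit does) or explain in the top-level `description` why some exploiters carry no mapping. Also, `Ms08_067_Exploiter` is the only exploiter whose unsafety is signalled, and only through the human-readable title `(UNSAFE)`; a machine-readable flag such as `"safe": False` would let the UI and validators warn instead of depending on a title string.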
@@ -0,0 +1,70 @@ +FINGER_CLASSES = { + "title": "Fingerprint class", + "description": "Fingerprint modules collect info about external services " + "Infection Monkey scans.", + "type": "string", + "anyOf": [ + { + "type": "string", + "enum": [ + "SMBFinger" + ], + "title": "SMBFinger", + "info": "Figures out if SMB is running and what's the version of it.", + "attack_techniques": ["T1210"] + }, + { + "type": "string", + "enum": [ + "SSHFinger" + ], + "title": "SSHFinger", + "info": "Figures out if SSH is running.", + "attack_techniques": ["T1210"] + }, + { + "type": "string", + "enum": [ + "PingScanner" + ], + "title": "PingScanner", + "info": "Tries to identify if host is alive and which OS it's running by ping scan." + }, + { + "type": "string", + "enum": [ + "HTTPFinger" + ], + "title": "HTTPFinger", + "info": "Checks if host has HTTP/HTTPS ports open." + }, + { + "type": "string", + "enum": [ + "MySQLFinger" + ], + "title": "MySQLFinger", + "info": "Checks if MySQL server is running and tries to get it's version.", + "attack_techniques": ["T1210"] + }, + { + "type": "string", + "enum": [ + "MSSQLFinger" + ], + "title": "MSSQLFinger", + "info": "Checks if Microsoft SQL service is running and tries to gather information about it.", + "attack_techniques": ["T1210"] + }, + + { + "type": "string", + "enum": [ + "ElasticFinger" + ], + "title": "ElasticFinger", + "info": "Checks if ElasticSearch is running and attempts to find it's version.", + "attack_techniques": ["T1210"] + } + ] +} diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py new file mode 100644 index 000000000..9e55ee5ba --- /dev/null +++ b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py 
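Review bot: Several user-facing `info` strings carry grammar slips that will show verbatim in the UI: `what's the version of it` (SMBFinger) reads awkwardly, and `tries to get it's version` / `attempts to find it's version` (MySQLFinger, ElasticFinger) should be `its version`. As with the exploiter definitions, `attack_techniques` is missing on `PingScanner` and `HTTPFinger` while the other five fingerprinters carry `["T1210"]`; add the key (an empty list if no mapping applies) so consumers see a uniform shape.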
@@ -0,0 +1,70 @@ +POST_BREACH_ACTIONS = { + "title": "Post breach actions", + "description": "Runs scripts/commands on infected machines. These actions safely simulate what an adversary" + "might do after breaching a new machine. Used in ATT&CK and Zero trust reports.", + "type": "string", + "anyOf": [ + { + "type": "string", + "enum": [ + "BackdoorUser" + ], + "title": "Back door user", + "info": "Attempts to create a new user on the system and delete it afterwards.", + "attack_techniques": ["T1136"] + }, + { + "type": "string", + "enum": [ + "CommunicateAsNewUser" + ], + "title": "Communicate as new user", + "info": "Attempts to create a new user, create HTTPS requests as that user and delete the user " + "afterwards.", + "attack_techniques": ["T1136"] + }, + { + "type": "string", + "enum": [ + "ModifyShellStartupFiles" + ], + "title": "Modify shell startup files", + "info": "Attempts to modify shell startup files, like ~/.profile, ~/.bashrc, ~/.bash_profile " + "in linux, and profile.ps1 in windows. Reverts modifications done afterwards.", + "attack_techniques": ["T1156", "T1504"] + }, + { + "type": "string", + "enum": [ + "HiddenFiles" + ], + "title": "Hidden files and directories", + "info": "Attempts to create a hidden file and remove it afterward.", + "attack_techniques": ["T1158"] + }, + { + "type": "string", + "enum": [ + "TrapCommand" + ], + "title": "Trap", + "attack_techniques": ["T1154"] + }, + { + "type": "string", + "enum": [ + "ChangeSetuidSetgid" + ], + "title": "Setuid and Setgid", + "attack_techniques": ["T1166"] + }, + { + "type": "string", + "enum": [ + "ScheduleJobs" + ], + "title": "Job scheduling", + "attack_techniques": ["T1168", "T1053"] + } + ] +} diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py new file mode 100644 index 000000000..c77b77b7c --- /dev/null 
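Review bot: The top-level `description` is assembled from two adjacent string literals, `"...what an adversary"` and `"might do after..."`, with no space at the join, so the UI will render `adversarymight`; change the first to `"...what an adversary "`. More importantly for operators, `TrapCommand`, `ChangeSetuidSetgid` and `ScheduleJobs` have no `info` at all, even though the description invites users to read what each action does and these three touch trap handlers, setuid/setgid bits and scheduled jobs on breached hosts — exactly the actions an operator needs described before enabling. Each should get an `info` line stating what is changed and whether it is reverted, as `ModifyShellStartupFiles` does.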
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py
@@ -0,0 +1,48 @@
+from common.data.system_info_collectors_names import (AWS_COLLECTOR,
+ ENVIRONMENT_COLLECTOR,
+ HOSTNAME_COLLECTOR,
+ PROCESS_LIST_COLLECTOR)
+
+SYSTEM_INFO_COLLECTOR_CLASSES = {
+ "title": "System Information Collectors",
+ "description": "Click on a system info collector to find out what it collects.",
+ "type": "string",
+ "anyOf": [
+ {
+ "type": "string",
+ "enum": [
+ ENVIRONMENT_COLLECTOR
+ ],
+ "title": "Environment collector",
+ "info": "Collects information about machine's environment (on premise/GCP/AWS).",
+ "attack_techniques": []
+ },
+ {
+ "type": "string",
+ "enum": [
+ AWS_COLLECTOR
+ ],
+ "title": "AWS collector",
+ "info": "If on AWS, collects more information about the AWS instance currently running on.",
+ "attack_techniques": []
+ },
+ {
+ "type": "string",
+ "enum": [
+ HOSTNAME_COLLECTOR
+ ],
+ "title": "Hostname collector",
+ "info": "Collects machine's hostname.",
+ "attack_techniques": []
+ },
+ {
+ "type": "string",
+ "enum": [
+ PROCESS_LIST_COLLECTOR
+ ],
+ "title": "Process list collector",
+ "info": "Collects a list of running processes on the machine.",
+ "attack_techniques": []
+ },
+ ]
+}
diff --git a/monkey/monkey_island/cc/services/config_schema/exploits.py b/monkey/monkey_island/cc/services/config_schema/exploits.py
new file mode 100644
index 000000000..acbb2f973
--- /dev/null
+++ b/monkey/monkey_island/cc/services/config_schema/exploits.py
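Review bot: Every collector here carries `"attack_techniques": []`, while `collect_system_info` in `monkey.py` in this same commit is tagged `["T1082", "T1005", "T1016"]`; if the collectors are the mechanism behind that flag, the ATT&CK report attributes the techniques to the boolean but not to the collector that actually ran, which is confusing once a user disables a single collector. Either mirror the relevant mapping onto the collectors or add a comment explaining the choice, e.g. `# attack_techniques are tracked on the collect_system_info flag, not per collector`. The AWS collector's `info` ("collects more information about the AWS instance") should also name what is gathered, since that data presumably leaves the host for the island — worth confirming and stating.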
@@ -0,0 +1,105 @@ +EXPLOITS = { + "title": "Exploits", + "type": "object", + "properties": { + "general": { + "title": "General", + "type": "object", + "properties": { + "skip_exploit_if_file_exist": { + "title": "Skip exploit if file exists", + "type": "boolean", + "default": False, + "description": "Determines whether the monkey should skip the exploit if the monkey's file" + " is already on the remote machine" + } + } + }, + "ms08_067": { + "title": "MS08_067", + "type": "object", + "properties": { + "ms08_067_exploit_attempts": { + "title": "MS08_067 exploit attempts", + "type": "integer", + "default": 5, + "description": "Number of attempts to exploit using MS08_067" + }, + "user_to_add": { + "title": "Remote user", + "type": "string", + "default": "Monkey_IUSER_SUPPORT", + "description": "Username to add on successful exploit" + }, + "remote_user_pass": { + "title": "Remote user password", + "type": "string", + "default": "Password1!", + "description": "Password to use for created user" + } + } + }, + "sambacry": { + "title": "SambaCry", + "type": "object", + "properties": { + "sambacry_trigger_timeout": { + "title": "SambaCry trigger timeout", + "type": "integer", + "default": 5, + "description": "Timeout (in seconds) of SambaCry trigger" + }, + "sambacry_folder_paths_to_guess": { + "title": "SambaCry folder paths to guess", + "type": "array", + "uniqueItems": True, + "items": { + "type": "string" + }, + "default": [ + '/', + '/mnt', + '/tmp', + '/storage', + '/export', + '/share', + '/shares', + '/home' + ], + "description": "List of full paths to share folder for SambaCry to guess" + }, + "sambacry_shares_not_to_check": { + "title": "SambaCry shares not to check", + "type": "array", + "uniqueItems": True, + "items": { + "type": "string" + }, + "default": [ + "IPC$", "print$" + ], + "description": "These shares won't be checked when exploiting with SambaCry" + } + } + }, + "smb_service": { + "title": "SMB service", + "type": "object", + "properties": { + 
"smb_download_timeout": { + "title": "SMB download timeout", + "type": "integer", + "default": 300, + "description": + "Timeout (in seconds) for SMB download operation (used in various exploits using SMB)" + }, + "smb_service_name": { + "title": "SMB service name", + "type": "string", + "default": "InfectionMonkey", + "description": "Name of the SMB service that will be set up to download monkey" + } + } + } + } +} diff --git a/monkey/monkey_island/cc/services/config_schema/internal.py b/monkey/monkey_island/cc/services/config_schema/internal.py new file mode 100644 index 000000000..755347538 --- /dev/null +++ b/monkey/monkey_island/cc/services/config_schema/internal.py 
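Review bot: `user_to_add` / `remote_user_pass` make the MS08-067 exploiter create a local account on the target with the published defaults `Monkey_IUSER_SUPPORT` / `Password1!`; if a run is interrupted or cleanup fails, that is a backdoor account with a well-known password left on a production host, and the descriptions say nothing about it. Spell it out, e.g. `"Password for the user created by the MS08-067 exploit. This default is public: set a unique value per run and confirm the account is removed afterwards."`; whether the account is actually removed after exploitation has to be checked in the exploiter itself, which is outside this hunk. A randomly generated per-run password would be a safer default than a fixed string.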
@@ -0,0 +1,222 @@ +INTERNAL = { + "title": "Internal", + "type": "object", + "properties": { + "general": { + "title": "General", + "type": "object", + "properties": { + "singleton_mutex_name": { + "title": "Singleton mutex name", + "type": "string", + "default": "{2384ec59-0df8-4ab9-918c-843740924a28}", + "description": + "The name of the mutex used to determine whether the monkey is already running" + }, + "keep_tunnel_open_time": { + "title": "Keep tunnel open time", + "type": "integer", + "default": 60, + "description": "Time to keep tunnel open before going down after last exploit (in seconds)" + }, + "monkey_dir_name": { + "title": "Monkey's directory name", + "type": "string", + "default": r"monkey_dir", + "description": "Directory name for the directory which will contain all of the monkey files" + }, + "started_on_island": { + "title": "Started on island", + "type": "boolean", + "default": False, + "description": "Was exploitation started from island" + "(did monkey with max depth ran on island)" + }, + } + }, + "classes": { + "title": "Classes", + "type": "object", + "properties": { + "finger_classes": { + "title": "Fingerprint classes", + "type": "array", + "uniqueItems": True, + "items": { + "$ref": "#/definitions/finger_classes" + }, + "default": [ + "SMBFinger", + "SSHFinger", + "PingScanner", + "HTTPFinger", + "MySQLFinger", + "MSSQLFinger", + "ElasticFinger" + ] + } + } + }, + "kill_file": { + "title": "Kill file", + "type": "object", + "properties": { + "kill_file_path_windows": { + "title": "Kill file path on Windows", + "type": "string", + "default": "%windir%\\monkey.not", + "description": "Path of file which kills monkey if it exists (on Windows)" + }, + "kill_file_path_linux": { + "title": "Kill file path on Linux", + "type": "string", + "default": "/var/run/monkey.not", + "description": "Path of file which kills monkey if it exists (on Linux)" + } + } + }, + "dropper": { + "title": "Dropper", + "type": "object", + "properties": { + 
"dropper_set_date": { + "title": "Dropper sets date", + "type": "boolean", + "default": True, + "description": + "Determines whether the dropper should set the monkey's file date to be the same as" + " another file" + }, + "dropper_date_reference_path_windows": { + "title": "Dropper date reference path (Windows)", + "type": "string", + "default": "%windir%\\system32\\kernel32.dll", + "description": + "Determines which file the dropper should copy the date from if it's configured to do" + " so on Windows (use fullpath)" + }, + "dropper_date_reference_path_linux": { + "title": "Dropper date reference path (Linux)", + "type": "string", + "default": "/bin/sh", + "description": + "Determines which file the dropper should copy the date from if it's configured to do" + " so on Linux (use fullpath)" + }, + "dropper_target_path_linux": { + "title": "Dropper target path on Linux", + "type": "string", + "default": "/tmp/monkey", + "description": "Determines where should the dropper place the monkey on a Linux machine" + }, + "dropper_target_path_win_32": { + "title": "Dropper target path on Windows (32bit)", + "type": "string", + "default": "C:\\Windows\\temp\\monkey32.exe", + "description": "Determines where should the dropper place the monkey on a Windows machine " + "(32bit)" + }, + "dropper_target_path_win_64": { + "title": "Dropper target path on Windows (64bit)", + "type": "string", + "default": "C:\\Windows\\temp\\monkey64.exe", + "description": "Determines where should the dropper place the monkey on a Windows machine " + "(64 bit)" + }, + "dropper_try_move_first": { + "title": "Try to move first", + "type": "boolean", + "default": True, + "description": + "Determines whether the dropper should try to move itself instead of copying itself" + " to target path" + } + } + }, + "logging": { + "title": "Logging", + "type": "object", + "properties": { + "dropper_log_path_linux": { + "title": "Dropper log file path on Linux", + "type": "string", + "default": 
"/tmp/user-1562", + "description": "The fullpath of the dropper log file on Linux" + }, + "dropper_log_path_windows": { + "title": "Dropper log file path on Windows", + "type": "string", + "default": "%temp%\\~df1562.tmp", + "description": "The fullpath of the dropper log file on Windows" + }, + "monkey_log_path_linux": { + "title": "Monkey log file path on Linux", + "type": "string", + "default": "/tmp/user-1563", + "description": "The fullpath of the monkey log file on Linux" + }, + "monkey_log_path_windows": { + "title": "Monkey log file path on Windows", + "type": "string", + "default": "%temp%\\~df1563.tmp", + "description": "The fullpath of the monkey log file on Windows" + }, + "send_log_to_server": { + "title": "Send log to server", + "type": "boolean", + "default": True, + "description": "Determines whether the monkey sends its log to the Monkey Island server" + } + } + }, + "exploits": { + "title": "Exploits", + "type": "object", + "properties": { + "exploit_lm_hash_list": { + "title": "Exploit LM hash list", + "type": "array", + "uniqueItems": True, + "items": { + "type": "string" + }, + "default": [], + "description": "List of LM hashes to use on exploits using credentials" + }, + "exploit_ntlm_hash_list": { + "title": "Exploit NTLM hash list", + "type": "array", + "uniqueItems": True, + "items": { + "type": "string" + }, + "default": [], + "description": "List of NTLM hashes to use on exploits using credentials" + }, + "exploit_ssh_keys": { + "title": "SSH key pairs list", + "type": "array", + "uniqueItems": True, + "default": [], + "items": { + "type": "string" + }, + "description": "List of SSH key pairs to use, when trying to ssh into servers" + } + } + }, + "testing": { + "title": "Testing", + "type": "object", + "properties": { + "export_monkey_telems": { + "title": "Export monkey telemetries", + "type": "boolean", + "default": False, + "description": "Exports unencrypted telemetries that can be used for tests in development." + " Do not turn on!" 
+ } + } + } + } +} diff --git a/monkey/monkey_island/cc/services/config_schema/monkey.py b/monkey/monkey_island/cc/services/config_schema/monkey.py new file mode 100644 index 000000000..924a077d0 --- /dev/null +++ b/monkey/monkey_island/cc/services/config_schema/monkey.py 
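Review bot: `exploit_lm_hash_list`, `exploit_ntlm_hash_list` and `exploit_ssh_keys` hold live credential material (NTLM hashes are usable directly for pass-the-hash, and the SSH entry holds key pairs), yet the schema gives them nothing that distinguishes them from ordinary settings; the `export_monkey_telems` description in the same file already warns about unencrypted output, so exported or displayed configuration is evidently a concern. Add a sentence to each description, e.g. `"List of NTLM hashes to use on exploits using credentials. Sensitive: treat any exported configuration containing this list as a secret."`, and consider a hint such as `"format": "password"` if the UI honours it (not verifiable from this hunk). Also `dropper_log_path_linux` and `monkey_log_path_linux` default to fixed names under `/tmp`, a shared world-writable directory; the descriptions should at least note that the log lands in a location other local users can read.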
@@ -0,0 +1,190 @@ +from monkey_island.cc.services.utils.typographic_symbols import WARNING_SIGN +from common.data.system_info_collectors_names import (AWS_COLLECTOR, + ENVIRONMENT_COLLECTOR, + HOSTNAME_COLLECTOR, + PROCESS_LIST_COLLECTOR) + +MONKEY = { + "title": "Monkey", + "type": "object", + "properties": { + "general": { + "title": "General", + "type": "object", + "properties": { + "alive": { + "title": "Alive", + "type": "boolean", + "default": True, + "description": "Is the monkey alive" + }, + "post_breach_actions": { + "title": "Post breach actions", + "type": "array", + "uniqueItems": True, + "items": { + "$ref": "#/definitions/post_breach_actions" + }, + "default": [ + "BackdoorUser", + "CommunicateAsNewUser", + "ModifyShellStartupFiles", + "HiddenFiles", + "TrapCommand", + "ChangeSetuidSetgid", + "ScheduleJobs" + ] + }, + } + }, + "behaviour": { + "title": "Behaviour", + "type": "object", + "properties": { + "custom_PBA_linux_cmd": { + "title": "Linux post breach command", + "type": "string", + "default": "", + "description": "Linux command to be executed after breaching." + }, + "PBA_linux_file": { + "title": "Linux post breach file", + "type": "string", + "format": "data-url", + "description": "File to be executed after breaching. " + "If you want custom execution behavior, " + "specify it in 'Linux post breach command' field. " + "Reference your file by filename." + }, + "custom_PBA_windows_cmd": { + "title": "Windows post breach command", + "type": "string", + "default": "", + "description": "Windows command to be executed after breaching." + }, + "PBA_windows_file": { + "title": "Windows post breach file", + "type": "string", + "format": "data-url", + "description": "File to be executed after breaching. " + "If you want custom execution behavior, " + "specify it in 'Windows post breach command' field. " + "Reference your file by filename." 
+ }, + "PBA_windows_filename": { + "title": "Windows PBA filename", + "type": "string", + "default": "" + }, + "PBA_linux_filename": { + "title": "Linux PBA filename", + "type": "string", + "default": "" + }, + "self_delete_in_cleanup": { + "title": "Self delete on cleanup", + "type": "boolean", + "default": True, + "description": "Should the monkey delete its executable when going down" + }, + "use_file_logging": { + "title": "Use file logging", + "type": "boolean", + "default": True, + "description": "Should the monkey dump to a log file" + }, + "serialize_config": { + "title": "Serialize config", + "type": "boolean", + "default": False, + "description": "Should the monkey dump its config on startup" + } + } + }, + "system_info": { + "title": "System info", + "type": "object", + "properties": { + "extract_azure_creds": { + "title": "Harvest Azure Credentials", + "type": "boolean", + "default": True, + "attack_techniques": ["T1003"], + "description": + "Determine if the Monkey should try to harvest password credentials from Azure VMs" + }, + "collect_system_info": { + "title": "Collect system info", + "type": "boolean", + "default": True, + "attack_techniques": ["T1082", "T1005", "T1016"], + "description": "Determines whether to collect system info" + }, + "should_use_mimikatz": { + "title": "Should use Mimikatz", + "type": "boolean", + "default": True, + "attack_techniques": ["T1003"], + "description": "Determines whether to use Mimikatz" + }, + "system_info_collector_classes": { + "title": "System info collectors", + "type": "array", + "uniqueItems": True, + "items": { + "$ref": "#/definitions/system_info_collector_classes" + }, + "default": [ + ENVIRONMENT_COLLECTOR, + AWS_COLLECTOR, + HOSTNAME_COLLECTOR, + PROCESS_LIST_COLLECTOR + ] + }, + } + }, + "life_cycle": { + "title": "Life cycle", + "type": "object", + "properties": { + "max_iterations": { + "title": "Max iterations", + "type": "integer", + "default": 1, + "description": "Determines how many iterations 
of the monkey's full lifecycle should occur" + }, + "victims_max_find": { + "title": "Max victims to find", + "type": "integer", + "default": 100, + "description": "Determines the maximum number of machines the monkey is allowed to scan" + }, + "victims_max_exploit": { + "title": "Max victims to exploit", + "type": "integer", + "default": 15, + "description": + "Determines the maximum number of machines the monkey" + " is allowed to successfully exploit. " + WARNING_SIGN + + " Note that setting this value too high may result in the monkey propagating to " + "a high number of machines" + }, + "timeout_between_iterations": { + "title": "Wait time between iterations", + "type": "integer", + "default": 100, + "description": + "Determines for how long (in seconds) should the monkey wait between iterations" + }, + "retry_failed_explotation": { + "title": "Retry failed exploitation", + "type": "boolean", + "default": True, + "description": + "Determines whether the monkey should retry exploiting machines" + " it didn't successfully exploit on previous iterations" + } + } + } + } +} diff --git a/monkey/monkey_island/cc/services/config_schema/network.py b/monkey/monkey_island/cc/services/config_schema/network.py new file mode 100644 index 000000000..3ded2658f --- /dev/null +++ b/monkey/monkey_island/cc/services/config_schema/network.py 
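Review bot: `custom_PBA_linux_cmd`, `custom_PBA_windows_cmd` and the `data-url` fields `PBA_linux_file`/`PBA_windows_file` let anyone who can edit the island configuration run an arbitrary command or uploaded binary on every breached host, but their descriptions present them as a convenience with no statement of that reach. Add to each: `"Runs with the Monkey's privileges on every machine it breaches; anyone able to edit this configuration can execute code on all of them."` The `should_use_mimikatz` and `extract_azure_creds` descriptions should likewise say where harvested credentials go (presumably the island — confirm), since `Determines whether to use Mimikatz` tells an operator nothing about the data that leaves the host. Minor: the key `retry_failed_explotation` is misspelled, but it is a wire-format key, so a rename needs a compatibility alias rather than a silent change.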
@@ -0,0 +1,82 @@
+NETWORK = {
+ "title": "Network",
+ "type": "object",
+ "properties": {
+ "tcp_scanner": {
+ "title": "TCP scanner",
+ "type": "object",
+ "properties": {
+ "HTTP_PORTS": {
+ "title": "HTTP ports",
+ "type": "array",
+ "uniqueItems": True,
+ "items": {
+ "type": "integer"
+ },
+ "default": [
+ 80,
+ 8080,
+ 443,
+ 8008,
+ 7001
+ ],
+ "description": "List of ports the monkey will check if are being used for HTTP"
+ },
+ "tcp_target_ports": {
+ "title": "TCP target ports",
+ "type": "array",
+ "uniqueItems": True,
+ "items": {
+ "type": "integer"
+ },
+ "default": [
+ 22,
+ 2222,
+ 445,
+ 135,
+ 3389,
+ 80,
+ 8080,
+ 443,
+ 8008,
+ 3306,
+ 9200,
+ 7001,
+ 8088
+ ],
+ "description": "List of TCP ports the monkey will check whether they're open"
+ },
+ "tcp_scan_interval": {
+ "title": "TCP scan interval",
+ "type": "integer",
+ "default": 0,
+ "description": "Time to sleep (in milliseconds) between scans"
+ },
+ "tcp_scan_timeout": {
+ "title": "TCP scan timeout",
+ "type": "integer",
+ "default": 3000,
+ "description": "Maximum time (in milliseconds) to wait for TCP response"
+ },
+ "tcp_scan_get_banner": {
+ "title": "TCP scan - get banner",
+ "type": "boolean",
+ "default": True,
+ "description": "Determines whether the TCP scan should try to get the banner"
+ }
+ }
+ },
+ "ping_scanner": {
+ "title": "Ping scanner",
+ "type": "object",
+ "properties": {
+ "ping_scan_timeout": {
+ "title": "Ping scan timeout",
+ "type": "integer",
+ "default": 1000,
+ "description": "Maximum time (in milliseconds) to wait for ping response"
+ }
+ }
+ }
+ }
+}
diff --git a/monkey/monkey_island/cc/services/utils/__init__.py b/monkey/monkey_island/cc/services/utils/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/monkey/monkey_island/cc/services/utils/typographic_symbols.py b/monkey/monkey_island/cc/services/utils/typographic_symbols.py
new file mode 100644
index 000000000..ab87f169e
--- /dev/null
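Review bot: `HTTP_PORTS` and `tcp_target_ports` accept any integer, so a typo such as `80800` or a negative value passes schema validation and only fails (or is silently skipped) inside the agent; constrain the items with `"items": {"type": "integer", "minimum": 1, "maximum": 65535}`. `HTTP_PORTS` is also the only upper-case property name in the schema, but it is a wire-format key, so leave it unless a compatibility alias is introduced. `tcp_scan_interval` defaults to `0`, i.e. no pause between probes; a one-line note that this is the fastest and noisiest setting would help operators who want to avoid tripping their own IDS during a run.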
+++ b/monkey/monkey_island/cc/services/utils/typographic_symbols.py @@ -0,0 +1 @@ +WARNING_SIGN = " \u26A0" diff --git a/monkey/monkey_island/cc/ui/src/components/configuration-components/UiSchema.js b/monkey/monkey_island/cc/ui/src/components/configuration-components/UiSchema.js index 3b1e233d8..6185ca647 100644 --- a/monkey/monkey_island/cc/ui/src/components/configuration-components/UiSchema.js +++ b/monkey/monkey_island/cc/ui/src/components/configuration-components/UiSchema.js @@ -59,7 +59,7 @@ export default function UiSchema(props) { } }, system_info: { - system_info_collectors_classes: { + system_info_collector_classes: { classNames: 'config-template-no-header', 'ui:widget': AdvancedMultiSelect }