From c7d478904542fa7bdab98cff9d38376ce47b9a10 Mon Sep 17 00:00:00 2001 From: acepace Date: Sun, 10 Jul 2016 11:03:26 +0300 Subject: [PATCH 1/6] Add Monkey Business PIP file --- monkey_business/requirements.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 monkey_business/requirements.txt diff --git a/monkey_business/requirements.txt b/monkey_business/requirements.txt new file mode 100644 index 000000000..84599d796 --- /dev/null +++ b/monkey_business/requirements.txt @@ -0,0 +1,3 @@ +pyVmomi +celery +celery[mongodb] \ No newline at end of file From eaaa5f314b7dc6235b3904afd1a796b800b69294 Mon Sep 17 00:00:00 2001 From: acepace Date: Sun, 10 Jul 2016 11:20:22 +0300 Subject: [PATCH 2/6] Updated config documentation --- README.md | 33 +++++++++++++++++---------------- chaos_monkey/config.py | 9 ++++++--- 2 files changed, 23 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 0232b4aac..e2e36856a 100644 --- a/README.md +++ b/README.md 
@@ -97,36 +97,37 @@ Configuration Options Key | Type | Description | Possible Values --- | ---- | ----------- | --------------- singleton_mutex_name | string | string of the mutex name for single instance | example: {2384ec59-0df8-4ab9-918c-843740924a28} -alive | bool | sets whether or not the monkey is alive. if false will stop scanning and exploiting. -self_delete_in_cleanup | bool | sets whether or not to self delete the monkey executable when stopped. -use_file_logging | bool | sets whether or not to use a log file. +alive | bool | sets whether or not the monkey is alive. if false will stop scanning and exploiting +self_delete_in_cleanup | bool | sets whether or not to self delete the monkey executable when stopped +use_file_logging | bool | sets whether or not to use a log file +monkey_log_path_[windows/linux] | string | file path for monkey logger. timeout_between_iterations | int | how long to wait between scan iterations max_iterations | int | how many scan iterations to perform on each run victims_max_find | int | how many victims to look for in a single scan iteration victims_max_exploit | int | how many victims to exploit before stopping command_servers | array | addresses of c&c servers to try to connect | example: ["russian-mail-brides.com:5000"] -serialize_config | bool | sets whether or not to save the monkey to disk when finished (will be loaded in next run), saved next to the monkey exe with the name monkey.bin +internet_services | array | addresses of internet servers to ping and check if the monkey has internet acccess retry_failed_explotation | bool | sets whether or not to retry failed hosts on next scan range_class | class name | sets which ip ranges class is used to construct the list of ips to scan | `FixedRange` - scan list is a static ips list, `RelativeRange` - scan list will be constructed according to ip address of the machine and size of the scan, `ClassCRange` - will scan the entire class c the machine is in. 
scanner_class | class name | sets which scan class to use when scanning for hosts to exploit | `TCPScanner` - searches for hosts according to open tcp ports, `PingScanner` - searches for hosts according to ping scan -finger_classes | tuple of class names | sets which fingerprinting classes to use. | in the list: `SMBFinger` - get host os info by checking smb info, `SSHFinger` - get host os info by checking ssh banner, `PingScanner` - get host os type by checking ping ttl. For example: `(SMBFinger, SSHFinger, PingScanner)` +finger_classes | tuple of class names | sets which fingerprinting classes to use | in the list: `SMBFinger` - get host os info by checking smb info, `SSHFinger` - get host os info by checking ssh banner, `PingScanner` - get host os type by checking ping ttl. For example: `(SMBFinger, SSHFinger, PingScanner)` exploiter_classes | tuple of class names | | `SmbExploiter` - exploit using smb connection, `WmiExploiter` - exploit using wmi connection, `RdpExploiter` - exploit using rdp connection, `Ms08_067_Exploiter` - exploit using ms08_067 smb exploit, `SSHExploiter` - exploit using ssh connection range_fixed | tuple of strings | list of ips to scan -RelativeRange range_size | int | number of hosts to scan in relative range. -TCPScanner tcp_target_ports | list of int | which ports to scan using tcp scan. -tcp_scan_timeout | int | timeout for tcp connection in tcp scan (in milliseconds). -tcp_scan_interval | int | time to wait between ports in the tcp scan (in milliseconds). 
+RelativeRange range_size | int | number of hosts to scan in relative range +tcp_target_ports | list of int | which ports to scan using TCPScanner +tcp_scan_timeout | int | timeout for tcp connection in tcp scan (in milliseconds) +tcp_scan_interval | int | time to wait between ports in the tcp scan (in milliseconds) tcp_scan_get_banner | bool | sets whether or not to read a banner from the tcp ports when scanning -PingScanner ping_scan_timeout | int | timeout for the ping command (in milliseconds). -SmbExploiter/WmiExploiter/RdpExploiter psexec_user | string | user to use for connection +ping_scan_timeout | int | timeout for the ping command (in milliseconds) utilised by PingScanner +psexec_user | string | user to use for connection, utilised by SmbExploiter/WmiExploiter/RdpExploiter psexec_passwords | list of strings | list of passwords to use when trying to exploit -SmbExploiter skip_exploit_if_file_exist | bool | sets whether or not to abort exploit if the monkey already exists in target. -RdpExploiter rdp_use_vbs_download | bool | sets whether to use vbs payload for rdp exploitation. If false, bits payload is used (will fail if bitsadmin.exe doesn’t exist). -Ms08_067_Exploiter ms08_067_exploit_attempt | int | number of times to try and exploit using ms08_067 exploit. +skip_exploit_if_file_exist | bool | sets whether or not to abort exploit if the monkey already exists in target, used by SmbExploiter +rdp_use_vbs_download | bool | sets whether to use vbs payload for rdp exploitation in RdpExploiter. 
If false, bits payload is used (will fail if bitsadmin.exe doesn’t exist) +ms08_067_exploit_attempt | int | number of times to try and exploit using ms08_067 exploit ms08_067_remote_user_add | string | user to add to target when using ms08_067 exploit ms08_067_remote_user_pass | string | password of the user the exploit will add -SSHExploiter ssh_user | string | user to use for ssh connection -ssh_passwords | list of strings | list of passwords to use when trying to exploit +ssh_user | string | user to use for ssh connection, used by SSHExploiter +ssh_passwords | list of strings | list of passwords to use when trying to exploit using SSHExploiter Building the Monkey from source diff --git a/chaos_monkey/config.py b/chaos_monkey/config.py index c3767a362..1e99cfc73 100644 --- a/chaos_monkey/config.py +++ b/chaos_monkey/config.py @@ -106,11 +106,13 @@ class Configuration(object): ########################### # monkey config ########################### - + #sets whether or not the monkey is alive. if false will stop scanning and exploiting alive = True + #sets whether or not to self delete the monkey executable when stopped self_delete_in_cleanup = False + #string of the mutex name for single instance singleton_mutex_name = "{2384ec59-0df8-4ab9-918c-843740924a28}" # how long to wait between scan iterations @@ -133,14 +135,15 @@ class Configuration(object): depth = 2 current_server = "" + #Configuration servers to try to connect to, in this order. command_servers = [ "127.0.0.1:5000" ] - serialize_config = False - + #sets whether or not to retry failed hosts on next scan retry_failed_explotation = True + #addresses of internet servers to ping and check if the monkey has internet acccess. internet_services = ["www.guardicore.com", "www.google.com"] ########################### From 3767e05434fad588096108aa73b1385f60f5fe1a Mon Sep 17 00:00:00 2001 
From: acepace Date: Sun, 10 Jul 2016 11:41:13 +0300 Subject: [PATCH 3/6] Change order of config file to be easier to modify. Added internet servers to config file --- chaos_monkey/example.conf | 50 +++++++++++++++++++++------------------ 1 file changed, 27 insertions(+), 23 deletions(-) diff --git a/chaos_monkey/example.conf b/chaos_monkey/example.conf index 8d1affb35..6aac82c1c 100644 --- a/chaos_monkey/example.conf +++ b/chaos_monkey/example.conf @@ -1,11 +1,34 @@ { - "alive": true, - "collect_system_info": true, "command_servers": [ "russian-mail-brides.com:5000", - "127.0.0.1:5000" + "41.50.73.31:5000" ], - "current_server": "127.0.0.1:5000", + "internet_services": = [ + "www.guardicore.com", + "www.google.com" + ], + "range_class": "RelativeRange", + "range_fixed": [ + "" + ], + "current_server": "41.50.73.31:5000", + "psexec_passwords": [ + "Password1!", + "1234", + "password", + "12345678" + ], + "ssh_passwords": [ + "Password1!", + "Password", + "1234", + "12345", + "123", + "password", + "12345678" + ], + "alive": true, + "collect_system_info": true, "dropper_date_reference_path": "/bin/sh", "dropper_log_path_windows": "%temp%\\~df1562.tmp", "dropper_log_path_linux": "/tmp/user-1562", @@ -32,17 +55,7 @@ "ms08_067_remote_user_add": "Monkey_IUSER_SUPPORT", "ms08_067_remote_user_pass": "Password1!", "ping_scan_timeout": 10000, - "psexec_passwords": [ - "Password1!", - "1234", - "password", - "12345678" - ], "psexec_user": "Administrator", - "range_class": "RelativeRange", - "range_fixed": [ - "" - ], "range_size": 30, "rdp_use_vbs_download": true, "retry_failed_explotation": true, @@ -51,15 +64,6 @@ "serialize_config": true, "singleton_mutex_name": "{2384ec59-0df8-4ab9-918c-843740924a28}", "skip_exploit_if_file_exist": true, - "ssh_passwords": [ - "Password1!", - "Password", - "1234", - "12345", - "123", - "password", - "12345678" - ], "ssh_user": "root", "tcp_scan_get_banner": true, "tcp_scan_interval": 200, 
From 0b00db2fc257c003a78167d3e7c6dc9364f20a41 Mon Sep 17 00:00:00 2001 From: Daniel Goldberg Date: Mon, 11 Jul 2016 19:07:34 +0300 Subject: [PATCH 4/6] Fixed path bug --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e2e36856a..bdd4cb3e3 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ The Monkey itself has been tested on Windows XP, 7, 8.1 and 10. The Linux build ### Installation -For off the shelf use, download our pre-compiled binaries from our website, to setup the C&C server follow the instructions in [Monkey Island readme](monkey_island/readme.txt). If you with to compile the binaries yourself, follow the build instructions in the appropiate [readme](build_env/readme.txt). +For off the shelf use, download our pre-compiled binaries from our website, to setup the C&C server follow the instructions in [Monkey Island readme](monkey_island/readme.txt). If you with to compile the binaries yourself, follow the build instructions in the appropiate [readme](chaos_monkey/readme.txt). Usage ----- From aa9ded7ff28eb932641976bdc0ec8aa89c101717 Mon Sep 17 00:00:00 2001 From: Daniel Goldberg Date: Tue, 12 Jul 2016 22:22:10 +0300 Subject: [PATCH 5/6] Windows flow does not require hardcoded paths. --- monkey_island/readme.txt | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/monkey_island/readme.txt b/monkey_island/readme.txt index 1e9408e6c..edc101a13 100644 --- a/monkey_island/readme.txt +++ b/monkey_island/readme.txt 
@@ -11,27 +11,19 @@ How to set C&C server: python -m pip install Flask-Pymongo python -m pip install Flask-Restful python -m pip install python-dateutil - mkdir C:\MonkeyIsland\bin - mkdir C:\MonkeyIsland\db - mkdir C:\MonkeyIsland\cc\binaries -4. Put monkey binaries in C:\MonkeyIsland\cc\binaries: + mkdir MonkeyIsland\bin + mkdir MonkeyIsland\db + mkdir MonkeyIsland\cc\binaries +4. Put monkey binaries in MonkeyIsland\cc\binaries: monkey-linux-64 - monkey binary for linux 64bit monkey-linux-32 - monkey binary for linux 32bit monkey-windows-32.exe - monkey binary for windows 32bit monkey-windows-64.exe - monkey binary for windows 64bit -4. Download MongoDB & Extract to C:\MonkeyIsland\bin\mongodb +4. Download MongoDB & Extract to MonkeyIsland\bin\mongodb http://downloads.mongodb.org/win32/mongodb-win32-x86_64-2008plus-ssl-latest.zip 5. Install OpenSSL https://slproweb.com/download/Win64OpenSSL_Light-1_0_2d.exe -6. Generate SSL Certificate, Run create_certificate.bat - -How to Connect to build environment: -1. set hostname to MONKEYCC -2. Put monkey source code at C:\Code\monkey -3. Run: - net share binaries=C:\MonkeyIsland\cc\binaries - net share sources=C:\Code\monkey\chaos_monkey -4. Run batch/sh script according to build environment readme +6. Generate SSL Certificate, run create_certificate.bat when your current working directory is MonkeyIsland How to run: 1. start run_mongodb.bat From 4d7b129b9030d45f5d91264e127e314efd0f5d19 Mon Sep 17 00:00:00 2001 From: Daniel Goldberg Date: Fri, 15 Jul 2016 09:17:14 +0300 Subject: [PATCH 6/6] Changed license table, changed installation link --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bdd4cb3e3..a47e488f1 100644 --- a/README.md +++ b/README.md 
@@ -33,7 +33,8 @@ The Monkey itself has been tested on Windows XP, 7, 8.1 and 10. The Linux build ### Installation -For off the shelf use, download our pre-compiled binaries from our website, to setup the C&C server follow the instructions in [Monkey Island readme](monkey_island/readme.txt). If you with to compile the binaries yourself, follow the build instructions in the appropiate [readme](chaos_monkey/readme.txt). +For off the shelf use, download our pre-compiled binaries from our website, to setup the C&C server follow the instructions in [Monkey Island readme](monkey_island/readme.txt). If you with to compile the binaries yourself, follow the build instructions later on in this readme. + Usage ----- @@ -148,7 +149,7 @@ Dependency | License | ----------------------------|---------------------------- libffi-dev | https://github.com/atgreen/libffi/blob/master/LICENSE PyCrypto | Public domain - upx | Custom license, http://upx.sourceforge.net/upx-license.html, according to it (IANL) we're fine as long as we're not modifying UPX + upx | Custom license, http://upx.sourceforge.net/upx-license.html bson | BSD enum34 | BSD pyasn1 | BSD
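Review bot: In monkey_business/requirements.txt (patch 1/6) all three entries are unpinned, so each install resolves to whatever release is current at that moment; pin each package to a tested version so builds are reproducible and a changed upstream release cannot slip in unnoticed. `celery[mongodb]` already installs celery, so the separate `celery` line is redundant, and the file is missing its trailing newline.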
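Review bot: In the README.md options table (patch 2/6) the added `internet_services` row misspells "acccess", and the added `monkey_log_path_[windows/linux]` row ends with a period while the same hunk strips the trailing period from the neighbouring rows. The `serialize_config` row is also dropped here without a word in the commit message; say why the option is going away, since the subject only mentions documentation.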
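Review bot: In the first chaos_monkey/config.py hunk (patch 2/6) the new comments are written as `#sets whether ...` and `#string of the mutex name ...` with no space after the `#`, while the existing comment in the same block reads `# how long to wait between scan iterations`. Use `# ` consistently so the file keeps one comment style.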
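Review bot: The second chaos_monkey/config.py hunk (patch 2/6) removes the `serialize_config = False` default, but chaos_monkey/example.conf still carries `"serialize_config": true` as unchanged context in patch 3/6. Either remove the key from example.conf in the same series or confirm that loading a config file with a key that has no class default is handled. The new comment above `internet_services` also misspells "acccess".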
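Review bot: The added line `"internet_services": = [` in chaos_monkey/example.conf (patch 3/6) has a stray `=` after the colon, which makes the whole file invalid JSON; drop the `=`. The same hunk replaces `127.0.0.1:5000` with `41.50.73.31:5000` in both `command_servers` and `current_server`, while config.py keeps `127.0.0.1:5000` as its default, so an example file copied without editing would point the monkey at an external address. Keep loopback or an obvious placeholder in the example.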
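Review bot: The rewritten Installation sentence in README.md (patch 4/6) still reads "If you with to compile" and "appropiate"; since the line is being touched anyway, correct these to "wish" and "appropriate" in the same change.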
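Review bot: In monkey_island/readme.txt (patch 5/6) the `mkdir MonkeyIsland\bin`, `mkdir MonkeyIsland\db` and `mkdir MonkeyIsland\cc\binaries` commands are now relative, but the readme only mentions the working directory at step 6, after the directories have already been created. State before the `mkdir` lines which directory the commands are run from, otherwise the tree lands wherever the shell happens to be and step 6 fails to find it. The list also has two steps numbered 4 ("Put monkey binaries ..." and "Download MongoDB ..."); renumber while editing these lines.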
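Review bot: In the Installation hunk of README.md (patch 6/6) the build instructions are now referenced only as "later on in this readme", which gives the reader nothing to click after the link to chaos_monkey/readme.txt was removed. Link to the "Building the Monkey from source" heading instead, and split the sentence after "from our website" rather than joining the two instructions with a comma.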