diff --git a/chaos_monkey/config.py b/chaos_monkey/config.py index cfda27913..e1ebfcdcd 100644 --- a/chaos_monkey/config.py +++ b/chaos_monkey/config.py @@ -1,13 +1,14 @@ import os import sys -from network.range import FixedRange, RelativeRange, ClassCRange -from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter, SSHExploiter, ShellShockExploiter,\ - SambaCryExploiter -from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger +import types +import uuid from abc import ABCMeta from itertools import product -import uuid -import types + +from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter, SSHExploiter, ShellShockExploiter, \ + SambaCryExploiter +from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger, MySQLFinger +from network.range import FixedRange __author__ = 'itamar' @@ -15,6 +16,7 @@ GUID = str(uuid.getnode()) EXTERNAL_CONFIG_FILE = os.path.join(os.path.abspath(os.path.dirname(sys.argv[0])), 'monkey.bin') + def _cast_by_example(value, example): """ a method that casts a value to the type of the parameter given as example @@ -140,7 +142,7 @@ class Configuration(object): max_iterations = 1 scanner_class = TcpScanner - finger_classes = [SMBFinger, SSHFinger, PingScanner, HTTPFinger] + finger_classes = [SMBFinger, SSHFinger, PingScanner, HTTPFinger, MySQLFinger] exploiter_classes = [SmbExploiter, WmiExploiter, RdpExploiter, Ms08_067_Exploiter, # Windows exploits SSHExploiter, ShellShockExploiter, SambaCryExploiter # Linux ] @@ -178,7 +180,7 @@ class Configuration(object): range_class = FixedRange range_size = 1 - range_fixed = ['',] + range_fixed = ['', ] blocked_ips = ['', ] @@ -186,7 +188,7 @@ class Configuration(object): HTTP_PORTS = [80, 8080, 443, 8008, # HTTP alternate ] - tcp_target_ports = [22, 2222, 445, 135, 3389] + tcp_target_ports = [22, 2222, 445, 135, 3389, 3306, ] tcp_target_ports.extend(HTTP_PORTS) tcp_scan_timeout = 3000 # 3000 Milliseconds tcp_scan_interval = 200 @@ -217,7 +219,7 @@ class Configuration(object): exploit_password_list = ["Password1!", "1234", "password", "12345678"] # smb/wmi exploiter - smb_download_timeout = 300 # timeout in seconds + smb_download_timeout = 300 # timeout in seconds smb_service_name = "InfectionMonkey" # Timeout (in seconds) for sambacry's trigger to yield results. @@ -243,7 +245,6 @@ class Configuration(object): # Monkey copy filename on share (64 bit) sambacry_monkey_copy_filename_64 = "monkey64_2" - # system info collection collect_system_info = True @@ -253,4 +254,5 @@ class Configuration(object): mimikatz_dll_name = "mk.dll" + WormConfiguration = Configuration() diff --git a/chaos_monkey/example.conf b/chaos_monkey/example.conf index 4396cae34..6ef9558ae 100644 --- a/chaos_monkey/example.conf +++ b/chaos_monkey/example.conf @@ -39,7 +39,8 @@ "SSHFinger", "PingScanner", "HTTPFinger", - "SMBFinger" + "SMBFinger", + "MySQLFinger" ], "max_iterations": 3, "monkey_log_path_windows": "%temp%\\~df1563.tmp", @@ -83,6 +84,7 @@ 80, 8080, 443, + 3306, 8008 ], "timeout_between_iterations": 10, diff --git a/chaos_monkey/network/__init__.py b/chaos_monkey/network/__init__.py index 850159342..e7f22de28 100644 --- a/chaos_monkey/network/__init__.py +++ b/chaos_monkey/network/__init__.py @@ -23,5 +23,6 @@ from tcp_scanner import TcpScanner from smbfinger import SMBFinger from sshfinger import SSHFinger from httpfinger import HTTPFinger +from mysqlfinger import MySQLFinger from info import local_ips from info import get_free_tcp_port diff --git a/chaos_monkey/network/mysqlfinger.py b/chaos_monkey/network/mysqlfinger.py new file mode 100644 index 000000000..39baa05ac --- /dev/null +++ b/chaos_monkey/network/mysqlfinger.py @@ -0,0 +1,85 @@ +import logging +import socket + +from model.host import VictimHost +from network import HostFinger +from .tools import struct_unpack_tracker, struct_unpack_tracker_string + +MYSQL_PORT = 3306 +SQL_SERVICE = 'mysqld-3306' + +LOG = logging.getLogger(__name__) + + +class MySQLFinger(HostFinger): + """ + Fingerprints mysql databases, only on port 3306 + """ + + SOCKET_TIMEOUT = 0.5 + HEADER_SIZE = 4 # in bytes + + def __init__(self): + self._config = __import__('config').WormConfiguration + + def get_host_fingerprint(self, host): + """ + Returns mySQLd data using the host header + :param host: + :return: Success/failure, data is saved in the host struct + """ + assert isinstance(host, VictimHost) + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(self.SOCKET_TIMEOUT) + + try: + s.connect((host.ip_addr, MYSQL_PORT)) + header = s.recv(self.HEADER_SIZE) # max header size? + + response, curpos = struct_unpack_tracker(header, 0, "I") + response = response[0] + response_length = response & 0xff # first byte is significant + data = s.recv(response_length) + # now we can start parsing + protocol, curpos = struct_unpack_tracker(data, 0, "B") + protocol = protocol[0] + + if protocol == 0xFF: + # error code, bug out + LOG.debug("Mysql server returned error") + return False + + version, curpos = struct_unpack_tracker_string(data, curpos) # special coded to solve string parsing + version = version[0] + host.services[SQL_SERVICE] = {} + host.services[SQL_SERVICE]['version'] = version + version = version.split('-')[0].split('.') + host.services[SQL_SERVICE]['major_version'] = version[0] + host.services[SQL_SERVICE]['minor_version'] = version[1] + host.services[SQL_SERVICE]['build_version'] = version[2] + thread_id, curpos = struct_unpack_tracker(data, curpos, "