forked from p34709852/monkey
Merge branch 'attack_comand_line_interface' into attack_powershell
# Conflicts: # monkey/infection_monkey/exploit/__init__.py # monkey/infection_monkey/exploit/hadoop.py # monkey/monkey_island/cc/services/attack/attack_report.py
This commit is contained in:
commit
fea8567177
|
@ -123,11 +123,11 @@ class ControlClient(object):
|
||||||
return {}
|
return {}
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def send_telemetry(telem_catagory, data):
|
def send_telemetry(telem_category, data):
|
||||||
if not WormConfiguration.current_server:
|
if not WormConfiguration.current_server:
|
||||||
return
|
return
|
||||||
try:
|
try:
|
||||||
telemetry = {'monkey_guid': GUID, 'telem_catagory': telem_catagory, 'data': data}
|
telemetry = {'monkey_guid': GUID, 'telem_category': telem_category, 'data': data}
|
||||||
reply = requests.post("https://%s/api/telemetry" % (WormConfiguration.current_server,),
|
reply = requests.post("https://%s/api/telemetry" % (WormConfiguration.current_server,),
|
||||||
data=json.dumps(telemetry),
|
data=json.dumps(telemetry),
|
||||||
headers={'content-type': 'application/json'},
|
headers={'content-type': 'application/json'},
|
||||||
|
|
|
@ -25,7 +25,7 @@ class HostExploiter(object):
|
||||||
'finished': '',
|
'finished': '',
|
||||||
'vulnerable_urls': [],
|
'vulnerable_urls': [],
|
||||||
'vulnerable_ports': [],
|
'vulnerable_ports': [],
|
||||||
'executed_cmds': {}}
|
'executed_cmds': []}
|
||||||
self._exploit_attempts = []
|
self._exploit_attempts = []
|
||||||
self.host = host
|
self.host = host
|
||||||
|
|
||||||
|
@ -49,8 +49,20 @@ class HostExploiter(object):
|
||||||
self._exploit_attempts.append({'result': result, 'user': user, 'password': password,
|
self._exploit_attempts.append({'result': result, 'user': user, 'password': password,
|
||||||
'lm_hash': lm_hash, 'ntlm_hash': ntlm_hash, 'ssh_key': ssh_key})
|
'lm_hash': lm_hash, 'ntlm_hash': ntlm_hash, 'ssh_key': ssh_key})
|
||||||
|
|
||||||
@abstractmethod
|
|
||||||
def exploit_host(self):
|
def exploit_host(self):
|
||||||
|
self.pre_exploit()
|
||||||
|
result = self._exploit_host()
|
||||||
|
self.post_exploit()
|
||||||
|
return result
|
||||||
|
|
||||||
|
def pre_exploit(self):
|
||||||
|
self.set_start_time()
|
||||||
|
|
||||||
|
def post_exploit(self):
|
||||||
|
self.set_finish_time()
|
||||||
|
|
||||||
|
@abstractmethod
|
||||||
|
def _exploit_host(self):
|
||||||
raise NotImplementedError()
|
raise NotImplementedError()
|
||||||
|
|
||||||
def add_vuln_url(self, url):
|
def add_vuln_url(self, url):
|
||||||
|
@ -59,16 +71,13 @@ class HostExploiter(object):
|
||||||
def add_vuln_port(self, port):
|
def add_vuln_port(self, port):
|
||||||
self._exploit_info['vulnerable_ports'].append(port)
|
self._exploit_info['vulnerable_ports'].append(port)
|
||||||
|
|
||||||
def set_example_cmd(self, cmd):
|
def add_executed_cmd(self, cmd):
|
||||||
|
"""
|
||||||
|
Appends command to exploiter's info.
|
||||||
|
:param cmd: String of executed command. e.g. 'echo Example'
|
||||||
|
"""
|
||||||
powershell = True if "powershell" in cmd.lower() else False
|
powershell = True if "powershell" in cmd.lower() else False
|
||||||
self._exploit_info['executed_cmds']['example'].append({'command': cmd, 'powershell': powershell})
|
self._exploit_info['executed_cmds'].append({'cmd': cmd, 'powershell': powershell})
|
||||||
|
|
||||||
def add_powershell_cmd(self, cmd):
|
|
||||||
"""
|
|
||||||
Determines if command uses powershell and if so adds that command to exploiter info
|
|
||||||
:param cmd: Command used
|
|
||||||
:return: None
|
|
||||||
"""
|
|
||||||
|
|
||||||
|
|
||||||
from infection_monkey.exploit.win_ms08_067 import Ms08_067_Exploiter
|
from infection_monkey.exploit.win_ms08_067 import Ms08_067_Exploiter
|
||||||
|
|
|
@ -31,7 +31,7 @@ class HadoopExploiter(WebRCE):
|
||||||
def __init__(self, host):
|
def __init__(self, host):
|
||||||
super(HadoopExploiter, self).__init__(host)
|
super(HadoopExploiter, self).__init__(host)
|
||||||
|
|
||||||
def exploit_host(self):
|
def _exploit_host(self):
|
||||||
# Try to get exploitable url
|
# Try to get exploitable url
|
||||||
urls = self.build_potential_urls(self.HADOOP_PORTS)
|
urls = self.build_potential_urls(self.HADOOP_PORTS)
|
||||||
self.add_vulnerable_urls(urls, True)
|
self.add_vulnerable_urls(urls, True)
|
||||||
|
@ -49,8 +49,7 @@ class HadoopExploiter(WebRCE):
|
||||||
return False
|
return False
|
||||||
http_thread.join(self.DOWNLOAD_TIMEOUT)
|
http_thread.join(self.DOWNLOAD_TIMEOUT)
|
||||||
http_thread.stop()
|
http_thread.stop()
|
||||||
self.add_powershell_cmd(command)
|
self.add_executed_cmd(command)
|
||||||
self.set_example_cmd(command)
|
|
||||||
return True
|
return True
|
||||||
|
|
||||||
def exploit(self, url, command):
|
def exploit(self, url, command):
|
||||||
|
|
|
@ -30,7 +30,7 @@ class MSSQLExploiter(HostExploiter):
|
||||||
def __init__(self, host):
|
def __init__(self, host):
|
||||||
super(MSSQLExploiter, self).__init__(host)
|
super(MSSQLExploiter, self).__init__(host)
|
||||||
|
|
||||||
def exploit_host(self):
|
def _exploit_host(self):
|
||||||
# Brute force to get connection
|
# Brute force to get connection
|
||||||
username_passwords_pairs_list = self._config.get_exploit_user_password_pairs()
|
username_passwords_pairs_list = self._config.get_exploit_user_password_pairs()
|
||||||
cursor = self.brute_force(self.host.ip_addr, self.SQL_DEFAULT_TCP_PORT, username_passwords_pairs_list)
|
cursor = self.brute_force(self.host.ip_addr, self.SQL_DEFAULT_TCP_PORT, username_passwords_pairs_list)
|
||||||
|
@ -77,7 +77,7 @@ class MSSQLExploiter(HostExploiter):
|
||||||
commands.extend(monkey_args)
|
commands.extend(monkey_args)
|
||||||
MSSQLExploiter.execute_command(cursor, commands)
|
MSSQLExploiter.execute_command(cursor, commands)
|
||||||
MSSQLExploiter.run_file(cursor, tmp_file_path)
|
MSSQLExploiter.run_file(cursor, tmp_file_path)
|
||||||
self.set_example_cmd(commands[-1])
|
self.add_executed_cmd(commands[-1])
|
||||||
return True
|
return True
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
|
|
|
@ -255,7 +255,7 @@ class RdpExploiter(HostExploiter):
|
||||||
return True
|
return True
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def exploit_host(self):
|
def _exploit_host(self):
|
||||||
global g_reactor
|
global g_reactor
|
||||||
|
|
||||||
is_open, _ = check_tcp_port(self.host.ip_addr, RDP_PORT)
|
is_open, _ = check_tcp_port(self.host.ip_addr, RDP_PORT)
|
||||||
|
@ -343,5 +343,5 @@ class RdpExploiter(HostExploiter):
|
||||||
|
|
||||||
LOG.info("Executed monkey '%s' on remote victim %r",
|
LOG.info("Executed monkey '%s' on remote victim %r",
|
||||||
os.path.basename(src_path), self.host)
|
os.path.basename(src_path), self.host)
|
||||||
self.set_example_cmd(command)
|
self.add_executed_cmd(command)
|
||||||
return True
|
return True
|
||||||
|
|
|
@ -57,7 +57,7 @@ class SambaCryExploiter(HostExploiter):
|
||||||
def __init__(self, host):
|
def __init__(self, host):
|
||||||
super(SambaCryExploiter, self).__init__(host)
|
super(SambaCryExploiter, self).__init__(host)
|
||||||
|
|
||||||
def exploit_host(self):
|
def _exploit_host(self):
|
||||||
if not self.is_vulnerable():
|
if not self.is_vulnerable():
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
|
|
@ -36,7 +36,7 @@ class ShellShockExploiter(HostExploiter):
|
||||||
) for _ in range(20))
|
) for _ in range(20))
|
||||||
self.skip_exist = self._config.skip_exploit_if_file_exist
|
self.skip_exist = self._config.skip_exploit_if_file_exist
|
||||||
|
|
||||||
def exploit_host(self):
|
def _exploit_host(self):
|
||||||
# start by picking ports
|
# start by picking ports
|
||||||
candidate_services = {
|
candidate_services = {
|
||||||
service: self.host.services[service] for service in self.host.services if
|
service: self.host.services[service] for service in self.host.services if
|
||||||
|
@ -144,7 +144,7 @@ class ShellShockExploiter(HostExploiter):
|
||||||
if not (self.check_remote_file_exists(url, header, exploit, self._config.monkey_log_path_linux)):
|
if not (self.check_remote_file_exists(url, header, exploit, self._config.monkey_log_path_linux)):
|
||||||
LOG.info("Log file does not exist, monkey might not have run")
|
LOG.info("Log file does not exist, monkey might not have run")
|
||||||
continue
|
continue
|
||||||
self.set_example_cmd(cmdline)
|
self.add_executed_cmd(cmdline)
|
||||||
return True
|
return True
|
||||||
|
|
||||||
return False
|
return False
|
||||||
|
|
|
@ -43,7 +43,7 @@ class SmbExploiter(HostExploiter):
|
||||||
return self.host.os.get('type') in self._TARGET_OS_TYPE
|
return self.host.os.get('type') in self._TARGET_OS_TYPE
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def exploit_host(self):
|
def _exploit_host(self):
|
||||||
src_path = get_target_monkey(self.host)
|
src_path = get_target_monkey(self.host)
|
||||||
|
|
||||||
if not src_path:
|
if not src_path:
|
||||||
|
|
|
@ -94,7 +94,7 @@ class SSHExploiter(HostExploiter):
|
||||||
continue
|
continue
|
||||||
return exploited
|
return exploited
|
||||||
|
|
||||||
def exploit_host(self):
|
def _exploit_host(self):
|
||||||
ssh = paramiko.SSHClient()
|
ssh = paramiko.SSHClient()
|
||||||
ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
|
ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
|
||||||
|
|
||||||
|
@ -178,7 +178,7 @@ class SSHExploiter(HostExploiter):
|
||||||
self._config.dropper_target_path_linux, self.host, cmdline)
|
self._config.dropper_target_path_linux, self.host, cmdline)
|
||||||
|
|
||||||
ssh.close()
|
ssh.close()
|
||||||
self.set_example_cmd(cmdline)
|
self.add_executed_cmd(cmdline)
|
||||||
return True
|
return True
|
||||||
|
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
|
|
|
@ -60,7 +60,7 @@ class VSFTPDExploiter(HostExploiter):
|
||||||
LOG.error('Failed to send payload to %s', self.host.ip_addr)
|
LOG.error('Failed to send payload to %s', self.host.ip_addr)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def exploit_host(self):
|
def _exploit_host(self):
|
||||||
LOG.info("Attempting to trigger the Backdoor..")
|
LOG.info("Attempting to trigger the Backdoor..")
|
||||||
ftp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
ftp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||||
|
|
||||||
|
@ -138,7 +138,7 @@ class VSFTPDExploiter(HostExploiter):
|
||||||
if backdoor_socket.send(run_monkey):
|
if backdoor_socket.send(run_monkey):
|
||||||
LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)", self._config.dropper_target_path_linux,
|
LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)", self._config.dropper_target_path_linux,
|
||||||
self.host, run_monkey)
|
self.host, run_monkey)
|
||||||
self.set_example_cmd(run_monkey)
|
self.add_executed_cmd(run_monkey)
|
||||||
return True
|
return True
|
||||||
else:
|
else:
|
||||||
return False
|
return False
|
||||||
|
|
|
@ -66,7 +66,7 @@ class WebRCE(HostExploiter):
|
||||||
|
|
||||||
return exploit_config
|
return exploit_config
|
||||||
|
|
||||||
def exploit_host(self):
|
def _exploit_host(self):
|
||||||
"""
|
"""
|
||||||
Method that contains default exploitation workflow
|
Method that contains default exploitation workflow
|
||||||
:return: True if exploited, False otherwise
|
:return: True if exploited, False otherwise
|
||||||
|
@ -408,7 +408,7 @@ class WebRCE(HostExploiter):
|
||||||
# If exploiter returns True / False
|
# If exploiter returns True / False
|
||||||
if type(resp) is bool:
|
if type(resp) is bool:
|
||||||
LOG.info("Execution attempt successfully finished")
|
LOG.info("Execution attempt successfully finished")
|
||||||
self.set_example_cmd(command)
|
self.add_executed_cmd(command)
|
||||||
return resp
|
return resp
|
||||||
# If exploiter returns command output, we can check for execution errors
|
# If exploiter returns command output, we can check for execution errors
|
||||||
if 'is not recognized' in resp or 'command not found' in resp:
|
if 'is not recognized' in resp or 'command not found' in resp:
|
||||||
|
@ -422,7 +422,7 @@ class WebRCE(HostExploiter):
|
||||||
return False
|
return False
|
||||||
LOG.info("Execution attempt finished")
|
LOG.info("Execution attempt finished")
|
||||||
|
|
||||||
self.set_example_cmd(command)
|
self.add_executed_cmd(command)
|
||||||
return resp
|
return resp
|
||||||
|
|
||||||
def get_monkey_upload_path(self, url_to_monkey):
|
def get_monkey_upload_path(self, url_to_monkey):
|
||||||
|
|
|
@ -175,7 +175,7 @@ class Ms08_067_Exploiter(HostExploiter):
|
||||||
self.host.os.get('version') in self._windows_versions.keys()
|
self.host.os.get('version') in self._windows_versions.keys()
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def exploit_host(self):
|
def _exploit_host(self):
|
||||||
src_path = get_target_monkey(self.host)
|
src_path = get_target_monkey(self.host)
|
||||||
|
|
||||||
if not src_path:
|
if not src_path:
|
||||||
|
|
|
@ -23,7 +23,7 @@ class WmiExploiter(HostExploiter):
|
||||||
super(WmiExploiter, self).__init__(host)
|
super(WmiExploiter, self).__init__(host)
|
||||||
|
|
||||||
@WmiTools.dcom_wrap
|
@WmiTools.dcom_wrap
|
||||||
def exploit_host(self):
|
def _exploit_host(self):
|
||||||
src_path = get_target_monkey(self.host)
|
src_path = get_target_monkey(self.host)
|
||||||
|
|
||||||
if not src_path:
|
if not src_path:
|
||||||
|
@ -114,7 +114,7 @@ class WmiExploiter(HostExploiter):
|
||||||
|
|
||||||
result.RemRelease()
|
result.RemRelease()
|
||||||
wmi_connection.close()
|
wmi_connection.close()
|
||||||
self.set_example_cmd(cmdline)
|
self.add_executed_cmd(cmdline)
|
||||||
return success
|
return success
|
||||||
|
|
||||||
return False
|
return False
|
||||||
|
|
|
@ -285,9 +285,7 @@ class InfectionMonkey(object):
|
||||||
|
|
||||||
result = False
|
result = False
|
||||||
try:
|
try:
|
||||||
exploiter.set_start_time()
|
|
||||||
result = exploiter.exploit_host()
|
result = exploiter.exploit_host()
|
||||||
exploiter.set_finish_time()
|
|
||||||
if result:
|
if result:
|
||||||
self.successfully_exploited(machine, exploiter)
|
self.successfully_exploited(machine, exploiter)
|
||||||
return True
|
return True
|
||||||
|
|
|
@ -15,7 +15,7 @@ class AttackTelem(BaseTelem):
|
||||||
self.technique = technique
|
self.technique = technique
|
||||||
self.status = status
|
self.status = status
|
||||||
|
|
||||||
telem_catagory = 'attack'
|
telem_category = 'attack'
|
||||||
|
|
||||||
def get_data(self):
|
def get_data(self):
|
||||||
return {
|
return {
|
||||||
|
|
|
@ -13,7 +13,7 @@ class TestVictimHostTelem(TestCase):
|
||||||
|
|
||||||
telem = VictimHostTelem(technique, status, machine)
|
telem = VictimHostTelem(technique, status, machine)
|
||||||
|
|
||||||
self.assertEqual(telem.telem_catagory, 'attack')
|
self.assertEqual(telem.telem_category, 'attack')
|
||||||
|
|
||||||
expected_data = {
|
expected_data = {
|
||||||
'machine': {
|
'machine': {
|
||||||
|
|
|
@ -19,10 +19,10 @@ class BaseTelem(object):
|
||||||
"""
|
"""
|
||||||
Sends telemetry to island
|
Sends telemetry to island
|
||||||
"""
|
"""
|
||||||
ControlClient.send_telemetry(self.telem_catagory, self.get_data())
|
ControlClient.send_telemetry(self.telem_category, self.get_data())
|
||||||
|
|
||||||
@abc.abstractproperty
|
@abc.abstractproperty
|
||||||
def telem_catagory(self):
|
def telem_category(self):
|
||||||
"""
|
"""
|
||||||
:return: Telemetry type
|
:return: Telemetry type
|
||||||
"""
|
"""
|
||||||
|
|
|
@ -49,7 +49,8 @@ class FileServHTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
|
||||||
start_range += chunk
|
start_range += chunk
|
||||||
|
|
||||||
if f.tell() == monkeyfs.getsize(self.filename):
|
if f.tell() == monkeyfs.getsize(self.filename):
|
||||||
self.report_download(self.client_address)
|
if self.report_download(self.client_address):
|
||||||
|
self.close_connection = 1
|
||||||
|
|
||||||
f.close()
|
f.close()
|
||||||
|
|
||||||
|
@ -171,7 +172,8 @@ class HTTPServer(threading.Thread):
|
||||||
LOG.info('File downloaded from (%s,%s)' % (dest[0], dest[1]))
|
LOG.info('File downloaded from (%s,%s)' % (dest[0], dest[1]))
|
||||||
self.downloads += 1
|
self.downloads += 1
|
||||||
if not self.downloads < self.max_downloads:
|
if not self.downloads < self.max_downloads:
|
||||||
self.close_connection = 1
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
httpd = BaseHTTPServer.HTTPServer((self._local_ip, self._local_port), TempHandler)
|
httpd = BaseHTTPServer.HTTPServer((self._local_ip, self._local_port), TempHandler)
|
||||||
httpd.timeout = 0.5 # this is irrelevant?
|
httpd.timeout = 0.5 # this is irrelevant?
|
||||||
|
@ -217,7 +219,8 @@ class LockedHTTPServer(threading.Thread):
|
||||||
LOG.info('File downloaded from (%s,%s)' % (dest[0], dest[1]))
|
LOG.info('File downloaded from (%s,%s)' % (dest[0], dest[1]))
|
||||||
self.downloads += 1
|
self.downloads += 1
|
||||||
if not self.downloads < self.max_downloads:
|
if not self.downloads < self.max_downloads:
|
||||||
self.close_connection = 1
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
httpd = BaseHTTPServer.HTTPServer((self._local_ip, self._local_port), TempHandler)
|
httpd = BaseHTTPServer.HTTPServer((self._local_ip, self._local_port), TempHandler)
|
||||||
self.lock.release()
|
self.lock.release()
|
||||||
|
|
|
@ -95,7 +95,7 @@ class Monkey(flask_restful.Resource):
|
||||||
parent_to_add = (monkey_json.get('guid'), None) # default values in case of manual run
|
parent_to_add = (monkey_json.get('guid'), None) # default values in case of manual run
|
||||||
if parent and parent != monkey_json.get('guid'): # current parent is known
|
if parent and parent != monkey_json.get('guid'): # current parent is known
|
||||||
exploit_telem = [x for x in
|
exploit_telem = [x for x in
|
||||||
mongo.db.telemetry.find({'telem_catagory': {'$eq': 'exploit'}, 'data.result': {'$eq': True},
|
mongo.db.telemetry.find({'telem_category': {'$eq': 'exploit'}, 'data.result': {'$eq': True},
|
||||||
'data.machine.ip_addr': {'$in': monkey_json['ip_addresses']},
|
'data.machine.ip_addr': {'$in': monkey_json['ip_addresses']},
|
||||||
'monkey_guid': {'$eq': parent}})]
|
'monkey_guid': {'$eq': parent}})]
|
||||||
if 1 == len(exploit_telem):
|
if 1 == len(exploit_telem):
|
||||||
|
@ -104,7 +104,7 @@ class Monkey(flask_restful.Resource):
|
||||||
parent_to_add = (parent, None)
|
parent_to_add = (parent, None)
|
||||||
elif (not parent or parent == monkey_json.get('guid')) and 'ip_addresses' in monkey_json:
|
elif (not parent or parent == monkey_json.get('guid')) and 'ip_addresses' in monkey_json:
|
||||||
exploit_telem = [x for x in
|
exploit_telem = [x for x in
|
||||||
mongo.db.telemetry.find({'telem_catagory': {'$eq': 'exploit'}, 'data.result': {'$eq': True},
|
mongo.db.telemetry.find({'telem_category': {'$eq': 'exploit'}, 'data.result': {'$eq': True},
|
||||||
'data.machine.ip_addr': {'$in': monkey_json['ip_addresses']}})]
|
'data.machine.ip_addr': {'$in': monkey_json['ip_addresses']}})]
|
||||||
|
|
||||||
if 1 == len(exploit_telem):
|
if 1 == len(exploit_telem):
|
||||||
|
|
|
@ -26,7 +26,7 @@ class Telemetry(flask_restful.Resource):
|
||||||
@jwt_required()
|
@jwt_required()
|
||||||
def get(self, **kw):
|
def get(self, **kw):
|
||||||
monkey_guid = request.args.get('monkey_guid')
|
monkey_guid = request.args.get('monkey_guid')
|
||||||
telem_catagory = request.args.get('telem_catagory')
|
telem_category = request.args.get('telem_category')
|
||||||
timestamp = request.args.get('timestamp')
|
timestamp = request.args.get('timestamp')
|
||||||
if "null" == timestamp: # special case to avoid ugly JS code...
|
if "null" == timestamp: # special case to avoid ugly JS code...
|
||||||
timestamp = None
|
timestamp = None
|
||||||
|
@ -36,8 +36,8 @@ class Telemetry(flask_restful.Resource):
|
||||||
|
|
||||||
if monkey_guid:
|
if monkey_guid:
|
||||||
find_filter["monkey_guid"] = {'$eq': monkey_guid}
|
find_filter["monkey_guid"] = {'$eq': monkey_guid}
|
||||||
if telem_catagory:
|
if telem_category:
|
||||||
find_filter["telem_catagory"] = {'$eq': telem_catagory}
|
find_filter["telem_category"] = {'$eq': telem_category}
|
||||||
if timestamp:
|
if timestamp:
|
||||||
find_filter['timestamp'] = {'$gt': dateutil.parser.parse(timestamp)}
|
find_filter['timestamp'] = {'$gt': dateutil.parser.parse(timestamp)}
|
||||||
|
|
||||||
|
@ -53,11 +53,11 @@ class Telemetry(flask_restful.Resource):
|
||||||
|
|
||||||
try:
|
try:
|
||||||
NodeService.update_monkey_modify_time(monkey["_id"])
|
NodeService.update_monkey_modify_time(monkey["_id"])
|
||||||
telem_catagory = telemetry_json.get('telem_catagory')
|
telem_category = telemetry_json.get('telem_category')
|
||||||
if telem_catagory in TELEM_PROCESS_DICT:
|
if telem_category in TELEM_PROCESS_DICT:
|
||||||
TELEM_PROCESS_DICT[telem_catagory](telemetry_json)
|
TELEM_PROCESS_DICT[telem_category](telemetry_json)
|
||||||
else:
|
else:
|
||||||
logger.info('Got unknown type of telemetry: %s' % telem_catagory)
|
logger.info('Got unknown type of telemetry: %s' % telem_category)
|
||||||
except Exception as ex:
|
except Exception as ex:
|
||||||
logger.error("Exception caught while processing telemetry", exc_info=True)
|
logger.error("Exception caught while processing telemetry", exc_info=True)
|
||||||
|
|
||||||
|
@ -79,7 +79,7 @@ class Telemetry(flask_restful.Resource):
|
||||||
monkey_label = telem_monkey_guid
|
monkey_label = telem_monkey_guid
|
||||||
x["monkey"] = monkey_label
|
x["monkey"] = monkey_label
|
||||||
objects.append(x)
|
objects.append(x)
|
||||||
if x['telem_catagory'] == 'system_info_collection' and 'credentials' in x['data']:
|
if x['telem_category'] == 'system_info_collection' and 'credentials' in x['data']:
|
||||||
for user in x['data']['credentials']:
|
for user in x['data']['credentials']:
|
||||||
if -1 != user.find(','):
|
if -1 != user.find(','):
|
||||||
new_user = user.replace(',', '.')
|
new_user = user.replace(',', '.')
|
||||||
|
|
|
@ -38,7 +38,7 @@ class TelemetryFeed(flask_restful.Resource):
|
||||||
'id': telem['_id'],
|
'id': telem['_id'],
|
||||||
'timestamp': telem['timestamp'].strftime('%d/%m/%Y %H:%M:%S'),
|
'timestamp': telem['timestamp'].strftime('%d/%m/%Y %H:%M:%S'),
|
||||||
'hostname': monkey.get('hostname', default_hostname) if monkey else default_hostname,
|
'hostname': monkey.get('hostname', default_hostname) if monkey else default_hostname,
|
||||||
'brief': TELEM_PROCESS_DICT[telem['telem_catagory']](telem)
|
'brief': TELEM_PROCESS_DICT[telem['telem_category']](telem)
|
||||||
}
|
}
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
import logging
|
import logging
|
||||||
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086
|
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059
|
||||||
from monkey_island.cc.services.attack.attack_telem import AttackTelemService
|
from monkey_island.cc.services.attack.attack_telem import AttackTelemService
|
||||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
||||||
from monkey_island.cc.database import mongo
|
from monkey_island.cc.database import mongo
|
||||||
|
@ -47,7 +47,7 @@ class AttackReportService:
|
||||||
Gets timestamp of latest attack telem
|
Gets timestamp of latest attack telem
|
||||||
:return: timestamp of latest attack telem
|
:return: timestamp of latest attack telem
|
||||||
"""
|
"""
|
||||||
return [x['timestamp'] for x in mongo.db.telemetry.find({'telem_catagory': 'attack'}).sort('timestamp', -1).limit(1)][0]
|
return [x['timestamp'] for x in mongo.db.telemetry.find({'telem_category': 'attack'}).sort('timestamp', -1).limit(1)][0]
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_latest_report():
|
def get_latest_report():
|
||||||
|
|
|
@ -12,7 +12,8 @@ class T1003(AttackTechnique):
|
||||||
scanned_msg = ""
|
scanned_msg = ""
|
||||||
used_msg = "Monkey successfully obtained some credentials from systems on the network."
|
used_msg = "Monkey successfully obtained some credentials from systems on the network."
|
||||||
|
|
||||||
query = {'telem_type': 'system_info_collection', '$and': [{'data.credentials': {'$exists': True}},
|
query = {'telem_category': 'system_info_collection', '$and': [{'data.credentials': {'$exists': True}},
|
||||||
|
# $gt: {} checks if field is not an empty object
|
||||||
{'data.credentials': {'$gt': {}}}]}
|
{'data.credentials': {'$gt': {}}}]}
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
|
|
|
@ -12,8 +12,8 @@ class T1059(AttackTechnique):
|
||||||
scanned_msg = ""
|
scanned_msg = ""
|
||||||
used_msg = "Monkey successfully ran commands on exploited machines in the network."
|
used_msg = "Monkey successfully ran commands on exploited machines in the network."
|
||||||
|
|
||||||
query = [{'$match': {'telem_type': 'exploit',
|
query = [{'$match': {'telem_category': 'exploit',
|
||||||
'data.info.executed_cmds.example': {'$exists': True}}},
|
'data.info.executed_cmds': {'$exists': True, '$ne': []}}},
|
||||||
{'$project': {'_id': 0,
|
{'$project': {'_id': 0,
|
||||||
'machine': '$data.machine',
|
'machine': '$data.machine',
|
||||||
'info': '$data.info'}},
|
'info': '$data.info'}},
|
||||||
|
|
|
@ -13,7 +13,7 @@ class T1110(AttackTechnique):
|
||||||
used_msg = "Monkey successfully used brute force in the network."
|
used_msg = "Monkey successfully used brute force in the network."
|
||||||
|
|
||||||
# Gets data about brute force attempts
|
# Gets data about brute force attempts
|
||||||
query = [{'$match': {'telem_type': 'exploit',
|
query = [{'$match': {'telem_category': 'exploit',
|
||||||
'data.attempts': {'$not': {'$size': 0}}}},
|
'data.attempts': {'$not': {'$size': 0}}}},
|
||||||
{'$project': {'_id': 0,
|
{'$project': {'_id': 0,
|
||||||
'machine': '$data.machine',
|
'machine': '$data.machine',
|
||||||
|
|
|
@ -13,8 +13,10 @@ class T1197(AttackTechnique):
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
data = T1197.get_tech_base_data()
|
data = T1197.get_tech_base_data()
|
||||||
bits_results = mongo.db.telemetry.aggregate([{'$match': {'telem_catagory': 'attack', 'data.technique': T1197.tech_id}},
|
bits_results = mongo.db.telemetry.aggregate([{'$match': {'telem_category': 'attack',
|
||||||
{'$group': {'_id': {'ip_addr': '$data.machine.ip_addr', 'usage': '$data.usage'},
|
'data.technique': T1197.tech_id}},
|
||||||
|
{'$group': {'_id': {'ip_addr': '$data.machine.ip_addr',
|
||||||
|
'usage': '$data.usage'},
|
||||||
'ip_addr': {'$first': '$data.machine.ip_addr'},
|
'ip_addr': {'$first': '$data.machine.ip_addr'},
|
||||||
'domain_name': {'$first': '$data.machine.domain_name'},
|
'domain_name': {'$first': '$data.machine.domain_name'},
|
||||||
'usage': {'$first': '$data.usage'},
|
'usage': {'$first': '$data.usage'},
|
||||||
|
|
|
@ -22,14 +22,14 @@ class T1210(AttackTechnique):
|
||||||
elif scanned_services:
|
elif scanned_services:
|
||||||
status = ScanStatus.SCANNED
|
status = ScanStatus.SCANNED
|
||||||
else:
|
else:
|
||||||
status = ScanStatus.UNSCANNED.name
|
status = ScanStatus.UNSCANNED
|
||||||
data.update(T1210.get_message_and_status(status))
|
data.update(T1210.get_message_and_status(status))
|
||||||
data.update({'scanned_services': scanned_services, 'exploited_services': exploited_services})
|
data.update({'scanned_services': scanned_services, 'exploited_services': exploited_services})
|
||||||
return data
|
return data
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_scanned_services():
|
def get_scanned_services():
|
||||||
results = mongo.db.telemetry.aggregate([{'$match': {'telem_catagory': 'scan'}},
|
results = mongo.db.telemetry.aggregate([{'$match': {'telem_category': 'scan'}},
|
||||||
{'$sort': {'data.service_count': -1}},
|
{'$sort': {'data.service_count': -1}},
|
||||||
{'$group': {
|
{'$group': {
|
||||||
'_id': {'ip_addr': '$data.machine.ip_addr'},
|
'_id': {'ip_addr': '$data.machine.ip_addr'},
|
||||||
|
@ -39,7 +39,7 @@ class T1210(AttackTechnique):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_exploited_services():
|
def get_exploited_services():
|
||||||
results = mongo.db.telemetry.aggregate([{'$match': {'telem_catagory': 'exploit', 'data.result': True}},
|
results = mongo.db.telemetry.aggregate([{'$match': {'telem_category': 'exploit', 'data.result': True}},
|
||||||
{'$group': {
|
{'$group': {
|
||||||
'_id': {'ip_addr': '$data.machine.ip_addr'},
|
'_id': {'ip_addr': '$data.machine.ip_addr'},
|
||||||
'service': {'$first': '$data.info'},
|
'service': {'$first': '$data.info'},
|
||||||
|
|
|
@ -52,11 +52,11 @@ class AttackTechnique(object):
|
||||||
Gets the status of a certain attack technique.
|
Gets the status of a certain attack technique.
|
||||||
:return: ScanStatus Enum object
|
:return: ScanStatus Enum object
|
||||||
"""
|
"""
|
||||||
if mongo.db.attack_results.find_one({'telem_catagory': 'attack',
|
if mongo.db.attack_results.find_one({'telem_category': 'attack',
|
||||||
'status': ScanStatus.USED.value,
|
'status': ScanStatus.USED.value,
|
||||||
'technique': cls.tech_id}):
|
'technique': cls.tech_id}):
|
||||||
return ScanStatus.USED
|
return ScanStatus.USED
|
||||||
elif mongo.db.attack_results.find_one({'telem_catagory': 'attack',
|
elif mongo.db.attack_results.find_one({'telem_category': 'attack',
|
||||||
'status': ScanStatus.SCANNED.value,
|
'status': ScanStatus.SCANNED.value,
|
||||||
'technique': cls.tech_id}):
|
'technique': cls.tech_id}):
|
||||||
return ScanStatus.SCANNED
|
return ScanStatus.SCANNED
|
||||||
|
|
|
@ -171,7 +171,7 @@ class ReportService:
|
||||||
PASS_TYPE_DICT = {'password': 'Clear Password', 'lm_hash': 'LM hash', 'ntlm_hash': 'NTLM hash'}
|
PASS_TYPE_DICT = {'password': 'Clear Password', 'lm_hash': 'LM hash', 'ntlm_hash': 'NTLM hash'}
|
||||||
creds = []
|
creds = []
|
||||||
for telem in mongo.db.telemetry.find(
|
for telem in mongo.db.telemetry.find(
|
||||||
{'telem_catagory': 'system_info_collection', 'data.credentials': {'$exists': True}},
|
{'telem_category': 'system_info_collection', 'data.credentials': {'$exists': True}},
|
||||||
{'data.credentials': 1, 'monkey_guid': 1}
|
{'data.credentials': 1, 'monkey_guid': 1}
|
||||||
):
|
):
|
||||||
monkey_creds = telem['data']['credentials']
|
monkey_creds = telem['data']['credentials']
|
||||||
|
@ -199,7 +199,7 @@ class ReportService:
|
||||||
"""
|
"""
|
||||||
creds = []
|
creds = []
|
||||||
for telem in mongo.db.telemetry.find(
|
for telem in mongo.db.telemetry.find(
|
||||||
{'telem_catagory': 'system_info_collection', 'data.ssh_info': {'$exists': True}},
|
{'telem_category': 'system_info_collection', 'data.ssh_info': {'$exists': True}},
|
||||||
{'data.ssh_info': 1, 'monkey_guid': 1}
|
{'data.ssh_info': 1, 'monkey_guid': 1}
|
||||||
):
|
):
|
||||||
origin = NodeService.get_monkey_by_guid(telem['monkey_guid'])['hostname']
|
origin = NodeService.get_monkey_by_guid(telem['monkey_guid'])['hostname']
|
||||||
|
@ -220,7 +220,7 @@ class ReportService:
|
||||||
"""
|
"""
|
||||||
creds = []
|
creds = []
|
||||||
for telem in mongo.db.telemetry.find(
|
for telem in mongo.db.telemetry.find(
|
||||||
{'telem_catagory': 'system_info_collection', 'data.Azure': {'$exists': True}},
|
{'telem_category': 'system_info_collection', 'data.Azure': {'$exists': True}},
|
||||||
{'data.Azure': 1, 'monkey_guid': 1}
|
{'data.Azure': 1, 'monkey_guid': 1}
|
||||||
):
|
):
|
||||||
azure_users = telem['data']['Azure']['usernames']
|
azure_users = telem['data']['Azure']['usernames']
|
||||||
|
@ -373,7 +373,7 @@ class ReportService:
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_exploits():
|
def get_exploits():
|
||||||
exploits = []
|
exploits = []
|
||||||
for exploit in mongo.db.telemetry.find({'telem_catagory': 'exploit', 'data.result': True}):
|
for exploit in mongo.db.telemetry.find({'telem_category': 'exploit', 'data.result': True}):
|
||||||
new_exploit = ReportService.process_exploit(exploit)
|
new_exploit = ReportService.process_exploit(exploit)
|
||||||
if new_exploit not in exploits:
|
if new_exploit not in exploits:
|
||||||
exploits.append(new_exploit)
|
exploits.append(new_exploit)
|
||||||
|
@ -382,7 +382,7 @@ class ReportService:
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_monkey_subnets(monkey_guid):
|
def get_monkey_subnets(monkey_guid):
|
||||||
network_info = mongo.db.telemetry.find_one(
|
network_info = mongo.db.telemetry.find_one(
|
||||||
{'telem_catagory': 'system_info_collection', 'monkey_guid': monkey_guid},
|
{'telem_category': 'system_info_collection', 'monkey_guid': monkey_guid},
|
||||||
{'data.network_info.networks': 1}
|
{'data.network_info.networks': 1}
|
||||||
)
|
)
|
||||||
if network_info is None:
|
if network_info is None:
|
||||||
|
@ -540,7 +540,7 @@ class ReportService:
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_cross_segment_issues():
|
def get_cross_segment_issues():
|
||||||
scans = mongo.db.telemetry.find({'telem_catagory': 'scan'},
|
scans = mongo.db.telemetry.find({'telem_category': 'scan'},
|
||||||
{'monkey_guid': 1, 'data.machine.ip_addr': 1, 'data.machine.services': 1})
|
{'monkey_guid': 1, 'data.machine.ip_addr': 1, 'data.machine.services': 1})
|
||||||
|
|
||||||
cross_segment_issues = []
|
cross_segment_issues = []
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
import React from 'react';
|
import React from 'react';
|
||||||
import '../../../styles/Collapse.scss'
|
import '../../../styles/Collapse.scss'
|
||||||
import ReactTable from "react-table";
|
import ReactTable from "react-table";
|
||||||
import { RenderMachine } from "./Helpers"
|
import { renderMachine } from "./Helpers"
|
||||||
|
|
||||||
|
|
||||||
class T1059 extends React.Component {
|
class T1059 extends React.Component {
|
||||||
|
@ -14,13 +14,14 @@ class T1059 extends React.Component {
|
||||||
return ([{
|
return ([{
|
||||||
Header: 'Example commands used',
|
Header: 'Example commands used',
|
||||||
columns: [
|
columns: [
|
||||||
{Header: 'Machine', id: 'machine', accessor: x => RenderMachine(x.data[0].machine), style: { 'whiteSpace': 'unset'}, width: 160 },
|
{Header: 'Machine', id: 'machine', accessor: x => renderMachine(x.data[0].machine), style: { 'whiteSpace': 'unset'}, width: 160 },
|
||||||
{Header: 'Approx. Time', id: 'time', accessor: x => x.data[0].info.finished, style: { 'whiteSpace': 'unset' }},
|
{Header: 'Approx. Time', id: 'time', accessor: x => x.data[0].info.finished, style: { 'whiteSpace': 'unset' }},
|
||||||
{Header: 'Command', id: 'command', accessor: x => x.data[0].info.executed_cmds.example, style: { 'whiteSpace': 'unset' }},
|
{Header: 'Command', id: 'command', accessor: x => x.data[0].info.executed_cmds[0].cmd, style: { 'whiteSpace': 'unset' }},
|
||||||
]
|
]
|
||||||
}])};
|
}])};
|
||||||
|
|
||||||
render() {
|
render() {
|
||||||
|
console.log(this.props.data);
|
||||||
return (
|
return (
|
||||||
<div>
|
<div>
|
||||||
<div>{this.props.data.message}</div>
|
<div>{this.props.data.message}</div>
|
||||||
|
|
Loading…
Reference in New Issue