forked from p34709852/monkey
1063 lines
45 KiB
Python
1063 lines
45 KiB
Python
import copy
|
|
import collections
|
|
import functools
|
|
import logging
|
|
from jsonschema import Draft4Validator, validators
|
|
from six import string_types
|
|
|
|
from cc.database import mongo
|
|
from cc.encryptor import encryptor
|
|
from cc.environment.environment import env
|
|
from cc.utils import local_ip_addresses
|
|
|
|
__author__ = "itay.mizeretz"
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
WARNING_SIGN = u" \u26A0"
|
|
|
|
SCHEMA = {
|
|
"title": "Monkey",
|
|
"type": "object",
|
|
"definitions": {
|
|
"exploiter_classes": {
|
|
"title": "Exploit class",
|
|
"type": "string",
|
|
"anyOf": [
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"SmbExploiter"
|
|
],
|
|
"title": "SMB Exploiter"
|
|
},
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"WmiExploiter"
|
|
],
|
|
"title": "WMI Exploiter"
|
|
},
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"RdpExploiter"
|
|
],
|
|
"title": "RDP Exploiter (UNSAFE)"
|
|
},
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"Ms08_067_Exploiter"
|
|
],
|
|
"title": "MS08-067 Exploiter (UNSAFE)"
|
|
},
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"SSHExploiter"
|
|
],
|
|
"title": "SSH Exploiter"
|
|
},
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"ShellShockExploiter"
|
|
],
|
|
"title": "ShellShock Exploiter"
|
|
},
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"SambaCryExploiter"
|
|
],
|
|
"title": "SambaCry Exploiter"
|
|
},
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"ElasticGroovyExploiter"
|
|
],
|
|
"title": "ElasticGroovy Exploiter"
|
|
},
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"Struts2Exploiter"
|
|
],
|
|
"title": "Struts2 Exploiter"
|
|
}
|
|
]
|
|
},
|
|
"finger_classes": {
|
|
"title": "Fingerprint class",
|
|
"type": "string",
|
|
"anyOf": [
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"SMBFinger"
|
|
],
|
|
"title": "SMBFinger"
|
|
},
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"SSHFinger"
|
|
],
|
|
"title": "SSHFinger"
|
|
},
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"PingScanner"
|
|
],
|
|
"title": "PingScanner"
|
|
},
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"HTTPFinger"
|
|
],
|
|
"title": "HTTPFinger"
|
|
},
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"MySQLFinger"
|
|
],
|
|
"title": "MySQLFinger"
|
|
},
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"MSSQLFinger"
|
|
],
|
|
"title": "MSSQLFinger"
|
|
},
|
|
|
|
{
|
|
"type": "string",
|
|
"enum": [
|
|
"ElasticFinger"
|
|
],
|
|
"title": "ElasticFinger"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"properties": {
|
|
"basic": {
|
|
"title": "Basic - Credentials",
|
|
"type": "object",
|
|
"properties": {
|
|
"credentials": {
|
|
"title": "Credentials",
|
|
"type": "object",
|
|
"properties": {
|
|
"exploit_user_list": {
|
|
"title": "Exploit user list",
|
|
"type": "array",
|
|
"uniqueItems": True,
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"default": [
|
|
"Administrator",
|
|
"root",
|
|
"user"
|
|
],
|
|
"description": "List of usernames to use on exploits using credentials"
|
|
},
|
|
"exploit_password_list": {
|
|
"title": "Exploit password list",
|
|
"type": "array",
|
|
"uniqueItems": True,
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"default": [
|
|
"Password1!",
|
|
"1234",
|
|
"password",
|
|
"12345678"
|
|
],
|
|
"description": "List of password to use on exploits using credentials"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"basic_network": {
|
|
"title": "Basic - Network",
|
|
"type": "object",
|
|
"properties": {
|
|
"general": {
|
|
"title": "General",
|
|
"type": "object",
|
|
"properties": {
|
|
"blocked_ips": {
|
|
"title": "Blocked IPs",
|
|
"type": "array",
|
|
"uniqueItems": True,
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"default": [
|
|
],
|
|
"description": "List of IPs to not scan"
|
|
},
|
|
"local_network_scan": {
|
|
"title": "Local network scan",
|
|
"type": "boolean",
|
|
"default": True,
|
|
"description": "Determines whether the monkey should scan its subnets additionally"
|
|
},
|
|
"depth": {
|
|
"title": "Distance from island",
|
|
"type": "integer",
|
|
"default": 2,
|
|
"description":
|
|
"Amount of hops allowed for the monkey to spread from the island. "
|
|
+ WARNING_SIGN
|
|
+ " Note that setting this value too high may result in the monkey propagating too far"
|
|
},
|
|
"subnet_scan_list": {
|
|
"title": "Scan IP/subnet list",
|
|
"type": "array",
|
|
"uniqueItems": True,
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"default": [
|
|
],
|
|
"description":
|
|
"List of IPs/subnets the monkey should scan."
|
|
" Examples: \"192.168.0.1\", \"192.168.0.5-192.168.0.20\", \"192.168.0.5/24\""
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"monkey": {
|
|
"title": "Monkey",
|
|
"type": "object",
|
|
"properties": {
|
|
"general": {
|
|
"title": "General",
|
|
"type": "object",
|
|
"properties": {
|
|
"alive": {
|
|
"title": "Alive",
|
|
"type": "boolean",
|
|
"default": True,
|
|
"description": "Is the monkey alive"
|
|
}
|
|
}
|
|
},
|
|
"behaviour": {
|
|
"title": "Behaviour",
|
|
"type": "object",
|
|
"properties": {
|
|
"self_delete_in_cleanup": {
|
|
"title": "Self delete on cleanup",
|
|
"type": "boolean",
|
|
"default": False,
|
|
"description": "Should the monkey delete its executable when going down"
|
|
},
|
|
"use_file_logging": {
|
|
"title": "Use file logging",
|
|
"type": "boolean",
|
|
"default": True,
|
|
"description": "Should the monkey dump to a log file"
|
|
},
|
|
"serialize_config": {
|
|
"title": "Serialize config",
|
|
"type": "boolean",
|
|
"default": False,
|
|
"description": "Should the monkey dump its config on startup"
|
|
}
|
|
}
|
|
},
|
|
"life_cycle": {
|
|
"title": "Life cycle",
|
|
"type": "object",
|
|
"properties": {
|
|
"max_iterations": {
|
|
"title": "Max iterations",
|
|
"type": "integer",
|
|
"default": 1,
|
|
"description": "Determines how many iterations of the monkey's full lifecycle should occur"
|
|
},
|
|
"victims_max_find": {
|
|
"title": "Max victims to find",
|
|
"type": "integer",
|
|
"default": 30,
|
|
"description": "Determines the maximum number of machines the monkey is allowed to scan"
|
|
},
|
|
"victims_max_exploit": {
|
|
"title": "Max victims to exploit",
|
|
"type": "integer",
|
|
"default": 7,
|
|
"description":
|
|
"Determines the maximum number of machines the monkey"
|
|
" is allowed to successfully exploit. " + WARNING_SIGN
|
|
+ " Note that setting this value too high may result in the monkey propagating to "
|
|
"a high number of machines"
|
|
},
|
|
"timeout_between_iterations": {
|
|
"title": "Wait time between iterations",
|
|
"type": "integer",
|
|
"default": 100,
|
|
"description":
|
|
"Determines for how long (in seconds) should the monkey wait between iterations"
|
|
},
|
|
"retry_failed_explotation": {
|
|
"title": "Retry failed exploitation",
|
|
"type": "boolean",
|
|
"default": True,
|
|
"description":
|
|
"Determines whether the monkey should retry exploiting machines"
|
|
" it didn't successfuly exploit on previous iterations"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"internal": {
|
|
"title": "Internal",
|
|
"type": "object",
|
|
"properties": {
|
|
"general": {
|
|
"title": "General",
|
|
"type": "object",
|
|
"properties": {
|
|
"singleton_mutex_name": {
|
|
"title": "Singleton mutex name",
|
|
"type": "string",
|
|
"default": "{2384ec59-0df8-4ab9-918c-843740924a28}",
|
|
"description":
|
|
"The name of the mutex used to determine whether the monkey is already running"
|
|
},
|
|
"collect_system_info": {
|
|
"title": "Collect system info",
|
|
"type": "boolean",
|
|
"default": True,
|
|
"description": "Determines whether to collect system info"
|
|
},
|
|
"keep_tunnel_open_time": {
|
|
"title": "Keep tunnel open time",
|
|
"type": "integer",
|
|
"default": 60,
|
|
"description": "Time to keep tunnel open before going down after last exploit (in seconds)"
|
|
}
|
|
}
|
|
},
|
|
"classes": {
|
|
"title": "Classes",
|
|
"type": "object",
|
|
"properties": {
|
|
"scanner_class": {
|
|
"title": "Scanner class",
|
|
"type": "string",
|
|
"default": "TcpScanner",
|
|
"enum": [
|
|
"TcpScanner"
|
|
],
|
|
"enumNames": [
|
|
"TcpScanner"
|
|
],
|
|
"description": "Determines class to scan for machines. (Shouldn't be changed)"
|
|
},
|
|
"finger_classes": {
|
|
"title": "Fingerprint classes",
|
|
"type": "array",
|
|
"uniqueItems": True,
|
|
"items": {
|
|
"$ref": "#/definitions/finger_classes"
|
|
},
|
|
"default": [
|
|
"SMBFinger",
|
|
"SSHFinger",
|
|
"PingScanner",
|
|
"HTTPFinger",
|
|
"MySQLFinger",
|
|
"MSSQLFinger",
|
|
"ElasticFinger"
|
|
],
|
|
"description": "Determines which classes to use for fingerprinting"
|
|
}
|
|
}
|
|
},
|
|
"kill_file": {
|
|
"title": "Kill file",
|
|
"type": "object",
|
|
"properties": {
|
|
"kill_file_path_windows": {
|
|
"title": "Kill file path on Windows",
|
|
"type": "string",
|
|
"default": "%windir%\\monkey.not",
|
|
"description": "Path of file which kills monkey if it exists (on Windows)"
|
|
},
|
|
"kill_file_path_linux": {
|
|
"title": "Kill file path on Linux",
|
|
"type": "string",
|
|
"default": "/var/run/monkey.not",
|
|
"description": "Path of file which kills monkey if it exists (on Linux)"
|
|
}
|
|
}
|
|
},
|
|
"dropper": {
|
|
"title": "Dropper",
|
|
"type": "object",
|
|
"properties": {
|
|
"dropper_set_date": {
|
|
"title": "Dropper sets date",
|
|
"type": "boolean",
|
|
"default": True,
|
|
"description":
|
|
"Determines whether the dropper should set the monkey's file date to be the same as"
|
|
" another file"
|
|
},
|
|
"dropper_date_reference_path_windows": {
|
|
"title": "Dropper date reference path (Windows)",
|
|
"type": "string",
|
|
"default": "%windir%\\system32\\kernel32.dll",
|
|
"description":
|
|
"Determines which file the dropper should copy the date from if it's configured to do"
|
|
" so on Windows (use fullpath)"
|
|
},
|
|
"dropper_date_reference_path_linux": {
|
|
"title": "Dropper date reference path (Linux)",
|
|
"type": "string",
|
|
"default": "/bin/sh",
|
|
"description":
|
|
"Determines which file the dropper should copy the date from if it's configured to do"
|
|
" so on Linux (use fullpath)"
|
|
},
|
|
"dropper_target_path_linux": {
|
|
"title": "Dropper target path on Linux",
|
|
"type": "string",
|
|
"default": "/tmp/monkey",
|
|
"description": "Determines where should the dropper place the monkey on a Linux machine"
|
|
},
|
|
"dropper_target_path_win_32": {
|
|
"title": "Dropper target path on Windows (32bit)",
|
|
"type": "string",
|
|
"default": "C:\\Windows\\monkey32.exe",
|
|
"description": "Determines where should the dropper place the monkey on a Windows machine "
|
|
"(32bit)"
|
|
},
|
|
"dropper_target_path_win_64": {
|
|
"title": "Dropper target path on Windows (64bit)",
|
|
"type": "string",
|
|
"default": "C:\\Windows\\monkey64.exe",
|
|
"description": "Determines where should the dropper place the monkey on a Windows machine "
|
|
"(64 bit)"
|
|
},
|
|
"dropper_try_move_first": {
|
|
"title": "Try to move first",
|
|
"type": "boolean",
|
|
"default": True,
|
|
"description":
|
|
"Determines whether the dropper should try to move itsel instead of copying itself"
|
|
" to target path"
|
|
}
|
|
}
|
|
},
|
|
"logging": {
|
|
"title": "Logging",
|
|
"type": "object",
|
|
"properties": {
|
|
"dropper_log_path_linux": {
|
|
"title": "Dropper log file path on Linux",
|
|
"type": "string",
|
|
"default": "/tmp/user-1562",
|
|
"description": "The fullpath of the dropper log file on Linux"
|
|
},
|
|
"dropper_log_path_windows": {
|
|
"title": "Dropper log file path on Windows",
|
|
"type": "string",
|
|
"default": "%temp%\\~df1562.tmp",
|
|
"description": "The fullpath of the dropper log file on Windows"
|
|
},
|
|
"monkey_log_path_linux": {
|
|
"title": "Monkey log file path on Linux",
|
|
"type": "string",
|
|
"default": "/tmp/user-1563",
|
|
"description": "The fullpath of the monkey log file on Linux"
|
|
},
|
|
"monkey_log_path_windows": {
|
|
"title": "Monkey log file path on Windows",
|
|
"type": "string",
|
|
"default": "%temp%\\~df1563.tmp",
|
|
"description": "The fullpath of the monkey log file on Windows"
|
|
},
|
|
"send_log_to_server": {
|
|
"title": "Send log to server",
|
|
"type": "boolean",
|
|
"default": True,
|
|
"description": "Determines whether the monkey sends its log to the Monkey Island server"
|
|
}
|
|
}
|
|
},
|
|
"exploits": {
|
|
"title": "Exploits",
|
|
"type": "object",
|
|
"properties": {
|
|
"exploit_lm_hash_list": {
|
|
"title": "Exploit LM hash list",
|
|
"type": "array",
|
|
"uniqueItems": True,
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"default": [],
|
|
"description": "List of LM hashes to use on exploits using credentials"
|
|
},
|
|
"exploit_ntlm_hash_list": {
|
|
"title": "Exploit NTLM hash list",
|
|
"type": "array",
|
|
"uniqueItems": True,
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"default": [],
|
|
"description": "List of NTLM hashes to use on exploits using credentials"
|
|
},
|
|
"exploit_ssh_keys": {
|
|
"title": "SSH key pairs list",
|
|
"type": "array",
|
|
"uniqueItems": True,
|
|
"default": [],
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"description": "List of SSH key pairs to use, when trying to ssh into servers"
|
|
}
|
|
}
|
|
},
|
|
"systemInfo": {
|
|
"title": "System collection",
|
|
"type": "object",
|
|
"properties": {
|
|
"mimikatz_dll_name": {
|
|
"title": "Mimikatz DLL name",
|
|
"type": "string",
|
|
"default": "mk.dll",
|
|
"description":
|
|
"Name of Mimikatz DLL (should be the same as in the monkey's pyinstaller spec file)"
|
|
},
|
|
"extract_azure_creds": {
|
|
"title": "Harvest Azure Credentials",
|
|
"type": "boolean",
|
|
"default": True,
|
|
"description":
|
|
"Determine if the Monkey should try to harvest password credentials from Azure VMs"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"cnc": {
|
|
"title": "Monkey Island",
|
|
"type": "object",
|
|
"properties": {
|
|
"servers": {
|
|
"title": "Servers",
|
|
"type": "object",
|
|
"properties": {
|
|
"command_servers": {
|
|
"title": "Command servers",
|
|
"type": "array",
|
|
"uniqueItems": True,
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"default": [
|
|
"192.0.2.0:5000"
|
|
],
|
|
"description": "List of command servers to try and communicate with (format is <ip>:<port>)"
|
|
},
|
|
"internet_services": {
|
|
"title": "Internet services",
|
|
"type": "array",
|
|
"uniqueItems": True,
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"default": [
|
|
"monkey.guardicore.com",
|
|
"www.google.com"
|
|
],
|
|
"description":
|
|
"List of internet services to try and communicate with to determine internet"
|
|
" connectivity (use either ip or domain)"
|
|
},
|
|
"current_server": {
|
|
"title": "Current server",
|
|
"type": "string",
|
|
"default": "192.0.2.0:5000",
|
|
"description": "The current command server the monkey is communicating with"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"exploits": {
|
|
"title": "Exploits",
|
|
"type": "object",
|
|
"properties": {
|
|
"general": {
|
|
"title": "General",
|
|
"type": "object",
|
|
"properties": {
|
|
"exploiter_classes": {
|
|
"title": "Exploits",
|
|
"type": "array",
|
|
"uniqueItems": True,
|
|
"items": {
|
|
"$ref": "#/definitions/exploiter_classes"
|
|
},
|
|
"default": [
|
|
"SmbExploiter",
|
|
"WmiExploiter",
|
|
"SSHExploiter",
|
|
"ShellShockExploiter",
|
|
"SambaCryExploiter",
|
|
"ElasticGroovyExploiter",
|
|
"Struts2Exploiter"
|
|
],
|
|
"description":
|
|
"Determines which exploits to use. " + WARNING_SIGN
|
|
+ " Note that using unsafe exploits may cause crashes of the exploited machine/service"
|
|
},
|
|
"skip_exploit_if_file_exist": {
|
|
"title": "Skip exploit if file exists",
|
|
"type": "boolean",
|
|
"default": False,
|
|
"description": "Determines whether the monkey should skip the exploit if the monkey's file"
|
|
" is already on the remote machine"
|
|
}
|
|
}
|
|
},
|
|
"ms08_067": {
|
|
"title": "MS08_067",
|
|
"type": "object",
|
|
"properties": {
|
|
"ms08_067_exploit_attempts": {
|
|
"title": "MS08_067 exploit attempts",
|
|
"type": "integer",
|
|
"default": 5,
|
|
"description": "Number of attempts to exploit using MS08_067"
|
|
},
|
|
"ms08_067_remote_user_add": {
|
|
"title": "MS08_067 remote user",
|
|
"type": "string",
|
|
"default": "Monkey_IUSER_SUPPORT",
|
|
"description": "Username to add on successful exploit"
|
|
},
|
|
"ms08_067_remote_user_pass": {
|
|
"title": "MS08_067 remote user password",
|
|
"type": "string",
|
|
"default": "Password1!",
|
|
"description": "Password to use for created user"
|
|
}
|
|
}
|
|
},
|
|
"rdp_grinder": {
|
|
"title": "RDP grinder",
|
|
"type": "object",
|
|
"properties": {
|
|
"rdp_use_vbs_download": {
|
|
"title": "Use VBS download",
|
|
"type": "boolean",
|
|
"default": True,
|
|
"description": "Determines whether to use VBS or BITS to download monkey to remote machine"
|
|
" (true=VBS, false=BITS)"
|
|
}
|
|
}
|
|
},
|
|
"sambacry": {
|
|
"title": "SambaCry",
|
|
"type": "object",
|
|
"properties": {
|
|
"sambacry_trigger_timeout": {
|
|
"title": "SambaCry trigger timeout",
|
|
"type": "integer",
|
|
"default": 5,
|
|
"description": "Timeout (in seconds) of SambaCry trigger"
|
|
},
|
|
"sambacry_folder_paths_to_guess": {
|
|
"title": "SambaCry folder paths to guess",
|
|
"type": "array",
|
|
"uniqueItems": True,
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"default": [
|
|
'/',
|
|
'/mnt',
|
|
'/tmp',
|
|
'/storage',
|
|
'/export',
|
|
'/share',
|
|
'/shares',
|
|
'/home'
|
|
],
|
|
"description": "List of full paths to share folder for SambaCry to guess"
|
|
},
|
|
"sambacry_shares_not_to_check": {
|
|
"title": "SambaCry shares not to check",
|
|
"type": "array",
|
|
"uniqueItems": True,
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"default": [
|
|
"IPC$", "print$"
|
|
],
|
|
"description": "These shares won't be checked when exploiting with SambaCry"
|
|
}
|
|
}
|
|
},
|
|
"smb_service": {
|
|
"title": "SMB service",
|
|
"type": "object",
|
|
"properties": {
|
|
"smb_download_timeout": {
|
|
"title": "SMB download timeout",
|
|
"type": "integer",
|
|
"default": 300,
|
|
"description":
|
|
"Timeout (in seconds) for SMB download operation (used in various exploits using SMB)"
|
|
},
|
|
"smb_service_name": {
|
|
"title": "SMB service name",
|
|
"type": "string",
|
|
"default": "InfectionMonkey",
|
|
"description": "Name of the SMB service that will be set up to download monkey"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"network": {
|
|
"title": "Network",
|
|
"type": "object",
|
|
"properties": {
|
|
"tcp_scanner": {
|
|
"title": "TCP scanner",
|
|
"type": "object",
|
|
"properties": {
|
|
"HTTP_PORTS": {
|
|
"title": "HTTP ports",
|
|
"type": "array",
|
|
"uniqueItems": True,
|
|
"items": {
|
|
"type": "integer"
|
|
},
|
|
"default": [
|
|
80,
|
|
8080,
|
|
443,
|
|
8008
|
|
],
|
|
"description": "List of ports the monkey will check if are being used for HTTP"
|
|
},
|
|
"tcp_target_ports": {
|
|
"title": "TCP target ports",
|
|
"type": "array",
|
|
"uniqueItems": True,
|
|
"items": {
|
|
"type": "integer"
|
|
},
|
|
"default": [
|
|
22,
|
|
2222,
|
|
445,
|
|
135,
|
|
3389,
|
|
80,
|
|
8080,
|
|
443,
|
|
8008,
|
|
3306,
|
|
9200
|
|
],
|
|
"description": "List of TCP ports the monkey will check whether they're open"
|
|
},
|
|
"tcp_scan_interval": {
|
|
"title": "TCP scan interval",
|
|
"type": "integer",
|
|
"default": 200,
|
|
"description": "Time to sleep (in milliseconds) between scans"
|
|
},
|
|
"tcp_scan_timeout": {
|
|
"title": "TCP scan timeout",
|
|
"type": "integer",
|
|
"default": 3000,
|
|
"description": "Maximum time (in milliseconds) to wait for TCP response"
|
|
},
|
|
"tcp_scan_get_banner": {
|
|
"title": "TCP scan - get banner",
|
|
"type": "boolean",
|
|
"default": True,
|
|
"description": "Determines whether the TCP scan should try to get the banner"
|
|
}
|
|
}
|
|
},
|
|
"ping_scanner": {
|
|
"title": "Ping scanner",
|
|
"type": "object",
|
|
"properties": {
|
|
"ping_scan_timeout": {
|
|
"title": "Ping scan timeout",
|
|
"type": "integer",
|
|
"default": 1000,
|
|
"description": "Maximum time (in milliseconds) to wait for ping response"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"options": {
|
|
"collapsed": True
|
|
}
|
|
}
|
|
|
|
ENCRYPTED_CONFIG_ARRAYS = \
|
|
[
|
|
['basic', 'credentials', 'exploit_password_list'],
|
|
['internal', 'exploits', 'exploit_lm_hash_list'],
|
|
['internal', 'exploits', 'exploit_ntlm_hash_list'],
|
|
['internal', 'exploits', 'exploit_ssh_keys']
|
|
]
|
|
|
|
|
|
class ConfigService:
|
|
default_config = None
|
|
|
|
def __init__(self):
|
|
pass
|
|
|
|
@staticmethod
|
|
def get_config(is_initial_config=False, should_decrypt=True):
|
|
"""
|
|
Gets the entire global config.
|
|
:param is_initial_config: If True, the initial config will be returned instead of the current config.
|
|
:param should_decrypt: If True, all config values which are set as encrypted will be decrypted.
|
|
:return: The entire global config.
|
|
"""
|
|
config = mongo.db.config.find_one({'name': 'initial' if is_initial_config else 'newconfig'}) or {}
|
|
for field in ('name', '_id'):
|
|
config.pop(field, None)
|
|
if should_decrypt and len(config) > 0:
|
|
ConfigService.decrypt_config(config)
|
|
return config
|
|
|
|
@staticmethod
|
|
def get_config_value(config_key_as_arr, is_initial_config=False, should_decrypt=True):
|
|
"""
|
|
Get a specific config value.
|
|
:param config_key_as_arr: The config key as an array. e.g. ['basic', 'credentials', 'exploit_password_list'].
|
|
:param is_initial_config: If True, returns the value of the initial config instead of the current config.
|
|
:param should_decrypt: If True, the value of the config key will be decrypted
|
|
(if it's in the list of encrypted config values).
|
|
:return: The value of the requested config key.
|
|
"""
|
|
config_key = functools.reduce(lambda x, y: x + '.' + y, config_key_as_arr)
|
|
config = mongo.db.config.find_one({'name': 'initial' if is_initial_config else 'newconfig'}, {config_key: 1})
|
|
for config_key_part in config_key_as_arr:
|
|
config = config[config_key_part]
|
|
if should_decrypt and (config_key_as_arr in ENCRYPTED_CONFIG_ARRAYS):
|
|
config = [encryptor.dec(x) for x in config]
|
|
return config
|
|
|
|
@staticmethod
|
|
def get_flat_config(is_initial_config=False, should_decrypt=True):
|
|
config_json = ConfigService.get_config(is_initial_config, should_decrypt)
|
|
flat_config_json = {}
|
|
for i in config_json:
|
|
for j in config_json[i]:
|
|
for k in config_json[i][j]:
|
|
flat_config_json[k] = config_json[i][j][k]
|
|
|
|
return flat_config_json
|
|
|
|
@staticmethod
|
|
def get_config_schema():
|
|
return SCHEMA
|
|
|
|
@staticmethod
|
|
def add_item_to_config_set(item_key, item_value):
|
|
mongo.db.config.update(
|
|
{'name': 'newconfig'},
|
|
{'$addToSet': {item_key: item_value}},
|
|
upsert=False
|
|
)
|
|
|
|
mongo.db.monkey.update(
|
|
{},
|
|
{'$addToSet': {'config.' + item_key.split('.')[-1]: item_value}},
|
|
multi=True
|
|
)
|
|
|
|
@staticmethod
|
|
def creds_add_username(username):
|
|
ConfigService.add_item_to_config_set('basic.credentials.exploit_user_list', username)
|
|
|
|
@staticmethod
|
|
def creds_add_password(password):
|
|
ConfigService.add_item_to_config_set('basic.credentials.exploit_password_list', password)
|
|
|
|
@staticmethod
|
|
def creds_add_lm_hash(lm_hash):
|
|
ConfigService.add_item_to_config_set('internal.exploits.exploit_lm_hash_list', lm_hash)
|
|
|
|
@staticmethod
|
|
def creds_add_ntlm_hash(ntlm_hash):
|
|
ConfigService.add_item_to_config_set('internal.exploits.exploit_ntlm_hash_list', ntlm_hash)
|
|
|
|
@staticmethod
|
|
def ssh_add_keys(public_key, private_key, user, ip):
|
|
if not ConfigService.ssh_key_exists(ConfigService.get_config_value(['internal', 'exploits', 'exploit_ssh_keys'],
|
|
False, False), user, ip):
|
|
ConfigService.add_item_to_config_set('internal.exploits.exploit_ssh_keys',
|
|
{"public_key": public_key, "private_key": private_key,
|
|
"user": user, "ip": ip})
|
|
|
|
@staticmethod
|
|
def ssh_key_exists(keys, user, ip):
|
|
return [key for key in keys if key['user'] == user and key['ip'] == ip]
|
|
|
|
@staticmethod
|
|
def update_config(config_json, should_encrypt):
|
|
if should_encrypt:
|
|
ConfigService.encrypt_config(config_json)
|
|
mongo.db.config.update({'name': 'newconfig'}, {"$set": config_json}, upsert=True)
|
|
logger.info('monkey config was updated')
|
|
|
|
@staticmethod
|
|
def init_default_config():
|
|
if ConfigService.default_config is None:
|
|
defaultValidatingDraft4Validator = ConfigService._extend_config_with_default(Draft4Validator)
|
|
config = {}
|
|
defaultValidatingDraft4Validator(SCHEMA).validate(config)
|
|
ConfigService.default_config = config
|
|
|
|
@staticmethod
|
|
def get_default_config(should_encrypt=False):
|
|
ConfigService.init_default_config()
|
|
config = copy.deepcopy(ConfigService.default_config)
|
|
if should_encrypt:
|
|
ConfigService.encrypt_config(config)
|
|
logger.info("Default config was called")
|
|
return config
|
|
|
|
@staticmethod
|
|
def init_config():
|
|
if ConfigService.get_config(should_decrypt=False) != {}:
|
|
return
|
|
ConfigService.reset_config()
|
|
|
|
@staticmethod
|
|
def reset_config():
|
|
config = ConfigService.get_default_config(True)
|
|
ConfigService.set_server_ips_in_config(config)
|
|
ConfigService.update_config(config, should_encrypt=False)
|
|
logger.info('Monkey config reset was called')
|
|
|
|
@staticmethod
|
|
def set_server_ips_in_config(config):
|
|
ips = local_ip_addresses()
|
|
config["cnc"]["servers"]["command_servers"] = ["%s:%d" % (ip, env.get_island_port()) for ip in ips]
|
|
config["cnc"]["servers"]["current_server"] = "%s:%d" % (ips[0], env.get_island_port())
|
|
|
|
@staticmethod
|
|
def save_initial_config_if_needed():
|
|
if mongo.db.config.find_one({'name': 'initial'}) is not None:
|
|
return
|
|
|
|
initial_config = mongo.db.config.find_one({'name': 'newconfig'})
|
|
initial_config['name'] = 'initial'
|
|
initial_config.pop('_id')
|
|
mongo.db.config.insert(initial_config)
|
|
logger.info('Monkey config was inserted to mongo and saved')
|
|
|
|
@staticmethod
|
|
def _extend_config_with_default(validator_class):
|
|
validate_properties = validator_class.VALIDATORS["properties"]
|
|
|
|
def set_defaults(validator, properties, instance, schema):
|
|
# Do it only for root.
|
|
if instance != {}:
|
|
return
|
|
for property, subschema in properties.iteritems():
|
|
main_dict = {}
|
|
for property2, subschema2 in subschema["properties"].iteritems():
|
|
sub_dict = {}
|
|
for property3, subschema3 in subschema2["properties"].iteritems():
|
|
if "default" in subschema3:
|
|
sub_dict[property3] = subschema3["default"]
|
|
main_dict[property2] = sub_dict
|
|
instance.setdefault(property, main_dict)
|
|
|
|
for error in validate_properties(validator, properties, instance, schema):
|
|
yield error
|
|
|
|
return validators.extend(
|
|
validator_class, {"properties": set_defaults},
|
|
)
|
|
|
|
@staticmethod
|
|
def decrypt_config(config):
|
|
ConfigService._encrypt_or_decrypt_config(config, True)
|
|
|
|
@staticmethod
|
|
def encrypt_config(config):
|
|
ConfigService._encrypt_or_decrypt_config(config, False)
|
|
|
|
@staticmethod
|
|
def decrypt_flat_config(flat_config):
|
|
"""
|
|
Same as decrypt_config but for a flat configuration
|
|
"""
|
|
keys = [config_arr_as_array[2] for config_arr_as_array in ENCRYPTED_CONFIG_ARRAYS]
|
|
for key in keys:
|
|
if isinstance(flat_config[key], collections.Sequence) and not isinstance(flat_config[key], string_types):
|
|
# Check if we are decrypting ssh key pair
|
|
if flat_config[key] and isinstance(flat_config[key][0], dict) and 'public_key' in flat_config[key][0]:
|
|
flat_config[key] = [ConfigService.decrypt_ssh_key_pair(item) for item in flat_config[key]]
|
|
else:
|
|
flat_config[key] = [encryptor.dec(item) for item in flat_config[key]]
|
|
else:
|
|
flat_config[key] = encryptor.dec(flat_config[key])
|
|
return flat_config
|
|
|
|
@staticmethod
|
|
def _encrypt_or_decrypt_config(config, is_decrypt=False):
|
|
for config_arr_as_array in ENCRYPTED_CONFIG_ARRAYS:
|
|
config_arr = config
|
|
for config_key_part in config_arr_as_array:
|
|
config_arr = config_arr[config_key_part]
|
|
|
|
for i in range(len(config_arr)):
|
|
# Check if array of shh key pairs and then decrypt
|
|
if isinstance(config_arr[i], dict) and 'public_key' in config_arr[i]:
|
|
config_arr[i] = ConfigService.decrypt_ssh_key_pair(config_arr[i]) if is_decrypt else \
|
|
ConfigService.decrypt_ssh_key_pair(config_arr[i], True)
|
|
else:
|
|
config_arr[i] = encryptor.dec(config_arr[i]) if is_decrypt else encryptor.enc(config_arr[i])
|
|
|
|
@staticmethod
|
|
def decrypt_ssh_key_pair(pair, encrypt=False):
|
|
if encrypt:
|
|
pair['public_key'] = encryptor.enc(pair['public_key'])
|
|
pair['private_key'] = encryptor.enc(pair['private_key'])
|
|
else:
|
|
pair['public_key'] = encryptor.dec(pair['public_key'])
|
|
pair['private_key'] = encryptor.dec(pair['private_key'])
|
|
return pair
|