From 1eac0f566552ea1016e5cab707dc2d5e1ca6c760 Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Thu, 30 May 2019 08:36:41 +0300 Subject: [PATCH 1/8] Brute force implementation started --- monkey/infection_monkey/exploit/__init__.py | 10 +++ monkey/infection_monkey/monkey.py | 2 + monkey/infection_monkey/utils.py | 1 - .../cc/services/attack/attack_report.py | 5 +- .../attack/technique_reports/T1110.py | 21 ++++++ .../attack/technique_reports/T1210.py | 9 +-- monkey/monkey_island/cc/services/report.py | 6 +- .../src/components/attack/techniques/T1110.js | 64 +++++++++++++++++++ .../report-components/AttackReport.js | 4 +- 9 files changed, 107 insertions(+), 15 deletions(-) create mode 100644 monkey/monkey_island/cc/services/attack/technique_reports/T1110.py create mode 100644 monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js diff --git a/monkey/infection_monkey/exploit/__init__.py b/monkey/infection_monkey/exploit/__init__.py index f2decb590..b2355f853 100644 --- a/monkey/infection_monkey/exploit/__init__.py +++ b/monkey/infection_monkey/exploit/__init__.py @@ -1,6 +1,7 @@ from abc import ABCMeta, abstractmethod, abstractproperty import infection_monkey.config from common.utils.exploit_enum import ExploitType +from datetime import datetime __author__ = 'itamar' @@ -20,11 +21,20 @@ class HostExploiter(object): def __init__(self, host): self._config = infection_monkey.config.WormConfiguration self._exploit_info = {'display_name': self._EXPLOITED_SERVICE, + 'exploit_type': self.EXPLOIT_TYPE.name, + 'started': '', + 'finished': '', 'vulnerable_urls': [], 'vulnerable_ports': []} self._exploit_attempts = [] self.host = host + def set_start_time(self): + self._exploit_info['started'] = datetime.now().isoformat() + + def set_finish_time(self): + self._exploit_info['finished'] = datetime.now().isoformat() + def is_os_supported(self): return self.host.os.get('type') in self._TARGET_OS_TYPE diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py index 6589e8718..ba6bf7879 100644 --- a/monkey/infection_monkey/monkey.py +++ b/monkey/infection_monkey/monkey.py @@ -286,7 +286,9 @@ class InfectionMonkey(object): result = False try: + exploiter.set_start_time() result = exploiter.exploit_host() + exploiter.set_finish_time() if result: self.successfully_exploited(machine, exploiter) return True diff --git a/monkey/infection_monkey/utils.py b/monkey/infection_monkey/utils.py index 0e08203c2..68b39163d 100644 --- a/monkey/infection_monkey/utils.py +++ b/monkey/infection_monkey/utils.py @@ -2,7 +2,6 @@ import os import sys import shutil import struct -import datetime from infection_monkey.config import WormConfiguration diff --git a/monkey/monkey_island/cc/services/attack/attack_report.py b/monkey/monkey_island/cc/services/attack/attack_report.py index c70d3d56d..6801bcd64 100644 --- a/monkey/monkey_island/cc/services/attack/attack_report.py +++ b/monkey/monkey_island/cc/services/attack/attack_report.py @@ -1,5 +1,5 @@ import logging -from monkey_island.cc.services.attack.technique_reports import T1210, T1197 +from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110 from monkey_island.cc.services.attack.attack_telem import AttackTelemService from monkey_island.cc.services.attack.attack_config import AttackConfig from monkey_island.cc.database import mongo @@ -10,7 +10,8 @@ __author__ = "VakarisZ" LOG = logging.getLogger(__name__) TECHNIQUES = {'T1210': T1210.T1210, - 'T1197': T1197.T1197} + 'T1197': T1197.T1197, + 'T1110': T1110.T1110} REPORT_NAME = 'new_report' diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py new file mode 100644 index 000000000..b28b92e89 --- /dev/null +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py @@ -0,0 +1,21 @@ +from monkey_island.cc.database import mongo +from monkey_island.cc.services.attack.technique_reports import AttackTechnique +from common.utils.exploit_enum import ExploitType + +__author__ = "VakarisZ" + + +class T1110(AttackTechnique): + tech_id = "T1110" + unscanned_msg = "Monkey didn't try to brute force any services." + scanned_msg = "Monkey tried to brute force some services, but failed." + used_msg = "Monkey successfully used brute force in the network." + + @staticmethod + def get_report_data(): + data = {'title': T1110.technique_title(T1110.tech_id)} + results = mongo.db.telemetry.find({'telem_type': 'exploit', 'data.info.exploit_type': ExploitType.BRUTE_FORCE.name, 'data.attempts': {'$ne': '[]'}}, + {'data.machine': 1, 'data.info': 1, 'data.attempts': 1}) + results = [result['data'] for result in results] + data.update({'services': results}) + return data diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1210.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1210.py index 9d5ff4cfd..b6335422f 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/T1210.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1210.py @@ -4,13 +4,6 @@ from monkey_island.cc.database import mongo __author__ = "VakarisZ" -TECHNIQUE = "T1210" -MESSAGES = { - 'unscanned': "Monkey didn't scan any remote services. Maybe it didn't find any machines on the network?", - 'scanned': "Monkey scanned for remote services on the network, but couldn't exploit any of them.", - 'used': "Monkey scanned for remote services and exploited some on the network." -} - class T1210(AttackTechnique): @@ -21,7 +14,7 @@ class T1210(AttackTechnique): @staticmethod def get_report_data(): - data = {'title': T1210.technique_title(TECHNIQUE)} + data = {'title': T1210.technique_title(T1210.tech_id)} scanned_services = T1210.get_scanned_services() exploited_services = T1210.get_exploited_services() if exploited_services: diff --git a/monkey/monkey_island/cc/services/report.py b/monkey/monkey_island/cc/services/report.py index 21dcea0bc..702a42cd1 100644 --- a/monkey/monkey_island/cc/services/report.py +++ b/monkey/monkey_island/cc/services/report.py @@ -57,8 +57,8 @@ class ReportService: STRUTS2 = 8 WEBLOGIC = 9 HADOOP = 10 - PTH_CRIT_SERVICES_ACCESS = 11, - MSSQL = 12, + PTH_CRIT_SERVICES_ACCESS = 11 + MSSQL = 12 VSFTPD = 13 class WARNINGS_DICT(Enum): @@ -296,7 +296,7 @@ class ReportService: def process_vsftpd_exploit(exploit): processed_exploit = ReportService.process_general_creds_exploit(exploit) processed_exploit['type'] = 'vsftp' - return processed_exploit + return processed_exploit @staticmethod def process_sambacry_exploit(exploit): diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js new file mode 100644 index 000000000..31a12259c --- /dev/null +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js @@ -0,0 +1,64 @@ +import React from 'react'; +import '../../../styles/Collapse.scss' +import ReactTable from "react-table"; + + +class T1110 extends React.Component { + + constructor(props) { + super(props); + } + + static getServiceColumns() { + return ([{ + columns: [ + {Header: 'Machine', id: 'machine', accessor: x => this.renderMachine(x.machine), + style: { 'whiteSpace': 'unset' }, width: 200}, + {Header: 'Service', id: 'service', accessor: x => x.info.display_name, style: { 'whiteSpace': 'unset' }, width: 170}, + {Header: 'Started', id: 'started', accessor: x => x.info.started, style: { 'whiteSpace': 'unset' }}, + {Header: 'Finished', id: 'finished', accessor: x => x.info.finished, style: { 'whiteSpace': 'unset' }}, + {Header: 'Attempts', id: 'attempts', accessor: x => x.attempts.length, style: { 'whiteSpace': 'unset' }}, + {Header: 'Successful credentials', id: 'credentials', accessor: x => this.renderCredentials(x.attempts), style: { 'whiteSpace': 'unset' }}, + ] + }])}; + + static renderMachine(val){ + return ( + {val.ip_addr} {(val.domain_name ? " (".concat(val.domain_name, ")") : "")} + ) + }; + + static renderCredentials(creds){ + let content = ''; + creds.forEach((cred) => { + if (cred.result){ + if (cred.ntlm_hash){ + content += {cred.user} ; NTLM hash: {cred.ntlm_hash} + } else if (cred.ssh_key){ + content += {cred.user} ; SSH key: {cred.ssh_key} + } else if (cred.lm_hash){ + content += {cred.user} ; LM hash: {cred.lm_hash} + } else if (cred.password){ + content += {cred.user} : {cred.password} + } + content += {cred.user} : {cred.password} + } + }) + } + + render() { + return ( +
+
{this.props.data.message}
+ +
+ ); + } +} + +export default T1110; diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js b/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js index 2cc582832..19a7bb7c6 100644 --- a/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js +++ b/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js @@ -6,11 +6,13 @@ import AuthComponent from '../AuthComponent'; import Collapse from '@kunukn/react-collapse'; import T1210 from '../attack/techniques/T1210'; import T1197 from '../attack/techniques/T1197'; +import T1110 from '../attack/techniques/T1110'; import '../../styles/Collapse.scss' const tech_components = { 'T1210': T1210, - 'T1197': T1197 + 'T1197': T1197, + 'T1110': T1110 }; const classNames = require('classnames'); From a4c5b360ca54b9309aa48146ef5bb7267a64c9c3 Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Thu, 30 May 2019 16:31:21 +0300 Subject: [PATCH 2/8] Brute force working --- monkey/infection_monkey/exploit/mssqlexec.py | 2 + .../monkey_island/cc/resources/telemetry.py | 2 + .../attack/technique_reports/T1110.py | 57 +++++++++++++++++-- .../src/components/attack/techniques/T1110.js | 23 +------- 4 files changed, 60 insertions(+), 24 deletions(-) diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index 3f8af40fc..c7d29c8c2 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -124,10 +124,12 @@ class MSSQLExploiter(HostExploiter): conn = pymssql.connect(host, user, password, port=port, login_timeout=self.LOGIN_TIMEOUT) LOG.info('Successfully connected to host: {0}, ' 'using user: {1}, password: {2}'.format(host, user, password)) + self.add_vuln_port(MSSQLExploiter.SQL_DEFAULT_TCP_PORT) self.report_login_attempt(True, user, password) cursor = conn.cursor() return cursor except pymssql.OperationalError: + self.report_login_attempt(False, user, password) # Combo didn't work, hopping to the next one pass diff --git a/monkey/monkey_island/cc/resources/telemetry.py b/monkey/monkey_island/cc/resources/telemetry.py index 04a6ddbd1..5d63a96ca 100644 --- a/monkey/monkey_island/cc/resources/telemetry.py +++ b/monkey/monkey_island/cc/resources/telemetry.py @@ -119,6 +119,8 @@ class Telemetry(flask_restful.Resource): def process_exploit_telemetry(telemetry_json): edge = Telemetry.get_edge_by_scan_or_exploit_telemetry(telemetry_json) Telemetry.encrypt_exploit_creds(telemetry_json) + telemetry_json['data']['info']['started'] = dateutil.parser.parse(telemetry_json['data']['info']['started']) + telemetry_json['data']['info']['finished'] = dateutil.parser.parse(telemetry_json['data']['info']['finished']) new_exploit = copy.deepcopy(telemetry_json['data']) diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py index b28b92e89..6f9bc1041 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py @@ -1,6 +1,8 @@ from monkey_island.cc.database import mongo from monkey_island.cc.services.attack.technique_reports import AttackTechnique +from common.utils.attack_utils import ScanStatus from common.utils.exploit_enum import ExploitType +from monkey_island.cc.encryptor import encryptor __author__ = "VakarisZ" @@ -14,8 +16,55 @@ class T1110(AttackTechnique): @staticmethod def get_report_data(): data = {'title': T1110.technique_title(T1110.tech_id)} - results = mongo.db.telemetry.find({'telem_type': 'exploit', 'data.info.exploit_type': ExploitType.BRUTE_FORCE.name, 'data.attempts': {'$ne': '[]'}}, - {'data.machine': 1, 'data.info': 1, 'data.attempts': 1}) - results = [result['data'] for result in results] - data.update({'services': results}) + results = mongo.db.telemetry.find({'telem_type': 'exploit', + 'data.info.exploit_type': ExploitType.BRUTE_FORCE.name, + 'data.attempts': {'$ne': '[]'}}, + {'data.machine': 1, 'data.info': 1, 'data.attempts': 1}) + parsed_results = [] + succeeded = False + attempted = False + + for result in results: + parsed_result, attempt_status = T1110.parse_exploiter_result(result) + parsed_results.append(parsed_result) + if parsed_result['successful_creds']: + succeeded = True + elif attempt_status: + attempted = True + + if succeeded: + data.update({'message': T1110.used_msg, 'status': ScanStatus.USED.name}) + elif attempted: + data.update({'message': T1110.scanned_msg, 'status': ScanStatus.SCANNED.name}) + else: + data.update({'message': T1110.unscanned_msg, 'status': ScanStatus.UNSCANNED.name}) + + data.update({'services': parsed_results}) return data + + @staticmethod + def parse_exploiter_result(result): + attempted = False + successful_creds = [] + for attempt in result['data']['attempts']: + attempted = True + if attempt['result']: + successful_creds.append(T1110.parse_creds(attempt)) + result['data']['successful_creds'] = successful_creds + return result['data'], attempted + + @staticmethod + def parse_creds(attempt): + username = attempt['user'] + if attempt['lm_hash']: + return '%s ; LM hash %s ...' % (username, encryptor.dec(attempt['lm_hash'])[0:5]) + if attempt['lm_hash']: + return '%s ; NTLM hash %s ...' % (username, encryptor.dec(attempt['ntlm_hash'])[0:20]) + if attempt['ssh_key']: + return '%s ; SSH key %s ...' % (username, encryptor.dec(attempt['ssh_key'])[0:15]) + if attempt['password']: + return '%s : %s' % (username, T1110.obfuscate_password(encryptor.dec(attempt['password']))) + + @staticmethod + def obfuscate_password(password, plain_chars=3): + return password[0:plain_chars] + '*' * (len(password) - plain_chars) diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js index 31a12259c..e78347428 100644 --- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js @@ -13,12 +13,12 @@ class T1110 extends React.Component { return ([{ columns: [ {Header: 'Machine', id: 'machine', accessor: x => this.renderMachine(x.machine), - style: { 'whiteSpace': 'unset' }, width: 200}, + style: { 'whiteSpace': 'unset' }, width: 160}, {Header: 'Service', id: 'service', accessor: x => x.info.display_name, style: { 'whiteSpace': 'unset' }, width: 170}, {Header: 'Started', id: 'started', accessor: x => x.info.started, style: { 'whiteSpace': 'unset' }}, {Header: 'Finished', id: 'finished', accessor: x => x.info.finished, style: { 'whiteSpace': 'unset' }}, {Header: 'Attempts', id: 'attempts', accessor: x => x.attempts.length, style: { 'whiteSpace': 'unset' }}, - {Header: 'Successful credentials', id: 'credentials', accessor: x => this.renderCredentials(x.attempts), style: { 'whiteSpace': 'unset' }}, + {Header: 'Successful credentials', id: 'credentials', accessor: x => x.successful_creds, style: { 'whiteSpace': 'unset' }}, ] }])}; @@ -28,28 +28,11 @@ class T1110 extends React.Component { ) }; - static renderCredentials(creds){ - let content = ''; - creds.forEach((cred) => { - if (cred.result){ - if (cred.ntlm_hash){ - content += {cred.user} ; NTLM hash: {cred.ntlm_hash} - } else if (cred.ssh_key){ - content += {cred.user} ; SSH key: {cred.ssh_key} - } else if (cred.lm_hash){ - content += {cred.user} ; LM hash: {cred.lm_hash} - } else if (cred.password){ - content += {cred.user} : {cred.password} - } - content += {cred.user} : {cred.password} - } - }) - } - render() { return (
{this.props.data.message}
+
Date: Wed, 5 Jun 2019 10:33:56 +0300 Subject: [PATCH 3/8] Cosmetic changes and small bugfixes --- monkey/infection_monkey/post_breach/actions/add_user.py | 4 +++- .../cc/ui/src/components/attack/techniques/T1110.js | 4 ++-- .../monkey_island/cc/ui/src/components/pages/ConfigurePage.js | 3 +-- monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js | 4 ++-- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/monkey/infection_monkey/post_breach/actions/add_user.py b/monkey/infection_monkey/post_breach/actions/add_user.py index 650f37b2f..ff7ae3a50 100644 --- a/monkey/infection_monkey/post_breach/actions/add_user.py +++ b/monkey/infection_monkey/post_breach/actions/add_user.py @@ -16,4 +16,6 @@ WINDOWS_COMMANDS = ['net', 'user', WormConfiguration.user_to_add, class BackdoorUser(PBA): def __init__(self): - super(BackdoorUser, self).__init__("Backdoor user", linux_cmd=LINUX_COMMANDS, windows_cmd=WINDOWS_COMMANDS) + super(BackdoorUser, self).__init__("Backdoor user", + linux_cmd=' '.join(LINUX_COMMANDS), + windows_cmd=WINDOWS_COMMANDS) diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js index e78347428..ab3638a68 100644 --- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js @@ -14,10 +14,10 @@ class T1110 extends React.Component { columns: [ {Header: 'Machine', id: 'machine', accessor: x => this.renderMachine(x.machine), style: { 'whiteSpace': 'unset' }, width: 160}, - {Header: 'Service', id: 'service', accessor: x => x.info.display_name, style: { 'whiteSpace': 'unset' }, width: 170}, + {Header: 'Service', id: 'service', accessor: x => x.info.display_name, style: { 'whiteSpace': 'unset' }, width: 100}, {Header: 'Started', id: 'started', accessor: x => x.info.started, style: { 'whiteSpace': 'unset' }}, {Header: 'Finished', id: 'finished', accessor: x => x.info.finished, style: { 'whiteSpace': 'unset' }}, - {Header: 'Attempts', id: 'attempts', accessor: x => x.attempts.length, style: { 'whiteSpace': 'unset' }}, + {Header: 'Attempts', id: 'attempts', accessor: x => x.attempts.length, style: { 'whiteSpace': 'unset' }, width: 160}, {Header: 'Successful credentials', id: 'credentials', accessor: x => x.successful_creds, style: { 'whiteSpace': 'unset' }}, ] }])}; diff --git a/monkey/monkey_island/cc/ui/src/components/pages/ConfigurePage.js b/monkey/monkey_island/cc/ui/src/components/pages/ConfigurePage.js index 75d2b1c93..44d5a9a2b 100644 --- a/monkey/monkey_island/cc/ui/src/components/pages/ConfigurePage.js +++ b/monkey/monkey_island/cc/ui/src/components/pages/ConfigurePage.js @@ -299,9 +299,8 @@ class ConfigurePageComponent extends AuthComponent { try { this.setState({ configuration: JSON.parse(event.target.result), - selectedSection: 'basic', lastAction: 'import_success' - }, () => {this.sendConfig()}); + }, () => {this.sendConfig(); this.setInitialConfig(JSON.parse(event.target.result))}); this.currentSection = 'basic'; this.currentFormData = {}; } catch(SyntaxError) { diff --git a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js index adc0911d8..72aeca574 100644 --- a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -81,7 +81,7 @@ class ReportPageComponent extends AuthComponent { } return ( - +

4. Security Report

{content} @@ -308,7 +308,7 @@ class ReportPageComponent extends AuthComponent { }).length} threats:
    {this.state.report.overview.issues[this.Issue.STOLEN_SSH_KEYS] ? -
  • Stolen SSH keys are used to exploit other machines.
    • : null } +
  • Stolen SSH keys are used to exploit other machines.
    • : null } {this.state.report.overview.issues[this.Issue.STOLEN_CREDS] ?
  • Stolen credentials are used to exploit other machines.
    • : null} {this.state.report.overview.issues[this.Issue.ELASTIC] ? From 18b8350279d64ba3822acb5c6eee260d4187751d Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Thu, 6 Jun 2019 15:14:52 +0300 Subject: [PATCH 4/8] Refactored, improved readability and performance --- monkey/infection_monkey/exploit/__init__.py | 1 - .../attack/technique_reports/T1110.py | 63 ++++++++++--------- .../src/components/attack/techniques/T1110.js | 13 ++-- 3 files changed, 41 insertions(+), 36 deletions(-) diff --git a/monkey/infection_monkey/exploit/__init__.py b/monkey/infection_monkey/exploit/__init__.py index b2355f853..7353d77bc 100644 --- a/monkey/infection_monkey/exploit/__init__.py +++ b/monkey/infection_monkey/exploit/__init__.py @@ -21,7 +21,6 @@ class HostExploiter(object): def __init__(self, host): self._config = infection_monkey.config.WormConfiguration self._exploit_info = {'display_name': self._EXPLOITED_SERVICE, - 'exploit_type': self.EXPLOIT_TYPE.name, 'started': '', 'finished': '', 'vulnerable_urls': [], diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py index 6f9bc1041..b01a3c23b 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py @@ -1,7 +1,6 @@ from monkey_island.cc.database import mongo from monkey_island.cc.services.attack.technique_reports import AttackTechnique from common.utils.attack_utils import ScanStatus -from common.utils.exploit_enum import ExploitType from monkey_island.cc.encryptor import encryptor __author__ = "VakarisZ" @@ -13,48 +12,44 @@ class T1110(AttackTechnique): scanned_msg = "Monkey tried to brute force some services, but failed." used_msg = "Monkey successfully used brute force in the network." + # Gets data about brute force attempts + query = [{'$match': {'telem_type': 'exploit', + 'data.attempts': {'$not': {'$size': 0}}}}, + {'$project': {'_id': 0, + 'machine': '$data.machine', + 'info': '$data.info', + 'attempt_cnt': {'$size': '$data.attempts'}, + 'attempts': {'$filter': {'input': '$data.attempts', + 'as': 'attempt', + 'cond': {'$eq': ['$$attempt.result', True]}}}}}] + @staticmethod def get_report_data(): - data = {'title': T1110.technique_title(T1110.tech_id)} - results = mongo.db.telemetry.find({'telem_type': 'exploit', - 'data.info.exploit_type': ExploitType.BRUTE_FORCE.name, - 'data.attempts': {'$ne': '[]'}}, - {'data.machine': 1, 'data.info': 1, 'data.attempts': 1}) - parsed_results = [] + attempts = list(mongo.db.telemetry.aggregate(T1110.query)) succeeded = False - attempted = False - for result in results: - parsed_result, attempt_status = T1110.parse_exploiter_result(result) - parsed_results.append(parsed_result) - if parsed_result['successful_creds']: + for result in attempts: + result['successful_creds'] = [] + for attempt in result['attempts']: succeeded = True - elif attempt_status: - attempted = True + result['successful_creds'].append(T1110.parse_creds(attempt)) if succeeded: - data.update({'message': T1110.used_msg, 'status': ScanStatus.USED.name}) - elif attempted: - data.update({'message': T1110.scanned_msg, 'status': ScanStatus.SCANNED.name}) + data = {'message': T1110.used_msg, 'status': ScanStatus.USED.name} + elif attempts: + data = {'message': T1110.scanned_msg, 'status': ScanStatus.SCANNED.name} else: - data.update({'message': T1110.unscanned_msg, 'status': ScanStatus.UNSCANNED.name}) - - data.update({'services': parsed_results}) + data = {'message': T1110.unscanned_msg, 'status': ScanStatus.UNSCANNED.name} + data.update({'services': attempts, 'title': T1110.technique_title(T1110.tech_id)}) return data - @staticmethod - def parse_exploiter_result(result): - attempted = False - successful_creds = [] - for attempt in result['data']['attempts']: - attempted = True - if attempt['result']: - successful_creds.append(T1110.parse_creds(attempt)) - result['data']['successful_creds'] = successful_creds - return result['data'], attempted - @staticmethod def parse_creds(attempt): + """ + Parses used credentials into a string + :param attempt: login attempt from database + :return: string with username and used password/hash + """ username = attempt['user'] if attempt['lm_hash']: return '%s ; LM hash %s ...' % (username, encryptor.dec(attempt['lm_hash'])[0:5]) @@ -67,4 +62,10 @@ class T1110(AttackTechnique): @staticmethod def obfuscate_password(password, plain_chars=3): + """ + Obfuscates password by changing characters to * + :param password: Password or string to obfuscate + :param plain_chars: How many plain-text characters should be kept at the start of the string + :return: Obfuscated string e.g. Pass**** + """ return password[0:plain_chars] + '*' * (len(password) - plain_chars) diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js index ab3638a68..64619ad55 100644 --- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js @@ -17,11 +17,15 @@ class T1110 extends React.Component { {Header: 'Service', id: 'service', accessor: x => x.info.display_name, style: { 'whiteSpace': 'unset' }, width: 100}, {Header: 'Started', id: 'started', accessor: x => x.info.started, style: { 'whiteSpace': 'unset' }}, {Header: 'Finished', id: 'finished', accessor: x => x.info.finished, style: { 'whiteSpace': 'unset' }}, - {Header: 'Attempts', id: 'attempts', accessor: x => x.attempts.length, style: { 'whiteSpace': 'unset' }, width: 160}, - {Header: 'Successful credentials', id: 'credentials', accessor: x => x.successful_creds, style: { 'whiteSpace': 'unset' }}, + {Header: 'Attempts', id: 'attempts', accessor: x => x.attempt_cnt, style: { 'whiteSpace': 'unset' }, width: 160}, + {Header: 'Successful credentials', id: 'credentials', accessor: x => this.renderCreds(x.successful_creds), style: { 'whiteSpace': 'unset' }}, ] }])}; + static renderCreds(creds) { + return {creds.map(cred =>
    {cred}
    )}     + }; + static renderMachine(val){ return ( {val.ip_addr} {(val.domain_name ? " (".concat(val.domain_name, ")") : "")} @@ -33,12 +37,13 @@ class T1110 extends React.Component {
    {this.props.data.message}

    - + /> : ""}
    ); } From 6c4a5154425b02c638d4fe4a795704a19ab65d82 Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Fri, 7 Jun 2019 10:12:02 +0300 Subject: [PATCH 5/8] ntlm credential display bugfix --- .../monkey_island/cc/services/attack/technique_reports/T1110.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py index b01a3c23b..040b05be2 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py @@ -53,7 +53,7 @@ class T1110(AttackTechnique): username = attempt['user'] if attempt['lm_hash']: return '%s ; LM hash %s ...' % (username, encryptor.dec(attempt['lm_hash'])[0:5]) - if attempt['lm_hash']: + if attempt['ntlm_hash']: return '%s ; NTLM hash %s ...' % (username, encryptor.dec(attempt['ntlm_hash'])[0:20]) if attempt['ssh_key']: return '%s ; SSH key %s ...' % (username, encryptor.dec(attempt['ssh_key'])[0:15]) From f2d25c44810d3c19464396a1eb9fafd11c36dcec Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Wed, 12 Jun 2019 11:51:20 +0300 Subject: [PATCH 6/8] fixed PR comments --- .../attack/technique_reports/T1110.py | 38 ++++++++++++------- .../attack/technique_reports/__init__.py | 9 +++++ 2 files changed, 34 insertions(+), 13 deletions(-) diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py index 040b05be2..977fb860a 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py @@ -35,11 +35,11 @@ class T1110(AttackTechnique): result['successful_creds'].append(T1110.parse_creds(attempt)) if succeeded: - data = {'message': T1110.used_msg, 'status': ScanStatus.USED.name} + data = T1110.get_message_and_status(T1110, ScanStatus.USED) elif attempts: - data = {'message': T1110.scanned_msg, 'status': ScanStatus.SCANNED.name} + data = T1110.get_message_and_status(T1110, ScanStatus.SCANNED) else: - data = {'message': T1110.unscanned_msg, 'status': ScanStatus.UNSCANNED.name} + data = T1110.get_message_and_status(T1110, ScanStatus.UNSCANNED) data.update({'services': attempts, 'title': T1110.technique_title(T1110.tech_id)}) return data @@ -51,21 +51,33 @@ class T1110(AttackTechnique): :return: string with username and used password/hash """ username = attempt['user'] - if attempt['lm_hash']: - return '%s ; LM hash %s ...' % (username, encryptor.dec(attempt['lm_hash'])[0:5]) - if attempt['ntlm_hash']: - return '%s ; NTLM hash %s ...' % (username, encryptor.dec(attempt['ntlm_hash'])[0:20]) - if attempt['ssh_key']: - return '%s ; SSH key %s ...' % (username, encryptor.dec(attempt['ssh_key'])[0:15]) - if attempt['password']: - return '%s : %s' % (username, T1110.obfuscate_password(encryptor.dec(attempt['password']))) + creds = {'lm_hash': {'type': 'LM hash', 'shown_chars': 5, 'funct': T1110.censor_hash}, + 'ntlm_hash': {'type': 'NTLM hash', 'shown_chars': 20, 'funct': T1110.censor_hash}, + 'ssh_key': {'type': 'SSH key', 'shown_chars': 15, 'funct': T1110.censor_hash}, + 'password': {'type': 'Plaintext password', 'shown_chars': 3, 'funct': T1110.censor_password}} + for key, cred in creds.items(): + if attempt[key]: + return '%s ; %s : %s' % (username, + cred['type'], + cred['funct'](encryptor.dec(attempt[key]), cred['shown_chars'])) @staticmethod - def obfuscate_password(password, plain_chars=3): + def censor_password(password, plain_chars=3, secret_chars=5): """ Obfuscates password by changing characters to * :param password: Password or string to obfuscate :param plain_chars: How many plain-text characters should be kept at the start of the string + :param secret_chars: How many * symbols should be used to hide the remainder of the password :return: Obfuscated string e.g. Pass**** """ - return password[0:plain_chars] + '*' * (len(password) - plain_chars) + return password[0:plain_chars] + '*' * secret_chars + + @staticmethod + def censor_hash(hash_, plain_chars=5): + """ + Obfuscates hash by only showing a part of it + :param hash_: Hash to obfuscate + :param plain_chars: How many chars of hash should be shown + :return: Obfuscated string + """ + return hash_[0: plain_chars] + ' ...' diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py b/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py index 0346a1857..782ca389d 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py @@ -60,6 +60,15 @@ class AttackTechnique(object): else: return ScanStatus.UNSCANNED + @staticmethod + def get_message_and_status(technique, status): + if status == ScanStatus.UNSCANNED: + return {'message': technique.unscanned_msg, 'status': ScanStatus.UNSCANNED.name} + elif status == ScanStatus.SCANNED: + return {'message': technique.scanned_msg, 'status': ScanStatus.SCANNED.name} + else: + return {'message': technique.used_msg, 'status': ScanStatus.USED.name} + @staticmethod def technique_title(technique): """ From 0422cd32dbecfb3e33635af945af5ce84604dc31 Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Fri, 14 Jun 2019 15:52:49 +0300 Subject: [PATCH 7/8] Bugfix --- .../attack/technique_reports/T1110.py | 24 +++++++++++++------ 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py index 977fb860a..7fe5ac90f 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py @@ -40,6 +40,10 @@ class T1110(AttackTechnique): data = T1110.get_message_and_status(T1110, ScanStatus.SCANNED) else: data = T1110.get_message_and_status(T1110, ScanStatus.UNSCANNED) + + # Remove data with no successful brute force attempts + attempts = [attempt for attempt in attempts if attempt['attempts']] + data.update({'services': attempts, 'title': T1110.technique_title(T1110.tech_id)}) return data @@ -51,33 +55,39 @@ class T1110(AttackTechnique): :return: string with username and used password/hash """ username = attempt['user'] - creds = {'lm_hash': {'type': 'LM hash', 'shown_chars': 5, 'funct': T1110.censor_hash}, - 'ntlm_hash': {'type': 'NTLM hash', 'shown_chars': 20, 'funct': T1110.censor_hash}, - 'ssh_key': {'type': 'SSH key', 'shown_chars': 15, 'funct': T1110.censor_hash}, - 'password': {'type': 'Plaintext password', 'shown_chars': 3, 'funct': T1110.censor_password}} + creds = {'lm_hash': {'type': 'LM hash', 'output': T1110.censor_hash(attempt['lm_hash'])}, + 'ntlm_hash': {'type': 'NTLM hash', 'output': T1110.censor_hash(attempt['ntlm_hash'], 20)}, + 'ssh_key': {'type': 'SSH key', 'output': attempt['ssh_key']}, + 'password': {'type': 'Plaintext password', 'output': T1110.censor_password(attempt['password'])}} for key, cred in creds.items(): if attempt[key]: return '%s ; %s : %s' % (username, cred['type'], - cred['funct'](encryptor.dec(attempt[key]), cred['shown_chars'])) + cred['output']) @staticmethod def censor_password(password, plain_chars=3, secret_chars=5): """ - Obfuscates password by changing characters to * + Decrypts and obfuscates password by changing characters to * :param password: Password or string to obfuscate :param plain_chars: How many plain-text characters should be kept at the start of the string :param secret_chars: How many * symbols should be used to hide the remainder of the password :return: Obfuscated string e.g. Pass**** """ + if not password: + return "" + password = encryptor.dec(password) return password[0:plain_chars] + '*' * secret_chars @staticmethod def censor_hash(hash_, plain_chars=5): """ - Obfuscates hash by only showing a part of it + Decrypts and obfuscates hash by only showing a part of it :param hash_: Hash to obfuscate :param plain_chars: How many chars of hash should be shown :return: Obfuscated string """ + if not hash_: + return "" + hash_ = encryptor.dec(hash_) return hash_[0: plain_chars] + ' ...' From dc2755173d6416a6530aea343f271cbb1d4fd17c Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Tue, 18 Jun 2019 14:15:13 +0300 Subject: [PATCH 8/8] Refactored technique report basic data generation methods --- .../attack/technique_reports/__init__.py | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py b/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py index 782ca389d..8d60e963f 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py @@ -62,12 +62,16 @@ class AttackTechnique(object): @staticmethod def get_message_and_status(technique, status): + return {'message': technique.get_message_by_status(technique, status), 'status': status.name} + + @staticmethod + def get_message_by_status(technique, status): if status == ScanStatus.UNSCANNED: - return {'message': technique.unscanned_msg, 'status': ScanStatus.UNSCANNED.name} + return technique.unscanned_msg elif status == ScanStatus.SCANNED: - return {'message': technique.scanned_msg, 'status': ScanStatus.SCANNED.name} + return technique.scanned_msg else: - return {'message': technique.used_msg, 'status': ScanStatus.USED.name} + return technique.used_msg @staticmethod def technique_title(technique): @@ -87,11 +91,7 @@ class AttackTechnique(object): data = {} status = AttackTechnique.technique_status(technique.tech_id) title = AttackTechnique.technique_title(technique.tech_id) - data.update({'status': status.name, 'title': title}) - if status == ScanStatus.UNSCANNED: - data.update({'message': technique.unscanned_msg}) - elif status == ScanStatus.SCANNED: - data.update({'message': technique.scanned_msg}) - else: - data.update({'message': technique.used_msg}) + data.update({'status': status.name, + 'title': title, + 'message': technique.get_message_by_status(technique, status)}) return data