Added AWS keys to config
This commit is contained in:
parent
dd3d5d317a
commit
17d91766df
@ -0,0 +1,9 @@
|
||||||
|
from enum import Enum
|
||||||
|
|
||||||
|
|
||||||
|
class PROVIDERS(Enum):
|
||||||
|
AWS = 'aws'
|
||||||
|
AZURE = 'azure'
|
||||||
|
GCP = 'gcp'
|
||||||
|
ALIBABA = 'aliyun'
|
||||||
|
ORACLE = 'oci'
|
|
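Review bot: `class PROVIDERS(Enum)` has no docstring, and nothing in this file says what the member values are; the collector hunk passes `cloud_type.value` as the `provider` argument of `scoutsuite_api.run`, so that contract is worth recording here. I would add `"""Cloud providers the ScoutSuite integration can scan; each value is the provider name handed to scoutsuite_api.run()."""` directly under the class line. As a point of style, PEP 8 reserves UPPER_CASE for constants, so a name such as `Provider` would read as the class it is — but the name is already used by the other files in this commit, so that is a follow-up rather than a change here.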
@ -246,6 +246,10 @@ class Configuration(object):
|
||||||
exploit_ntlm_hash_list = []
|
exploit_ntlm_hash_list = []
|
||||||
exploit_ssh_keys = []
|
exploit_ssh_keys = []
|
||||||
|
|
||||||
|
access_key_id = ''
|
||||||
|
secret_access_key = ''
|
||||||
|
session_token = ''
|
||||||
|
|
||||||
# smb/wmi exploiter
|
# smb/wmi exploiter
|
||||||
smb_download_timeout = 300 # timeout in seconds
|
smb_download_timeout = 300 # timeout in seconds
|
||||||
smb_service_name = "InfectionMonkey"
|
smb_service_name = "InfectionMonkey"
|
||||||
|
|
|
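Review bot: The three new attributes `access_key_id`, `secret_access_key` and `session_token` are added with no comment, unlike the `# smb/wmi exploiter` group right below them, and their unprefixed names only make sense once you know that `get_flat_config` in the ConfigService hunk hoists the `aws_keys` object's properties to top-level keys. I would put `# AWS credentials used by the ScoutSuite collector; names must match the 'aws_keys' schema properties, which the island flattens to top level` above `access_key_id = ''`. Since these fields hold credential material, it is also worth confirming that nothing serializes or logs the whole `Configuration` object with them populated — that code is outside this hunk. `Configuration` starts before and ends after the hunk.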
@ -1,22 +1,28 @@
|
||||||
|
import logging
|
||||||
|
|
||||||
import infection_monkey.system_info.collectors.scoutsuite_collector.scoutsuite_api as scoutsuite_api
|
import infection_monkey.system_info.collectors.scoutsuite_collector.scoutsuite_api as scoutsuite_api
|
||||||
|
from common.cloud.scoutsuite_consts import PROVIDERS
|
||||||
from infection_monkey.telemetry.scoutsuite_telem import ScoutSuiteTelem
|
from infection_monkey.telemetry.scoutsuite_telem import ScoutSuiteTelem
|
||||||
|
from infection_monkey.config import WormConfiguration
|
||||||
|
|
||||||
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
class CLOUD_TYPES:
|
def scan_cloud_security(cloud_type: PROVIDERS):
|
||||||
AWS = 'aws'
|
try:
|
||||||
AZURE = 'azure'
|
results = run_scoutsuite(cloud_type.value)
|
||||||
GCP = 'gcp'
|
if 'error' in results and results['error']:
|
||||||
ALIBABA = 'aliyun'
|
raise Exception(results['error'])
|
||||||
ORACLE = 'oci'
|
send_results(results)
|
||||||
|
except Exception as e:
|
||||||
|
logger.error(f"ScoutSuite didn't scan {cloud_type.value} security because: {e}")
|
||||||
|
|
||||||
|
|
||||||
def scan_cloud_security(cloud_type: CLOUD_TYPES):
|
def run_scoutsuite(cloud_type: str):
|
||||||
results = run_scoutsuite(cloud_type)
|
return scoutsuite_api.run(provider=cloud_type,
|
||||||
send_results(results)
|
aws_access_key_id=WormConfiguration.access_key_id,
|
||||||
|
aws_secret_access_key=WormConfiguration.secret_access_key,
|
||||||
|
aws_session_token=WormConfiguration.session_token)
|
||||||
def run_scoutsuite(cloud_type):
|
|
||||||
return scoutsuite_api.run(provider=cloud_type)
|
|
||||||
|
|
||||||
|
|
||||||
def send_results(results):
|
def send_results(results):
|
||||||
|
|
|
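Review bot: `run_scoutsuite` forwards `WormConfiguration.access_key_id`, `secret_access_key` and `session_token` unconditionally, and the Configuration hunk defaults all three to `''`, so a run with no keys configured passes empty strings rather than omitting the credentials; whether `scoutsuite_api.run` treats `''` as "not provided" is not visible here and should be confirmed, or normalised with `aws_session_token=WormConfiguration.session_token or None` (and likewise for the other two arguments). In `scan_cloud_security`, raising `Exception(results['error'])` only to catch it two lines later is roundabout, and `logger.error(f"...")` does not record the traceback; `logger.exception("ScoutSuite didn't scan %s security", cloud_type.value)` would keep it, with `results.get('error')` replacing the two-part membership test. The body of `send_results` continues outside the hunk.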
@ -21,12 +21,15 @@ from monkey_island.cc.services.config_schema.config_value_paths import STARTED_O
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
# This should be used for config values of array type (array of strings only)
|
# This should be used for config values of array type (array of strings only)
|
||||||
ENCRYPTED_CONFIG_ARRAYS = \
|
ENCRYPTED_CONFIG_VALUES = \
|
||||||
[
|
[
|
||||||
['basic', 'credentials', 'exploit_password_list'],
|
PASSWORD_LIST_PATH,
|
||||||
['internal', 'exploits', 'exploit_lm_hash_list'],
|
LM_HASH_LIST_PATH,
|
||||||
['internal', 'exploits', 'exploit_ntlm_hash_list'],
|
NTLM_HASH_LIST_PATH,
|
||||||
['internal', 'exploits', 'exploit_ssh_keys']
|
SSH_KEYS_PATH,
|
||||||
|
AWS_KEYS_PATH + ['access_key_id'],
|
||||||
|
AWS_KEYS_PATH + ['secret_access_key'],
|
||||||
|
AWS_KEYS_PATH + ['session_token']
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
@ -69,8 +72,11 @@ class ConfigService:
|
||||||
for config_key_part in config_key_as_arr:
|
for config_key_part in config_key_as_arr:
|
||||||
config = config[config_key_part]
|
config = config[config_key_part]
|
||||||
if should_decrypt:
|
if should_decrypt:
|
||||||
if config_key_as_arr in ENCRYPTED_CONFIG_ARRAYS:
|
if config_key_as_arr in ENCRYPTED_CONFIG_VALUES:
|
||||||
config = [encryptor.dec(x) for x in config]
|
if isinstance(config, str):
|
||||||
|
config = encryptor.dec(config)
|
||||||
|
elif isinstance(config, list):
|
||||||
|
config = [encryptor.dec(x) for x in config]
|
||||||
return config
|
return config
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
|
@ -79,12 +85,6 @@ class ConfigService:
|
||||||
mongo.db.config.update({'name': 'newconfig'},
|
mongo.db.config.update({'name': 'newconfig'},
|
||||||
{"$set": {mongo_key: value}})
|
{"$set": {mongo_key: value}})
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def append_to_config_array(config_key_as_arr, value):
|
|
||||||
mongo_key = ".".join(config_key_as_arr)
|
|
||||||
mongo.db.config.update({'name': 'newconfig'},
|
|
||||||
{"$push": {mongo_key: value}})
|
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_flat_config(is_initial_config=False, should_decrypt=True):
|
def get_flat_config(is_initial_config=False, should_decrypt=True):
|
||||||
config_json = ConfigService.get_config(is_initial_config, should_decrypt)
|
config_json = ConfigService.get_config(is_initial_config, should_decrypt)
|
||||||
|
@ -92,7 +92,11 @@ class ConfigService:
|
||||||
for i in config_json:
|
for i in config_json:
|
||||||
for j in config_json[i]:
|
for j in config_json[i]:
|
||||||
for k in config_json[i][j]:
|
for k in config_json[i][j]:
|
||||||
flat_config_json[k] = config_json[i][j][k]
|
if isinstance(config_json[i][j][k], dict):
|
||||||
|
for key, value in config_json[i][j][k].items():
|
||||||
|
flat_config_json[key] = value
|
||||||
|
else:
|
||||||
|
flat_config_json[k] = config_json[i][j][k]
|
||||||
|
|
||||||
return flat_config_json
|
return flat_config_json
|
||||||
|
|
||||||
|
@ -101,8 +105,8 @@ class ConfigService:
|
||||||
return SCHEMA
|
return SCHEMA
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def add_item_to_config_set_if_dont_exist(item_key, item_value, should_encrypt):
|
def add_item_to_config_set_if_dont_exist(item_path_array, item_value, should_encrypt):
|
||||||
item_path_array = item_key.split('.')
|
item_key = '.'.join(item_path_array)
|
||||||
items_from_config = ConfigService.get_config_value(item_path_array, False, should_encrypt)
|
items_from_config = ConfigService.get_config_value(item_path_array, False, should_encrypt)
|
||||||
if item_value in items_from_config:
|
if item_value in items_from_config:
|
||||||
return
|
return
|
||||||
|
|
|
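Review bot: In `get_flat_config` the new `isinstance(..., dict)` branch copies every nested property to a top-level key, so the `aws_keys` properties land in `flat_config_json` as `access_key_id`, `secret_access_key` and `session_token`, and any nested property whose name matches an existing top-level key overwrites it silently, depending only on iteration order; it also flattens exactly one extra level, so a deeper object would be stored whole. I would at least record that as a comment above the branch, `# one-level flatten: nested object properties become top-level keys (must not collide with existing ones)`, and consider raising on a collision. The signature change of `add_item_to_config_set_if_dont_exist` to `item_path_array` is a silent hazard for any caller still passing a dotted string: `'.'.join("a.b")` iterates characters and yields `a...b`, so an `isinstance(item_path_array, list)` check or a scan of the callers is warranted. The `ConfigService` class starts before and ends after these hunks.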
@ -94,6 +94,23 @@ INTERNAL = {
|
||||||
"type": "boolean",
|
"type": "boolean",
|
||||||
"default": True,
|
"default": True,
|
||||||
"description": "Is the monkey alive"
|
"description": "Is the monkey alive"
|
||||||
|
},
|
||||||
|
"aws_keys": {
|
||||||
|
"type": "object",
|
||||||
|
"properties": {
|
||||||
|
"access_key_id": {
|
||||||
|
"type": "string",
|
||||||
|
"default": ""
|
||||||
|
},
|
||||||
|
"secret_access_key": {
|
||||||
|
"type": "string",
|
||||||
|
"default": ""
|
||||||
|
},
|
||||||
|
"session_token": {
|
||||||
|
"type": "string",
|
||||||
|
"default": ""
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
|
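Review bot: The new `aws_keys` object and its three string properties carry only `"type"` and `"default"`, whereas the neighbouring `alive` entry has a `"description"`; with nothing naming them, the schema gives no hint that these are credential fields, which the ConfigService hunk stores encrypted on the island. I would add a `"title"` and `"description"` to each, e.g. `"description": "AWS access key ID used by the ScoutSuite cloud scan"` on `access_key_id`, and similar for the secret access key and session token. `INTERNAL` starts before and ends after the hunk.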
@ -0,0 +1,63 @@
|
||||||
|
import pkgutil
|
||||||
|
import sys
|
||||||
|
from pathlib import PurePath
|
||||||
|
from typing import Tuple
|
||||||
|
|
||||||
|
from common.cloud.scoutsuite_consts import PROVIDERS
|
||||||
|
from common.utils.exceptions import InvalidAWSKeys
|
||||||
|
from monkey_island.cc.encryptor import encryptor
|
||||||
|
from monkey_island.cc.services.config import ConfigService
|
||||||
|
from monkey_island.cc.services.config_schema.config_value_paths import AWS_KEYS_PATH
|
||||||
|
|
||||||
|
_scoutsuite_api_package = pkgutil.get_loader('common.cloud.scoutsuite.ScoutSuite.__main__')
|
||||||
|
|
||||||
|
|
||||||
|
def _add_scoutsuite_to_python_path():
|
||||||
|
scoutsuite_path = PurePath(_scoutsuite_api_package.path).parent.parent.__str__()
|
||||||
|
sys.path.append(scoutsuite_path)
|
||||||
|
|
||||||
|
|
||||||
|
_add_scoutsuite_to_python_path()
|
||||||
|
|
||||||
|
|
||||||
|
def is_cloud_authentication_setup(provider: PROVIDERS) -> Tuple[bool, str]:
|
||||||
|
if provider == PROVIDERS.AWS.value:
|
||||||
|
if is_aws_keys_setup():
|
||||||
|
return True, "AWS keys already setup. Run monkey on Island to scan."
|
||||||
|
|
||||||
|
import common.cloud.scoutsuite.ScoutSuite.providers.aws.authentication_strategy as auth_strategy
|
||||||
|
try:
|
||||||
|
profile = auth_strategy.AWSAuthenticationStrategy().authenticate()
|
||||||
|
return True, f" Profile \"{profile.session.profile_name}\" is already setup. Run monkey on Island to scan."
|
||||||
|
except Exception:
|
||||||
|
return False, ""
|
||||||
|
|
||||||
|
|
||||||
|
def is_aws_keys_setup():
|
||||||
|
return (ConfigService.get_config_value(AWS_KEYS_PATH + ['access_key_id']) and
|
||||||
|
ConfigService.get_config_value(AWS_KEYS_PATH + ['secret_access_key']))
|
||||||
|
|
||||||
|
|
||||||
|
def set_aws_keys(access_key_id: str, secret_access_key: str, session_token: str):
|
||||||
|
if not access_key_id or not secret_access_key:
|
||||||
|
raise InvalidAWSKeys("Missing some of the following fields: access key ID, secret access key.")
|
||||||
|
_set_aws_key('access_key_id', access_key_id)
|
||||||
|
_set_aws_key('secret_access_key', secret_access_key)
|
||||||
|
_set_aws_key('session_token', session_token)
|
||||||
|
|
||||||
|
|
||||||
|
def _set_aws_key(key_type: str, key_value: str):
|
||||||
|
path_to_keys = AWS_KEYS_PATH
|
||||||
|
encrypted_key = encryptor.enc(key_value)
|
||||||
|
ConfigService.set_config_value(path_to_keys + [key_type], encrypted_key)
|
||||||
|
|
||||||
|
|
||||||
|
def get_aws_keys():
|
||||||
|
return {'access_key_id': _get_aws_key('access_key_id'),
|
||||||
|
'secret_access_key': _get_aws_key('secret_access_key'),
|
||||||
|
'session_token': _get_aws_key('session_token')}
|
||||||
|
|
||||||
|
|
||||||
|
def _get_aws_key(key_type: str):
|
||||||
|
path_to_keys = AWS_KEYS_PATH
|
||||||
|
return ConfigService.get_config_value(config_key_as_arr=path_to_keys + [key_type])
|
|
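Review bot: `is_cloud_authentication_setup` compares `provider == PROVIDERS.AWS.value`, i.e. an enum member against the string `'aws'`; `PROVIDERS` is a plain `Enum` (not a `str` mixin) in this commit, so the comparison is always False when a caller honours the `provider: PROVIDERS` annotation and the AWS branch is never taken. The check should read `if provider == PROVIDERS.AWS:` (or `provider.value == PROVIDERS.AWS.value` if callers may pass the raw string). Separately, `_add_scoutsuite_to_python_path` runs at import time and dereferences `_scoutsuite_api_package.path` without checking the `pkgutil.get_loader` result for `None`, so a missing vendored ScoutSuite surfaces as an `AttributeError` at import rather than a clear message. The `except Exception: return False, ""` in the same function also hides why authentication failed; logging at debug level before returning would help operators diagnose it.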
@ -84,6 +84,9 @@ export default function UiSchema(props) {
|
||||||
monkey: {
|
monkey: {
|
||||||
alive: {
|
alive: {
|
||||||
classNames: 'config-field-hidden'
|
classNames: 'config-field-hidden'
|
||||||
|
},
|
||||||
|
aws_keys: {
|
||||||
|
classNames: 'config-field-hidden'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
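Review bot: Hiding `aws_keys` with `classNames: 'config-field-hidden'` only affects how the form renders; the object and its three properties remain part of the form data the page holds, so this is not a control on where the credential values travel. Assuming the class is a CSS hide (the name suggests so; the stylesheet is not in this diff), it is worth confirming that the config served to the browser for this form is fetched without decryption, and a comment such as `// credentials are managed through the ScoutSuite auth flow, not edited in this form` would explain why the field is hidden. `UiSchema` continues outside the hunk.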