diff --git a/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey_island/cc/ui/src/components/pages/ReportPage.js
index 3853ecacc..dee3c8cb2 100644
--- a/monkey_island/cc/ui/src/components/pages/ReportPage.js
+++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js
@@ -8,6 +8,23 @@ import StolenPasswords from 'components/report-components/StolenPasswords';
import ScannedBreachedChart from 'components/report-components/ScannedBreachedChart';
class ReportPageComponent extends React.Component {
+
+ Issue =
+ {
+ WEAK_PASSWORD: 0,
+ STOLEN_CREDS: 1,
+ ELASTIC: 2,
+ SAMBACRY: 3,
+ SHELLSHOCK: 4,
+ CONFICKER: 5
+ };
+
+ Warning =
+ {
+ CROSS_SEGMENT: 0,
+ TUNNEL: 1
+ };
+
constructor(props) {
super(props);
this.stolen_passwords =
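Review bot: `Issue` and `Warning` are declared as mutable instance fields even though they are constant lookup tables shared by every instance; declaring them `static Issue = Object.freeze({ ... })` (and the same for `Warning`) avoids a copy per instance and prevents accidental writes, with call sites becoming `ReportPageComponent.Issue.WEAK_PASSWORD`. Their numeric values are positional indices into `report.overview.issues` / `report.overview.warnings`, as the later render hunk uses them, so the order is an implicit contract with whatever produces the report; a comment such as `// positional indices into report.overview.issues — keep in sync with the order the server emits` would make that visible to the next maintainer. The class body continues outside this hunk.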
@@ -18,13 +35,48 @@ class ReportPageComponent extends React.Component {
{username: 'joe', password: 'FDA95FBECA288D44AAD3B435B51404EE', type: 'LM', origin: 'Monkey-RDP'}
];
this.state = {
- report: {},
+ report: {
+ overview:
+ {
+ monkey_start_time: '01/02/2017 21:45',
+ monkey_duration: '23:12 minutes',
+ issues: [false, true, true, true, false, true],
+ warnings: [true, true]
+ },
+ glance:
+ {
+ scanned:
+ [{"services": ["tcp-22: ssh", "elastic-search-9200: Lorelei Travis"], "ip_addresses": ["11.0.0.13"], "accessible_from_nodes": ["webServer-shellshock0"], "label": "Ubuntu-4ubuntu2.1"}, {"services": [], "ip_addresses": ["10.0.3.23"], "accessible_from_nodes": [], "label": "ubuntu"}, {"services": ["tcp-22: ssh", "tcp-80: http"], "ip_addresses": ["10.0.3.68", "11.0.0.41"], "accessible_from_nodes": ["Monkey-MSSQL1", "ubuntu"], "label": "webServer-shellshock0"}, {"services": ["tcp-445: Windows Server 2012 R2 Standard 6.3"], "ip_addresses": ["12.0.0.90", "11.0.0.90"], "accessible_from_nodes": ["webServer-shellshock0"], "label": "Monkey-MSSQL1"}],
+ exploited:
+ [{"ip_addresses": ["10.0.3.68", "11.0.0.41"], "exploits": ["ShellShockExploiter", "ShellShockExploiter"], "label": "webServer-shellshock0"}, {"ip_addresses": ["12.0.0.90", "11.0.0.90"], "exploits": ["SmbExploiter", "SmbExploiter"], "label": "Monkey-MSSQL1"}],
+ stolen_creds: this.stolen_passwords
+ },
+ recommendations:
+ {
+ issues:
+ [
+ {type: 'smb_password', machine: 'Monkey-SMB', ip_addresses: ['192.168.0.1', '10.0.0.18'], username: 'Administrator'},
+ {type: 'smb_pth', machine: 'Monkey-SMB2', ip_addresses: ['192.168.0.1', '10.0.0.18'], username: 'Administrator'},
+ {type: 'wmi_password', machine: 'Monkey-WMI', ip_addresses: ['192.168.0.1', '10.0.0.18'], username: 'Administrator'},
+ {type: 'wmi_pth', machine: 'Monkey-WMI2', ip_addresses: ['192.168.0.1', '10.0.0.18'], username: 'Administrator'},
+ {type: 'ssh', machine: 'Monkey-SMB', ip_addresses: ['192.168.0.1', '10.0.0.18'], username: 'Administrator'},
+ {type: 'rdp', machine: 'Monkey-SMB', ip_addresses: ['192.168.0.1', '10.0.0.18'], username: 'Administrator'},
+ {type: 'sambacry', machine: 'Monkey-SMB', ip_addresses: ['192.168.0.1', '10.0.0.18'], username: 'Administrator'},
+ {type: 'elastic', machine: 'Monkey-SMB', ip_addresses: ['192.168.0.1', '10.0.0.18']},
+ {type: 'shellshock', machine: 'Monkey-SMB', ip_addresses: ['192.168.0.1', '10.0.0.18'], port: 8080, paths: ['/cgi/backserver.cgi', '/cgi/login.cgi']},
+ {type: 'conficker', machine: 'Monkey-SMB', ip_addresses: ['192.168.0.1', '10.0.0.18']},
+ {type: 'cross_segment', machine: 'Monkey-SMB', network: '192.168.0.0/24', server_network: '172.168.0.0/24'},
+ {type: 'tunnel', origin: 'Monkey-SSH', dest: 'Monkey-SambaCry'}
+ ]
+ }
+ },
graph: {nodes: [], edges: []}
};
}
componentDidMount() {
- this.getReportFromServer();
+ // TODO: uncomment
+ //this.getReportFromServer();
this.updateMapFromServer();
this.interval = setInterval(this.updateMapFromServer, 1000);
}
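Review bot: `componentDidMount` now has the server fetch commented out (`// TODO: uncomment` above `//this.getReportFromServer();`) while the constructor seeds `this.state.report` with a full hard-coded fixture, so as committed the page always renders fabricated findings and never the real report. Debug scaffolding of this kind should not reach the branch: keep `this.getReportFromServer();` active and move the fixture out of the component (a test file or a development-only flag) rather than leaving it as the initial state, where it is easy to mistake for real data. If the fixture must stay temporarily, a comment like `// DEV ONLY: placeholder report, replaced by getReportFromServer()` on `report: {` would at least mark it. The `componentWillUnmount` that should clear `this.interval` is not visible in this hunk, so whether the interval is cleaned up cannot be checked here.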
@@ -55,10 +107,243 @@ class ReportPageComponent extends React.Component {
});
}
+ generateIpListBadges(ip_addresses) {
+ return ip_addresses.map(ip_address => {ip_address});
+ }
+
+ generateShellshockPathListBadges(paths) {
+ return paths.map(path => {path});
+ }
+
+ generateSmbPasswordIssue(issue) {
+ return (
+
+ The machine
{issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a
SMB attack.
+
+ The attack succeeded by authenticating over SMB protocol with user
{issue.username} and its password.
+
+ In order to protect the machine, the following steps should be performed:
+
+ - Use a complex one-use password that is not shared with other computers on the network.
+
+
+ );
+ }
+
+ generateSmbPthIssue(issue) {
+ return (
+
+ The machine
{issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a
SMB attack.
+
+ The attack succeeded by using a pass-the-hash attack over SMB protocol with user
{issue.username}.
+
+ In order to protect the machine, the following steps should be performed:
+
+ - Use a complex one-use password that is not shared with other computers on the network.
+
+
+ );
+ }
+
+ generateWmiPasswordIssue(issue) {
+ return (
+
+ The machine
{issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a
WMI attack.
+
+ The attack succeeded by authenticating over WMI protocol with user
{issue.username} and its password.
+
+ In order to protect the machine, the following steps should be performed:
+
+ - Use a complex one-use password that is not shared with other computers on the network.
+
+
+ );
+ }
+
+ generateWmiPthIssue(issue) {
+ return (
+
+ The machine
{issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a
WMI attack.
+
+ The attack succeeded by using a pass-the-hash attack over WMI protocol with user
{issue.username}.
+
+ In order to protect the machine, the following steps should be performed:
+
+ - Use a complex one-use password that is not shared with other computers on the network.
+
+
+ );
+ }
+
+ generateSshIssue(issue) {
+ return (
+
+ The machine
{issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a
SSH attack.
+
+ The attack succeeded by authenticating over SSH protocol with user
{issue.username} and its password.
+
+ In order to protect the machine, the following steps should be performed:
+
+ - Use a complex one-use password that is not shared with other computers on the network.
+
+
+ );
+ }
+
+ generateRdpIssue(issue) {
+ return (
+
+ The machine
{issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a
RDP attack.
+
+ The attack succeeded by authenticating over RDP protocol with user
{issue.username} and its password.
+
+ In order to protect the machine, the following steps should be performed:
+
+ - Use a complex one-use password that is not shared with other computers on the network.
+
+
+ );
+ }
+
+ generateSambaCryIssue(issue) {
+ return (
+
+ The machine
{issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a
SambaCry attack.
+
+ The attack succeeded by authenticating over SMB protocol with user
{issue.username} and its password, and by using the SambaCry vulnerability.
+
+ In order to protect the machine, the following steps should be performed:
+
+ - Update your Samba server to 4.4.14 and up, 4.5.10 and up, or 4.6.4 and up.
+ - Use a complex one-use password that is not shared with other computers on the network.
+
+
+ );
+ }
+
+ generateElasticIssue(issue) {
+ return (
+
+ The machine
{issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to an
Elastic Groovy attack.
+
+ The attack succeeded because the Elastic Search server was not parched against CVE-2015-1427.
+
+ In order to protect the machine, the following steps should be performed:
+
+ - Update your Elastic Search server to version 1.4.3 and up.
+
+
+ );
+ }
+
+ generateShellshockIssue(issue) {
+ return (
+
+ The machine
{issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a
ShellShock attack.
+
+ The attack succeeded because the HTTP server running on port
{issue.port} was vulnerable to a shell injection attack on the paths: {this.generateShellshockPathListBadges(issue.paths)}.
+
+ In order to protect the machine, the following steps should be performed:
+
+ - Update your Bash to a ShellShock-patched version.
+
+
+ );
+ }
+
+ generateConfickerIssue(issue) {
+ return (
+
+ The machine
{issue.machine} with the following IP addresses {this.generateIpListBadges(issue.ip_addresses)} was vulnerable to a
Conficker attack.
+
+ The attack succeeded because the target machine uses an outdated and unpatched operating system vulnerable to Conficker.
+
+ In order to protect the machine, the following steps should be performed:
+
+ - Install the latest Windows updates or upgrade to a newer operating system.
+
+
+ );
+ }
+
+ generateCrossSegmentIssue(issue) {
+ return (
+
+ The network can probably be segmented. A monkey instance on
{issue.machine} in the
{issue.network} network could directly access the Monkey Island C&C server in the
{issue.server_network} network.
+
+ In order to protect the network, the following steps should be performed:
+
+ - Segment your network. Make sure machines can't access machines from other segments.
+
+
+ );
+ }
+
+ generateTunnelIssue(issue) {
+ return (
+
+ Machines are not locked down at port level. Network tunnel was set up from
{issue.origin} to
{issue.dest}.
+
+ In order to protect the machine, the following steps should be performed:
+
+ - Use micro-segmentation policies to disable communication other than the required.
+
+
+ );
+ }
+
+ generateIssue = (issue, index) => {
+ let data;
+ switch (issue.type) {
+ case 'smb_password':
+ data = this.generateSmbPasswordIssue(issue);
+ break;
+ case 'smb_pth':
+ data = this.generateSmbPthIssue(issue);
+ break;
+ case 'wmi_password':
+ data = this.generateWmiPasswordIssue(issue);
+ break;
+ case 'wmi_pth':
+ data = this.generateWmiPthIssue(issue);
+ break;
+ case 'ssh':
+ data = this.generateSshIssue(issue);
+ break;
+ case 'rdp':
+ data = this.generateRdpIssue(issue);
+ break;
+ case 'sambacry':
+ data = this.generateSambaCryIssue(issue);
+ break;
+ case 'elastic':
+ data = this.generateElasticIssue(issue);
+ break;
+ case 'shellshock':
+ data = this.generateShellshockIssue(issue);
+ break;
+ case 'conficker':
+ data = this.generateConfickerIssue(issue);
+ break;
+ case 'cross_segment':
+ data = this.generateCrossSegmentIssue(issue);
+ break;
+ case 'tunnel':
+ data = this.generateTunnelIssue(issue);
+ break;
+ }
+ return (
+
+
Issue #{index+1}
+ {data}
+
+ );
+ };
+
render() {
let content;
-
- if (Object.keys(this.state.report).length === 0) {
+ // TODO: remove 0==1
+ if (0==1 || Object.keys(this.state.report).length === 0) {
content = (Generating Report...
);
} else {
content =
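Review bot: The `switch` in `generateIssue` has no `default`, so an `issue.type` the client does not know (anything the server adds later) leaves `data` undefined and silently renders a bare "Issue #n" card with no body; add `default: console.warn(\`Unknown issue type: ${issue.type}\`); data = null;` so the gap is at least visible in the console. In `render`, `if (0==1 || Object.keys(this.state.report).length === 0)` together with its `// TODO: remove 0==1` is debug scaffolding that also breaks the file's `===` convention and must be reverted to `if (Object.keys(this.state.report).length === 0) {` before merge. `generateElasticIssue` carries a user-facing typo: "was not parched against CVE-2015-1427" should read "patched". `render` continues past the end of this hunk.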
@@ -69,8 +354,7 @@ class ReportPageComponent extends React.Component {
Overview
- {/* TODO: Replace 01/02/2017 21:45, 23:12 with data */}
- The monkey run was started on 01/02/2017 21:45. After 23:12 minutes, all monkeys finished propagation attempts.
+ The monkey run was started on {this.state.report.overview.monkey_start_time}. After {this.state.report.overview.monkey_duration}, all monkeys finished propagation attempts.
From the attacker's point of view, the network looks like this:
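Review bot: `this.state.report.overview.monkey_start_time` assumes `overview` exists as soon as `report` has any key; the only guard visible in the render hunk above is `Object.keys(this.state.report).length === 0`, so a partial or differently shaped server response would throw inside `render` and blank the whole page instead of showing the "Generating Report..." state. The same unguarded access appears in the following hunks for `overview.issues` / `overview.warnings`, `glance.scanned` / `glance.exploited` and `recommendations.issues`. A cheap defence is to tighten the guard once, e.g. `const { overview, glance, recommendations } = this.state.report;` followed by `if (!overview || !glance || !recommendations) {` for the placeholder branch. `render` starts and ends outside this hunk.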
@@ -79,24 +363,21 @@ class ReportPageComponent extends React.Component {
- {/* TODO: Replace 3 with data */}
- During this simulated attack the Monkey uncovered
6 issues, detailed below. The security issues uncovered include:
+ During this simulated attack the Monkey uncovered
{this.state.report.overview.issues.filter(function(x){return x===true;}).length}, detailed below. The security issues uncovered include:
- {/* TODO: Replace lis with data */}
- - Users with weak passwords.
- - Stolen passwords/hashes were used to exploit other machines.
- - Elastic Search servers not patched for CVE-2015-1427.
- - Samba servers not patched for ‘SambaCry’ (CVE-2017-7494).
- - Machines not patched for the ‘Shellshock’ (CVE-2014-6271).
- - Machines not patched for the ‘Conficker’ (MS08-067).
+ {this.state.report.overview.issues[this.Issue.WEAK_PASSWORD] ? - Users with weak passwords.
: null}
+ {this.state.report.overview.issues[this.Issue.STOLEN_CREDS] ?- Stolen passwords/hashes were used to exploit other machines.
: null}
+ {this.state.report.overview.issues[this.Issue.ELASTIC] ? - Elastic Search servers not patched for CVE-2015-1427.
: null}
+ {this.state.report.overview.issues[this.Issue.SAMBACRY] ? - Samba servers not patched for ‘SambaCry’ (CVE-2017-7494).
: null}
+ {this.state.report.overview.issues[this.Issue.SHELLSHOCK] ? - Machines not patched for the ‘Shellshock’ (CVE-2014-6271).
: null}
+ {this.state.report.overview.issues[this.Issue.CONFICKER] ? - Machines not patched for the ‘Conficker’ (MS08-067).
: null}
In addition, the monkey uncovered the following possible set of issues:
- {/* TODO: Replace lis with data */}
- - Possible cross segment traffic. Infected machines could communicate with the Monkey Island despite crossing segment boundaries using unused ports.
- - Lack of port level segmentation, machines successfully tunneled monkey activity using unused ports.
+ {this.state.report.overview.warnings[this.Warning.CROSS_SEGMENT] ? - Possible cross segment traffic. Infected machines could communicate with the Monkey Island despite crossing segment boundaries using unused ports.
: null}
+ {this.state.report.overview.warnings[this.Warning.TUNNEL] ? - Lack of port level segmentation, machines successfully tunneled monkey activity using unused ports.
: null}
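Review bot: The issue count `this.state.report.overview.issues.filter(function(x){return x===true;}).length` uses a `function` expression inside JSX where the rest of the new code uses arrow functions (`generateIssue = (issue, index) => {`); `.filter((x) => x === true).length` is the consistent form. `this.state.report.overview` is also repeated on every line of this hunk, so a `const { overview } = this.state.report;` at the top of the `else` branch would shorten each conditional to `overview.issues[this.Issue.WEAK_PASSWORD] ? ... : null`. The `else` branch begins outside this hunk.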
@@ -110,8 +391,7 @@ class ReportPageComponent extends React.Component {
- {/* TODO: Replace 6,2 with data */}
- The Monkey discovered 6 machines and successfully breached 2 of them.
+ The Monkey discovered {this.state.report.glance.scanned.length} machines and successfully breached {this.state.report.glance.exploited.length} of them.
In addition, while attempting to exploit additional hosts , security software installed in the network should have picked up the attack attempts and logged them.
@@ -120,191 +400,27 @@ class ReportPageComponent extends React.Component {
-
+
-
+
-
- {/* TODO: Add table of scanned servers */}
+
-
+
Recommendations
-
-
Issue #1
-
- The machine
Monkey-SMB with the following IP addresses
192.168.0.1 10.0.0.18 was vulnerable to a
SMB attack.
-
- The attack succeeded by authenticating over SMB protocol with user
Administrator and its password.
-
- In order to protect the machine, the following steps should be performed:
-
- - Use a complex one-use password that is not shared with other computers on the network.
-
-
+ {this.state.report.recommendations.issues.map(this.generateIssue)}
-
-
Issue #2
-
- The machine
Monkey-SMB2 with the following IP address
192.168.0.2 was vulnerable to a
SMB attack.
-
- The attack succeeded by using a pass-the-hash attack over SMB protocol with user
temp.
-
- In order to protect the machine, the following steps should be performed:
-
- - Use a complex one-use password that is not shared with other computers on the network.
-
-
-
-
-
Issue #3
-
- The machine
Monkey-WMI with the following IP address
192.168.0.3 was vulnerable to a
WMI attack.
-
- The attack succeeded by authenticating over WMI protocol with user
Administrator and its password.
-
- In order to protect the machine, the following steps should be performed:
-
- - Use a complex one-use password that is not shared with other computers on the network.
-
-
-
-
-
Issue #4
-
- The machine
Monkey-WMI2 with the following IP address
192.168.0.4 was vulnerable to a
WMI attack.
-
- The attack succeeded by using a pass-the-hash attack over WMI protocol with user
Administrator.
-
- In order to protect the machine, the following steps should be performed:
-
- - Use a complex one-use password that is not shared with other computers on the network.
-
-
-
-
-
Issue #5
-
- The machine
Monkey-SSH with the following IP address
192.168.0.5 was vulnerable to a
SSH attack.
-
- The attack succeeded by authenticating over SSH protocol with user
user and its password.
-
- In order to protect the machine, the following steps should be performed:
-
- - Use a complex one-use password that is not shared with other computers on the network.
-
-
-
-
-
Issue #6
-
- The machine
Monkey-RDP with the following IP address
192.168.0.6 was vulnerable to a
RDP attack.
-
- The attack succeeded by authenticating over RDP protocol with user
Administrator and its password.
-
- In order to protect the machine, the following steps should be performed:
-
- - Use a complex one-use password that is not shared with other computers on the network.
-
-
-
-
-
Issue #7
-
- The machine
Monkey-SambaCry with the following IP address
192.168.0.7 was vulnerable to a
SambaCry attack.
-
- The attack succeeded by authenticating over SMB protocol with user
user and its password, and by using the SambaCry vulnerability.
-
- In order to protect the machine, the following steps should be performed:
-
- - Update your Samba server to 4.4.14 and up, 4.5.10 and up, or 4.6.4 and up.
- - Use a complex one-use password that is not shared with other computers on the network.
-
-
-
-
-
Issue #8
-
- The machine
Monkey-Elastic with the following IP address
192.168.0.8 was vulnerable to an
Elastic Groovy attack.
-
- The attack succeeded because the Elastic Search server was not parched against CVE-2015-1427.
-
- In order to protect the machine, the following steps should be performed:
-
- - Update your Elastic Search server to version 1.4.3 and up.
-
-
-
-
-
Issue #9
-
- The machine
Monkey-Shellshock with the following IP address
192.168.0.9 was vulnerable to a
ShellShock attack.
-
- The attack succeeded because the HTTP server running on port
8080 was vulnerable to a shell injection attack on the paths:
/cgi/backserver.cgi /cgi/login.cgi.
-
- In order to protect the machine, the following steps should be performed:
-
- - Update your Bash to a ShellShock-patched version.
-
-
-
-
-
Issue #10
-
- The machine
Monkey-Conficker with the following IP address
192.168.0.10 was vulnerable to a
Conficker attack.
-
- The attack succeeded because the target machine uses an outdated and unpatched operating system vulnerable to Conficker.
-
- In order to protect the machine, the following steps should be performed:
-
- - Install the latest Windows updates or upgrade to a newer operating system.
-
-
-
-
-
Issue #11
-
- The network can probably be segmented. A monkey instance on
Monkey-SMB in the
192.168.0.0/24 network could directly access the Monkey Island C&C server in the
172.168.0.0/24 network.
-
- In order to protect the network, the following steps should be performed:
-
- - Segment your network. Make sure machines can't access machines from other segments.
-
-
-
-
-
Issue #12
-
- The network can probably be segmented. A monkey instance on
Monkey-SSH in the
192.168.0.0/24 network could directly access the Monkey Island C&C server in the
172.168.0.0/24 network.
-
- In order to protect the network, the following steps should be performed:
-
- - Segment your network. Make sure machines can't access machines from other segments.
-
-
-
-
-
Issue #13
-
- Machines are not locked down at port level. Network tunnel was set up from
Monkey-SSH to
Monkey-SambaCry.
-
- In order to protect the machine, the following steps should be performed:
-
- - Use micro-segmentation policies to disable communication other than the required.
-
-
-
-
);
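Review bot: `this.state.report.recommendations.issues.map(this.generateIssue)` renders an array of sibling elements, and React requires a `key` on each one; the element markup has been stripped in this view, so if the wrapper that `generateIssue` returns does not already set `key={index}`, it should (the `index` argument is already threaded through for the "Issue #" numbering, and the list is rebuilt from scratch per report so an index key is adequate). The enclosing `render` starts outside this hunk.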
diff --git a/monkey_island/cc/ui/src/components/report-components/ScannedBreachedChart.js b/monkey_island/cc/ui/src/components/report-components/ScannedBreachedChart.js
index 4e7570e9f..413a19058 100644
--- a/monkey_island/cc/ui/src/components/report-components/ScannedBreachedChart.js
+++ b/monkey_island/cc/ui/src/components/report-components/ScannedBreachedChart.js
@@ -18,8 +18,8 @@ class ScannedBreachedChartComponent extends React.Component {
render() {
const data = [
- {label: 'Scanned', value: 4, color: '#f0ad4e'},
- {label: 'Exploited', value: 2, color: '#d9534f'}
+ {label: 'Scanned', value: this.props.scanned - this.props.exploited, color: '#f0ad4e'},
+ {label: 'Exploited', value: this.props.exploited, color: '#d9534f'}
];
return (