From 8ff817eed21d42e2f80f54a5229af8760e97c427 Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Fri, 23 Sep 2022 15:41:57 +0000 Subject: [PATCH] Island: Rename local_network_scan local_network_scan -> scan_local_interfaces --- .../agent_sub_configurations.py | 5 +- .../default_agent_configuration.py | 2 +- monkey/infection_monkey/master/propagator.py | 4 +- .../network_scanning/scan_target_generator.py | 4 +- .../cc/services/reporting/report.py | 2 +- .../configuration/propagation/propagation.js | 12 ++-- .../configuration/propagation/scanTarget.js | 57 ++++++++++--------- .../common/example_agent_configuration.py | 4 +- .../test_agent_configuration.py | 6 +- .../master/test_propagator.py | 6 +- .../test_scan_target_generator.py | 40 ++++++------- 11 files changed, 74 insertions(+), 68 deletions(-) diff --git a/monkey/common/agent_configuration/agent_sub_configurations.py b/monkey/common/agent_configuration/agent_sub_configurations.py index 8c4592d92..a2c74ef90 100644 --- a/monkey/common/agent_configuration/agent_sub_configurations.py +++ b/monkey/common/agent_configuration/agent_sub_configurations.py @@ -79,7 +79,8 @@ class ScanTargetConfiguration(MutableInfectionMonkeyBaseModel): Example: ("1.1.1.1", "2.2.2.2") :param inaccessible_subnets: Subnet ranges that shouldn't be accessible for the agent Example: ("1.1.1.1", "2.2.2.2/24", "myserver") - :param local_network_scan: Whether or not the agent should scan the local network + :param scan_local_interfaces: Whether or not the agent should scan the machine's + network interfaces in addition to the provided subnet ranges :param subnets: Subnet ranges to scan Example: ("192.168.1.1-192.168.2.255", "3.3.3.3", "2.2.2.2/24", "myHostname") @@ -87,7 +88,7 @@ class ScanTargetConfiguration(MutableInfectionMonkeyBaseModel): blocked_ips: Tuple[str, ...] inaccessible_subnets: Tuple[str, ...] - local_network_scan: bool + scan_local_interfaces: bool subnets: Tuple[str, ...] @validator("blocked_ips", each_item=True) 
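Review bot: The renamed field in the second hunk of agent_sub_configurations.py, `scan_local_interfaces: bool`, is declared with no default and no handling of the old key, so a configuration serialized before this commit (carrying `local_network_scan`) would presumably fail validation when loaded into `ScanTargetConfiguration`. report.py in this same commit reads the value from `_agent_configuration_repository.get_configuration()`, which suggests configurations are stored. Nothing in the patch migrates or resets stored data. Either add a migration or reset step for saved configurations, or state in the commit message that existing configurations must be recreated. The class body continues outside the hunk, so a compatibility shim may exist elsewhere.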
diff --git a/monkey/common/agent_configuration/default_agent_configuration.py b/monkey/common/agent_configuration/default_agent_configuration.py index ec50eb422..3f22f9f83 100644 --- a/monkey/common/agent_configuration/default_agent_configuration.py +++ b/monkey/common/agent_configuration/default_agent_configuration.py @@ -78,7 +78,7 @@ FINGERPRINTERS = ( ) SCAN_TARGET_CONFIGURATION = ScanTargetConfiguration( - blocked_ips=tuple(), inaccessible_subnets=tuple(), local_network_scan=True, subnets=tuple() + blocked_ips=tuple(), inaccessible_subnets=tuple(), scan_local_interfaces=True, subnets=tuple() ) NETWORK_SCAN_CONFIGURATION = NetworkScanConfiguration( tcp=TCP_SCAN_CONFIGURATION, diff --git a/monkey/infection_monkey/master/propagator.py b/monkey/infection_monkey/master/propagator.py index 9b14bef2a..822cb6b83 100644 --- a/monkey/infection_monkey/master/propagator.py +++ b/monkey/infection_monkey/master/propagator.py @@ -121,14 +121,14 @@ class Propagator: ranges_to_scan = target_config.subnets inaccessible_subnets = target_config.inaccessible_subnets blocklisted_ips = target_config.blocked_ips - enable_local_network_scan = target_config.local_network_scan + scan_local_interfaces = target_config.scan_local_interfaces return compile_scan_target_list( self._local_network_interfaces, ranges_to_scan, inaccessible_subnets, blocklisted_ips, - enable_local_network_scan, + scan_local_interfaces, ) def _process_scan_results(self, address: NetworkAddress, scan_results: IPScanResults): diff --git a/monkey/infection_monkey/network_scanning/scan_target_generator.py b/monkey/infection_monkey/network_scanning/scan_target_generator.py index 6f66be507..169075bb8 100644 --- a/monkey/infection_monkey/network_scanning/scan_target_generator.py +++ b/monkey/infection_monkey/network_scanning/scan_target_generator.py 
@@ -18,11 +18,11 @@ def compile_scan_target_list( ranges_to_scan: Sequence[str], inaccessible_subnets: Sequence[str], blocklisted_ips: Sequence[str], - enable_local_network_scan: bool, + scan_local_interfaces: bool, ) -> List[NetworkAddress]: scan_targets = _get_ips_from_subnets_to_scan(ranges_to_scan) - if enable_local_network_scan: + if scan_local_interfaces: scan_targets.extend(_get_ips_to_scan_from_local_interface(local_network_interfaces)) if inaccessible_subnets: diff --git a/monkey/monkey_island/cc/services/reporting/report.py b/monkey/monkey_island/cc/services/reporting/report.py index 656b55da2..cf7988cf3 100644 --- a/monkey/monkey_island/cc/services/reporting/report.py +++ b/monkey/monkey_island/cc/services/reporting/report.py @@ -398,7 +398,7 @@ class ReportService: @classmethod def get_config_scan(cls): agent_configuration = cls._agent_configuration_repository.get_configuration() - return agent_configuration.propagation.network_scan.targets.local_network_scan + return agent_configuration.propagation.network_scan.targets.scan_local_interfaces @staticmethod def get_issue_set(issues): diff --git a/monkey/monkey_island/cc/ui/src/services/configuration/propagation/propagation.js b/monkey/monkey_island/cc/ui/src/services/configuration/propagation/propagation.js index e479de369..108e0c45b 100644 --- a/monkey/monkey_island/cc/ui/src/services/configuration/propagation/propagation.js +++ b/monkey/monkey_island/cc/ui/src/services/configuration/propagation/propagation.js 
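Review bot: `compile_scan_target_list` in scan_target_generator.py has no docstring, and after the rename nothing at the call site says how far the flag reaches. When `scan_local_interfaces` is true, the hunk extends `scan_targets` with everything `_get_ips_to_scan_from_local_interface(local_network_interfaces)` returns, and no restriction to private ranges is visible here. The UI text added in this commit confirms that an interface on a public network gets scanned. I would add a docstring with a line such as `:param scan_local_interfaces: Also target hosts on the network of every local interface, including interfaces attached to public networks`. The function body continues past the end of the hunk, so later filtering by `blocklisted_ips` is not visible from here.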
@@ -14,12 +14,12 @@ const PROPAGATION_CONFIGURATION_SCHEMA = { 'minimum': 0, 'default': 2, 'description': 'Amount of hops allowed for the monkey to spread from the ' + - 'Island server. \n' + - ' \u26A0' + - ' Note that setting this value too high may result in the ' + - 'Monkey propagating too far, '+ - 'if "Local network scan" is enabled.\n' + - 'Setting this to 0 will disable all scanning and exploitation.' + 'Island server. \n' + + ' \u26A0' + + ' Note that setting this value too high may result in the ' + + 'Monkey propagating too far, ' + + 'if "Scan local interfaces" is enabled.\n' + + 'Setting this to 0 will disable all scanning and exploitation.' }, 'network_scan': NETWORK_SCAN_CONFIGURATION_SCHEMA } diff --git a/monkey/monkey_island/cc/ui/src/services/configuration/propagation/scanTarget.js b/monkey/monkey_island/cc/ui/src/services/configuration/propagation/scanTarget.js index 8d81b10e4..8045ec99f 100644 --- a/monkey/monkey_island/cc/ui/src/services/configuration/propagation/scanTarget.js +++ b/monkey/monkey_island/cc/ui/src/services/configuration/propagation/scanTarget.js @@ -3,8 +3,9 @@ const SCAN_TARGET_CONFIGURATION_SCHEMA = { 'type': 'object', 'properties': { 'info_box': { - 'info': 'The Monkey scans its subnet if "Local network scan" is checked. '+ - 'Additionally, the Monkey scans machines according to "Scan target list". ' + 'info': 'The Monkey scans for machines on each of the network interfaces of the ' + + 'machine it is running on if "Scan local interfaces" is checked. ' + + 'Additionally, the Monkey scans machines according to "Scan target list". ' }, 'blocked_ips': { 'title': 'Blocked IPs', 
@@ -27,25 +28,29 @@ const SCAN_TARGET_CONFIGURATION_SCHEMA = { }, 'default': [], 'description': 'Test for network segmentation by providing a list of network segments that should NOT be accessible to each other.\n\n ' + - 'For example, if you configured the following three segments: ' + - '"10.0.0.0/24", "11.0.0.2/32" and "12.2.3.0/24",' + - 'a Monkey running on 10.0.0.5 will try to access machines in ' + - 'the following subnets: ' + - '11.0.0.2/32, 12.2.3.0/24. An alert on successful cross-segment connections ' + - 'will be shown in the reports. \n\n' + - 'Network segments can be IPs, subnets or hosts. Examples:\n' + - '\tDefine a single-IP segment: "192.168.0.1"\n' + - '\tDefine a segment using a network range: ' + - '"192.168.0.5-192.168.0.20"\n' + - '\tDefine a segment using an subnet IP mask: "192.168.0.5/24"\n' + - '\tDefine a single-host segment: "printer.example"' + 'For example, if you configured the following three segments: ' + + '"10.0.0.0/24", "11.0.0.2/32" and "12.2.3.0/24",' + + 'a Monkey running on 10.0.0.5 will try to access machines in ' + + 'the following subnets: ' + + '11.0.0.2/32, 12.2.3.0/24. An alert on successful cross-segment connections ' + + 'will be shown in the reports. \n\n' + + 'Network segments can be IPs, subnets or hosts. 
Examples:\n' + + '\tDefine a single-IP segment: "192.168.0.1"\n' + + '\tDefine a segment using a network range: ' + + '"192.168.0.5-192.168.0.20"\n' + + '\tDefine a segment using an subnet IP mask: "192.168.0.5/24"\n' + + '\tDefine a single-host segment: "printer.example"' }, - 'local_network_scan': { - 'title': 'Local network scan', + 'scan_local_interaces': { + 'title': 'Scan local interfaces', 'type': 'boolean', - 'default': true, - 'description': 'Determines whether the Monkey will scan the local subnets of machines it runs on, ' + - 'in addition to the IPs that are configured manually in the "Scan target list"' + 'default': false, + 'description': 'Determines whether the Monkey will scan for machines on each the ' + + 'network interfaces of every machines it runs on, in addition to the IPs that ' + + 'are configured manually in the "Scan target list". ' + + 'Note: If a machine has a network interface that is connected to a public ' + + 'network, this setting will cause the Monkey to scan and attempt to exploit ' + + 'machines on the public network.' }, 'subnets': { 'title': 'Scan target list', @@ -57,13 +62,13 @@ const SCAN_TARGET_CONFIGURATION_SCHEMA = { }, 'default': [], 'description': 'List of targets the Monkey will try to scan. Targets can be ' + - 'IPs, subnets or hosts. ' + - 'Examples:\n' + - '\tTarget a specific IP: "192.168.0.1"\n' + - '\tTarget a subnet using a network range: ' + - '"192.168.0.5-192.168.0.20"\n'+ - '\tTarget a subnet using an IP mask: "192.168.0.5/24"\n' + - '\tTarget a specific host: "printer.example"' + 'IPs, subnets or hosts. ' + + 'Examples:\n' + + '\tTarget a specific IP: "192.168.0.1"\n' + + '\tTarget a subnet using a network range: ' + + '"192.168.0.5-192.168.0.20"\n' + + '\tTarget a subnet using an IP mask: "192.168.0.5/24"\n' + + '\tTarget a specific host: "printer.example"' } } 
diff --git a/monkey/tests/common/example_agent_configuration.py b/monkey/tests/common/example_agent_configuration.py index 25a1dbd5e..a54980c9f 100644 --- a/monkey/tests/common/example_agent_configuration.py +++ b/monkey/tests/common/example_agent_configuration.py @@ -15,12 +15,12 @@ CUSTOM_PBA_CONFIGURATION = { BLOCKED_IPS = ["10.0.0.1", "192.168.1.1"] INACCESSIBLE_SUBNETS = ["172.0.0.0/24", "172.2.2.0/24", "192.168.56.0/24"] -LOCAL_NETWORK_SCAN = True +SCAN_LOCAL_INTERFACES = True SUBNETS = ["10.0.0.2", "10.0.0.2/16"] SCAN_TARGET_CONFIGURATION = { "blocked_ips": BLOCKED_IPS, "inaccessible_subnets": INACCESSIBLE_SUBNETS, - "local_network_scan": LOCAL_NETWORK_SCAN, + "scan_local_interfaces": SCAN_LOCAL_INTERFACES, "subnets": SUBNETS, } diff --git a/monkey/tests/unit_tests/common/agent_configuration/test_agent_configuration.py b/monkey/tests/unit_tests/common/agent_configuration/test_agent_configuration.py index b90490906..6464b1c30 100644 --- a/monkey/tests/unit_tests/common/agent_configuration/test_agent_configuration.py +++ b/monkey/tests/unit_tests/common/agent_configuration/test_agent_configuration.py @@ -9,13 +9,13 @@ from tests.common.example_agent_configuration import ( INACCESSIBLE_SUBNETS, LINUX_COMMAND, LINUX_FILENAME, - LOCAL_NETWORK_SCAN, NETWORK_SCAN_CONFIGURATION, PLUGIN_CONFIGURATION, PLUGIN_NAME, PLUGIN_OPTIONS, PORTS, PROPAGATION_CONFIGURATION, + SCAN_LOCAL_INTERFACES, SCAN_TARGET_CONFIGURATION, SUBNETS, TCP_SCAN_CONFIGURATION, @@ -93,7 +93,7 @@ def test_scan_target_configuration(): assert config.blocked_ips == tuple(BLOCKED_IPS) assert config.inaccessible_subnets == tuple(INACCESSIBLE_SUBNETS) - assert config.local_network_scan == LOCAL_NETWORK_SCAN + assert config.scan_local_interfaces == SCAN_LOCAL_INTERFACES assert config.subnets == tuple(SUBNETS) 
@@ -174,7 +174,7 @@ def test_network_scan_configuration(): assert config.fingerprinters[0].options == FINGERPRINTERS[0]["options"] assert config.targets.blocked_ips == tuple(BLOCKED_IPS) assert config.targets.inaccessible_subnets == tuple(INACCESSIBLE_SUBNETS) - assert config.targets.local_network_scan == LOCAL_NETWORK_SCAN + assert config.targets.scan_local_interfaces == SCAN_LOCAL_INTERFACES assert config.targets.subnets == tuple(SUBNETS) diff --git a/monkey/tests/unit_tests/infection_monkey/master/test_propagator.py b/monkey/tests/unit_tests/infection_monkey/master/test_propagator.py index 8f1b51274..b07f08ac4 100644 --- a/monkey/tests/unit_tests/infection_monkey/master/test_propagator.py +++ b/monkey/tests/unit_tests/infection_monkey/master/test_propagator.py @@ -170,7 +170,7 @@ def test_scan_result_processing( targets = ScanTargetConfiguration( blocked_ips=[], inaccessible_subnets=[], - local_network_scan=False, + scan_local_interfaces=False, subnets=["10.0.0.1", "10.0.0.2", "10.0.0.3"], ) propagation_config = get_propagation_config(default_agent_configuration, targets) @@ -269,7 +269,7 @@ def test_exploiter_result_processing( targets = ScanTargetConfiguration( blocked_ips=[], inaccessible_subnets=[], - local_network_scan=False, + scan_local_interfaces=False, subnets=["10.0.0.1", "10.0.0.2", "10.0.0.3"], ) propagation_config = get_propagation_config(default_agent_configuration, targets) @@ -310,7 +310,7 @@ def test_scan_target_generation( targets = ScanTargetConfiguration( blocked_ips=["10.0.0.3"], inaccessible_subnets=["10.0.0.128/30", "10.0.0.8/29"], - local_network_scan=True, + scan_local_interfaces=True, subnets=["10.0.0.0/29", "172.10.20.30"], ) propagation_config = get_propagation_config(default_agent_configuration, targets) diff --git a/monkey/tests/unit_tests/infection_monkey/network_scanning/test_scan_target_generator.py b/monkey/tests/unit_tests/infection_monkey/network_scanning/test_scan_target_generator.py index 82179b618..8cd3dc8ff 100644 
--- a/monkey/tests/unit_tests/infection_monkey/network_scanning/test_scan_target_generator.py +++ b/monkey/tests/unit_tests/infection_monkey/network_scanning/test_scan_target_generator.py @@ -14,7 +14,7 @@ def compile_ranges_only(ranges): ranges_to_scan=ranges, inaccessible_subnets=[], blocklisted_ips=[], - enable_local_network_scan=False, + scan_local_interfaces=False, ) @@ -88,7 +88,7 @@ def test_blocklisted_ips(): ranges_to_scan=["10.0.0.0/24"], inaccessible_subnets=[], blocklisted_ips=blocklisted_ips, - enable_local_network_scan=False, + scan_local_interfaces=False, ) assert len(scan_targets) == 252 @@ -105,7 +105,7 @@ def test_only_ip_blocklisted(ranges_to_scan): ranges_to_scan=ranges_to_scan, inaccessible_subnets=[], blocklisted_ips=blocklisted_ips, - enable_local_network_scan=False, + scan_local_interfaces=False, ) assert len(scan_targets) == 0 @@ -124,7 +124,7 @@ def test_local_network_interface_ips_removed_from_targets(): ranges_to_scan=["10.0.0.0/24"], inaccessible_subnets=[], blocklisted_ips=[], - enable_local_network_scan=False, + scan_local_interfaces=False, ) assert len(scan_targets) == 252 @@ -142,7 +142,7 @@ def test_no_redundant_targets(): ranges_to_scan=["127.0.0.0", "127.0.0.1", "localhost"], inaccessible_subnets=[], blocklisted_ips=[], - enable_local_network_scan=False, + scan_local_interfaces=False, ) assert len(scan_targets) == 2 @@ -164,7 +164,7 @@ def test_only_scan_ip_is_local(ranges_to_scan): ranges_to_scan=ranges_to_scan, inaccessible_subnets=[], blocklisted_ips=[], - enable_local_network_scan=False, + scan_local_interfaces=False, ) assert len(scan_targets) == 0 @@ -184,7 +184,7 @@ def test_local_network_interface_ips_and_blocked_ips_removed_from_targets(): ranges_to_scan=["10.0.0.0/24", "192.168.1.0/24"], inaccessible_subnets=[], blocklisted_ips=blocked_ips, - enable_local_network_scan=False, + scan_local_interfaces=False, ) assert len(scan_targets) == (2 * (256 - 1)) - len(local_network_interfaces) - ( 
@@ -206,7 +206,7 @@ def test_local_subnet_added(): ranges_to_scan=[], inaccessible_subnets=[], blocklisted_ips=[], - enable_local_network_scan=True, + scan_local_interfaces=True, ) assert len(scan_targets) == 254 @@ -226,7 +226,7 @@ def test_multiple_local_subnets_added(): ranges_to_scan=[], inaccessible_subnets=[], blocklisted_ips=[], - enable_local_network_scan=True, + scan_local_interfaces=True, ) assert len(scan_targets) == 2 * (255 - 1) @@ -250,7 +250,7 @@ def test_blocklisted_ips_missing_from_local_subnets(): ranges_to_scan=[], inaccessible_subnets=[], blocklisted_ips=blocklisted_ips, - enable_local_network_scan=True, + scan_local_interfaces=True, ) assert len(scan_targets) == 2 * (255 - 1) - len(blocklisted_ips) @@ -267,7 +267,7 @@ def test_local_subnets_and_ranges_added(): ranges_to_scan=["172.33.66.40/30"], inaccessible_subnets=[], blocklisted_ips=[], - enable_local_network_scan=True, + scan_local_interfaces=True, ) assert len(scan_targets) == 254 + 3 @@ -289,7 +289,7 @@ def test_local_network_interfaces_specified_but_disabled(): ranges_to_scan=["172.33.66.40/30"], inaccessible_subnets=[], blocklisted_ips=[], - enable_local_network_scan=False, + scan_local_interfaces=False, ) assert len(scan_targets) == 3 @@ -309,7 +309,7 @@ def test_local_network_interfaces_subnet_masks(): ranges_to_scan=[], inaccessible_subnets=[], blocklisted_ips=[], - enable_local_network_scan=True, + scan_local_interfaces=True, ) assert len(scan_targets) == 4 @@ -328,7 +328,7 @@ def test_segmentation_targets(): ranges_to_scan=[], inaccessible_subnets=inaccessible_subnets, blocklisted_ips=[], - enable_local_network_scan=False, + scan_local_interfaces=False, ) assert len(scan_targets) == 3 @@ -351,7 +351,7 @@ def test_segmentation_clash_with_blocked(): ranges_to_scan=[], inaccessible_subnets=inaccessible_subnets, blocklisted_ips=blocked, - enable_local_network_scan=False, + scan_local_interfaces=False, ) assert len(scan_targets) == 0 
@@ -371,7 +371,7 @@ def test_segmentation_clash_with_targets(): ranges_to_scan=targets, inaccessible_subnets=inaccessible_subnets, blocklisted_ips=[], - enable_local_network_scan=False, + scan_local_interfaces=False, ) assert len(scan_targets) == 3 @@ -394,7 +394,7 @@ def test_segmentation_one_network(): ranges_to_scan=targets, inaccessible_subnets=inaccessible_subnets, blocklisted_ips=[], - enable_local_network_scan=False, + scan_local_interfaces=False, ) assert len(scan_targets) == 3 @@ -413,7 +413,7 @@ def test_segmentation_inaccessible_networks(): ranges_to_scan=[], inaccessible_subnets=inaccessible_subnets, blocklisted_ips=[], - enable_local_network_scan=False, + scan_local_interfaces=False, ) assert len(scan_targets) == 0 @@ -437,7 +437,7 @@ def test_invalid_inputs(): ranges_to_scan=targets, inaccessible_subnets=inaccessible_subnets, blocklisted_ips=[], - enable_local_network_scan=False, + scan_local_interfaces=False, ) assert len(scan_targets) == 3 @@ -461,7 +461,7 @@ def test_invalid_blocklisted_ip(): ranges_to_scan=targets, inaccessible_subnets=inaccessible_subnets, blocklisted_ips=blocklisted, - enable_local_network_scan=False, + scan_local_interfaces=False, )