forked from p15670423/monkey
parent
d831769d1f
commit
bafa0e42a0
|
@ -185,7 +185,7 @@ class Configuration(object):
|
|||
local_network_scan = True
|
||||
|
||||
subnet_scan_list = ['', ]
|
||||
inaccessible_subnet_groups = []
|
||||
inaccessible_subnets = []
|
||||
|
||||
blocked_ips = ['', ]
|
||||
|
||||
|
|
|
@ -41,18 +41,18 @@ class NetworkScanner(object):
|
|||
|
||||
def _get_inaccessible_subnets_ips(self):
|
||||
"""
|
||||
For each of the machine's IPs, checks if it's in one of the subnet groups specified in the
|
||||
'inaccessible_subnet_groups' config value. If so, all other subnets in the same group shouldn't be accessible.
|
||||
For each of the machine's IPs, checks if it's in one of the subnets specified in the
|
||||
'inaccessible_subnets' config value. If so, all other subnets in the config value shouldn't be accessible.
|
||||
All these subnets are returned.
|
||||
:return: A list of subnets that shouldn't be accessible from the machine the monkey is running on.
|
||||
"""
|
||||
subnets_to_scan = []
|
||||
for subnet_group in WormConfiguration.inaccessible_subnet_groups:
|
||||
for subnet_str in subnet_group:
|
||||
if len(WormConfiguration.inaccessible_subnets) > 1:
|
||||
for subnet_str in WormConfiguration.inaccessible_subnets:
|
||||
if NetworkScanner._is_any_ip_in_subnet([unicode(x) for x in self._ip_addresses], subnet_str):
|
||||
# If machine has IPs from 2 different subnets in the same group, there's no point checking the other
|
||||
# subnet.
|
||||
for other_subnet_str in subnet_group:
|
||||
for other_subnet_str in WormConfiguration.inaccessible_subnets:
|
||||
if other_subnet_str == subnet_str:
|
||||
continue
|
||||
if not NetworkScanner._is_any_ip_in_subnet([unicode(x) for x in self._ip_addresses],
|
||||
|
|
|
@ -222,33 +222,24 @@ SCHEMA = {
|
|||
"title": "Network Analysis",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"inaccessible_subnet_groups": {
|
||||
"title": "Inaccessible IP/subnet groups",
|
||||
"inaccessible_subnets": {
|
||||
"title": "Network segmentation testing",
|
||||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"type": "array",
|
||||
"title": "Subnet group",
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"minItems": 2,
|
||||
"uniqueItems": True,
|
||||
"description": "List of IPs/subnets."
|
||||
" Examples: \"192.168.0.1\", \"192.168.0.5-192.168.0.20\","
|
||||
" \"192.168.0.5/24\""
|
||||
},
|
||||
"default": [
|
||||
],
|
||||
"description":
|
||||
"You can use this feature to test for network segmentation, by proving lists of"
|
||||
" IP/subnet groups that should not be accessible to each other. Each input group"
|
||||
" consists of subnets that should not be accessible to each other. If the Monkey"
|
||||
" is inside of one of the subnets it will attempt to connect to machines in the"
|
||||
" other subnet."
|
||||
" Example, by providing input 192.168.1.0/24, 192.168.2.0/24, 192.168.3.1-192.168.3.10,"
|
||||
" a Monkey with the IP address 192.168.2.5 will try to access machines inside"
|
||||
" 192.168.1.0/24 or 192.168.3.1-192.168.3.10."
|
||||
"Test for network segmentation by providing a list of"
|
||||
" subnets that should NOT be accessible to each other."
|
||||
" For example, given the following configuration:"
|
||||
" '10.0.0.0/24, 11.0.0.2/32, 12.2.3.0/24'"
|
||||
" a Monkey running on 10.0.0.5 will try to access machines in the following"
|
||||
" subnets: 11.0.0.2/32, 12.2.3.0/24."
|
||||
" An alert on successful connections will be shown in the report"
|
||||
" Additional subnet formats include: 13.0.0.1, 13.0.0.1-13.0.0.5"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -442,7 +442,7 @@ class ReportService:
|
|||
cross_segment_issues = []
|
||||
|
||||
subnet_groups = ConfigService.get_config_value(
|
||||
['basic_network', 'network_analysis', 'inaccessible_subnet_groups'])
|
||||
['basic_network', 'network_analysis', 'inaccessible_subnets'])
|
||||
|
||||
for subnet_group in subnet_groups:
|
||||
cross_segment_issues += ReportService.get_cross_segment_issues_per_subnet_group(scans, subnet_group)
|
||||
|
|
Loading…
Reference in New Issue