From df77ca4f96f84a00f3c2e9eaec7b905667674d3f Mon Sep 17 00:00:00 2001
From: vakarisz
Date: Mon, 20 Jun 2022 15:52:50 +0300
Subject: [PATCH] Agent: Change the logic of depth to represent current depth

Based on the previous logic the depth parameter represented hops remaining, not current depth.
---
 monkey/infection_monkey/config.py | 2 +-
 monkey/infection_monkey/exploit/hadoop.py | 2 +-
 monkey/infection_monkey/exploit/log4shell.py | 2 +-
 monkey/infection_monkey/exploit/mssqlexec.py | 2 +-
 monkey/infection_monkey/exploit/powershell.py | 2 +-
 monkey/infection_monkey/exploit/smbexec.py | 4 ++--
 monkey/infection_monkey/exploit/sshexec.py | 2 +-
 monkey/infection_monkey/exploit/web_rce.py | 4 ++--
 monkey/infection_monkey/exploit/wmiexec.py | 4 ++--
 monkey/infection_monkey/master/automated_master.py | 4 ++--
 monkey/infection_monkey/monkey.py | 10 ++--------
 monkey/infection_monkey/utils/commands.py | 2 --
 .../unit_tests/infection_monkey/utils/test_commands.py | 10 ----------
 13 files changed, 16 insertions(+), 34 deletions(-)
diff --git a/monkey/infection_monkey/config.py b/monkey/infection_monkey/config.py
index 8e783dbf5..fe6106aed 100644
--- a/monkey/infection_monkey/config.py
+++ b/monkey/infection_monkey/config.py
@@ -60,7 +60,7 @@ class Configuration(object):
 ###########################
 # depth of propagation
- depth = 2
+ depth = 0
 max_depth = None
 keep_tunnel_open_time = 30
diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py
index 15e801452..8bafa6969 100644
--- a/monkey/infection_monkey/exploit/hadoop.py
+++ b/monkey/infection_monkey/exploit/hadoop.py
@@ -104,7 +104,7 @@ class HadoopExploiter(WebRCE):
 def _build_command(self, path, http_path):
 # Build command to execute
- monkey_cmd = build_monkey_commandline(self.host, self.current_depth - 1)
+ monkey_cmd = build_monkey_commandline(self.host, self.current_depth + 1)
 if "linux" in self.host.os["type"]:
 base_command = HADOOP_LINUX_COMMAND
 else:
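Review bot: In monkey/infection_monkey/config.py the comment `# depth of propagation` above `depth = 0` no longer says which depth is meant, now that this patch separates the agent's current depth from the configured limit. I would reword it to `# current propagation depth of this agent; 0 is the first agent`, so the new default is not read as "propagation disabled". Whether the neighbouring `max_depth = None` is meant to carry the limit is not visible in this hunk and deserves a word in the same comment.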
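Review bot: `self.current_depth + 1` is written out at every launch site, here in hadoop.py and again in log4shell.py, mssqlexec.py, powershell.py, smbexec.py, sshexec.py, web_rce.py and wmiexec.py (eleven times in total), so the rule that keeps propagation bounded is spread over eight files. A call site added later that passes `self.current_depth` unchanged would start child agents at the parent's depth, and the limit would never be reached along that path. Computing the child's depth in one place removes that risk, for example a single `child_depth = self.current_depth + 1` in the shared exploiter base class, or the increment done inside `build_monkey_commandline`. `_build_command` continues past the end of this hunk.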
diff --git a/monkey/infection_monkey/exploit/log4shell.py b/monkey/infection_monkey/exploit/log4shell.py
index 198635976..077c7c865 100644
--- a/monkey/infection_monkey/exploit/log4shell.py
+++ b/monkey/infection_monkey/exploit/log4shell.py
@@ -114,7 +114,7 @@ class Log4ShellExploiter(WebRCE):
 def _build_command(self, path: PurePath, http_path) -> str:
 # Build command to execute
- monkey_cmd = build_monkey_commandline(self.host, self.current_depth - 1, location=path)
+ monkey_cmd = build_monkey_commandline(self.host, self.current_depth + 1, location=path)
 if "linux" in self.host.os["type"]:
 base_command = LOG4SHELL_LINUX_COMMAND
 else:
diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py
index 75c369ecf..8e90365fb 100644
--- a/monkey/infection_monkey/exploit/mssqlexec.py
+++ b/monkey/infection_monkey/exploit/mssqlexec.py
@@ -178,7 +178,7 @@ class MSSQLExploiter(HostExploiter):
 def _build_agent_launch_command(self, agent_path_on_victim: PureWindowsPath) -> str:
 agent_args = build_monkey_commandline(
- self.host, self.current_depth - 1, agent_path_on_victim
+ self.host, self.current_depth + 1, agent_path_on_victim
 )
 return f"{agent_path_on_victim} {DROPPER_ARG} {agent_args}"
diff --git a/monkey/infection_monkey/exploit/powershell.py b/monkey/infection_monkey/exploit/powershell.py
index 7b33df9ed..6ef72963e 100644
--- a/monkey/infection_monkey/exploit/powershell.py
+++ b/monkey/infection_monkey/exploit/powershell.py
@@ -168,7 +168,7 @@ class PowerShellExploiter(HostExploiter):
 def _run_monkey_executable_on_victim(self, executable_path):
 monkey_execution_command = build_monkey_execution_command(
- self.host, self.current_depth - 1, executable_path
+ self.host, self.current_depth + 1, executable_path
 )
 logger.info(
diff --git a/monkey/infection_monkey/exploit/smbexec.py b/monkey/infection_monkey/exploit/smbexec.py
index 03b6bfb3e..84d477e98 100644
--- a/monkey/infection_monkey/exploit/smbexec.py
+++ b/monkey/infection_monkey/exploit/smbexec.py
@@ -91,13 +91,13 @@ class SMBExploiter(HostExploiter):
 "dropper_path": remote_full_path
 } + build_monkey_commandline(
 self.host,
- self.current_depth - 1,
+ self.current_depth + 1,
 str(dest_path),
 )
 else:
 cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {
 "monkey_path": remote_full_path
- } + build_monkey_commandline(self.host, self.current_depth - 1)
+ } + build_monkey_commandline(self.host, self.current_depth + 1)
 smb_conn = None
 for str_bind_format, port in SMBExploiter.KNOWN_PROTOCOLS.values():
diff --git a/monkey/infection_monkey/exploit/sshexec.py b/monkey/infection_monkey/exploit/sshexec.py
index f76147fd1..a29cd8470 100644
--- a/monkey/infection_monkey/exploit/sshexec.py
+++ b/monkey/infection_monkey/exploit/sshexec.py
@@ -242,7 +242,7 @@ class SSHExploiter(HostExploiter):
 try:
 cmdline = f"{monkey_path_on_victim} {MONKEY_ARG}"
- cmdline += build_monkey_commandline(self.host, self.current_depth - 1)
+ cmdline += build_monkey_commandline(self.host, self.current_depth + 1)
 cmdline += " > /dev/null 2>&1 &"
 ssh.exec_command(cmdline, timeout=SSH_EXEC_TIMEOUT)
diff --git a/monkey/infection_monkey/exploit/web_rce.py b/monkey/infection_monkey/exploit/web_rce.py
index 957ed361d..99438a0a7 100644
--- a/monkey/infection_monkey/exploit/web_rce.py
+++ b/monkey/infection_monkey/exploit/web_rce.py
@@ -369,14 +369,14 @@ class WebRCE(HostExploiter):
 default_path = self.get_default_dropper_path()
 if default_path is False:
 return False
- monkey_cmd = build_monkey_commandline(self.host, self.current_depth - 1, default_path)
+ monkey_cmd = build_monkey_commandline(self.host, self.current_depth + 1, default_path)
 command = RUN_MONKEY % {
 "monkey_path": path,
 "monkey_type": DROPPER_ARG,
 "parameters": monkey_cmd,
 }
 else:
- monkey_cmd = build_monkey_commandline(self.host, self.current_depth - 1)
+ monkey_cmd = build_monkey_commandline(self.host, self.current_depth + 1)
 command = RUN_MONKEY % {
 "monkey_path": path,
 "monkey_type": MONKEY_ARG,
diff --git a/monkey/infection_monkey/exploit/wmiexec.py b/monkey/infection_monkey/exploit/wmiexec.py
index b8d577365..29605fb8d 100644
--- a/monkey/infection_monkey/exploit/wmiexec.py
+++ b/monkey/infection_monkey/exploit/wmiexec.py
@@ -96,13 +96,13 @@ class WmiExploiter(HostExploiter):
 "dropper_path": remote_full_path
 } + build_monkey_commandline(
 self.host,
- self.current_depth - 1,
+ self.current_depth + 1,
 DROPPER_TARGET_PATH_WIN64,
 )
 else:
 cmdline = MONKEY_CMDLINE_WINDOWS % {
 "monkey_path": remote_full_path
- } + build_monkey_commandline(self.host, self.current_depth - 1)
+ } + build_monkey_commandline(self.host, self.current_depth + 1)
 # execute the remote monkey
 result = WmiTools.get_object(wmi_connection, "Win32_Process").Create(
diff --git a/monkey/infection_monkey/master/automated_master.py b/monkey/infection_monkey/master/automated_master.py
index 26de7227e..51f675d11 100644
--- a/monkey/infection_monkey/master/automated_master.py
+++ b/monkey/infection_monkey/master/automated_master.py
@@ -169,10 +169,10 @@ class AutomatedMaster(IMaster):
 # still running.
 credential_collector_thread.join()
- current_depth = self._current_depth if self._current_depth is not None else config["depth"]
+ current_depth = self._current_depth if self._current_depth is not None else 0
 logger.info(f"Current depth is {current_depth}")
- if self._can_propagate() and current_depth > 0:
+ if self._can_propagate() and current_depth < config["depth"]:
 self._propagator.propagate(config["propagation"], current_depth, self._stop)
 payload_thread = create_daemon_thread(
diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py
index d7a051193..4eeec8b76 100644
--- a/monkey/infection_monkey/monkey.py
+++ b/monkey/infection_monkey/monkey.py
@@ -166,7 +166,7 @@ class InfectionMonkey:
 firewall.add_firewall_rule()
 self._monkey_inbound_tunnel = self._control_client.create_control_tunnel()
- if self._monkey_inbound_tunnel and self._propagation_enabled():
+ if self._monkey_inbound_tunnel:
 self._monkey_inbound_tunnel.start()
 StateTelem(is_done=False, version=get_version()).send()
@@ -353,7 +353,7 @@ class InfectionMonkey:
 reset_signal_handlers()
- if self._monkey_inbound_tunnel and self._propagation_enabled():
+ if self._monkey_inbound_tunnel:
 self._monkey_inbound_tunnel.stop()
 self._monkey_inbound_tunnel.join()
@@ -378,12 +378,6 @@ class InfectionMonkey:
 logger.info("Monkey is shutting down")
- def _propagation_enabled(self) -> bool:
- # If self._current_depth is None, assume that propagation is desired.
- # The Master will ignore this value if it is None and pull the actual
- # maximum depth from the server
- return self._current_depth is None or self._current_depth > 0
-
 def _close_tunnel(self):
 tunnel_address = (
 self._control_client.proxies.get("https", "").replace("http://", "").split(":")[0]
diff --git a/monkey/infection_monkey/utils/commands.py b/monkey/infection_monkey/utils/commands.py
index ddd07dc8d..b66a622e9 100644
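Review bot: In automated_master.py the new guard `current_depth < config["depth"]` is the only check that stops propagation, and neither operand is validated in the visible lines. The same patch removes the `int(depth) < 0` clamp in utils/commands.py, so a negative `-d` value is now forwarded as given; if it reaches `self._current_depth` (the argument parsing is outside this diff) it would allow more hops than configured, and a `config["depth"]` of `None` would raise `TypeError` on this line. I would bind the limit to a clear name and bound both sides: `max_depth = config["depth"]` followed by `if self._can_propagate() and 0 <= current_depth < max_depth:`. The enclosing method starts and ends outside the hunk.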
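Review bot: In monkey.py the inbound tunnel is now started whenever `create_control_tunnel()` returns one (hunk at -166, with the matching stop/join change at -353), so an agent already at the maximum depth also runs it, right after `firewall.add_firewall_rule()`. The removed `_propagation_enabled()` guard kept agents that would not propagate from starting the tunnel; if the tunnel listens for child agents, those hosts now hold a listener they never need for the rest of the run. If the limit cannot be known at this point, a comment such as `# started regardless of depth: the limit is only known once the master has fetched the config` would record why the guard was dropped; otherwise a depth check belongs back in both conditions.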
--- a/monkey/infection_monkey/utils/commands.py
+++ b/monkey/infection_monkey/utils/commands.py
@@ -40,8 +40,6 @@ def build_monkey_commandline_explicitly(
 cmdline.append("-s")
 cmdline.append(str(server))
 if depth is not None:
- if int(depth) < 0:
- depth = 0
 cmdline.append("-d")
 cmdline.append(str(depth))
 if location is not None:
diff --git a/monkey/tests/unit_tests/infection_monkey/utils/test_commands.py b/monkey/tests/unit_tests/infection_monkey/utils/test_commands.py
index db9ddbbe7..bbd27274e 100644
--- a/monkey/tests/unit_tests/infection_monkey/utils/test_commands.py
+++ b/monkey/tests/unit_tests/infection_monkey/utils/test_commands.py
@@ -28,16 +28,6 @@ def test_build_monkey_commandline_explicitly_arguments():
 assert expected == actual
-def test_build_monkey_commandline_explicitly_depth_condition_less():
- expected = [
- "-d",
- "0",
- ]
- actual = build_monkey_commandline_explicitly(depth=-50)
-
- assert expected == actual
-
-
 def test_build_monkey_commandline_explicitly_depth_condition_greater():
 expected = [
 "-d",