Add run info under the overview section, including patient-zero machines, notable config values, and config recommendations.

Itay Mizeretz 2017-12-05 16:29:18 +02:00
parent 013e29b76b
commit f14dc8e2fb
2 changed files with 238 additions and 109 deletions


@ -1,6 +1,7 @@
import ipaddress import ipaddress
from cc.database import mongo from cc.database import mongo
from cc.services.config import ConfigService
from cc.services.edge import EdgeService from cc.services.edge import EdgeService
from cc.services.node import NodeService from cc.services.node import NodeService
from cc.utils import local_ip_addresses, get_subnets from cc.utils import local_ip_addresses, get_subnets
@ -260,12 +261,57 @@ class ReportService:
issues_dict[machine].append(issue) issues_dict[machine].append(issue)
return issues_dict return issues_dict
@staticmethod
def get_manual_monkeys():
return [monkey['hostname'] for monkey in mongo.db.monkey.find({}, {'hostname': 1, 'parent': 1, 'guid': 1}) if
NodeService.get_monkey_manual_run(monkey)]
@staticmethod
def get_config_users():
return ConfigService.get_config_value(['basic', 'credentials', 'exploit_user_list'])
@staticmethod
def get_config_passwords():
return ConfigService.get_config_value(['basic', 'credentials', 'exploit_password_list'])
@staticmethod
def get_config_exploits():
exploit_display_dict = \
{
'SmbExploiter': 'SMB Exploiter',
'WmiExploiter': 'WMI Exploiter',
'SSHExploiter': 'SSH Exploiter',
'RdpExploiter': 'RDP Exploiter',
'SambaCryExploiter': 'SambaCry Exploiter',
'ElasticGroovyExploiter': 'Elastic Groovy Exploiter',
'Ms08_067_Exploiter': 'Conficker Exploiter',
'ShellShockExploiter': 'ShellShock Exploiter',
}
return [exploit_display_dict[exploit] for exploit in
ConfigService.get_config_value(['exploits', 'general', 'exploiter_classes'])]
@staticmethod
def get_config_ips():
if ConfigService.get_config_value(['basic_network', 'network_range', 'range_class']) != 'FixedRange':
return []
return ConfigService.get_config_value(['basic_network', 'network_range', 'range_fixed'])
@staticmethod
def get_config_scan():
return ConfigService.get_config_value(['basic_network', 'general', 'local_network_scan'])
@staticmethod @staticmethod
def get_report(): def get_report():
return \ return \
{ {
'overview': 'overview':
{ {
'manual_monkeys': ReportService.get_manual_monkeys(),
'config_users': ReportService.get_config_users(),
'config_passwords': ReportService.get_config_passwords(),
'config_exploits': ReportService.get_config_exploits(),
'config_ips': ReportService.get_config_ips(),
'config_scan': ReportService.get_config_scan(),
'monkey_start_time': ReportService.get_first_monkey_time().strftime("%d/%m/%Y %H:%M:%S"), 'monkey_start_time': ReportService.get_first_monkey_time().strftime("%d/%m/%Y %H:%M:%S"),
'monkey_duration': ReportService.get_monkey_duration(), 'monkey_duration': ReportService.get_monkey_duration(),
'issues': [False, True, True, True, False, True], 'issues': [False, True, True, True, False, True],
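Review bot: `get_config_passwords` hands the configured exploit passwords to the report endpoint in the clear, and the only masking this commit does is client-side in ReportPageComponent (`x.substr(0, 3) + '******'`), so the full credential list travels in the report JSON and the first three characters of every password end up in the printed report. Mask on the server instead, e.g. `return ['******' for _ in ConfigService.get_config_value(['basic', 'credentials', 'exploit_password_list'])]` (or return only the count), since a three-character prefix gives away most of a short password. Separately, `get_config_exploits` indexes `exploit_display_dict[exploit]` and will raise KeyError, taking the whole report down, for any exploiter class missing from the hard-coded table; `exploit_display_dict.get(exploit, exploit)` lets an unknown class fall back to its own name. The enclosing class `ReportService` starts before this hunk and `get_report` continues past its end.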


@ -337,127 +337,210 @@ class ReportPageComponent extends React.Component {
} else { } else {
let exploitPercentage = let exploitPercentage =
(100 * this.state.report.glance.exploited.length) / this.state.report.glance.scanned.length; (100 * this.state.report.glance.exploited.length) / this.state.report.glance.scanned.length;
content = content =
( (
<div className="report-page"> <div>
<div id="overview"> <div className="text-center no-print" style={{marginBottom: '20px'}}>
<div className="text-center no-print"> <Button bsSize="large" onClick={() => {
<Button bsSize="large" onClick={() => {print();}}><i className="glyphicon glyphicon-print"/> Print Report</Button> print();
</div> }}><i className="glyphicon glyphicon-print"/> Print Report</Button>
<h1>
Overview
</h1>
<p>
The first monkey run was started on <span
className="label label-info">{this.state.report.overview.monkey_start_time}</span>. After <span
className="label label-info">{this.state.report.overview.monkey_duration}</span>, all monkeys finished
propagation attempts.
</p>
<p>
A full report of the Monkeys activities follows.
</p>
</div> </div>
<div id="findings"> <div className="report-page">
<h1> <div id="overview">
Security Findings <h1>
</h1> Overview
<div> </h1>
<h3> {
Immediate Threats this.state.report.glance.exploited.length > 0 ?
</h3> (<p className="alert alert-danger">
During this simulated attack the Monkey uncovered <span <i className="glyphicon glyphicon-exclamation-sign" style={{'marginRight': '5px'}}/>
className="label label-warning">{this.state.report.overview.issues.filter(function (x) { Critical security issues found by Infection Monkey!
return x === true; </p>) :
}).length} issues</span>, detailed below. The security issues uncovered include: (<p className="alert alert-success">
<ul> <i className="glyphicon glyphicon-ok-sign" style={{'marginRight': '5px'}}/>
{this.state.report.overview.issues[this.Issue.WEAK_PASSWORD] ? Infection Monkey did not find any critical security issues.
<li>Users with weak passwords.</li> : null} </p>)
{this.state.report.overview.issues[this.Issue.STOLEN_CREDS] ? }
<li>Stolen passwords/hashes were used to exploit other machines.</li> : null} <p className="alert alert-info">
{this.state.report.overview.issues[this.Issue.ELASTIC] ? <i className="glyphicon glyphicon-ok-sign" style={{'marginRight': '5px'}}/>
<li>Elastic Search servers not patched for <a To improve the monkey's success rate, try adding users and passwords, and enabling the "Local
href="https://www.cvedetails.com/cve/cve-2015-1427">CVE-2015-1427</a>. network scan" config value under "Basic - Network"
</li> : null}
{this.state.report.overview.issues[this.Issue.SAMBACRY] ?
<li>Samba servers not patched for SambaCry (<a
href="https://www.samba.org/samba/security/CVE-2017-7494.html"
>CVE-2017-7494</a>).</li> : null}
{this.state.report.overview.issues[this.Issue.SHELLSHOCK] ?
<li>Machines not patched for the Shellshock (<a
href="https://www.cvedetails.com/cve/CVE-2014-6271">CVE-2014-6271</a>).
</li> : null}
{this.state.report.overview.issues[this.Issue.CONFICKER] ?
<li>Machines not patched for the Conficker (<a
href="https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067"
>MS08-067</a>).</li> : null}
</ul>
</div>
<div>
<h3>
Security Issues
</h3>
The monkey uncovered the following possible set of issues:
<ul>
{this.state.report.overview.warnings[this.Warning.CROSS_SEGMENT] ?
<li>Possible cross segment traffic. Infected machines could communicate with the
Monkey Island despite crossing segment boundaries using unused ports.</li> : null}
{this.state.report.overview.warnings[this.Warning.TUNNEL] ?
<li>Lack of Micro-segmentation, machines successfully tunneled monkey activity
using unused ports.</li> : null}
</ul>
</div>
</div>
<div id="recommendations">
<h1>
Recommendations
</h1>
<div>
{this.generateIssues(this.state.report.recommendations.issues)}
</div>
</div>
<div id="glance">
<h1>
The Network from the Monkey's Eyes
</h1>
<div>
<p>
The Monkey discovered <span
className="label label-warning">{this.state.report.glance.scanned.length}</span> machines and
successfully breached <span
className="label label-danger">{this.state.report.glance.exploited.length}</span> of them.
<br/>
In addition, while attempting to exploit additional hosts , security software installed in the
network should have picked up the attack attempts and logged them.
<br/>
Detailed recommendations in the <a href="#recommendations">next part of the report</a>.
</p> </p>
<div className="text-center" style={{margin: '10px'}}> <p>
<Line style={{width: '300px', marginRight: '5px'}} percent={exploitPercentage} strokeWidth="4" The first monkey run was started on <span
trailWidth="4" className="label label-info">{this.state.report.overview.monkey_start_time}</span>. After <span
strokeColor="#d9534f" trailColor="#f0ad4e"/> className="label label-info">{this.state.report.overview.monkey_duration}</span>, all monkeys finished
<b>{Math.round(exploitPercentage)}% of scanned machines exploited</b> propagation attempts.
</p>
<p>
The monkey started propagating from the following machines where it was manually installed:
<ul>
{this.state.report.overview.manual_monkeys.map(x => <li>{x}</li>)}
</ul>
</p>
<p>
The monkeys were run with the following configuration:
</p>
{
this.state.report.overview.config_users.length > 0 ?
<p>
Users to try:
<ul>
{this.state.report.overview.config_users.map(x => <li>{x}</li>)}
</ul>
Passwords to try:
<ul>
{this.state.report.overview.config_passwords.map(x => <li>{x.substr(0, 3) + '******'}</li>)}
</ul>
</p>
:
<p>
No Users and Passwords were provided for the monkey.
</p>
}
{
this.state.report.overview.config_exploits.length > 0 ?
<p>
Use the following exploit methods:
<ul>
{this.state.report.overview.config_exploits.map(x => <li>{x}</li>)}
</ul>
</p>
:
<p>
Don't use any exploit.
</p>
}
{
this.state.report.overview.config_ips.length > 0 ?
<p>
Scan the following IPs:
<ul>
{this.state.report.overview.config_ips.map(x => <li>{x}</li>)}
</ul>
</p>
:
''
}
{
this.state.report.overview.config_scan ?
''
:
<p>
Monkeys were configured to not scan local network
</p>
}
<p>
A full report of the Monkeys activities follows.
</p>
</div>
<div id="findings">
<h1>
Security Findings
</h1>
<div>
<h3>
Immediate Threats
</h3>
During this simulated attack the Monkey uncovered <span
className="label label-warning">{this.state.report.overview.issues.filter(function (x) {
return x === true;
}).length} issues</span>, detailed below. The security issues uncovered include:
<ul>
{this.state.report.overview.issues[this.Issue.WEAK_PASSWORD] ?
<li>Users with weak passwords.</li> : null}
{this.state.report.overview.issues[this.Issue.STOLEN_CREDS] ?
<li>Stolen passwords/hashes were used to exploit other machines.</li> : null}
{this.state.report.overview.issues[this.Issue.ELASTIC] ?
<li>Elastic Search servers not patched for <a
href="https://www.cvedetails.com/cve/cve-2015-1427">CVE-2015-1427</a>.
</li> : null}
{this.state.report.overview.issues[this.Issue.SAMBACRY] ?
<li>Samba servers not patched for SambaCry (<a
href="https://www.samba.org/samba/security/CVE-2017-7494.html"
>CVE-2017-7494</a>).</li> : null}
{this.state.report.overview.issues[this.Issue.SHELLSHOCK] ?
<li>Machines not patched for the Shellshock (<a
href="https://www.cvedetails.com/cve/CVE-2014-6271">CVE-2014-6271</a>).
</li> : null}
{this.state.report.overview.issues[this.Issue.CONFICKER] ?
<li>Machines not patched for the Conficker (<a
href="https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067"
>MS08-067</a>).</li> : null}
</ul>
</div>
<div>
<h3>
Security Issues
</h3>
The monkey uncovered the following possible set of issues:
<ul>
{this.state.report.overview.warnings[this.Warning.CROSS_SEGMENT] ?
<li>Possible cross segment traffic. Infected machines could communicate with the
Monkey Island despite crossing segment boundaries using unused ports.</li> : null}
{this.state.report.overview.warnings[this.Warning.TUNNEL] ?
<li>Lack of Micro-segmentation, machines successfully tunneled monkey activity
using unused ports.</li> : null}
</ul>
</div> </div>
</div> </div>
<p> <div id="recommendations">
From the attacker's point of view, the network looks like this: <h1>
</p> Recommendations
<div style={{position: 'relative', height: '80vh'}}> </h1>
<ReactiveGraph graph={this.state.graph} options={options}/> <div>
{this.generateIssues(this.state.report.recommendations.issues)}
</div>
</div> </div>
<div style={{marginBottom: '20px'}}> <div id="glance">
<BreachedServers data={this.state.report.glance.exploited}/> <h1>
</div> The Network from the Monkey's Eyes
<div style={{marginBottom: '20px'}}> </h1>
<ScannedServers data={this.state.report.glance.scanned}/> <div>
</div> <p>
<div> The Monkey discovered <span
<StolenPasswords data={this.state.report.glance.stolen_creds}/> className="label label-warning">{this.state.report.glance.scanned.length}</span> machines and
successfully breached <span
className="label label-danger">{this.state.report.glance.exploited.length}</span> of them.
<br/>
In addition, while attempting to exploit additional hosts , security software installed in the
network should have picked up the attack attempts and logged them.
<br/>
Detailed recommendations in the <a href="#recommendations">next part of the report</a>.
</p>
<div className="text-center" style={{margin: '10px'}}>
<Line style={{width: '300px', marginRight: '5px'}} percent={exploitPercentage} strokeWidth="4"
trailWidth="4"
strokeColor="#d9534f" trailColor="#f0ad4e"/>
<b>{Math.round(exploitPercentage)}% of scanned machines exploited</b>
</div>
</div>
<p>
From the attacker's point of view, the network looks like this:
</p>
<div style={{position: 'relative', height: '80vh'}}>
<ReactiveGraph graph={this.state.graph} options={options}/>
</div>
<div style={{marginBottom: '20px'}}>
<BreachedServers data={this.state.report.glance.exploited}/>
</div>
<div style={{marginBottom: '20px'}}>
<ScannedServers data={this.state.report.glance.scanned}/>
</div>
<div>
<StolenPasswords data={this.state.report.glance.stolen_creds}/>
</div>
</div> </div>
</div> </div>
<div className="text-center no-print" style={{marginTop: '20px'}}>
<Button bsSize="large" onClick={() => {
print();
}}><i className="glyphicon glyphicon-print"/> Print Report</Button>
</div>
</div> </div>
); );
} }
return ( return (
<Col xs={12} lg={8}> <Col xs={12} lg={8}>
<h1 className="page-title">4. Security Report</h1> <h1 className="page-title">4. Security Report</h1>