Refactored T1210 to have a dedicated telem.

VakarisZ 2019-04-12 15:10:24 +03:00
parent fae8820528
commit f73fb9f3a9
20 changed files with 150 additions and 52 deletions


@ -58,6 +58,8 @@ class ElasticGroovyExploiter(WebRCE):
result = self.get_results(response)
if not result:
return False
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'url': url, 'service': 'Elastic search'}).send()
return result[0]
def upload_monkey(self, url, commands=None):
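Review bot: The USED telem labels the service `'Elastic search'`, while the ElasticFinger's SCANNED telem later in this commit labels the same service `'Elastic'`, so the "Found services" and "Exploited services" tables will name one target two different ways. Using a single shared label, e.g. `'service': 'Elastic'`, keeps the two views consistent. The telem is sent only after `result` is confirmed truthy, which is the right place. The enclosing method starts outside the hunk.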


@ -13,6 +13,8 @@ import posixpath
from infection_monkey.exploit.web_rce import WebRCE
from infection_monkey.exploit.tools import HTTPTools, build_monkey_commandline, get_monkey_depth
from infection_monkey.model import MONKEY_ARG, ID_STRING, HADOOP_WINDOWS_COMMAND, HADOOP_LINUX_COMMAND
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
__author__ = 'VakarisZ'
@ -48,6 +50,8 @@ class HadoopExploiter(WebRCE):
return False
http_thread.join(self.DOWNLOAD_TIMEOUT)
http_thread.stop()
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'url': self.vulnerable_urls[0], 'service': 'Hadoop'}).send()
return True
def exploit(self, url, command):


@ -280,10 +280,12 @@ class RdpExploiter(HostExploiter):
cmdline = build_monkey_commandline(self.host, get_monkey_depth() - 1)
if self._config.rdp_use_vbs_download:
download_method = 'VBS'
command = RDP_CMDLINE_HTTP_VBS % {
'monkey_path': self._config.dropper_target_path_win_32,
'http_path': http_path, 'parameters': cmdline}
else:
download_method = 'BITS'
command = RDP_CMDLINE_HTTP_BITS % {
'monkey_path': self._config.dropper_target_path_win_32,
'http_path': http_path, 'parameters': cmdline}
@ -314,7 +316,8 @@ class RdpExploiter(HostExploiter):
client_factory.done_event.wait()
if client_factory.success:
VictimHostTelem("T1197", ScanStatus.USED.value, self.host, BITS_UPLOAD_STRING)
if download_method == 'BITS':
VictimHostTelem("T1197", ScanStatus.USED.value, self.host, BITS_UPLOAD_STRING)
exploited = True
self.report_login_attempt(True, user, password)
break
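Review bot: The RDP success path sends only the T1197 telem and no `VictimHostTelem('T1210', ScanStatus.USED.value, ...)`, unlike the SMB, SSH, WMI and web exploiters in this commit, so a host exploited over RDP will be missing from the T1210 "Exploited services" table unless that telem is sent somewhere outside the hunk. If it is not, sending `VictimHostTelem('T1210', ScanStatus.USED.value, self.host, {'port': <rdp_port>, 'service': 'RDP'}).send()` next to `exploited = True` (with the port the exploiter actually connected to) keeps the report complete. The `download_method == 'BITS'` guard on the T1197 telem correctly limits it to the branch that used BITS. The enclosing method starts and ends outside the hunk.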


@ -4,7 +4,6 @@ import posixpath
import re
import time
from io import BytesIO
from os import path
import impacket.smbconnection
from impacket.nmb import NetBIOSError
@ -22,6 +21,8 @@ from infection_monkey.model import DROPPER_ARG
from infection_monkey.network.smbfinger import SMB_SERVICE
from infection_monkey.exploit.tools import build_monkey_commandline, get_target_monkey_by_os, get_monkey_depth
from infection_monkey.pyinstaller_utils import get_binary_file_path
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
__author__ = 'itay.mizeretz'
@ -89,6 +90,8 @@ class SambaCryExploiter(HostExploiter):
LOG.info(
"Shares triggered successfully on host %s: %s" % (
self.host.ip_addr, str(successfully_triggered_shares)))
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'port': '139/445', 'service': 'Samba'}).send()
return True
else:
LOG.info("No shares triggered successfully on host %s" % self.host.ip_addr)
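Review bot: Dropping `from os import path` is only safe if no remaining `path.` reference survives in this file, which the hunk cannot show; a leftover use would surface as a NameError only at exploitation time, so it is worth checking before merge. The telem's `'port': '139/445'` is a string while the fingers and other exploiters in this commit pass integers (`ES_PORT`, `SSH_PORT`, `port`); the report's `$group` on `$port` tolerates mixed types, but a consistent type keeps sorting and display predictable. The enclosing method starts and ends outside the hunk.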


@ -11,6 +11,8 @@ from infection_monkey.exploit.tools import get_target_monkey, HTTPTools, get_mon
from infection_monkey.model import DROPPER_ARG
from infection_monkey.exploit.shellshock_resources import CGI_FILES
from infection_monkey.exploit.tools import build_monkey_commandline
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
__author__ = 'danielg'
@ -143,7 +145,8 @@ class ShellShockExploiter(HostExploiter):
if not (self.check_remote_file_exists(url, header, exploit, self._config.monkey_log_path_linux)):
LOG.info("Log file does not exist, monkey might not have run")
continue
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'url': url, 'service': 'Bash'}).send()
return True
return False


@ -10,6 +10,8 @@ from infection_monkey.network import SMBFinger
from infection_monkey.network.tools import check_tcp_port
from infection_monkey.exploit.tools import build_monkey_commandline
from common.utils.exploit_enum import ExploitType
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
LOG = getLogger(__name__)
@ -68,6 +70,10 @@ class SmbExploiter(HostExploiter):
LOG.debug("Successfully logged in %r using SMB (%s : %s : %s : %s)",
self.host, user, password, lm_hash, ntlm_hash)
self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
VictimHostTelem('T1210', ScanStatus.USED.value, self.host,
{'port': ("%s or %s" % (SmbExploiter.KNOWN_PROTOCOLS['139/SMB'][1],
SmbExploiter.KNOWN_PROTOCOLS['445/SMB'][1])),
'service': 'SMB'}).send()
exploited = True
break
else:
@ -137,4 +143,8 @@ class SmbExploiter(HostExploiter):
LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)",
remote_full_path, self.host, cmdline)
VictimHostTelem('T1210', ScanStatus.USED.value, self.host,
{'port': ("%s or %s" % (SmbExploiter.KNOWN_PROTOCOLS['139/SMB'][1],
SmbExploiter.KNOWN_PROTOCOLS['445/SMB'][1])),
'service': 'Elastic'}).send()
return True
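Review bot: The second telem at the end of the hunk reports `'service': 'Elastic'` for an SMB exploitation, which looks like a copy-paste slip; it should read `'service': 'SMB'` like the first telem in this hunk. Because the report's aggregation takes `$last` of `service` per (ip_addr, port, url) group, this mislabel can overwrite the correct 'SMB' label in the "Exploited services" table. Since both telems carry the same host and port string, a single USED telem at the point where the monkey is confirmed executed would avoid the duplicate record. Both enclosing methods start outside the hunk.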


@ -11,6 +11,8 @@ from infection_monkey.model import MONKEY_ARG
from infection_monkey.network.tools import check_tcp_port
from infection_monkey.exploit.tools import build_monkey_commandline
from common.utils.exploit_enum import ExploitType
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
__author__ = 'hoffer'
@ -81,6 +83,8 @@ class SSHExploiter(HostExploiter):
LOG.debug("Successfully logged in %r using SSH (%s : %s)",
self.host, user, curpass)
exploited = True
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'port': port, 'service': 'SSH'}).send()
self.report_login_attempt(True, user, curpass)
break


@ -10,6 +10,8 @@ import re
import logging
from infection_monkey.exploit.web_rce import WebRCE
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
__author__ = "VakarisZ"
@ -91,4 +93,6 @@ class Struts2Exploiter(WebRCE):
except httplib.IncompleteRead as e:
page = e.partial
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'url': url, 'service': 'Struts2'}).send()
return page
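Review bot: The USED telem is sent unconditionally before `return page`, including on the `httplib.IncompleteRead` path where only `e.partial` was read, so a T1210 USED record can be produced when the injected command never ran. If the caller of this method decides success from the returned page, the telem belongs at that decision point rather than here; a comment on the telem line stating that success is assumed would at least make the current placement explicit. The enclosing method starts outside the hunk.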


@ -10,6 +10,8 @@ from requests import post, exceptions
from infection_monkey.exploit.web_rce import WebRCE
from infection_monkey.exploit.tools import get_free_tcp_port, get_interface_to_target
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
import threading
import logging
@ -67,6 +69,9 @@ class WebLogicExploiter(WebRCE):
except Exception as e:
print('[!] Connection Error')
print(e)
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'url': url, 'service': 'Weblogic'}).send()
return True
def add_vulnerable_urls(self, urls, stop_checking=False):
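Review bot: The USED telem is sent after the `except Exception` handler that only prints '[!] Connection Error', so a failed connection still produces a T1210 USED record and the method still returns True. Either return False from the handler or move the telem and `return True` into a `try ... else:` clause so the telem only fires when the request went through. The `print` calls in the handler would also be better routed through the module logger so the failure is captured with the rest of the monkey's log. The enclosing method starts outside the hunk.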


@ -10,6 +10,8 @@ from infection_monkey.exploit.tools import SmbTools, WmiTools, AccessDeniedExcep
get_monkey_depth, build_monkey_commandline
from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
from common.utils.exploit_enum import ExploitType
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
LOG = logging.getLogger(__name__)
@ -103,6 +105,9 @@ class WmiExploiter(HostExploiter):
if (0 != result.ProcessId) and (0 == result.ReturnValue):
LOG.info("Executed dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",
remote_full_path, self.host, result.ProcessId, result.ReturnValue, cmdline)
VictimHostTelem('T1210', ScanStatus.USED.value,
self.host, {'port': 'unknown', 'service': 'WMI'}).send()
success = True
else:
LOG.debug("Error executing dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",
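Review bot: The telem reports `'port': 'unknown'`, yet WMI over DCOM is established through the RPC endpoint mapper on TCP 135, so reporting 135 would be more informative in the "Port/url" column even though the negotiated dynamic port is not known here. If 'unknown' is deliberate, a short comment such as `# DCOM negotiates a dynamic RPC port; only the 135 endpoint mapper is fixed` would explain the placeholder. The enclosing method starts and ends outside the hunk.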


@ -17,6 +17,8 @@ from infection_monkey.system_info import SystemInfoCollector
from infection_monkey.system_singleton import SystemSingleton
from infection_monkey.windows_upgrader import WindowsUpgrader
from infection_monkey.post_breach.post_breach_handler import PostBreach
from common.utils.attack_utils import ScanStatus
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
__author__ = 'itamar'
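Review bot: The two added imports, `ScanStatus` and `VictimHostTelem`, are not used anywhere in this hunk; if the rest of this file (outside the hunk) does not use them either, they should be dropped rather than left as an unused dependency on the telem module. If they are used further down, fine as is.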


@ -8,6 +8,8 @@ from requests.exceptions import Timeout, ConnectionError
import infection_monkey.config
from infection_monkey.model.host import VictimHost
from infection_monkey.network import HostFinger
from common.utils.attack_utils import ScanStatus
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
ES_PORT = 9200
ES_SERVICE = 'elastic-search-9200'
@ -39,6 +41,8 @@ class ElasticFinger(HostFinger):
host.services[ES_SERVICE]['cluster_name'] = data['cluster_name']
host.services[ES_SERVICE]['name'] = data['name']
host.services[ES_SERVICE]['version'] = data['version']['number']
VictimHostTelem('T1210', ScanStatus.SCANNED.value,
host, {'port': ES_PORT, 'service': 'Elastic'}).send()
return True
except Timeout:
LOG.debug("Got timeout while trying to read header information")


@ -1,6 +1,8 @@
import infection_monkey.config
from infection_monkey.network import HostFinger
from infection_monkey.model.host import VictimHost
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
import logging
LOG = logging.getLogger(__name__)
@ -40,6 +42,8 @@ class HTTPFinger(HostFinger):
host.services['tcp-' + port[1]]['name'] = 'http'
host.services['tcp-' + port[1]]['data'] = (server,ssl)
LOG.info("Port %d is open on host %s " % (port[0], host))
VictimHostTelem('T1210', ScanStatus.SCANNED.value,
host, {'port': port[0], 'service': 'HTTP/HTTPS'}).send()
break # https will be the same on the same port
except Timeout:
pass


@ -4,6 +4,8 @@ import socket
from infection_monkey.model.host import VictimHost
from infection_monkey.network import HostFinger
import infection_monkey.config
from common.utils.attack_utils import ScanStatus
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
__author__ = 'Maor Rayzin'
@ -68,6 +70,8 @@ class MSSQLFinger(HostFinger):
# Loop through the server data
instances_list = data[3:].decode().split(';;')
LOG.info('{0} MSSQL instances found'.format(len(instances_list)))
VictimHostTelem('T1210', ScanStatus.SCANNED.value,
host, {'port': MSSQLFinger.SQL_BROWSER_DEFAULT_PORT, 'service': 'MsSQL'}).send()
for instance in instances_list:
instance_info = instance.split(';')
if len(instance_info) > 1:
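Review bot: The SCANNED telem is sent once per host against `MSSQLFinger.SQL_BROWSER_DEFAULT_PORT` before the per-instance data is parsed on the following lines, so the "Found services" table will show the browser port rather than anything about the instances the finger actually enumerated. If the parsed `instance_info` carries a per-instance port, sending the telem inside the `for instance in instances_list` loop after it is parsed would report each instance; if it does not, a comment `# reported against the SQL Browser port; instance details are parsed below` would make the choice explicit. The enclosing method starts and ends outside the hunk.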


@ -5,6 +5,8 @@ import infection_monkey.config
from infection_monkey.model.host import VictimHost
from infection_monkey.network import HostFinger
from infection_monkey.network.tools import struct_unpack_tracker, struct_unpack_tracker_string
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
MYSQL_PORT = 3306
SQL_SERVICE = 'mysqld-3306'
@ -59,7 +61,8 @@ class MySQLFinger(HostFinger):
host.services[SQL_SERVICE]['minor_version'] = version[1]
host.services[SQL_SERVICE]['build_version'] = version[2]
thread_id, curpos = struct_unpack_tracker(data, curpos, "<I") # ignore thread id
VictimHostTelem('T1210', ScanStatus.SCANNED.value,
host, {'port': MYSQL_PORT, 'service': 'MYSQL'}).send()
# protocol parsing taken from
# https://nmap.org/nsedoc/scripts/mysql-info.html
if protocol == 10:


@ -5,6 +5,8 @@ from odict import odict
from infection_monkey.network import HostFinger
from infection_monkey.model.host import VictimHost
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
SMB_PORT = 445
SMB_SERVICE = 'tcp-445'
@ -150,7 +152,8 @@ class SMBFinger(HostFinger):
host.os['version'] = os_version
else:
host.services[SMB_SERVICE]['os-version'] = os_version
VictimHostTelem('T1210', ScanStatus.SCANNED.value,
host, {'port': SMB_PORT, 'service': 'SMB'}).send()
return True
except Exception as exc:
LOG.debug("Error getting smb fingerprint: %s", exc)


@ -4,6 +4,8 @@ import infection_monkey.config
from infection_monkey.model.host import VictimHost
from infection_monkey.network import HostFinger
from infection_monkey.network.tools import check_tcp_port
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
SSH_PORT = 22
SSH_SERVICE_DEFAULT = 'tcp-22'
@ -49,6 +51,8 @@ class SSHFinger(HostFinger):
host.services[SSH_SERVICE_DEFAULT]['banner'] = banner
if self._banner_regex.search(banner):
self._banner_match(SSH_SERVICE_DEFAULT, host, banner)
VictimHostTelem('T1210', ScanStatus.SCANNED.value,
host, {'port': SSH_PORT, 'service': 'SSH'}).send()
return True
return False


@ -4,6 +4,8 @@ from random import shuffle
import infection_monkey.config
from infection_monkey.network import HostScanner, HostFinger
from infection_monkey.network.tools import check_tcp_ports, tcp_port_to_service
from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
from common.utils.attack_utils import ScanStatus
__author__ = 'itamar'
@ -31,6 +33,9 @@ class TcpScanner(HostScanner, HostFinger):
ports, banners = check_tcp_ports(host.ip_addr, target_ports, self._config.tcp_scan_timeout / 1000.0,
self._config.tcp_scan_get_banner)
for port in ports:
VictimHostTelem('T1210', ScanStatus.SCANNED.value,
host, {'port': port, 'service': 'unknown(TCP)'}).send()
for target_port, banner in izip_longest(ports, banners, fillvalue=None):
service = tcp_port_to_service(target_port)
host.services[service] = {}
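Review bot: The new `for port in ports` loop sends a telem labelled `'service': 'unknown(TCP)'` right before the existing `izip_longest` loop computes `service = tcp_port_to_service(target_port)` for the same ports, so the report receives a worse label than the scanner already has. Moving the telem into the existing loop after `service` is assigned, `VictimHostTelem('T1210', ScanStatus.SCANNED.value, host, {'port': target_port, 'service': service}).send()`, removes the extra loop and reports the resolved service name. The enclosing method starts and ends outside the hunk.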


@ -13,18 +13,24 @@ MESSAGES = {
def get_report_data():
data = {}
scanned_machines = ReportService.get_scanned()
exploited_machines = ReportService.get_exploited()
data.update({'message': MESSAGES['unscanned'], 'status': ScanStatus.UNSCANNED.name})
for machine in scanned_machines:
if machine['services']:
data.update({'message': MESSAGES['scanned'], 'status': ScanStatus.SCANNED.name})
for machine in exploited_machines:
if machine['exploits']:
data.update({'message': MESSAGES['used'], 'status': ScanStatus.USED.name})
data.update({'technique': TECHNIQUE, 'title': technique_title(TECHNIQUE)})
data.update({'scanned_machines': scanned_machines})
data.update({'exploited_machines': exploited_machines})
data = get_tech_base_data(TECHNIQUE, MESSAGES)
found_services = get_res_by_status(ScanStatus.SCANNED.value)
exploited_services = get_res_by_status(ScanStatus.USED.value)
data.update({'found_services': found_services, 'exploited_services': exploited_services})
return data
def get_res_by_status(status):
results = mongo.db.attack_results.aggregate([{'$match': {'technique': TECHNIQUE, 'status': status}},
{'$group': {
'_id': {'ip_addr': '$machine.ip_addr',
'port': '$port',
'url': '$url'},
'ip_addr': {'$first': '$machine.ip_addr'},
'domain_name': {'$first': '$machine.domain_name'},
'port': {'$first': '$port'},
'url': {'$first': '$url'},
'service': {'$last': '$service'},
'time': {'$first': '$time'}}
}])
return list(results)
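Review bot: `get_res_by_status` uses `$first` and `$last` accumulators with no preceding `$sort` stage, and MongoDB only defines the order of documents inside a `$group` when the input is sorted, so the `service` and `time` picked per (ip_addr, port, url) group are effectively arbitrary whenever a host produced more than one result. Adding `{'$sort': {'time': 1}},` as the stage before `$group` makes `time` the earliest observation and `service` the latest label, which is what the accumulators read as intending. The `$match` values come from the module constant `TECHNIQUE` and the `ScanStatus` enum rather than from request input, so the query is not attacker-shaped. A one-line docstring on the new function stating that it returns one row per distinct (ip_addr, port, url) for the given status would help the next reader.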


@ -1,56 +1,76 @@
import React from 'react';
import '../../styles/Collapse.scss'
import {Link} from "react-router-dom";
let renderArray = function(val) {
return <span>{val.map(x => <span key={x.toString()}> {x} </span>)}</span>;
};
import ReactTable from "react-table";
let renderMachine = function (val, index, exploited=false) {
let renderMachine = function (val) {
return (
<div key={index}>
{renderArray(val.ip_addresses)}
{(val.domain_name ? " (".concat(val.domain_name, ")") : " (".concat(val.label, ")"))} :
{exploited ? renderArray(val.exploits) : renderArray(val.services)}
</div>
<span>{val.ip_addr} {(val.domain_name ? " (".concat(val.domain_name, ")") : "")}</span>
)
};
let renderPort = function (service){
if(service.url){
return service.url
} else {
return service.port
}
};
const columns = [
{
columns: [
{Header: 'Machine', id: 'machine', accessor: x => renderMachine(x), style: { 'whiteSpace': 'unset' }, width: 200},
{Header: 'Time', id: 'time', accessor: x => x.time, style: { 'whiteSpace': 'unset' }, width: 170},
{Header: 'Port/url', id: 'port', accessor: x =>renderPort(x), style: { 'whiteSpace': 'unset' }},
{Header: 'Service', id: 'service', accessor: x => x.service, style: { 'whiteSpace': 'unset' }}
]
}
];
class T1210 extends React.Component {
renderScannedMachines = (machines) => {
let content = [];
for (let i = 0; i < machines.length; i++ ){
if (machines[i].services.length !== 0){
content.push(renderMachine(machines[i], i))
}
}
return <div>{content}</div>;
};
renderExploitedMachines = (machines) => {
let content = [];
for (let i = 0; i < machines.length; i++ ){
if (machines[i].exploits.length !== 0){
content.push(renderMachine(machines[i], i, true))
}
}
return <div>{content}</div>;
};
constructor(props) {
super(props);
}
renderFoundServices(data) {
return (
<div>
<br/>
<div>Found services: </div>
<ReactTable
columns={columns}
data={data}
showPagination={false}
defaultPageSize={data.length}
/>
</div>)
}
renderExploitedServices(data) {
return (
<div>
<br/>
<div>Exploited services: </div>
<ReactTable
columns={columns}
data={data}
showPagination={false}
defaultPageSize={data.length}
/>
</div>)
}
render() {
return (
<div>
<div>{this.props.data.message}</div>
{this.props.data.scanned_machines.length > 0 ? <div>Found services: </div> : ''}
{this.renderScannedMachines(this.props.data.scanned_machines)}
{this.props.data.exploited_machines.length > 0 ? <div>Successful exploiters:</div> : ''}
{this.renderExploitedMachines(this.props.data.exploited_machines)}
{this.props.data.found_services.length > 0 ?
this.renderFoundServices(this.props.data.found_services) : ''}
{this.props.data.exploited_services.length > 0 ?
this.renderExploitedServices(this.props.data.exploited_services) : ''}
<div className="attack-report footer-text">
To get more info about scanned and exploited machines view <Link to="/report">standard report.</Link>
</div>