This document describes Infection Monkey’s test network, how to deploy and use it.
- Warning!
- Introduction
- Getting started
- Using islands
- Running tests
- Machines' legend
- Machines
  - Nr. 2 Hadoop
  - Nr. 3 Hadoop
  - Nr. 4 Elastic
  - Nr. 5 Elastic
  - Nr. 6 Sambacry
  - Nr. 7 Sambacry
  - Nr. 8 Shellshock
  - Nr. 9 Tunneling M1
  - Nr. 10 Tunneling M2
  - Nr. 11 SSH key steal
  - Nr. 12 SSH key steal
  - Nr. 13 RDP grinder
  - Nr. 14 Mimikatz
  - Nr. 15 Mimikatz
  - Nr. 16 MsSQL
  - Nr. 17 Upgrader
  - Nr. 18 WebLogic
  - Nr. 19 WebLogic
  - Nr. 20 SMB
  - Nr. 21 Scan
  - Nr. 22 Scan
  - Nr. 23 Struts2
  - Nr. 24 Struts2
  - Nr. 25 Zerologon
  - Nr. 3-45 Powershell
  - Nr. 3-46 Powershell
  - Nr. 3-47 Powershell
  - Nr. 250 MonkeyIsland
  - Nr. 251 MonkeyIsland
- Network topography
Warning!
This project builds an intentionally vulnerable network. Do not add production servers to the same network, and keep it closed to the public: every machine below is meant to be exploitable, and several ship with fixed, documented credentials.
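The check below is an added example for this page, not part of the MonkeyZoo repository. Once the network is deployed (see Getting started), it flags any ingress firewall rule on the zoo's VPC networks that accepts traffic from the whole Internet, which is what "closed to the public" means in GCP terms. It assumes the rules were exported tab-separated with `gcloud compute firewall-rules list --format="value(name,network.basename(),direction,sourceRanges.list())"`; the network names `monkeyzoo` and `tunneling` in the usage line are placeholders for whatever names your deployment (with its resource_prefix) creates.

```shell
#!/bin/sh
# Firewall exposure check for the MonkeyZoo networks.
# Added example for this page; not part of the MonkeyZoo repository.
#
# Input: one firewall rule per line, TAB-separated as
#   name  network  direction  comma-separated-source-ranges
# which is what this gcloud invocation is assumed to print:
#   gcloud compute firewall-rules list \
#     --format="value(name,network.basename(),direction,sourceRanges.list())" > rules.tsv

# find_public_ingress RULES_FILE NETWORK...
# Prints "network rule sources" for every INGRESS rule on one of the named
# networks that accepts traffic from the whole Internet (0.0.0.0/0 or ::/0).
# Returns 0 when the named networks have no such rule, 1 when any was found.
# Rules on other networks (e.g. the project's "default" network) are ignored.
find_public_ingress() {
    rules_file="$1"
    shift
    exposed=0
    TAB="$(printf '\t')"
    # The `|| [ -n "$name" ]` keeps a final line that lacks a trailing newline.
    while IFS="$TAB" read -r name network direction sources || [ -n "$name" ]; do
        [ "$direction" = "INGRESS" ] || continue
        for zoo_net in "$@"; do
            [ "$network" = "$zoo_net" ] || continue
            # Surround with commas so a range matches only as a whole entry.
            case ",$sources," in
                *,0.0.0.0/0,*|*,::/0,*)
                    echo "$network $name $sources"
                    exposed=1
                    ;;
            esac
        done
    done < "$rules_file"
    [ "$exposed" -eq 0 ]
}

# Usage (network names are placeholders for the ones your deployment creates):
#   find_public_ingress rules.tsv monkeyzoo tunneling \
#     || echo "zoo is reachable from the Internet; tighten the rules before running the Monkey"
```

Management access to the islands (22 and 3389) should come from a narrow source range; the check treats only a literal any-source range as a failure, so a rule scoped to your office or IAP range passes.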
Introduction:
MonkeyZoo is a Google Cloud Platform network deployed with Terraform. The Terraform scripts let you quickly set up a network full of vulnerable machines to regression-test the Monkey's exploiters, evaluate scanning times in a real-world scenario, and more.
Getting started:
Requirements:
- Have Terraform installed.
- Have a Google Cloud Platform account (upgraded if you want to test the whole network at once).
To deploy:
1. Configure a service account for your project:
   a. Create a service account (GCP website -> IAM & Admin -> Service Accounts -> + CREATE SERVICE ACCOUNT) and name it "your_name-monkeyZoo-user".
   b. Give these permissions to your service account:
      Compute Engine -> Compute Network Admin, Compute Engine -> Compute Instance Admin (v1), Compute Engine -> Compute Security Admin and Service Account User
      or
      Project -> Owner (the scoped roles above are preferable; Owner grants far more than the zoo needs).
   c. Create and download its service account key in JSON, place it in monkey_zoo/gcp_keys as gcp_key.json, and keep it out of version control.
2. Get these permissions in the monkeyZoo project (guardicore-22050661) for your service account (ask the Monkey developers to add them):
   a. Compute Engine -> Compute Image User
3. Change the configuration in ../monkey/envs/monkey_zoo/terraform/config.tf (don't forget to point it at your service account key file):
```hcl
provider "google" {
  project     = "test-000000"                          // Change to your project id
  region      = "europe-west3"                         // Change to your desired region or leave default
  zone        = "europe-west3-b"                       // Change to your desired zone or leave default
  credentials = "${file("../gcp_keys/gcp_key.json")}" // Change to the location and name of the service key.
                                                       // If you followed the instructions above leave it as is
}

locals {
  resource_prefix       = ""   // All of the resources will have this prefix.
                               // Only change if you want to have multiple zoos in the same project
  service_account_email = "tester-monkeyZoo-user@testproject-000000.iam.gserviceaccount.com" // Service account email
  monkeyzoo_project     = "guardicore-22050661" // Project where monkeyzoo images are kept. Leave as is.
}
```
4. Run terraform init
To deploy the network run:
terraform plan
(review the changes it will make on GCP)
terraform apply
(creates 2 networks for the machines)
terraform apply
(adds the machines to these networks)
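Before the first `terraform plan`, the pre-flight script below (an added example for this page, not part of the MonkeyZoo repository) verifies the hand edits the steps above ask for: the key file exists and is a GCP service-account key, config.tf no longer carries the placeholder project id or service_account_email, the email matches the key's client_email, and monkeyzoo_project is untouched. `deploy_zoo` then runs the init / plan / apply / apply sequence; `ZOO_TF_DIR` defaults to the path given above and is an assumption about your checkout.

```shell
#!/bin/sh
# Pre-flight check for a MonkeyZoo deployment.
# Added example for this page; not part of the MonkeyZoo repository.

# Assumed checkout layout (matches the paths in the steps above).
ZOO_TF_DIR="${ZOO_TF_DIR:-../monkey/envs/monkey_zoo/terraform}"

# check_zoo_config CONFIG_TF KEY_JSON
# Returns 0 when the configuration looks deployable, 1 otherwise, printing
# every problem found on stderr.
check_zoo_config() {
    zc_config="$1"
    zc_key="$2"
    zc_rc=0

    if [ ! -f "$zc_config" ]; then
        echo "missing terraform config: $zc_config" >&2
        return 1
    fi
    if [ ! -f "$zc_key" ]; then
        echo "missing service account key: $zc_key" >&2
        zc_rc=1
    elif ! grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$zc_key"; then
        echo "not a GCP service account key: $zc_key" >&2
        zc_rc=1
    fi

    # The placeholders shipped in config.tf must have been replaced.
    if grep -Eq '^[[:space:]]*project[[:space:]]*=[[:space:]]*"test-000000"' "$zc_config"; then
        echo "config.tf still uses the placeholder project id test-000000" >&2
        zc_rc=1
    fi
    if grep -Eq 'service_account_email[[:space:]]*=[[:space:]]*"tester-monkeyZoo-user@testproject-000000' "$zc_config"; then
        echo "config.tf still uses the placeholder service_account_email" >&2
        zc_rc=1
    fi

    # service_account_email must be the account the key actually belongs to.
    if [ -f "$zc_key" ]; then
        zc_key_email=$(sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$zc_key" | head -n 1)
        zc_cfg_email=$(sed -n 's/.*service_account_email[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$zc_config" | head -n 1)
        if [ -n "$zc_key_email" ] && [ "$zc_key_email" != "$zc_cfg_email" ]; then
            echo "service_account_email ($zc_cfg_email) does not match the key's client_email ($zc_key_email)" >&2
            zc_rc=1
        fi
    fi

    # The images live in the project named above; this value must not change.
    if ! grep -Eq 'monkeyzoo_project[[:space:]]*=[[:space:]]*"guardicore-22050661"' "$zc_config"; then
        echo "monkeyzoo_project was changed; the zoo images are kept in guardicore-22050661" >&2
        zc_rc=1
    fi
    return "$zc_rc"
}

# deploy_zoo TERRAFORM_DIR
# The init / plan / apply / apply sequence from the steps above, run only after
# the pre-flight check passes. No -auto-approve: the plan is meant to be read.
deploy_zoo() {
    check_zoo_config "$1/config.tf" "$1/../gcp_keys/gcp_key.json" || return 1
    (cd "$1" && terraform init && terraform plan && terraform apply && terraform apply)
}

# Uncomment to run the real deployment:
# deploy_zoo "$ZOO_TF_DIR"
```

The second `terraform apply` is kept deliberately: the first creates the two networks, the second adds the machines, exactly as the steps above describe.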
Using islands:
How to get into the islands:
island-linux-250: SSH from GCP
island-windows-251: In the GCP "VM instances" page click on island-windows-251, set a Windows password for your account and then RDP into the island.
These are the most common steps on the Monkey Islands:
island-linux-250:
To run monkey island:
sudo /usr/run_island.sh
To run monkey:
sudo /usr/run_monkey.sh
To update repository:
cd /usr/infection_monkey
git pull
Update all requirements using deployment script:
1. cd /usr/infection_monkey/deployment_scripts
2. ./deploy_linux.sh "/usr/infection_monkey" "develop"
island-windows-251:
To run monkey island:
Execute C:\run_monkey_island.bat as administrator
To run monkey:
Execute C:\run_monkey.bat as administrator
To update repository:
1. Open cmd as an administrator
2. cd C:\infection_monkey
3. git pull
(updates the develop branch)
Update all requirements using deployment script:
1. cd C:\infection_monkey\deployment_scripts
2. run_script.bat "C:\infection_monkey" "develop"
Running tests:
Once you start the Monkey Island you can import test configurations from ../monkey/envs/configs.
fullTest.conf is a good config to start with, because it covers all machines.
Machines:
| Nr. 2 Hadoop (10.2.2.2) | (Vulnerable) |
|---|---|
| OS: | Ubuntu 16.04.05 x64 |
| Software: | JDK, Hadoop |
| Default service port: | 8020 |
| Server's config: | Single node cluster |
| Scan results: | Machine exploited using Hadoop exploiter |
| Notes: | |

| Nr. 3 Hadoop (10.2.2.3) | (Vulnerable) |
|---|---|
| OS: | Windows 10 x64 |
| Software: | JDK, Hadoop |
| Default service port: | 8020 |
| Server's config: | Single node cluster |
| Scan results: | Machine exploited using Hadoop exploiter |
| Notes: | |

| Nr. 4 Elastic (10.2.2.4) | (Vulnerable) |
|---|---|
| OS: | Ubuntu 16.04.05 x64 |
| Software: | JDK, Elasticsearch |
| Default service port: | 9200 |
| Server's config: | Default |
| Scan results: | Machine exploited using Elastic exploiter |
| Notes: | Quick tutorial on how to add entries (was useful when setting up). |

| Nr. 5 Elastic (10.2.2.5) | (Vulnerable) |
|---|---|
| OS: | Windows 10 x64 |
| Software: | JDK, Elasticsearch |
| Default service port: | 9200 |
| Server's config: | Default |
| Scan results: | Machine exploited using Elastic exploiter |
| Notes: | Quick tutorial on how to add entries (was useful when setting up). |

| Nr. 6 Sambacry (10.2.2.6) | (Not implemented) |
|---|---|
| OS: | Ubuntu 16.04.05 x64 |
| Software: | Samba 3.5.0 or later, before 4.6.4 / 4.5.10 / 4.4.14 (SambaCry, CVE-2017-7494) |
| Default service port: | - |
| Root password: | ;^TK`9XN_x^ |
| Server's config: | |
| Scan results: | Machine exploited using Sambacry exploiter |
| Notes: | |

| Nr. 7 Sambacry (10.2.2.7) | (Not implemented) |
|---|---|
| OS: | Ubuntu 16.04.05 x86 (32-bit) |
| Software: | Samba 3.5.0 or later, before 4.6.4 / 4.5.10 / 4.4.14 (SambaCry, CVE-2017-7494) |
| Default service port: | - |
| Root password: | *.&A7/W}Rc$ |
| Server's config: | |
| Scan results: | Machine exploited using Sambacry exploiter |
| Notes: | |

| Nr. 8 Shellshock (10.2.2.8) | (Vulnerable) |
|---|---|
| OS: | Ubuntu 12.04 LTS x64 |
| Software: | Apache2, bash 4.2 (Shellshock, CVE-2014-6271) |
| Default service port: | 80 |
| Scan results: | Machine exploited using Shellshock exploiter |
| Notes: | Vulnerable app is under /cgi-bin/test.cgi |

| Nr. 9 Tunneling M1 (10.2.2.9, 10.2.1.9) | (Vulnerable) |
|---|---|
| OS: | Ubuntu 16.04.05 x64 |
| Software: | OpenSSH |
| Default service port: | 22 |
| Root password: | `))jU7L(w} |
| Server's config: | Default |
| Notes: | |

| Nr. 10 Tunneling M2 (10.2.1.10) | (Exploitable) |
|---|---|
| OS: | Ubuntu 16.04.05 x64 |
| Software: | OpenSSH |
| Default service port: | 22 |
| Root password: | 3Q=(Ge(+&w]* |
| Server's config: | Default |
| Notes: | Accessible only through Nr. 9 |

| Nr. 11 Tunneling M3 (10.2.0.11) | (Exploitable) |
|---|---|
| OS: | Ubuntu 16.04.05 x64 |
| Software: | OpenSSH |
| Default service port: | 22 |
| Root password: | 3Q=(Ge(+&w]* |
| Server's config: | Default |
| Notes: | Accessible only through Nr. 10 |

| Nr. 12 Tunneling M4 (10.2.0.12) | (Exploitable) |
|---|---|
| OS: | Windows Server 2019 x64 |
| Default service port: | 445 |
| Root password: | t67TC5ZDmz |
| Server's config: | Default |
| Notes: | Accessible only through Nr. 10 |

| Nr. 11 SSH key steal (10.2.2.11) | (Vulnerable) |
|---|---|
| OS: | Ubuntu 16.04.05 x64 |
| Software: | OpenSSH |
| Default service port: | 22 |
| Root password: | ^NgDvY59~8 |
| Server's config: | Holds the SSH keys used to connect to Nr. 12 |
| Notes: | |

| Nr. 12 SSH key steal (10.2.2.12) | (Exploitable) |
|---|---|
| OS: | Ubuntu 16.04.05 x64 |
| Software: | OpenSSH |
| Default service port: | 22 |
| Root password: | u?Sj5@6(-C |
| Server's config: | SSH configured to allow key-based connection from Nr. 11 |
| Notes: | Don't add this machine's credentials to the exploit configuration; it should only be reached with the keys stolen from Nr. 11. |

| Nr. 13 RDP grinder (10.2.2.13) | (Not implemented) |
|---|---|
| OS: | Windows 10 x64 |
| Software: | - |
| Default service port: | 3389 |
| Root password: | 2}p}aR]&=M |
| Server's config: | Remote Desktop enabled; admin user's credentials: m0nk3y, 2}p}aR]&=M |
| Notes: | |

| Nr. 14 Mimikatz (10.2.2.14) | (Vulnerable) |
|---|---|
| OS: | Windows 10 x64 |
| Software: | - |
| Admin password: | Ivrrw5zEzs |
| Server's config: | Has mimikatz-15's RDP credentials cached; SMB turned on |
| Notes: | |

| Nr. 15 Mimikatz (10.2.2.15) | (Exploitable) |
|---|---|
| OS: | Windows 10 x64 |
| Software: | - |
| Admin password: | pAJfG56JX>< |
| Server's config: | Its credentials are cached on mimikatz-14; SMB turned on |
| Notes: | If you change this machine's IP it won't get exploited. |

| Nr. 16 MsSQL (10.2.2.16) | (Vulnerable) |
|---|---|
| OS: | Windows 10 x64 |
| Software: | MSSQL Server |
| Default service port: | 1433 |
| Server's config: | xp_cmdshell feature enabled in MSSQL server |
| SQL server auth. creds: | m0nk3y : Xk8VDTsC |
| Notes: | SQL Server Browser service enabled |

| Nr. 17 Upgrader (10.2.2.17) | (Not implemented) |
|---|---|
| OS: | Windows 10 x64 |
| Default service port: | 445 |
| Root password: | U??7ppG_ |
| Server's config: | SMB turned on |
| Notes: | |

| Nr. 18 WebLogic (10.2.2.18) | (Vulnerable) |
|---|---|
| OS: | Ubuntu 16.04.05 x64 |
| Software: | JDK, WebLogic |
| Default service port: | 7001 |
| Admin domain credentials: | weblogic : B74Ot0c4 |
| Server's config: | Default |
| Notes: | |

| Nr. 19 WebLogic (10.2.2.19) | (Vulnerable) |
|---|---|
| OS: | Windows 10 x64 |
| Software: | JDK, WebLogic |
| Default service port: | 7001 |
| Admin server's credentials: | weblogic : =ThS2d=m(`B |
| Server's config: | Default |
| Notes: | |

| Nr. 20 SMB (10.2.2.20) | (Vulnerable) |
|---|---|
| OS: | Windows 10 x64 |
| Software: | - |
| Default service port: | 445 |
| Root password: | YbS,<tpS.2av |
| Server's config: | SMB turned on |
| Notes: | |

| Nr. 21 Scan (10.2.2.21) | (Secure) |
|---|---|
| OS: | Ubuntu 16.04.05 x64 |
| Software: | Apache Tomcat 7.0.92 |
| Default service port: | 8080 |
| Server's config: | Default |
| Notes: | Used to scan a machine that has no vulnerabilities (e.g. to evaluate scanning speed) |

| Nr. 22 Scan (10.2.2.22) | (Secure) |
|---|---|
| OS: | Windows 10 x64 |
| Software: | Apache Tomcat 7.0.92 |
| Default service port: | 8080 |
| Server's config: | Default |
| Notes: | Used to scan a machine that has no vulnerabilities (e.g. to evaluate scanning speed) |

| Nr. 23 Struts2 (10.2.2.23) | (Vulnerable) |
|---|---|
| OS: | Ubuntu 16.04.05 x64 |
| Software: | JDK, Struts2 2.3.15.1, Tomcat 9.0.0.M9 |
| Default service port: | 8080 |
| Server's config: | Default |
| Notes: | |

| Nr. 24 Struts2 (10.2.2.24) | (Vulnerable) |
|---|---|
| OS: | Windows 10 x64 |
| Software: | JDK, Struts2 2.3.15.1, Tomcat 9.0.0.M9 |
| Default service port: | 8080 |
| Server's config: | Default |
| Notes: | |

| Nr. 25 ZeroLogon (10.2.2.25) | (Vulnerable) |
|---|---|
| OS: | Windows Server 2016 |
| Default service port: | 135 |
| Notes: | Netlogon vulnerable to Zerologon (CVE-2020-1472) |

| Nr. 3-45 Powershell (10.2.3.45) | (Vulnerable) |
|---|---|
| OS: | Windows Server 2016 x64 |
| Software: | WinRM service |
| Default service port: | - |
| Notes: | User: m0nk3y, Password: Passw0rd!; User: m0nk3y-user, no password. |

| Nr. 3-46 Powershell (10.2.3.46) | (Vulnerable) |
|---|---|
| OS: | Windows Server 2016 x64 |
| Software: | WinRM service |
| Default service port: | - |
| Notes: | User: m0nk3y, Password: Passw0rd! |

| Nr. 3-47 Powershell (10.2.3.47) | (Vulnerable) |
|---|---|
| OS: | Windows Server 2016 x64 |
| Software: | WinRM service |
| Default service port: | - |
| Notes: | User: m0nk3y, Password: Xk8VDTsC |

| Nr. 250 MonkeyIsland (10.2.2.250) | |
|---|---|
| OS: | Ubuntu 16.04.05 x64 |
| Software: | MonkeyIsland server, git, mongodb etc. |
| Default service ports: | 22, 443 |
| Private key passphrase: | - |
| Notes: | Only accessible through GCP |

| Nr. 251 MonkeyIsland (10.2.2.251) | |
|---|---|
| OS: | Windows Server 2016 x64 |
| Software: | MonkeyIsland server, git, mongodb etc. |
| Default service ports: | 3389, 443 |
| Private key passphrase: | - |
| Notes: | Only accessible through GCP |