forked from p15670423/monkey
Add a detailed issue to the security report
This commit is contained in:
parent
3df5078ec1
commit
1e259fc131
|
@ -1,22 +1,25 @@
|
||||||
import functools
|
import functools
|
||||||
|
import ipaddress
|
||||||
import itertools
|
import itertools
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
import ipaddress
|
|
||||||
from bson import json_util
|
|
||||||
from enum import Enum
|
from enum import Enum
|
||||||
|
|
||||||
|
from bson import json_util
|
||||||
|
|
||||||
from common.network.network_range import NetworkRange
|
from common.network.network_range import NetworkRange
|
||||||
from common.network.segmentation_utils import get_ip_in_src_and_not_in_dst
|
from common.network.segmentation_utils import get_ip_in_src_and_not_in_dst
|
||||||
from monkey_island.cc.database import mongo
|
from monkey_island.cc.database import mongo
|
||||||
from monkey_island.cc.models import Monkey
|
from monkey_island.cc.models import Monkey
|
||||||
|
from monkey_island.cc.network_utils import get_subnets, local_ip_addresses
|
||||||
from monkey_island.cc.services.config import ConfigService
|
from monkey_island.cc.services.config import ConfigService
|
||||||
from monkey_island.cc.services.configuration.utils import get_config_network_segments_as_subnet_groups
|
from monkey_island.cc.services.configuration.utils import \
|
||||||
|
get_config_network_segments_as_subnet_groups
|
||||||
from monkey_island.cc.services.node import NodeService
|
from monkey_island.cc.services.node import NodeService
|
||||||
from monkey_island.cc.services.reporting.pth_report import PTHReportService
|
from monkey_island.cc.services.reporting.pth_report import PTHReportService
|
||||||
from monkey_island.cc.services.reporting.report_exporter_manager import ReportExporterManager
|
from monkey_island.cc.services.reporting.report_exporter_manager import \
|
||||||
from monkey_island.cc.services.reporting.report_generation_synchronisation import safe_generate_regular_report
|
ReportExporterManager
|
||||||
from monkey_island.cc.network_utils import local_ip_addresses, get_subnets
|
from monkey_island.cc.services.reporting.report_generation_synchronisation import \
|
||||||
|
safe_generate_regular_report
|
||||||
|
|
||||||
__author__ = "itay.mizeretz"
|
__author__ = "itay.mizeretz"
|
||||||
|
|
||||||
|
@ -59,6 +62,7 @@ class ReportService:
|
||||||
PTH_CRIT_SERVICES_ACCESS = 11
|
PTH_CRIT_SERVICES_ACCESS = 11
|
||||||
MSSQL = 12
|
MSSQL = 12
|
||||||
VSFTPD = 13
|
VSFTPD = 13
|
||||||
|
DRUPAL = 14
|
||||||
|
|
||||||
class WARNINGS_DICT(Enum):
|
class WARNINGS_DICT(Enum):
|
||||||
CROSS_SEGMENT = 0
|
CROSS_SEGMENT = 0
|
||||||
|
@ -623,7 +627,7 @@ class ReportService:
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_config_exploits():
|
def get_config_exploits():
|
||||||
exploits_config_value = ['exploits', 'general', 'exploiter_classes']
|
exploits_config_value = ['basic', 'exploiters', 'exploiter_classes']
|
||||||
default_exploits = ConfigService.get_default_config(False)
|
default_exploits = ConfigService.get_default_config(False)
|
||||||
for namespace in exploits_config_value:
|
for namespace in exploits_config_value:
|
||||||
default_exploits = default_exploits[namespace]
|
default_exploits = default_exploits[namespace]
|
||||||
|
@ -637,11 +641,11 @@ class ReportService:
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_config_ips():
|
def get_config_ips():
|
||||||
return ConfigService.get_config_value(['basic_network', 'general', 'subnet_scan_list'], True, True)
|
return ConfigService.get_config_value(['basic_network', 'scope', 'subnet_scan_list'], True, True)
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_config_scan():
|
def get_config_scan():
|
||||||
return ConfigService.get_config_value(['basic_network', 'general', 'local_network_scan'], True, True)
|
return ConfigService.get_config_value(['basic_network', 'scope', 'local_network_scan'], True, True)
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_issues_overview(issues, config_users, config_passwords):
|
def get_issues_overview(issues, config_users, config_passwords):
|
||||||
|
@ -671,6 +675,8 @@ class ReportService:
|
||||||
issues_byte_array[ReportService.ISSUES_DICT.MSSQL.value] = True
|
issues_byte_array[ReportService.ISSUES_DICT.MSSQL.value] = True
|
||||||
elif issue['type'] == 'hadoop':
|
elif issue['type'] == 'hadoop':
|
||||||
issues_byte_array[ReportService.ISSUES_DICT.HADOOP.value] = True
|
issues_byte_array[ReportService.ISSUES_DICT.HADOOP.value] = True
|
||||||
|
elif issue['type'] == 'drupal':
|
||||||
|
issues_byte_array[ReportService.ISSUES_DICT.DRUPAL.value] = True
|
||||||
elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \
|
elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \
|
||||||
issue['username'] in config_users or issue['type'] == 'ssh':
|
issue['username'] in config_users or issue['type'] == 'ssh':
|
||||||
issues_byte_array[ReportService.ISSUES_DICT.WEAK_PASSWORD.value] = True
|
issues_byte_array[ReportService.ISSUES_DICT.WEAK_PASSWORD.value] = True
|
||||||
|
|
|
@ -161,25 +161,29 @@ class ReportPageComponent extends AuthComponent {
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
The monkey started propagating from the following machines where it was manually installed:
|
The monkey started propagating from the following machines where it was manually installed:
|
||||||
<ul>
|
|
||||||
{this.state.report.overview.manual_monkeys.map(x => <li>{x}</li>)}
|
|
||||||
</ul>
|
|
||||||
</p>
|
</p>
|
||||||
|
<ul>
|
||||||
|
{this.state.report.overview.manual_monkeys.map(x => <li key={x}>{x}</li>)}
|
||||||
|
</ul>
|
||||||
<p>
|
<p>
|
||||||
The monkeys were run with the following configuration:
|
The monkeys were run with the following configuration:
|
||||||
</p>
|
</p>
|
||||||
{
|
{
|
||||||
this.state.report.overview.config_users.length > 0 ?
|
this.state.report.overview.config_users.length > 0 ?
|
||||||
|
<>
|
||||||
<p>
|
<p>
|
||||||
Usernames used for brute-forcing:
|
Usernames used for brute-forcing:
|
||||||
<ul>
|
|
||||||
{this.state.report.overview.config_users.map(x => <li>{x}</li>)}
|
|
||||||
</ul>
|
|
||||||
Passwords used for brute-forcing:
|
|
||||||
<ul>
|
|
||||||
{this.state.report.overview.config_passwords.map(x => <li>{x.substr(0, 3) + '******'}</li>)}
|
|
||||||
</ul>
|
|
||||||
</p>
|
</p>
|
||||||
|
<ul>
|
||||||
|
{this.state.report.overview.config_users.map(x => <li key={x}>{x}</li>)}
|
||||||
|
</ul>
|
||||||
|
<p>
|
||||||
|
Passwords used for brute-forcing:
|
||||||
|
</p>
|
||||||
|
<ul>
|
||||||
|
{this.state.report.overview.config_passwords.map(x => <li key={x}>{x.substr(0, 3) + '******'}</li>)}
|
||||||
|
</ul>
|
||||||
|
</>
|
||||||
:
|
:
|
||||||
<p>
|
<p>
|
||||||
Brute forcing uses stolen credentials only. No credentials were supplied during Monkey’s
|
Brute forcing uses stolen credentials only. No credentials were supplied during Monkey’s
|
||||||
|
@ -195,7 +199,7 @@ class ReportPageComponent extends AuthComponent {
|
||||||
<p>
|
<p>
|
||||||
The Monkey uses the following exploit methods:
|
The Monkey uses the following exploit methods:
|
||||||
<ul>
|
<ul>
|
||||||
{this.state.report.overview.config_exploits.map(x => <li>{x}</li>)}
|
{this.state.report.overview.config_exploits.map(x => <li key={x}>{x}</li>)}
|
||||||
</ul>
|
</ul>
|
||||||
</p>
|
</p>
|
||||||
)
|
)
|
||||||
|
@ -209,7 +213,7 @@ class ReportPageComponent extends AuthComponent {
|
||||||
<p>
|
<p>
|
||||||
The Monkey scans the following IPs:
|
The Monkey scans the following IPs:
|
||||||
<ul>
|
<ul>
|
||||||
{this.state.report.overview.config_ips.map(x => <li>{x}</li>)}
|
{this.state.report.overview.config_ips.map(x => <li key={x}>{x}</li>)}
|
||||||
</ul>
|
</ul>
|
||||||
</p>
|
</p>
|
||||||
:
|
:
|
||||||
|
@ -313,15 +317,15 @@ class ReportPageComponent extends AuthComponent {
|
||||||
The Monkey uncovered the following possible set of issues:
|
The Monkey uncovered the following possible set of issues:
|
||||||
<ul>
|
<ul>
|
||||||
{this.state.report.overview.warnings[this.Warning.CROSS_SEGMENT] ?
|
{this.state.report.overview.warnings[this.Warning.CROSS_SEGMENT] ?
|
||||||
<li>Weak segmentation - Machines from different segments are able to
|
<li key={this.Warning.CROSS_SEGMENT}>Weak segmentation - Machines from different segments are able to
|
||||||
communicate.</li> : null}
|
communicate.</li> : null}
|
||||||
{this.state.report.overview.warnings[this.Warning.TUNNEL] ?
|
{this.state.report.overview.warnings[this.Warning.TUNNEL] ?
|
||||||
<li>Weak segmentation - Machines were able to communicate over unused ports.</li> : null}
|
<li key={this.Warning.TUNNEL}>Weak segmentation - Machines were able to communicate over unused ports.</li> : null}
|
||||||
{this.state.report.overview.warnings[this.Warning.SHARED_LOCAL_ADMIN] ?
|
{this.state.report.overview.warnings[this.Warning.SHARED_LOCAL_ADMIN] ?
|
||||||
<li>Shared local administrator account - Different machines have the same account as a local
|
<li key={this.Warning.SHARED_LOCAL_ADMIN}>Shared local administrator account - Different machines have the same account as a local
|
||||||
administrator.</li> : null}
|
administrator.</li> : null}
|
||||||
{this.state.report.overview.warnings[this.Warning.SHARED_PASSWORDS] ?
|
{this.state.report.overview.warnings[this.Warning.SHARED_PASSWORDS] ?
|
||||||
<li>Multiple users have the same password</li> : null}
|
<li key={this.Warning.SHARED_PASSWORDS}>Multiple users have the same password</li> : null}
|
||||||
</ul>
|
</ul>
|
||||||
</div>
|
</div>
|
||||||
:
|
:
|
||||||
|
@ -443,21 +447,22 @@ class ReportPageComponent extends AuthComponent {
|
||||||
}
|
}
|
||||||
|
|
||||||
generateInfoBadges(data_array) {
|
generateInfoBadges(data_array) {
|
||||||
return data_array.map(badge_data => <span className="badge badge-info" style={{margin: '2px'}}>{badge_data}</span>);
|
return data_array.map(badge_data => <span key={badge_data} className="badge badge-info" style={{margin: '2px'}}>{badge_data}</span>);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateCrossSegmentIssue(crossSegmentIssue) {
|
generateCrossSegmentIssue(crossSegmentIssue) {
|
||||||
return <li>
|
let crossSegmentIssueOverview = 'Communication possible from ' + crossSegmentIssue['source_subnet'] + ' to ' + crossSegmentIssue['target_subnet']
|
||||||
{'Communication possible from ' + crossSegmentIssue['source_subnet'] + ' to ' + crossSegmentIssue['target_subnet']}
|
return <li key={crossSegmentIssueOverview}>
|
||||||
|
{crossSegmentIssueOverview}
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
<ul>
|
<ul>
|
||||||
{crossSegmentIssue['issues'].map(x =>
|
{crossSegmentIssue['issues'].map(x =>
|
||||||
x['is_self'] ?
|
x['is_self'] ?
|
||||||
<li>
|
<li key={x['hostname']}>
|
||||||
{'Machine ' + x['hostname'] + ' has both ips: ' + x['source'] + ' and ' + x['target']}
|
{'Machine ' + x['hostname'] + ' has both ips: ' + x['source'] + ' and ' + x['target']}
|
||||||
</li>
|
</li>
|
||||||
:
|
:
|
||||||
<li>
|
<li key={x['source'] + x['target']}>
|
||||||
{'IP ' + x['source'] + ' (' + x['hostname'] + ') connected to IP ' + x['target']
|
{'IP ' + x['source'] + ' (' + x['hostname'] + ') connected to IP ' + x['target']
|
||||||
+ ' using the services: ' + Object.keys(x['services']).join(', ')}
|
+ ' using the services: ' + Object.keys(x['services']).join(', ')}
|
||||||
</li>
|
</li>
|
||||||
|
@ -468,12 +473,12 @@ class ReportPageComponent extends AuthComponent {
|
||||||
}
|
}
|
||||||
|
|
||||||
generateShellshockPathListBadges(paths) {
|
generateShellshockPathListBadges(paths) {
|
||||||
return paths.map(path => <span className="badge badge-warning" style={{margin: '2px'}}>{path}</span>);
|
return paths.map(path => <span className="badge badge-warning" style={{margin: '2px'}} key={path}>{path}</span>);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateSmbPasswordIssue(issue) {
|
generateSmbPasswordIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Change <span className="badge badge-success">{issue.username}</span>'s password to a complex one-use password
|
Change <span className="badge badge-success">{issue.username}</span>'s password to a complex one-use password
|
||||||
that is not shared with other computers on the network.
|
that is not shared with other computers on the network.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
|
@ -484,13 +489,13 @@ class ReportPageComponent extends AuthComponent {
|
||||||
The Monkey authenticated over the SMB protocol with user <span
|
The Monkey authenticated over the SMB protocol with user <span
|
||||||
className="badge badge-success">{issue.username}</span> and its password.
|
className="badge badge-success">{issue.username}</span> and its password.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateSmbPthIssue(issue) {
|
generateSmbPthIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Change <span className="badge badge-success">{issue.username}</span>'s password to a complex one-use password
|
Change <span className="badge badge-success">{issue.username}</span>'s password to a complex one-use password
|
||||||
that is not shared with other computers on the network.
|
that is not shared with other computers on the network.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
|
@ -501,13 +506,13 @@ class ReportPageComponent extends AuthComponent {
|
||||||
The Monkey used a pass-the-hash attack over SMB protocol with user <span
|
The Monkey used a pass-the-hash attack over SMB protocol with user <span
|
||||||
className="badge badge-success">{issue.username}</span>.
|
className="badge badge-success">{issue.username}</span>.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateWmiPasswordIssue(issue) {
|
generateWmiPasswordIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Change <span className="badge badge-success">{issue.username}</span>'s password to a complex one-use password
|
Change <span className="badge badge-success">{issue.username}</span>'s password to a complex one-use password
|
||||||
that is not shared with other computers on the network.
|
that is not shared with other computers on the network.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
|
@ -518,13 +523,13 @@ class ReportPageComponent extends AuthComponent {
|
||||||
The Monkey authenticated over the WMI protocol with user <span
|
The Monkey authenticated over the WMI protocol with user <span
|
||||||
className="badge badge-success">{issue.username}</span> and its password.
|
className="badge badge-success">{issue.username}</span> and its password.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateWmiPthIssue(issue) {
|
generateWmiPthIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Change <span className="badge badge-success">{issue.username}</span>'s password to a complex one-use password
|
Change <span className="badge badge-success">{issue.username}</span>'s password to a complex one-use password
|
||||||
that is not shared with other computers on the network.
|
that is not shared with other computers on the network.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
|
@ -535,13 +540,13 @@ class ReportPageComponent extends AuthComponent {
|
||||||
The Monkey used a pass-the-hash attack over WMI protocol with user <span
|
The Monkey used a pass-the-hash attack over WMI protocol with user <span
|
||||||
className="badge badge-success">{issue.username}</span>.
|
className="badge badge-success">{issue.username}</span>.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateSshIssue(issue) {
|
generateSshIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Change <span className="badge badge-success">{issue.username}</span>'s password to a complex one-use password
|
Change <span className="badge badge-success">{issue.username}</span>'s password to a complex one-use password
|
||||||
that is not shared with other computers on the network.
|
that is not shared with other computers on the network.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
|
@ -552,13 +557,13 @@ class ReportPageComponent extends AuthComponent {
|
||||||
The Monkey authenticated over the SSH protocol with user <span
|
The Monkey authenticated over the SSH protocol with user <span
|
||||||
className="badge badge-success">{issue.username}</span> and its password.
|
className="badge badge-success">{issue.username}</span> and its password.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateSshKeysIssue(issue) {
|
generateSshKeysIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Protect <span className="badge badge-success">{issue.ssh_key}</span> private key with a pass phrase.
|
Protect <span className="badge badge-success">{issue.ssh_key}</span> private key with a pass phrase.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
|
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
|
||||||
|
@ -568,14 +573,14 @@ class ReportPageComponent extends AuthComponent {
|
||||||
The Monkey authenticated over the SSH protocol with private key <span
|
The Monkey authenticated over the SSH protocol with private key <span
|
||||||
className="badge badge-success">{issue.ssh_key}</span>.
|
className="badge badge-success">{issue.ssh_key}</span>.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
generateSambaCryIssue(issue) {
|
generateSambaCryIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Change <span className="badge badge-success">{issue.username}</span>'s password to a complex one-use password
|
Change <span className="badge badge-success">{issue.username}</span>'s password to a complex one-use password
|
||||||
that is not shared with other computers on the network.
|
that is not shared with other computers on the network.
|
||||||
<br/>
|
<br/>
|
||||||
|
@ -589,13 +594,13 @@ class ReportPageComponent extends AuthComponent {
|
||||||
className="badge badge-success">{issue.username}</span> and its password, and used the SambaCry
|
className="badge badge-success">{issue.username}</span> and its password, and used the SambaCry
|
||||||
vulnerability.
|
vulnerability.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateVsftpdBackdoorIssue(issue) {
|
generateVsftpdBackdoorIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Update your VSFTPD server to the latest version vsftpd-3.0.3.
|
Update your VSFTPD server to the latest version vsftpd-3.0.3.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
|
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
|
||||||
|
@ -614,13 +619,13 @@ class ReportPageComponent extends AuthComponent {
|
||||||
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523"
|
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523"
|
||||||
>here</a>.
|
>here</a>.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateElasticIssue(issue) {
|
generateElasticIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Update your Elastic Search server to version 1.4.3 and up.
|
Update your Elastic Search server to version 1.4.3 and up.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
|
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
|
||||||
|
@ -629,13 +634,13 @@ class ReportPageComponent extends AuthComponent {
|
||||||
<br/>
|
<br/>
|
||||||
The attack was made possible because the Elastic Search server was not patched against CVE-2015-1427.
|
The attack was made possible because the Elastic Search server was not patched against CVE-2015-1427.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateShellshockIssue(issue) {
|
generateShellshockIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Update your Bash to a ShellShock-patched version.
|
Update your Bash to a ShellShock-patched version.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
|
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
|
||||||
|
@ -646,13 +651,13 @@ class ReportPageComponent extends AuthComponent {
|
||||||
className="badge badge-info">{issue.port}</span> was vulnerable to a shell injection attack on the
|
className="badge badge-info">{issue.port}</span> was vulnerable to a shell injection attack on the
|
||||||
paths: {this.generateShellshockPathListBadges(issue.paths)}.
|
paths: {this.generateShellshockPathListBadges(issue.paths)}.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateAzureIssue(issue) {
|
generateAzureIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Delete VM Access plugin configuration files.
|
Delete VM Access plugin configuration files.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
Credentials could be stolen from <span
|
Credentials could be stolen from <span
|
||||||
|
@ -661,13 +666,13 @@ class ReportPageComponent extends AuthComponent {
|
||||||
href="https://www.guardicore.com/2018/03/recovering-plaintext-passwords-azure/"
|
href="https://www.guardicore.com/2018/03/recovering-plaintext-passwords-azure/"
|
||||||
>here</a>.
|
>here</a>.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateConfickerIssue(issue) {
|
generateConfickerIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Install the latest Windows updates or upgrade to a newer operating system.
|
Install the latest Windows updates or upgrade to a newer operating system.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
|
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
|
||||||
|
@ -677,13 +682,13 @@ class ReportPageComponent extends AuthComponent {
|
||||||
The attack was made possible because the target machine used an outdated and unpatched operating system
|
The attack was made possible because the target machine used an outdated and unpatched operating system
|
||||||
vulnerable to Conficker.
|
vulnerable to Conficker.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateIslandCrossSegmentIssue(issue) {
|
generateIslandCrossSegmentIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Segment your network and make sure there is no communication between machines from different segments.
|
Segment your network and make sure there is no communication between machines from different segments.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
The network can probably be segmented. A monkey instance on <span
|
The network can probably be segmented. A monkey instance on <span
|
||||||
|
@ -692,37 +697,37 @@ class ReportPageComponent extends AuthComponent {
|
||||||
could directly access the Monkey Island server in the
|
could directly access the Monkey Island server in the
|
||||||
networks {this.generateInfoBadges(issue.server_networks)}.
|
networks {this.generateInfoBadges(issue.server_networks)}.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateSharedCredsDomainIssue(issue) {
|
generateSharedCredsDomainIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Some domain users are sharing passwords, this should be fixed by changing passwords.
|
Some domain users are sharing passwords, this should be fixed by changing passwords.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
These users are sharing access password:
|
These users are sharing access password:
|
||||||
{this.generateInfoBadges(issue.shared_with)}.
|
{this.generateInfoBadges(issue.shared_with)}.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateSharedCredsIssue(issue) {
|
generateSharedCredsIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Some users are sharing passwords, this should be fixed by changing passwords.
|
Some users are sharing passwords, this should be fixed by changing passwords.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
These users are sharing access password:
|
These users are sharing access password:
|
||||||
{this.generateInfoBadges(issue.shared_with)}.
|
{this.generateInfoBadges(issue.shared_with)}.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateSharedLocalAdminsIssue(issue) {
|
generateSharedLocalAdminsIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Make sure the right administrator accounts are managing the right machines, and that there isn’t an unintentional local
|
Make sure the right administrator accounts are managing the right machines, and that there isn’t an unintentional local
|
||||||
admin sharing.
|
admin sharing.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
|
@ -730,13 +735,13 @@ class ReportPageComponent extends AuthComponent {
|
||||||
className="badge badge-primary">{issue.username}</span> is defined as an administrator:
|
className="badge badge-primary">{issue.username}</span> is defined as an administrator:
|
||||||
{this.generateInfoBadges(issue.shared_machines)}
|
{this.generateInfoBadges(issue.shared_machines)}
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateStrongUsersOnCritIssue(issue) {
|
generateStrongUsersOnCritIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
This critical machine is open to attacks via strong users with access to it.
|
This critical machine is open to attacks via strong users with access to it.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
The services: {this.generateInfoBadges(issue.services)} have been found on the machine
|
The services: {this.generateInfoBadges(issue.services)} have been found on the machine
|
||||||
|
@ -744,26 +749,26 @@ class ReportPageComponent extends AuthComponent {
|
||||||
These users has access to it:
|
These users has access to it:
|
||||||
{this.generateInfoBadges(issue.threatening_users)}.
|
{this.generateInfoBadges(issue.threatening_users)}.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateTunnelIssue(issue) {
|
generateTunnelIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Use micro-segmentation policies to disable communication other than the required.
|
Use micro-segmentation policies to disable communication other than the required.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
Machines are not locked down at port level. Network tunnel was set up from <span
|
Machines are not locked down at port level. Network tunnel was set up from <span
|
||||||
className="badge badge-primary">{issue.machine}</span> to <span
|
className="badge badge-primary">{issue.machine}</span> to <span
|
||||||
className="badge badge-primary">{issue.dest}</span>.
|
className="badge badge-primary">{issue.dest}</span>.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateStruts2Issue(issue) {
|
generateStruts2Issue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Upgrade Struts2 to version 2.3.32 or 2.5.10.1 or any later versions.
|
Upgrade Struts2 to version 2.3.32 or 2.5.10.1 or any later versions.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
Struts2 server at <span className="badge badge-primary">{issue.machine}</span> (<span
|
Struts2 server at <span className="badge badge-primary">{issue.machine}</span> (<span
|
||||||
|
@ -775,13 +780,31 @@ class ReportPageComponent extends AuthComponent {
|
||||||
href="https://cwiki.apache.org/confluence/display/WW/S2-045"
|
href="https://cwiki.apache.org/confluence/display/WW/S2-045"
|
||||||
>here</a>.
|
>here</a>.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
generateDrupalIssue(issue) {
|
||||||
|
return (
|
||||||
|
<>
|
||||||
|
Upgrade Drupal server to versions 8.5.11, 8.6.10, or later.
|
||||||
|
<CollapsibleWellComponent>
|
||||||
|
Drupal server at <span className="badge badge-primary">{issue.machine}</span> (<span
|
||||||
|
className="badge badge-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to <span
|
||||||
|
className="badge badge-danger">remote command execution</span> attack.
|
||||||
|
<br/>
|
||||||
|
The attack was made possible because the server is using an old version of Drupal.
|
||||||
|
For possible workarounds and more info read <a
|
||||||
|
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340"
|
||||||
|
>here</a>.
|
||||||
|
</CollapsibleWellComponent>
|
||||||
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateWebLogicIssue(issue) {
|
generateWebLogicIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Update Oracle WebLogic server to the latest supported version.
|
Update Oracle WebLogic server to the latest supported version.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
Oracle WebLogic server at <span className="badge badge-primary">{issue.machine}</span> (<span
|
Oracle WebLogic server at <span className="badge badge-primary">{issue.machine}</span> (<span
|
||||||
|
@ -792,13 +815,13 @@ class ReportPageComponent extends AuthComponent {
|
||||||
<a href={'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271'}> CVE-2017-10271</a> or
|
<a href={'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271'}> CVE-2017-10271</a> or
|
||||||
<a href={'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2725'}> CVE-2019-2725</a>
|
<a href={'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2725'}> CVE-2019-2725</a>
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateHadoopIssue(issue) {
|
generateHadoopIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Run Hadoop in secure mode (<a
|
Run Hadoop in secure mode (<a
|
||||||
href="http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html">
|
href="http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html">
|
||||||
add Kerberos authentication</a>).
|
add Kerberos authentication</a>).
|
||||||
|
@ -809,13 +832,13 @@ class ReportPageComponent extends AuthComponent {
|
||||||
<br/>
|
<br/>
|
||||||
The attack was made possible due to default Hadoop/Yarn configuration being insecure.
|
The attack was made possible due to default Hadoop/Yarn configuration being insecure.
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateMSSQLIssue(issue) {
|
generateMSSQLIssue(issue) {
|
||||||
return (
|
return (
|
||||||
<li>
|
<>
|
||||||
Disable the xp_cmdshell option.
|
Disable the xp_cmdshell option.
|
||||||
<CollapsibleWellComponent>
|
<CollapsibleWellComponent>
|
||||||
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
|
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
|
||||||
|
@ -827,88 +850,91 @@ class ReportPageComponent extends AuthComponent {
|
||||||
href="https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-2017">
|
href="https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-2017">
|
||||||
Microsoft's documentation. </a>
|
Microsoft's documentation. </a>
|
||||||
</CollapsibleWellComponent>
|
</CollapsibleWellComponent>
|
||||||
</li>
|
</>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
generateIssue = (issue) => {
|
generateIssue = (issue) => {
|
||||||
let data;
|
let issueData;
|
||||||
switch (issue.type) {
|
switch (issue.type) {
|
||||||
case 'vsftp':
|
case 'vsftp':
|
||||||
data = this.generateVsftpdBackdoorIssue(issue);
|
issueData = this.generateVsftpdBackdoorIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'smb_password':
|
case 'smb_password':
|
||||||
data = this.generateSmbPasswordIssue(issue);
|
issueData = this.generateSmbPasswordIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'smb_pth':
|
case 'smb_pth':
|
||||||
data = this.generateSmbPthIssue(issue);
|
issueData = this.generateSmbPthIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'wmi_password':
|
case 'wmi_password':
|
||||||
data = this.generateWmiPasswordIssue(issue);
|
issueData = this.generateWmiPasswordIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'wmi_pth':
|
case 'wmi_pth':
|
||||||
data = this.generateWmiPthIssue(issue);
|
issueData = this.generateWmiPthIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'ssh':
|
case 'ssh':
|
||||||
data = this.generateSshIssue(issue);
|
issueData = this.generateSshIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'ssh_key':
|
case 'ssh_key':
|
||||||
data = this.generateSshKeysIssue(issue);
|
issueData = this.generateSshKeysIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'sambacry':
|
case 'sambacry':
|
||||||
data = this.generateSambaCryIssue(issue);
|
issueData = this.generateSambaCryIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'elastic':
|
case 'elastic':
|
||||||
data = this.generateElasticIssue(issue);
|
issueData = this.generateElasticIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'shellshock':
|
case 'shellshock':
|
||||||
data = this.generateShellshockIssue(issue);
|
issueData = this.generateShellshockIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'conficker':
|
case 'conficker':
|
||||||
data = this.generateConfickerIssue(issue);
|
issueData = this.generateConfickerIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'island_cross_segment':
|
case 'island_cross_segment':
|
||||||
data = this.generateIslandCrossSegmentIssue(issue);
|
issueData = this.generateIslandCrossSegmentIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'shared_passwords':
|
case 'shared_passwords':
|
||||||
data = this.generateSharedCredsIssue(issue);
|
issueData = this.generateSharedCredsIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'shared_passwords_domain':
|
case 'shared_passwords_domain':
|
||||||
data = this.generateSharedCredsDomainIssue(issue);
|
issueData = this.generateSharedCredsDomainIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'shared_admins_domain':
|
case 'shared_admins_domain':
|
||||||
data = this.generateSharedLocalAdminsIssue(issue);
|
issueData = this.generateSharedLocalAdminsIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'strong_users_on_crit':
|
case 'strong_users_on_crit':
|
||||||
data = this.generateStrongUsersOnCritIssue(issue);
|
issueData = this.generateStrongUsersOnCritIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'tunnel':
|
case 'tunnel':
|
||||||
data = this.generateTunnelIssue(issue);
|
issueData = this.generateTunnelIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'azure_password':
|
case 'azure_password':
|
||||||
data = this.generateAzureIssue(issue);
|
issueData = this.generateAzureIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'struts2':
|
case 'struts2':
|
||||||
data = this.generateStruts2Issue(issue);
|
issueData = this.generateStruts2Issue(issue);
|
||||||
break;
|
break;
|
||||||
case 'weblogic':
|
case 'weblogic':
|
||||||
data = this.generateWebLogicIssue(issue);
|
issueData = this.generateWebLogicIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'hadoop':
|
case 'hadoop':
|
||||||
data = this.generateHadoopIssue(issue);
|
issueData = this.generateHadoopIssue(issue);
|
||||||
break;
|
break;
|
||||||
case 'mssql':
|
case 'mssql':
|
||||||
data = this.generateMSSQLIssue(issue);
|
issueData = this.generateMSSQLIssue(issue);
|
||||||
|
break;
|
||||||
|
case 'drupal':
|
||||||
|
issueData = this.generateDrupalIssue(issue);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
return data;
|
return <li key={JSON.stringify(issue)}>{issueData}</li>;
|
||||||
};
|
};
|
||||||
|
|
||||||
generateIssues = (issues) => {
|
generateIssues = (issues) => {
|
||||||
let issuesDivArray = [];
|
let issuesDivArray = [];
|
||||||
for (let machine of Object.keys(issues)) {
|
for (let machine of Object.keys(issues)) {
|
||||||
issuesDivArray.push(
|
issuesDivArray.push(
|
||||||
<li>
|
<li key={JSON.stringify(machine)}>
|
||||||
<h4><b>{machine}</b></h4>
|
<h4><b>{machine}</b></h4>
|
||||||
<ol>
|
<ol>
|
||||||
{issues[machine].map(this.generateIssue)}
|
{issues[machine].map(this.generateIssue)}
|
||||||
|
|
Loading…
Reference in New Issue