From 31d9f04fe732415a6a0f07ea420c1325b24ab4cd Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Wed, 30 Mar 2022 12:18:32 +0530
Subject: [PATCH 1/6] Agent: Remove leftover WormConfiguration code from HostExploiter

---
 monkey/infection_monkey/exploit/HostExploiter.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/monkey/infection_monkey/exploit/HostExploiter.py b/monkey/infection_monkey/exploit/HostExploiter.py
index 09a6d274e..602dd338a 100644
--- a/monkey/infection_monkey/exploit/HostExploiter.py
+++ b/monkey/infection_monkey/exploit/HostExploiter.py
@@ -5,7 +5,6 @@ from datetime import datetime
 from typing import Dict
 
 from common.utils.exceptions import FailedExploitationError
-from infection_monkey.config import WormConfiguration
 from infection_monkey.i_puppet import ExploiterResultData
 from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
@@ -21,7 +20,6 @@ class HostExploiter:
         pass
 
     def __init__(self):
-        self._config = WormConfiguration
         self.exploit_info = {
             "display_name": self._EXPLOITED_SERVICE,
             "started": "",

From 99b621f2c8505c997a3c302864e8834258694223 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Wed, 30 Mar 2022 12:25:59 +0530
Subject: [PATCH 2/6] Project: Add config's post_breach_actions to Vulture's allowlist

---
 vulture_allowlist.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/vulture_allowlist.py b/vulture_allowlist.py
index 687a9b497..4d1b25d3f 100644
--- a/vulture_allowlist.py
+++ b/vulture_allowlist.py
@@ -149,6 +149,7 @@ Report.meta
 LDAPServerFactory.buildProtocol
 get_file_sha256_hash
 strict_slashes # unused attribute (monkey/monkey_island/cc/app.py:96)
+post_breach_actions # unused variable (monkey\infection_monkey\config.py:95)
 
 # these are not needed for it to work, but may be useful extra information to understand what's going on
 WINDOWS_PBA_TYPE # unused variable (monkey/monkey_island/cc/resources/pba_file_upload.py:23)
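Review bot: The location comment on the added allowlist entry uses backslash separators, `(monkey\infection_monkey\config.py:95)`, while every neighbouring entry in the hunk uses forward slashes (for example `monkey/monkey_island/cc/app.py:96`); writing it as `post_breach_actions # unused variable (monkey/infection_monkey/config.py:95)` keeps the file consistent and greppable by path. Separately, the entry hides an unused config attribute from vulture rather than removing it; if nothing reads post_breach_actions any more, deleting it from config.py (not part of this patch, so worth confirming) would be the cleaner fix than a permanent allowlist line.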
From 296a91a458a362eddf485f2671b1e66e06071648 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Wed, 30 Mar 2022 12:26:34 +0530
Subject: [PATCH 3/6] Agent: Remove unused file post_breach_handler.py

---
 .../post_breach/post_breach_handler.py | 39 -------------------
 1 file changed, 39 deletions(-)
 delete mode 100644 monkey/infection_monkey/post_breach/post_breach_handler.py

diff --git a/monkey/infection_monkey/post_breach/post_breach_handler.py b/monkey/infection_monkey/post_breach/post_breach_handler.py
deleted file mode 100644
index 489b2065a..000000000
--- a/monkey/infection_monkey/post_breach/post_breach_handler.py
+++ /dev/null
@@ -1,39 +0,0 @@
-import logging
-from multiprocessing.dummy import Pool
-from typing import Sequence
-
-from infection_monkey.post_breach.pba import PBA
-
-logger = logging.getLogger(__name__)
-
-
-class PostBreach(object):
-    """
-    This class handles post breach actions execution
-    """
-
-    def __init__(self):
-        self.pba_list = self.config_to_pba_list()
-
-    def execute_all_configured(self):
-        """
-        Executes all post breach actions.
-        """
-        with Pool(5) as pool:
-            pool.map(self.run_pba, self.pba_list)
-        logger.info("All PBAs executed. Total {} executed.".format(len(self.pba_list)))
-
-    @staticmethod
-    def config_to_pba_list() -> Sequence[PBA]:
-        """
-        :return: A list of PBA objects.
-        """
-        return PBA.get_instances()
-
-    def run_pba(self, pba):
-        try:
-            logger.debug("Executing PBA: '{}'".format(pba.name))
-            pba.run()
-            logger.debug(f"Execution of {pba.name} finished")
-        except Exception as e:
-            logger.error("PBA {} failed. Error info: {}".format(pba.name, e))

From 2c32c354ae36627be6c26620c5b11efb3ccb2192 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 30 Mar 2022 07:20:37 -0400
Subject: [PATCH 4/6] Agent: Remove MockMaster

This mock has outlived its usefulness and can now be removed.
---
 monkey/infection_monkey/master/mock_master.py | 127 ------------------
 vulture_allowlist.py | 1 -
 2 files changed, 128 deletions(-)
 delete mode 100644 monkey/infection_monkey/master/mock_master.py

diff --git a/monkey/infection_monkey/master/mock_master.py b/monkey/infection_monkey/master/mock_master.py
deleted file mode 100644
index 528f0ec3d..000000000
--- a/monkey/infection_monkey/master/mock_master.py
+++ /dev/null
@@ -1,127 +0,0 @@
-import logging
-
-from infection_monkey.i_master import IMaster
-from infection_monkey.i_puppet import IPuppet, PortStatus
-from infection_monkey.model.host import VictimHost
-from infection_monkey.telemetry.credentials_telem import CredentialsTelem
-from infection_monkey.telemetry.exploit_telem import ExploitTelem
-from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
-from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
-from infection_monkey.telemetry.scan_telem import ScanTelem
-
-logger = logging.getLogger()
-
-
-class MockMaster(IMaster):
-    def __init__(self, puppet: IPuppet, telemetry_messenger: ITelemetryMessenger):
-        self._puppet = puppet
-        self._telemetry_messenger = telemetry_messenger
-        self._hosts = {
-            "10.0.0.1": VictimHost("10.0.0.1"),
-            "10.0.0.2": VictimHost("10.0.0.2"),
-            "10.0.0.3": VictimHost("10.0.0.3"),
-            "10.0.0.4": VictimHost("10.0.0.4"),
-        }
-
-    def start(self) -> None:
-        self._run_sys_info_collectors()
-        self._run_pbas()
-        self._scan_victims()
-        self._fingerprint()
-        self._exploit()
-        self._run_payload()
-
-    def _run_credential_collectors(self):
-        logger.info("Running credential collectors")
-
-        windows_credentials = self._puppet.run_credential_collector("MimikatzCollector")
-        if windows_credentials:
-            self._telemetry_messenger.send_telemetry(CredentialsTelem(windows_credentials))
-
-        ssh_credentials = self._puppet.run_sys_info_collector("SSHCollector")
-        if ssh_credentials:
-            self._telemetry_messenger.send_telemetry(CredentialsTelem(ssh_credentials))
-
-        logger.info("Finished running credential collectors")
-
-    def _run_pbas(self):
-
-        # TODO: Create monkey_dir and revise setup in monkey.py
-
-        logger.info("Running post breach actions")
-        name = "AccountDiscovery"
-        display_name, command, result = self._puppet.run_pba(name, {})
-        self._telemetry_messenger.send_telemetry(PostBreachTelem(display_name, command, result))
-
-        name = "CommunicateAsBackdoorUser"
-        display_name, command, result = self._puppet.run_pba(name, {})
-        self._telemetry_messenger.send_telemetry(PostBreachTelem(display_name, command, result))
-        logger.info("Finished running post breach actions")
-
-    def _scan_victims(self):
-        logger.info("Scanning network for potential victims")
-        ips = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
-        ports = [22, 445, 3389, 8008]
-        for ip in ips:
-            h = self._hosts[ip]
-
-            ping_scan_data = self._puppet.ping(ip, 1)
-            h.icmp = ping_scan_data.response_received
-            if ping_scan_data.os is not None:
-                h.os["type"] = ping_scan_data.os
-
-            ports_scan_data = self._puppet.scan_tcp_ports(ip, ports)
-
-            for psd in ports_scan_data.values():
-                logger.debug(f"The port {psd.port} is {psd.status}")
-                if psd.status == PortStatus.OPEN:
-                    h.services[psd.service] = {}
-                    h.services[psd.service]["display_name"] = "unknown(TCP)"
-                    h.services[psd.service]["port"] = psd.port
-                    if psd.banner is not None:
-                        h.services[psd.service]["banner"] = psd.banner
-
-            self._telemetry_messenger.send_telemetry(ScanTelem(h))
-        logger.info("Finished scanning network for potential victims")
-
-    def _fingerprint(self):
-        logger.info("Running fingerprinters on potential victims")
-        machine_1 = self._hosts["10.0.0.1"]
-        machine_3 = self._hosts["10.0.0.3"]
-
-        self._puppet.fingerprint("SMBFinger", machine_1, None, None, None)
-        self._telemetry_messenger.send_telemetry(ScanTelem(machine_1))
-
-        self._puppet.fingerprint("SMBFinger", machine_3, None, None, None)
-        self._telemetry_messenger.send_telemetry(ScanTelem(machine_3))
-
-        self._puppet.fingerprint("HTTPFinger", machine_3, None, None, None)
-        self._telemetry_messenger.send_telemetry(ScanTelem(machine_3))
-        logger.info("Finished running fingerprinters on potential victims")
-
-    def _exploit(self):
-        logger.info("Exploiting victims")
-        result = self._puppet.exploit_host("PowerShellExploiter", "10.0.0.1", 0, {}, None)
-        logger.info(f"Attempts for exploiting {result.attempts}")
-        self._telemetry_messenger.send_telemetry(
-            ExploitTelem("PowerShellExploiter", self._hosts["10.0.0.1"], result)
-        )
-
-        result = self._puppet.exploit_host("SSHExploiter", "10.0.0.3", 0, {}, None)
-        logger.info(f"Attempts for exploiting {result.attempts}")
-        self._telemetry_messenger.send_telemetry(
-            ExploitTelem("SSHExploiter", self._hosts["10.0.0.3"], result)
-        )
-        logger.info("Finished exploiting victims")
-
-    def _run_payload(self):
-        logger.info("Running payloads")
-        self._puppet.run_payload("RansomwarePayload", {}, None)
-        logger.info("Finished running payloads")
-
-    def terminate(self, block: bool = False) -> None:
-        logger.info("Terminating MockMaster")
-
-    def cleanup(self) -> None:
-        # TODO: Cleanup monkey_dir and send telemetry
-        pass
diff --git a/vulture_allowlist.py b/vulture_allowlist.py
index 4d1b25d3f..eb62c2df5 100644
--- a/vulture_allowlist.py
+++ b/vulture_allowlist.py
@@ -182,5 +182,4 @@ MockPuppet
 ControlChannel
 should_agent_stop
 get_credentials_for_propagation
-MockMaster
 register_signal_handlers

From 97384303339690d794e1d019e47a68f045e2391f Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 30 Mar 2022 07:31:29 -0400
Subject: [PATCH 5/6] Project: Remove temporary agent-refactor vulture exceptions

---
 vulture_allowlist.py | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/vulture_allowlist.py b/vulture_allowlist.py
index eb62c2df5..bf1244f93 100644
--- a/vulture_allowlist.py
+++ b/vulture_allowlist.py
@@ -171,15 +171,3 @@ _.instance_name # unused attribute (monkey/common/cloud/azure/azure_instance.py
 _.instance_name # unused attribute (monkey/common/cloud/azure/azure_instance.py:64)
 GCPHandler # unused function (envs/monkey_zoo/blackbox/test_blackbox.py:57)
 architecture # unused variable (monkey/infection_monkey/exploit/caching_agent_repository.py:25)
-
-# TODO: Reevaluate these as the agent refactor progresses
-run_sys_info_collector
-ping
-scan_tcp_port
-fingerprint
-interrupt
-MockPuppet
-ControlChannel
-should_agent_stop
-get_credentials_for_propagation
-register_signal_handlers

From 315471ab575dde8b0611d41cbf001652e891521f Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 30 Mar 2022 07:33:53 -0400
Subject: [PATCH 6/6] Agent: Remove disused WebRCE.target_url attribute

---
 monkey/infection_monkey/exploit/web_rce.py | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/monkey/infection_monkey/exploit/web_rce.py b/monkey/infection_monkey/exploit/web_rce.py
index 9978f46d3..3a546d321 100644
--- a/monkey/infection_monkey/exploit/web_rce.py
+++ b/monkey/infection_monkey/exploit/web_rce.py
@@ -39,7 +39,6 @@ class WebRCE(HostExploiter):
         super(WebRCE, self).__init__()
         self.monkey_target_paths = monkey_target_paths
         self.vulnerable_urls = []
-        self.target_url = None
 
     def get_exploit_config(self):
         """
@@ -89,8 +88,6 @@ class WebRCE(HostExploiter):
         if not self.are_vulnerable_urls_sufficient():
             return False
 
-        self.target_url = self.get_target_url()
-
         # Upload the right monkey to target
         data = self.upload_monkey(self.get_target_url(), exploit_config["upload_commands"])