p41275903
/
monkey
forked from p15670423/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #1582 from guardicore/1535-netstat-info-collector-removal 

1535 netstat info collector removal
This commit is contained in:
VakarisZ 2021-11-12 17:05:44 +02:00 committed by GitHub
parent 59e7ac34f7 435f52a658
commit 6ee1949d46
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 7 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.swm/OwcKMnALpn7tuBaJY1US.swm
View File

@ -14,7 +14,7 @@
"content": [ "content": [
{ {
"type": "text", "type": "text",
"text": "# What are system info collectors?\n\nWell, the name pretty much explains it. They are Monkey classes which collect various information regarding the victim system, such as Environment, SSH Info, Process List, Netstat and more. \n\n## What should I add? \n\nA system info collector which collects the hostname of the system.\n\n## Test manually\n\nOnce you're done, make sure that your collector:\n* Appears in the Island configuration, and is enabled by default\n* The collector actually runs when executing a Monkey.\n* Results show up in the relevant places:\n * The infection map.\n * The security report.\n * The relevant MITRE techniques.\n\n**There are a lot of hints for this unit - don't be afraid to use them!**" "text": "# What are system info collectors?\n\nWell, the name pretty much explains it. They are Monkey classes which collect various information regarding the victim system, such as Environment, SSH Info, Process List and more. \n\n## What should I add? \n\nA system info collector which collects the hostname of the system.\n\n## Test manually\n\nOnce you're done, make sure that your collector:\n* Appears in the Island configuration, and is enabled by default\n* The collector actually runs when executing a Monkey.\n* Results show up in the relevant places:\n * The infection map.\n * The security report.\n * The relevant MITRE techniques.\n\n**There are a lot of hints for this unit - don't be afraid to use them!**"
}, },
{ {
"type": "snippet", "type": "snippet",

3
CHANGELOG.md
View File

@ -15,8 +15,9 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
### Removed ### Removed
- The VSFTPD exploiter. #1533 - The VSFTPD exploiter. #1533
- Manual agent run command for CMD. #1570 - Manual agent run command for CMD. #1570
- Sambacry exploiter #1567 - Sambacry exploiter. #1567
- "Kill file" option in the config. #1536 - "Kill file" option in the config. #1536
- Netstat collector, because network connection information wasn't used anywhere. #1535
### Fixed ### Fixed
- A bug in network map page that caused delay of telemetry log loading. #1545 - A bug in network map page that caused delay of telemetry log loading. #1545

8
monkey/infection_monkey/system_info/__init__.py
View File

@ -7,7 +7,6 @@ import psutil
from common.common_consts.system_info_collectors_names import AZURE_CRED_COLLECTOR from common.common_consts.system_info_collectors_names import AZURE_CRED_COLLECTOR
from infection_monkey.network.info import get_host_subnets from infection_monkey.network.info import get_host_subnets
from infection_monkey.system_info.azure_cred_collector import AzureCollector from infection_monkey.system_info.azure_cred_collector import AzureCollector
from infection_monkey.system_info.netstat_collector import NetstatCollector
from infection_monkey.system_info.system_info_collectors_handler import SystemInfoCollectorsHandler from infection_monkey.system_info.system_info_collectors_handler import SystemInfoCollectorsHandler
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -72,15 +71,12 @@ class InfoCollector(object):
def get_network_info(self): def get_network_info(self):
""" """
Adds network information from the host to the system information. Adds network information from the host to the system information.
Currently updates with netstat and a list of networks accessible from host Currently updates with list of networks accessible from host
containing host ip and the subnet range containing host ip and the subnet range
:return: None. Updates class information :return: None. Updates class information
""" """
logger.debug("Reading subnets") logger.debug("Reading subnets")
self.info["network_info"] = { self.info["network_info"] = {"networks": get_host_subnets()}
"networks": get_host_subnets(),
"netstat": NetstatCollector.get_netstat_info(),
}
def get_azure_info(self): def get_azure_info(self):
""" """

42
monkey/infection_monkey/system_info/netstat_collector.py
View File

@ -1,42 +0,0 @@
# Inspired by Giampaolo Rodola's psutil example from
# https://github.com/giampaolo/psutil/blob/master/scripts/netstat.py
import logging
import socket
from socket import AF_INET, SOCK_DGRAM, SOCK_STREAM
import psutil
logger = logging.getLogger(__name__)
class NetstatCollector(object):
"""
Extract netstat info
"""
AF_INET6 = getattr(socket, "AF_INET6", object())
proto_map = {
(AF_INET, SOCK_STREAM): "tcp",
(AF_INET6, SOCK_STREAM): "tcp6",
(AF_INET, SOCK_DGRAM): "udp",
(AF_INET6, SOCK_DGRAM): "udp6",
}
@staticmethod
def get_netstat_info():
logger.info("Collecting netstat info")
return [NetstatCollector._parse_connection(c) for c in psutil.net_connections(kind="inet")]
@staticmethod
def _parse_connection(c):
return {
"proto": NetstatCollector.proto_map[(c.family, c.type)],
"local_address": c.laddr[0],
"local_port": c.laddr[1],
"remote_address": c.raddr[0] if c.raddr else None,
"remote_port": c.raddr[1] if c.raddr else None,
"status": c.status,
"pid": c.pid,
}

8
monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
View File

@ -16,21 +16,13 @@ class T1016(AttackTechnique):
"$project": { "$project": {
"machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"}, "machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
"networks": "$data.network_info.networks", "networks": "$data.network_info.networks",
"netstat": "$data.network_info.netstat",
} }
}, },
{ {
"$addFields": { "$addFields": {
"_id": 0, "_id": 0,
"netstat": 0,
"networks": 0, "networks": 0,
"info": [ "info": [
{
"used": {
"$and": [{"$ifNull": ["$netstat", False]}, {"$gt": ["$netstat", {}]}]
},
"name": {"$literal": "Network connections (netstat)"},
},
{ {
"used": { "used": {
"$and": [{"$ifNull": ["$networks", False]}, {"$gt": ["$networks", {}]}] "$and": [{"$ifNull": ["$networks", False]}, {"$gt": ["$networks", {}]}]

10
monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
View File

@ -16,7 +16,6 @@ class T1082(AttackTechnique):
"$project": { "$project": {
"machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"}, "machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
"aws": "$data.aws", "aws": "$data.aws",
"netstat": "$data.network_info.netstat",
"process_list": "$data.process_list", "process_list": "$data.process_list",
"ssh_info": "$data.ssh_info", "ssh_info": "$data.ssh_info",
"azure_info": "$data.Azure", "azure_info": "$data.Azure",
@ -28,7 +27,7 @@ class T1082(AttackTechnique):
"machine": 1, "machine": 1,
"collections": [ "collections": [
{ {
"used": {"$and": [{"$ifNull": ["$netstat", False]}, {"$gt": ["$aws", {}]}]}, "used": {"$and": [{"$gt": ["$aws", {}]}]},
"name": {"$literal": "Amazon Web Services info"}, "name": {"$literal": "Amazon Web Services info"},
}, },
{ {
@ -40,12 +39,6 @@ class T1082(AttackTechnique):
}, },
"name": {"$literal": "Running process list"}, "name": {"$literal": "Running process list"},
}, },
{
"used": {
"$and": [{"$ifNull": ["$netstat", False]}, {"$ne": ["$netstat", []]}]
},
"name": {"$literal": "Network connections"},
},
{ {
"used": { "used": {
"$and": [{"$ifNull": ["$ssh_info", False]}, {"$ne": ["$ssh_info", []]}] "$and": [{"$ifNull": ["$ssh_info", False]}, {"$ne": ["$ssh_info", []]}]
@ -61,6 +54,7 @@ class T1082(AttackTechnique):
}, },
"name": {"$literal": "Azure info"}, "name": {"$literal": "Azure info"},
}, },
{"used": True, "name": {"$literal": "Network interfaces"}},
], ],
} }
}, },