From 5fbe01a32efdb4a976e0f7f150ec17a034d0dbf1 Mon Sep 17 00:00:00 2001
From: vakarisz
Date: Thu, 16 Jun 2022 12:11:55 +0300
Subject: [PATCH] Island: Display tunneling ports in T1065

Non standard ports attack technique should include ports agent used for tunneling
---
 monkey/monkey_island/cc/models/monkey.py | 3 ---
 .../attack/technique_reports/T1065.py | 20 ++++++++++++-------
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/monkey/monkey_island/cc/models/monkey.py b/monkey/monkey_island/cc/models/monkey.py
index 8dfbfd48d..a106f9965 100644
--- a/monkey/monkey_island/cc/models/monkey.py
+++ b/monkey/monkey_island/cc/models/monkey.py
@@ -144,9 +144,6 @@ class Monkey(Document):
         """
         return {"ips": self.ip_addresses, "hostname": self.hostname}
 
-    def get_tunnel_info(self):
-        return {"tunnel": self.tunnel}
-
     # data has TTL of 1 second. This is useful for rapid calls for report generation.
     @ring.lru(expire=1)
     @staticmethod
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1065.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1065.py
index 408b3a24b..d28c5e9e0 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1065.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1065.py
@@ -1,5 +1,8 @@
+from typing import Sequence
+
+from common.network.network_utils import address_to_ip_port
 from common.utils.attack_utils import ScanStatus
-from monkey_island.cc.models.monkey import Monkey
+from monkey_island.cc.models.telemetries.telemetry import Telemetry
 from monkey_island.cc.server_utils.consts import ISLAND_PORT
 from monkey_island.cc.services.attack.technique_reports import AttackTechnique
@@ -10,13 +13,16 @@ class T1065(AttackTechnique):
     unscanned_msg = ""
     scanned_msg = ""
     used_msg = ""
-    message = "Monkey used port %s to communicate to C2 server."
+    message = "Monkey used ports %s to communicate to C2 server."
 
     @staticmethod
     def get_report_data():
-        monkey = Monkey.objects.first()
-        tunnel = monkey.get_tunnel_info()["tunnel"]
-        port = tunnel.split(":")[1] if tunnel is not None else ISLAND_PORT
-
-        T1065.used_msg = T1065.message % port
+        tunneling_ports = T1065.get_tunnel_ports()
+        non_standard_ports = [*tunneling_ports, str(ISLAND_PORT)]
+        T1065.used_msg = T1065.message % ", ".join(non_standard_ports)
         return T1065.get_base_data_by_status(ScanStatus.USED.value)
+
+    @staticmethod
+    def get_tunnel_ports() -> Sequence[str]:
+        telems = Telemetry.objects(telem_category="tunnel", data__proxy__ne=None)
+        return [address_to_ip_port(telem["data"]["proxy"])[1] for telem in telems]
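Review bot: `get_tunnel_ports` yields one entry per tunnel telemetry, so the report message repeats a port once for every agent that proxied through it, and the element type depends on what `address_to_ip_port` returns for the port — if that is an int rather than the `str` the annotation promises, `", ".join(non_standard_ports)` in `get_report_data` raises TypeError. Deduplicating and normalising at the source handles both: `ports = {str(address_to_ip_port(telem["data"]["proxy"])[1]) for telem in telems}` followed by `return sorted(ports)`. The proxy address is an agent-reported telemetry value; a value that does not parse as `ip:port` would, unless `address_to_ip_port` already tolerates it, surface as an exception during report generation rather than as a missing entry, which is worth a comment or a guard here. A short docstring on the new method would also help, e.g. `"""Return the ports agents reported using to tunnel traffic to the island."""`.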