Island: Display tunneling ports in T1065
The non-standard ports attack technique should include the ports the agent used for tunneling
parent
136747b1c8
commit
5fbe01a32e
|
@ -144,9 +144,6 @@ class Monkey(Document):
|
||||||
"""
|
"""
|
||||||
return {"ips": self.ip_addresses, "hostname": self.hostname}
|
return {"ips": self.ip_addresses, "hostname": self.hostname}
|
||||||
|
|
||||||
def get_tunnel_info(self):
|
|
||||||
return {"tunnel": self.tunnel}
|
|
||||||
|
|
||||||
# data has TTL of 1 second. This is useful for rapid calls for report generation.
|
# data has TTL of 1 second. This is useful for rapid calls for report generation.
|
||||||
@ring.lru(expire=1)
|
@ring.lru(expire=1)
|
||||||
@staticmethod
|
@staticmethod
|
||||||
|
|
|
@ -1,5 +1,8 @@
|
||||||
|
from typing import Sequence
|
||||||
|
|
||||||
|
from common.network.network_utils import address_to_ip_port
|
||||||
from common.utils.attack_utils import ScanStatus
|
from common.utils.attack_utils import ScanStatus
|
||||||
from monkey_island.cc.models.monkey import Monkey
|
from monkey_island.cc.models.telemetries.telemetry import Telemetry
|
||||||
from monkey_island.cc.server_utils.consts import ISLAND_PORT
|
from monkey_island.cc.server_utils.consts import ISLAND_PORT
|
||||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||||
|
|
||||||
|
@ -10,13 +13,16 @@ class T1065(AttackTechnique):
|
||||||
unscanned_msg = ""
|
unscanned_msg = ""
|
||||||
scanned_msg = ""
|
scanned_msg = ""
|
||||||
used_msg = ""
|
used_msg = ""
|
||||||
message = "Monkey used port %s to communicate to C2 server."
|
message = "Monkey used ports %s to communicate to C2 server."
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
monkey = Monkey.objects.first()
|
tunneling_ports = T1065.get_tunnel_ports()
|
||||||
tunnel = monkey.get_tunnel_info()["tunnel"]
|
non_standard_ports = [*tunneling_ports, str(ISLAND_PORT)]
|
||||||
port = tunnel.split(":")[1] if tunnel is not None else ISLAND_PORT
|
T1065.used_msg = T1065.message % ", ".join(non_standard_ports)
|
||||||
|
|
||||||
T1065.used_msg = T1065.message % port
|
|
||||||
return T1065.get_base_data_by_status(ScanStatus.USED.value)
|
return T1065.get_base_data_by_status(ScanStatus.USED.value)
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def get_tunnel_ports() -> Sequence[str]:
|
||||||
|
telems = Telemetry.objects(telem_category="tunnel", data__proxy__ne=None)
|
||||||
|
return [address_to_ip_port(telem["data"]["proxy"])[1] for telem in telems]
|
||||||
|
|
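Review bot: In `get_tunnel_ports`, the value from `address_to_ip_port(telem["data"]["proxy"])[1]` flows straight into `", ".join(non_standard_ports)` in `get_report_data`, with no check that it is present or numeric. The proxy string comes from tunnel telemetry, so it is agent-reported data. If the helper can return `None` for an address without a port (its body is not shown here), the join raises `TypeError` and the T1065 report fails to render. Several tunnel telemetries naming the same proxy would also repeat a port in the message. I would collect into a set and filter, e.g. `ports = {address_to_ip_port(t["data"]["proxy"])[1] for t in telems}` followed by `return sorted(p for p in ports if p and p.isdigit())`, and add a one-line docstring saying the ports are read from tunnel telemetry.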