Island: Display tunneling ports in T1065

The non-standard ports attack technique should include the ports the agent used for tunneling
vakarisz 2022-06-16 12:11:55 +03:00
parent 136747b1c8
commit 5fbe01a32e
2 changed files with 13 additions and 10 deletions


@ -144,9 +144,6 @@ class Monkey(Document):
"""
return {"ips": self.ip_addresses, "hostname": self.hostname}
def get_tunnel_info(self):
return {"tunnel": self.tunnel}
# data has TTL of 1 second. This is useful for rapid calls for report generation.
@ring.lru(expire=1)
@staticmethod


@ -1,5 +1,8 @@
from typing import Sequence
from common.network.network_utils import address_to_ip_port
from common.utils.attack_utils import ScanStatus
from monkey_island.cc.models.monkey import Monkey
from monkey_island.cc.models.telemetries.telemetry import Telemetry
from monkey_island.cc.server_utils.consts import ISLAND_PORT
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
@ -10,13 +13,16 @@ class T1065(AttackTechnique):
unscanned_msg = ""
scanned_msg = ""
used_msg = ""
message = "Monkey used port %s to communicate to C2 server."
message = "Monkey used ports %s to communicate to C2 server."
@staticmethod
def get_report_data():
monkey = Monkey.objects.first()
tunnel = monkey.get_tunnel_info()["tunnel"]
port = tunnel.split(":")[1] if tunnel is not None else ISLAND_PORT
T1065.used_msg = T1065.message % port
tunneling_ports = T1065.get_tunnel_ports()
non_standard_ports = [*tunneling_ports, str(ISLAND_PORT)]
T1065.used_msg = T1065.message % ", ".join(non_standard_ports)
return T1065.get_base_data_by_status(ScanStatus.USED.value)
@staticmethod
def get_tunnel_ports() -> Sequence[str]:
telems = Telemetry.objects(telem_category="tunnel", data__proxy__ne=None)
return [address_to_ip_port(telem["data"]["proxy"])[1] for telem in telems]
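Review bot: In `get_tunnel_ports`, the port string is taken straight from agent-reported tunnel telemetry and passed to `", ".join(...)` in `get_report_data` without any check. If `address_to_ip_port` returns no port for an address that lacks one (its body is not visible here), the join would raise `TypeError` and break report generation. Several tunnel telemetries on the same port would also repeat that port in the message, and `str(ISLAND_PORT)` is appended unconditionally, so it can duplicate a tunnel port too. Filtering and de-duplicating before returning covers the first two cases: `ports = {address_to_ip_port(t["data"]["proxy"])[1] for t in telems}` followed by `return sorted(p for p in ports if p and p.isdigit())`. A one-line docstring on `get_tunnel_ports`, stating that it returns the proxy ports reported in tunnel telemetry as strings, would also help the next reader.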