* Added MSSQL exploiter report frontend details.

2018-07-16 11:57:56 +03:00 · 2018-07-16 11:57:56 +03:00 · 80d6b327bc
parent 19d324d81f
commit 80d6b327bc
3 changed files with 39 additions and 4 deletions
--- a/infection_monkey/exploit/mssqlexec.py
+++ b/infection_monkey/exploit/mssqlexec.py
@ -88,6 +88,7 @@ class MSSQLExploiter(HostExploiter):
                conn = pymssql.connect(host, user, password, port=port, login_timeout=self.LOGIN_TIMEOUT)
                LOG.info('Successfully connected to host: {0}, ' 
                         'using user: {1}, password: {2}'.format(host, user, password))
+                self.report_login_attempt(True, user, password)
                cursor = conn.cursor()

                # Handles the payload and return True or False
--- a/monkey_island/cc/services/report.py
+++ b/monkey_island/cc/services/report.py
@ -30,7 +30,8 @@ class ReportService:
            'ElasticGroovyExploiter': 'Elastic Groovy Exploiter',
            'Ms08_067_Exploiter': 'Conficker Exploiter',
            'ShellShockExploiter': 'ShellShock Exploiter',
-            'Struts2Exploiter': 'Struts2 Exploiter'
+            'Struts2Exploiter': 'Struts2 Exploiter',
+            'MSSQLExploiter': 'MSSQL Exploiter'
        }

    class ISSUES_DICT(Enum):
@ -43,6 +44,7 @@ class ReportService:
        AZURE = 6
        STOLEN_SSH_KEYS = 7
        STRUTS2 = 8
+        MSSQL = 9

    class WARNINGS_DICT(Enum):
        CROSS_SEGMENT = 0
@ -298,6 +300,13 @@ class ReportService:
        processed_exploit['type'] = 'struts2'
        return processed_exploit

+    @staticmethod
+    def process_mssql_exploit(exploit):
+        processed_exploit = ReportService.process_general_exploit(exploit)
+        processed_exploit['type'] = 'mssql'
+        return processed_exploit
+
+
    @staticmethod
    def process_exploit(exploit):
        exploiter_type = exploit['data']['exploiter']
@ -310,7 +319,8 @@ class ReportService:
            'ElasticGroovyExploiter': ReportService.process_elastic_exploit,
            'Ms08_067_Exploiter': ReportService.process_conficker_exploit,
            'ShellShockExploiter': ReportService.process_shellshock_exploit,
-            'Struts2Exploiter': ReportService.process_struts2_exploit
+            'Struts2Exploiter': ReportService.process_struts2_exploit,
+            'MSSQLExploiter': ReportService.process_mssql_exploit
        }

        return EXPLOIT_PROCESS_FUNCTION_DICT[exploiter_type](exploit)
@ -430,6 +440,8 @@ class ReportService:
                    issues_byte_array[ReportService.ISSUES_DICT.STOLEN_SSH_KEYS.value] = True
                elif issue['type'] == 'struts2':
                    issues_byte_array[ReportService.ISSUES_DICT.STRUTS2.value] = True
+                elif issue['type'] == 'mssql':
+                    issues_byte_array[ReportService.ISSUES_DICT.MSSQL.value] = True
                elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \
                        issue['username'] in config_users or issue['type'] == 'ssh':
                    issues_byte_array[ReportService.ISSUES_DICT.WEAK_PASSWORD.value] = True
--- a/monkey_island/cc/ui/src/components/pages/ReportPage.js
+++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js
@ -24,7 +24,8 @@ class ReportPageComponent extends AuthComponent {
      CONFICKER: 5,
      AZURE: 6,
      STOLEN_SSH_KEYS: 7,
-      STRUTS2: 8
+      STRUTS2: 8,
+      MSSQL: 9
    };

  Warning =
@ -326,6 +327,10 @@ class ReportPageComponent extends AuthComponent {
                    <li>Struts2 servers are vulnerable to remote code execution. (<a
                      href="https://cwiki.apache.org/confluence/display/WW/S2-045">
                      CVE-2017-5638</a>)</li> : null }
+                  {this.state.report.overview.issues[this.Issue.MSSQL] ?
+                    <li>MS-SQL servers are vulnerable to remote code execution via xp_cmdshell command. (<a
+                      href="https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-2017">
+                      More Info.</a>)</li> : null }
                </ul>
              </div>
              :
@ -693,7 +698,21 @@ class ReportPageComponent extends AuthComponent {
    );
  }

-
+  generateMSSQLIssue(issue) {
+    return(
+      <li>
+        Disable the xp_cmdshell option.
+        <CollapsibleWellComponent>
+          The machine <span className="label label-primary">{issue.machine}</span> (<span
+          className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to a <span
+          className="label label-danger">Conficker</span> attack.
+          <br/>
+          The attack was made possible because the target machine used an outdated MSSQL server configuration allowing
+          the usage of the xp_cmdshell command.
+        </CollapsibleWellComponent>
+      </li>
+    );
+  }

  generateIssue = (issue) => {
    let data;
@ -743,6 +762,9 @@ class ReportPageComponent extends AuthComponent {
      case 'struts2':
        data = this.generateStruts2Issue(issue);
        break;
+      case 'mssql':
+        data = this.generateMSSQLIssue(issue);
+        break;
    }
    return data;
  };