Merge pull request #385 from VakarisZ/attack_remote_services

T1021 Remote services
This commit is contained in:
Itay Mizeretz 2019-08-22 14:11:56 +03:00 committed by GitHub
commit 9bd4238d9c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 159 additions and 49 deletions

View File

@ -3,7 +3,7 @@ import logging
from monkey_island.cc.models import Monkey from monkey_island.cc.models import Monkey
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082 from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188 from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016 from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016, T1021
from monkey_island.cc.services.attack.attack_config import AttackConfig from monkey_island.cc.services.attack.attack_config import AttackConfig
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
@ -33,7 +33,8 @@ TECHNIQUES = {'T1210': T1210.T1210,
'T1222': T1222.T1222, 'T1222': T1222.T1222,
'T1005': T1005.T1005, 'T1005': T1005.T1005,
'T1018': T1018.T1018, 'T1018': T1018.T1018,
'T1016': T1016.T1016} 'T1016': T1016.T1016,
'T1021': T1021.T1021}
REPORT_NAME = 'new_report' REPORT_NAME = 'new_report'

View File

@ -48,6 +48,15 @@ SCHEMA = {
"necessary": True, "necessary": True,
"description": "Files may be copied from one system to another to stage " "description": "Files may be copied from one system to another to stage "
"adversary tools or other files over the course of an operation." "adversary tools or other files over the course of an operation."
},
"T1021": {
"title": "T1021 Remote services",
"type": "bool",
"value": True,
"necessary": False,
"depends_on": ["T1110"],
"description": "An adversary may use Valid Accounts to log into a service"
" specifically designed to accept remote connections."
} }
} }
}, },
@ -62,7 +71,7 @@ SCHEMA = {
"necessary": False, "necessary": False,
"description": "Adversaries may use brute force techniques to attempt access to accounts " "description": "Adversaries may use brute force techniques to attempt access to accounts "
"when passwords are unknown or when password hashes are obtained.", "when passwords are unknown or when password hashes are obtained.",
"depends_on": ["T1210"] "depends_on": ["T1210", "T1021"]
}, },
"T1003": { "T1003": {
"title": "T1003 Credential dumping", "title": "T1003 Credential dumping",

View File

@ -0,0 +1,51 @@
from monkey_island.cc.database import mongo
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from common.utils.attack_utils import ScanStatus
from monkey_island.cc.services.attack.technique_reports.technique_report_tools import parse_creds
__author__ = "VakarisZ"
class T1021(AttackTechnique):
tech_id = "T1021"
unscanned_msg = "Monkey didn't try to login to any remote services."
scanned_msg = "Monkey tried to login to remote services with valid credentials, but failed."
used_msg = "Monkey successfully logged into remote services on the network."
# Gets data about brute force attempts
query = [{'$match': {'telem_category': 'exploit',
'data.attempts': {'$not': {'$size': 0}}}},
{'$project': {'_id': 0,
'machine': '$data.machine',
'info': '$data.info',
'attempt_cnt': {'$size': '$data.attempts'},
'attempts': {'$filter': {'input': '$data.attempts',
'as': 'attempt',
'cond': {'$eq': ['$$attempt.result', True]}
}
}
}
}]
scanned_query = {'telem_category': 'exploit',
'data.attempts': {'$elemMatch': {'result': True}}}
@staticmethod
def get_report_data():
attempts = []
if mongo.db.telemetry.count_documents(T1021.scanned_query):
attempts = list(mongo.db.telemetry.aggregate(T1021.query))
if attempts:
status = ScanStatus.USED.value
for result in attempts:
result['successful_creds'] = []
for attempt in result['attempts']:
result['successful_creds'].append(parse_creds(attempt))
else:
status = ScanStatus.SCANNED.value
else:
status = ScanStatus.UNSCANNED.value
data = T1021.get_base_data_by_status(status)
data.update({'services': attempts})
return data

View File

@ -1,7 +1,7 @@
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
from monkey_island.cc.services.attack.technique_reports import AttackTechnique from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from common.utils.attack_utils import ScanStatus from common.utils.attack_utils import ScanStatus
from monkey_island.cc.encryptor import encryptor from monkey_island.cc.services.attack.technique_reports.technique_report_tools import parse_creds
__author__ = "VakarisZ" __author__ = "VakarisZ"
@ -32,7 +32,7 @@ class T1110(AttackTechnique):
result['successful_creds'] = [] result['successful_creds'] = []
for attempt in result['attempts']: for attempt in result['attempts']:
succeeded = True succeeded = True
result['successful_creds'].append(T1110.parse_creds(attempt)) result['successful_creds'].append(parse_creds(attempt))
if succeeded: if succeeded:
status = ScanStatus.USED.value status = ScanStatus.USED.value
@ -47,47 +47,4 @@ class T1110(AttackTechnique):
data.update({'services': attempts}) data.update({'services': attempts})
return data return data
@staticmethod
def parse_creds(attempt):
"""
Parses used credentials into a string
:param attempt: login attempt from database
:return: string with username and used password/hash
"""
username = attempt['user']
creds = {'lm_hash': {'type': 'LM hash', 'output': T1110.censor_hash(attempt['lm_hash'])},
'ntlm_hash': {'type': 'NTLM hash', 'output': T1110.censor_hash(attempt['ntlm_hash'], 20)},
'ssh_key': {'type': 'SSH key', 'output': attempt['ssh_key']},
'password': {'type': 'Plaintext password', 'output': T1110.censor_password(attempt['password'])}}
for key, cred in creds.items():
if attempt[key]:
return '%s ; %s : %s' % (username,
cred['type'],
cred['output'])
@staticmethod
def censor_password(password, plain_chars=3, secret_chars=5):
"""
Decrypts and obfuscates password by changing characters to *
:param password: Password or string to obfuscate
:param plain_chars: How many plain-text characters should be kept at the start of the string
:param secret_chars: How many * symbols should be used to hide the remainder of the password
:return: Obfuscated string e.g. Pass****
"""
if not password:
return ""
password = encryptor.dec(password)
return password[0:plain_chars] + '*' * secret_chars
@staticmethod
def censor_hash(hash_, plain_chars=5):
"""
Decrypts and obfuscates hash by only showing a part of it
:param hash_: Hash to obfuscate
:param plain_chars: How many chars of hash should be shown
:return: Obfuscated string
"""
if not hash_:
return ""
hash_ = encryptor.dec(hash_)
return hash_[0: plain_chars] + ' ...'

View File

@ -0,0 +1,46 @@
from monkey_island.cc.encryptor import encryptor
def parse_creds(attempt):
"""
Parses used credentials into a string
:param attempt: login attempt from database
:return: string with username and used password/hash
"""
username = attempt['user']
creds = {'lm_hash': {'type': 'LM hash', 'output': censor_hash(attempt['lm_hash'])},
'ntlm_hash': {'type': 'NTLM hash', 'output': censor_hash(attempt['ntlm_hash'], 20)},
'ssh_key': {'type': 'SSH key', 'output': attempt['ssh_key']},
'password': {'type': 'Plaintext password', 'output': censor_password(attempt['password'])}}
for key, cred in creds.items():
if attempt[key]:
return '%s ; %s : %s' % (username,
cred['type'],
cred['output'])
def censor_password(password, plain_chars=3, secret_chars=5):
"""
Decrypts and obfuscates password by changing characters to *
:param password: Password or string to obfuscate
:param plain_chars: How many plain-text characters should be kept at the start of the string
:param secret_chars: How many * symbols should be used to hide the remainder of the password
:return: Obfuscated string e.g. Pass****
"""
if not password:
return ""
password = encryptor.dec(password)
return password[0:plain_chars] + '*' * secret_chars
def censor_hash(hash_, plain_chars=5):
"""
Decrypts and obfuscates hash by only showing a part of it
:param hash_: Hash to obfuscate
:param plain_chars: How many chars of hash should be shown
:return: Obfuscated string
"""
if not hash_:
return ""
hash_ = encryptor.dec(hash_)
return hash_[0: plain_chars] + ' ...'

View File

@ -0,0 +1,44 @@
import React from 'react';
import '../../../styles/Collapse.scss'
import ReactTable from "react-table";
import { renderMachine, ScanStatus } from "./Helpers"
class T1021 extends React.Component {
constructor(props) {
super(props);
}
static getServiceColumns() {
return ([{
columns: [
{Header: 'Machine', id: 'machine', accessor: x => renderMachine(x.machine),
style: { 'whiteSpace': 'unset' }, width: 160},
{Header: 'Service', id: 'service', accessor: x => x.info.display_name, style: { 'whiteSpace': 'unset' }, width: 100},
{Header: 'Valid account used', id: 'credentials', accessor: x => this.renderCreds(x.successful_creds), style: { 'whiteSpace': 'unset' }},
]
}])};
static renderCreds(creds) {
return <span>{creds.map(cred => <div key={cred}>{cred}</div>)}</span>
};
render() {
return (
<div>
<div>{this.props.data.message}</div>
<br/>
{this.props.data.status === ScanStatus.USED ?
<ReactTable
columns={T1021.getServiceColumns()}
data={this.props.data.services}
showPagination={false}
defaultPageSize={this.props.data.services.length}
/> : ""}
</div>
);
}
}
export default T1021;

View File

@ -28,6 +28,7 @@ import T1222 from "../attack/techniques/T1222";
import T1005 from "../attack/techniques/T1005"; import T1005 from "../attack/techniques/T1005";
import T1018 from "../attack/techniques/T1018"; import T1018 from "../attack/techniques/T1018";
import T1016 from "../attack/techniques/T1016"; import T1016 from "../attack/techniques/T1016";
import T1021 from "../attack/techniques/T1021";
const tech_components = { const tech_components = {
'T1210': T1210, 'T1210': T1210,
@ -51,7 +52,8 @@ const tech_components = {
'T1222': T1222, 'T1222': T1222,
'T1005': T1005, 'T1005': T1005,
'T1018': T1018, 'T1018': T1018,
'T1016': T1016 'T1016': T1016,
'T1021': T1021
}; };
const classNames = require('classnames'); const classNames = require('classnames');