forked from p15670423/monkey
Merge pull request #385 from VakarisZ/attack_remote_services
T1021 Remote services
This commit is contained in:
commit
9bd4238d9c
|
@ -3,7 +3,7 @@ import logging
|
|||
from monkey_island.cc.models import Monkey
|
||||
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
|
||||
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
|
||||
from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016
|
||||
from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016, T1021
|
||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
||||
from monkey_island.cc.database import mongo
|
||||
|
||||
|
@ -33,7 +33,8 @@ TECHNIQUES = {'T1210': T1210.T1210,
|
|||
'T1222': T1222.T1222,
|
||||
'T1005': T1005.T1005,
|
||||
'T1018': T1018.T1018,
|
||||
'T1016': T1016.T1016}
|
||||
'T1016': T1016.T1016,
|
||||
'T1021': T1021.T1021}
|
||||
|
||||
REPORT_NAME = 'new_report'
|
||||
|
||||
|
|
|
@ -48,6 +48,15 @@ SCHEMA = {
|
|||
"necessary": True,
|
||||
"description": "Files may be copied from one system to another to stage "
|
||||
"adversary tools or other files over the course of an operation."
|
||||
},
|
||||
"T1021": {
|
||||
"title": "T1021 Remote services",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": False,
|
||||
"depends_on": ["T1110"],
|
||||
"description": "An adversary may use Valid Accounts to log into a service"
|
||||
" specifically designed to accept remote connections."
|
||||
}
|
||||
}
|
||||
},
|
||||
|
@ -62,7 +71,7 @@ SCHEMA = {
|
|||
"necessary": False,
|
||||
"description": "Adversaries may use brute force techniques to attempt access to accounts "
|
||||
"when passwords are unknown or when password hashes are obtained.",
|
||||
"depends_on": ["T1210"]
|
||||
"depends_on": ["T1210", "T1021"]
|
||||
},
|
||||
"T1003": {
|
||||
"title": "T1003 Credential dumping",
|
||||
|
|
|
@ -0,0 +1,51 @@
|
|||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from monkey_island.cc.services.attack.technique_reports.technique_report_tools import parse_creds
|
||||
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
||||
class T1021(AttackTechnique):
|
||||
tech_id = "T1021"
|
||||
unscanned_msg = "Monkey didn't try to login to any remote services."
|
||||
scanned_msg = "Monkey tried to login to remote services with valid credentials, but failed."
|
||||
used_msg = "Monkey successfully logged into remote services on the network."
|
||||
|
||||
# Gets data about brute force attempts
|
||||
query = [{'$match': {'telem_category': 'exploit',
|
||||
'data.attempts': {'$not': {'$size': 0}}}},
|
||||
{'$project': {'_id': 0,
|
||||
'machine': '$data.machine',
|
||||
'info': '$data.info',
|
||||
'attempt_cnt': {'$size': '$data.attempts'},
|
||||
'attempts': {'$filter': {'input': '$data.attempts',
|
||||
'as': 'attempt',
|
||||
'cond': {'$eq': ['$$attempt.result', True]}
|
||||
}
|
||||
}
|
||||
}
|
||||
}]
|
||||
|
||||
scanned_query = {'telem_category': 'exploit',
|
||||
'data.attempts': {'$elemMatch': {'result': True}}}
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
attempts = []
|
||||
if mongo.db.telemetry.count_documents(T1021.scanned_query):
|
||||
attempts = list(mongo.db.telemetry.aggregate(T1021.query))
|
||||
if attempts:
|
||||
status = ScanStatus.USED.value
|
||||
for result in attempts:
|
||||
result['successful_creds'] = []
|
||||
for attempt in result['attempts']:
|
||||
result['successful_creds'].append(parse_creds(attempt))
|
||||
else:
|
||||
status = ScanStatus.SCANNED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data = T1021.get_base_data_by_status(status)
|
||||
data.update({'services': attempts})
|
||||
return data
|
|
@ -1,7 +1,7 @@
|
|||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from monkey_island.cc.encryptor import encryptor
|
||||
from monkey_island.cc.services.attack.technique_reports.technique_report_tools import parse_creds
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
@ -32,7 +32,7 @@ class T1110(AttackTechnique):
|
|||
result['successful_creds'] = []
|
||||
for attempt in result['attempts']:
|
||||
succeeded = True
|
||||
result['successful_creds'].append(T1110.parse_creds(attempt))
|
||||
result['successful_creds'].append(parse_creds(attempt))
|
||||
|
||||
if succeeded:
|
||||
status = ScanStatus.USED.value
|
||||
|
@ -47,47 +47,4 @@ class T1110(AttackTechnique):
|
|||
data.update({'services': attempts})
|
||||
return data
|
||||
|
||||
@staticmethod
|
||||
def parse_creds(attempt):
|
||||
"""
|
||||
Parses used credentials into a string
|
||||
:param attempt: login attempt from database
|
||||
:return: string with username and used password/hash
|
||||
"""
|
||||
username = attempt['user']
|
||||
creds = {'lm_hash': {'type': 'LM hash', 'output': T1110.censor_hash(attempt['lm_hash'])},
|
||||
'ntlm_hash': {'type': 'NTLM hash', 'output': T1110.censor_hash(attempt['ntlm_hash'], 20)},
|
||||
'ssh_key': {'type': 'SSH key', 'output': attempt['ssh_key']},
|
||||
'password': {'type': 'Plaintext password', 'output': T1110.censor_password(attempt['password'])}}
|
||||
for key, cred in creds.items():
|
||||
if attempt[key]:
|
||||
return '%s ; %s : %s' % (username,
|
||||
cred['type'],
|
||||
cred['output'])
|
||||
|
||||
@staticmethod
|
||||
def censor_password(password, plain_chars=3, secret_chars=5):
|
||||
"""
|
||||
Decrypts and obfuscates password by changing characters to *
|
||||
:param password: Password or string to obfuscate
|
||||
:param plain_chars: How many plain-text characters should be kept at the start of the string
|
||||
:param secret_chars: How many * symbols should be used to hide the remainder of the password
|
||||
:return: Obfuscated string e.g. Pass****
|
||||
"""
|
||||
if not password:
|
||||
return ""
|
||||
password = encryptor.dec(password)
|
||||
return password[0:plain_chars] + '*' * secret_chars
|
||||
|
||||
@staticmethod
|
||||
def censor_hash(hash_, plain_chars=5):
|
||||
"""
|
||||
Decrypts and obfuscates hash by only showing a part of it
|
||||
:param hash_: Hash to obfuscate
|
||||
:param plain_chars: How many chars of hash should be shown
|
||||
:return: Obfuscated string
|
||||
"""
|
||||
if not hash_:
|
||||
return ""
|
||||
hash_ = encryptor.dec(hash_)
|
||||
return hash_[0: plain_chars] + ' ...'
|
||||
|
|
|
@ -0,0 +1,46 @@
|
|||
from monkey_island.cc.encryptor import encryptor
|
||||
|
||||
|
||||
def parse_creds(attempt):
|
||||
"""
|
||||
Parses used credentials into a string
|
||||
:param attempt: login attempt from database
|
||||
:return: string with username and used password/hash
|
||||
"""
|
||||
username = attempt['user']
|
||||
creds = {'lm_hash': {'type': 'LM hash', 'output': censor_hash(attempt['lm_hash'])},
|
||||
'ntlm_hash': {'type': 'NTLM hash', 'output': censor_hash(attempt['ntlm_hash'], 20)},
|
||||
'ssh_key': {'type': 'SSH key', 'output': attempt['ssh_key']},
|
||||
'password': {'type': 'Plaintext password', 'output': censor_password(attempt['password'])}}
|
||||
for key, cred in creds.items():
|
||||
if attempt[key]:
|
||||
return '%s ; %s : %s' % (username,
|
||||
cred['type'],
|
||||
cred['output'])
|
||||
|
||||
|
||||
def censor_password(password, plain_chars=3, secret_chars=5):
|
||||
"""
|
||||
Decrypts and obfuscates password by changing characters to *
|
||||
:param password: Password or string to obfuscate
|
||||
:param plain_chars: How many plain-text characters should be kept at the start of the string
|
||||
:param secret_chars: How many * symbols should be used to hide the remainder of the password
|
||||
:return: Obfuscated string e.g. Pass****
|
||||
"""
|
||||
if not password:
|
||||
return ""
|
||||
password = encryptor.dec(password)
|
||||
return password[0:plain_chars] + '*' * secret_chars
|
||||
|
||||
|
||||
def censor_hash(hash_, plain_chars=5):
|
||||
"""
|
||||
Decrypts and obfuscates hash by only showing a part of it
|
||||
:param hash_: Hash to obfuscate
|
||||
:param plain_chars: How many chars of hash should be shown
|
||||
:return: Obfuscated string
|
||||
"""
|
||||
if not hash_:
|
||||
return ""
|
||||
hash_ = encryptor.dec(hash_)
|
||||
return hash_[0: plain_chars] + ' ...'
|
|
@ -0,0 +1,44 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachine, ScanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1021 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
static getServiceColumns() {
|
||||
return ([{
|
||||
columns: [
|
||||
{Header: 'Machine', id: 'machine', accessor: x => renderMachine(x.machine),
|
||||
style: { 'whiteSpace': 'unset' }, width: 160},
|
||||
{Header: 'Service', id: 'service', accessor: x => x.info.display_name, style: { 'whiteSpace': 'unset' }, width: 100},
|
||||
{Header: 'Valid account used', id: 'credentials', accessor: x => this.renderCreds(x.successful_creds), style: { 'whiteSpace': 'unset' }},
|
||||
]
|
||||
}])};
|
||||
|
||||
static renderCreds(creds) {
|
||||
return <span>{creds.map(cred => <div key={cred}>{cred}</div>)}</span>
|
||||
};
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === ScanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1021.getServiceColumns()}
|
||||
data={this.props.data.services}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.services.length}
|
||||
/> : ""}
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1021;
|
|
@ -28,6 +28,7 @@ import T1222 from "../attack/techniques/T1222";
|
|||
import T1005 from "../attack/techniques/T1005";
|
||||
import T1018 from "../attack/techniques/T1018";
|
||||
import T1016 from "../attack/techniques/T1016";
|
||||
import T1021 from "../attack/techniques/T1021";
|
||||
|
||||
const tech_components = {
|
||||
'T1210': T1210,
|
||||
|
@ -51,7 +52,8 @@ const tech_components = {
|
|||
'T1222': T1222,
|
||||
'T1005': T1005,
|
||||
'T1018': T1018,
|
||||
'T1016': T1016
|
||||
'T1016': T1016,
|
||||
'T1021': T1021
|
||||
};
|
||||
|
||||
const classNames = require('classnames');
|
||||
|
|
Loading…
Reference in New Issue