PTH implementation finished, helper methods added

monkey/monkey_island/cc/services/attack/attack_report.py

@@ -1,5 +1,5 @@
 import logging
-from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110
+from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075
 from monkey_island.cc.services.attack.attack_telem import AttackTelemService
 from monkey_island.cc.services.attack.attack_config import AttackConfig
 from monkey_island.cc.database import mongo
@@ -11,7 +11,8 @@ LOG = logging.getLogger(__name__)
 
 TECHNIQUES = {'T1210': T1210.T1210,
               'T1197': T1197.T1197,
-              'T1110': T1110.T1110}
+              'T1110': T1110.T1110,
+              'T1075': T1075.T1075}
 
 REPORT_NAME = 'new_report'
 

monkey/monkey_island/cc/services/attack/technique_reports/T1075.py

@@ -0,0 +1,43 @@
+from monkey_island.cc.services.attack.technique_reports import AttackTechnique
+from common.utils.attack_utils import ScanStatus
+from monkey_island.cc.database import mongo
+
+__author__ = "VakarisZ"
+
+
+class T1075(AttackTechnique):
+
+    tech_id = "T1075"
+    unscanned_msg = "Monkey didn't try to use pass the hash attack."
+    scanned_msg = "Monkey tried to use hashes while logging in but didn't succeed."
+    used_msg = "Monkey successfully used hashed credentials."
+
+    login_attempt_query = {'data.attempts': {'$elemMatch': {'$or': [{'ntlm_hash': {'$ne': ''}},
+                                                                    {'lm_hash': {'$ne': ''}}]}}}
+
+    # Gets data about successful PTH logins
+    query = [{'$match': {'telem_type': 'exploit',
+                         'data.attempts': {'$not': {'$size': 0},
+                                           '$elemMatch': {'$and': [{'$or': [{'ntlm_hash': {'$ne': ''}},
+                                                                            {'lm_hash': {'$ne': ''}}]},
+                                                                   {'result': True}]}}}},
+             {'$project': {'_id': 0,
+                           'machine': '$data.machine',
+                           'info': '$data.info',
+                           'attempt_cnt': {'$size': '$data.attempts'},
+                           'attempts': {'$filter': {'input': '$data.attempts',
+                                                    'as': 'attempt',
+                                                    'cond': {'$eq': ['$$attempt.result', True]}}}}}]
+
+    @staticmethod
+    def get_report_data():
+        data = {'title': T1075.technique_title(T1075.tech_id)}
+        successful_logins = list(mongo.db.telemetry.aggregate(T1075.query))
+        data.update({'successful_logins': successful_logins})
+        if successful_logins:
+            data.update({'message': T1075.used_msg, 'status': ScanStatus.USED.name})
+        elif mongo.db.telemetry.count_documents(T1075.login_attempt_query):
+            data.update({'message': T1075.scanned_msg, 'status': ScanStatus.SCANNED.name})
+        else:
+            data.update({'message': T1075.unscanned_msg, 'status': ScanStatus.UNSCANNED.name})
+        return data

monkey/monkey_island/cc/ui/src/components/attack/techniques/Helpers.js

@@ -0,0 +1,7 @@
+import React from "react";
+
+export function RenderMachine(val){
+    return (
+      <span>{val.ip_addr} {(val.domain_name ? " (".concat(val.domain_name, ")") : "")}</span>
+    )
+};

monkey/monkey_island/cc/ui/src/components/attack/techniques/T1075.js

@@ -0,0 +1,46 @@
+import React from 'react';
+import '../../../styles/Collapse.scss'
+import ReactTable from "react-table";
+import { RenderMachine } from "./Helpers"
+
+
+class T1075 extends React.Component {
+
+  constructor(props) {
+    super(props);
+    this.props.data.successful_logins.forEach((login) => {
+      if(login.attempts[0].ntlm_hash !== ""){
+        login.attempts[0].hashType = 'NTLM';
+      } else if(login.attempts[0].lm_hash !== ""){
+        login.attempts[0].hashType = 'LM';
+      }
+    })
+  }
+
+  static getHashColumns() {
+    return ([{
+      columns: [
+        {Header: 'Machine', id: 'machine', accessor: x => RenderMachine(x.machine), style: { 'whiteSpace': 'unset' }},
+        {Header: 'Service', id: 'service', accessor: x => x.info.display_name, style: { 'whiteSpace': 'unset' }},
+        {Header: 'Username', id: 'attempts', accessor: x => x.attempts[0].user, style: { 'whiteSpace': 'unset' }},
+        {Header: 'Hash type', id: 'credentials', accessor: x => x.attempts[0].hashType, style: { 'whiteSpace': 'unset' }},
+        ]
+    }])};
+
+  render() {
+    return (
+      <div>
+        <div>{this.props.data.message}</div>
+        <br/>
+        <ReactTable
+            columns={T1075.getHashColumns()}
+            data={this.props.data.successful_logins}
+            showPagination={false}
+            defaultPageSize={this.props.data.successful_logins.length}
+        />
+      </div>
+    );
+  }
+}
+
+export default T1075;

monkey/monkey_island/cc/ui/src/components/attack/techniques/T1110.js

@@ -1,6 +1,7 @@
 import React from 'react';
 import '../../../styles/Collapse.scss'
 import ReactTable from "react-table";
+import { RenderMachine } from "./Helpers"
 
 
 class T1110 extends React.Component {
@@ -12,7 +13,7 @@ class T1110 extends React.Component {
   static getServiceColumns() {
     return ([{
       columns: [
-        {Header: 'Machine', id: 'machine', accessor: x => this.renderMachine(x.machine),
+        {Header: 'Machine', id: 'machine', accessor: x => RenderMachine(x.machine),
           style: { 'whiteSpace': 'unset' }, width: 160},
         {Header: 'Service', id: 'service', accessor: x => x.info.display_name, style: { 'whiteSpace': 'unset' }, width: 100},
         {Header: 'Started', id: 'started', accessor: x => x.info.started, style: { 'whiteSpace': 'unset' }},
@@ -23,13 +24,7 @@ class T1110 extends React.Component {
     }])};
 
   static renderCreds(creds) {
-    return <span>{creds.map(cred => <div>{cred}</div>)}</span>
-  };
-
-  static renderMachine(val){
-    return (
-      <span>{val.ip_addr} {(val.domain_name ? " (".concat(val.domain_name, ")") : "")}</span>
-    )
+    return <span>{creds.map(cred => <div key={cred}>{cred}</div>)}</span>
   };
 
   render() {

monkey/monkey_island/cc/ui/src/components/attack/techniques/T1197.js

@@ -1,6 +1,7 @@
 import React from 'react';
 import '../../../styles/Collapse.scss'
 import ReactTable from "react-table";
+import { RenderMachine } from "./Helpers"
 
 
 class T1210 extends React.Component {
@@ -8,7 +9,7 @@ class T1210 extends React.Component {
   constructor(props) {
     super(props);
     this.columns = [ {Header: 'Machine',
-                      id: 'machine', accessor: x => T1210.renderMachine(x),
+                      id: 'machine', accessor: x => RenderMachine(x),
                       style: { 'whiteSpace': 'unset' },
                       width: 200},
                     {Header: 'Time',
@@ -21,12 +22,6 @@ class T1210 extends React.Component {
       ]
   }
 
-  static renderMachine(val){
-    return (
-      <span>{val.ip_addr} {(val.domain_name ? " (".concat(val.domain_name, ")") : "")}</span>
-    )
-  };
-
   renderExploitedMachines(){
     if (this.props.data.bits_jobs.length === 0){
       return (<div />)

monkey/monkey_island/cc/ui/src/components/attack/techniques/T1210.js

@@ -1,6 +1,7 @@
 import React from 'react';
 import '../../../styles/Collapse.scss'
 import ReactTable from "react-table";
+import { RenderMachine } from "./Helpers"
 
 
 class T1210 extends React.Component {
@@ -12,7 +13,7 @@ class T1210 extends React.Component {
   static getScanColumns() {
     return ([{
       columns: [
-        {Header: 'Machine', id: 'machine', accessor: x => this.renderMachine(x.machine),
+        {Header: 'Machine', id: 'machine', accessor: x => RenderMachine(x.machine),
           style: { 'whiteSpace': 'unset' }, width: 200},
         {Header: 'Time', id: 'time', accessor: x => x.time, style: { 'whiteSpace': 'unset' }, width: 170},
         {Header: 'Port', id: 'port', accessor: x =>x.service.port, style: { 'whiteSpace': 'unset' }},
@@ -23,7 +24,7 @@ class T1210 extends React.Component {
   static getExploitColumns() {
     return ([{
       columns: [
-        {Header: 'Machine', id: 'machine', accessor: x => this.renderMachine(x.machine),
+        {Header: 'Machine', id: 'machine', accessor: x => RenderMachine(x.machine),
           style: { 'whiteSpace': 'unset' }, width: 200},
         {Header: 'Time', id: 'time', accessor: x => x.time, style: { 'whiteSpace': 'unset' }, width: 170},
         {Header: 'Port/url', id: 'port', accessor: x =>this.renderEndpoint(x.service), style: { 'whiteSpace': 'unset' }},
@@ -31,12 +32,6 @@ class T1210 extends React.Component {
         ]
     }])};
 
-  static renderMachine(val){
-    return (
-      <span>{val.ip_addr} {(val.domain_name ? " (".concat(val.domain_name, ")") : "")}</span>
-    )
-  };
-
   static renderEndpoint(val){
     return (
       <span>{(val.vulnerable_urls.length !== 0 ? val.vulnerable_urls[0] : val.vulnerable_ports[0])}</span>

monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js

@@ -2,17 +2,19 @@ import React from 'react';
 import {Col} from 'react-bootstrap';
 import {ReactiveGraph} from 'components/reactive-graph/ReactiveGraph';
 import {edgeGroupToColor, options} from 'components/map/MapOptions';
+import '../../styles/Collapse.scss'
 import AuthComponent from '../AuthComponent';
 import Collapse from '@kunukn/react-collapse';
 import T1210 from '../attack/techniques/T1210';
 import T1197 from '../attack/techniques/T1197';
 import T1110 from '../attack/techniques/T1110';
-import '../../styles/Collapse.scss'
+import T1075 from "../attack/techniques/T1075";
 
 const tech_components = {
   'T1210': T1210,
   'T1197': T1197,
-  'T1110': T1110
+  'T1110': T1110,
+  'T1075': T1075
 };
 
 const classNames = require('classnames');