forked from p15670423/monkey
Merge pull request #2048 from guardicore/2002-remove-backend-encryption
Remove backend encryption
This commit is contained in:
commit
c4d5e58486
|
@ -83,6 +83,8 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- "+dev" from version numbers. #1553
|
- "+dev" from version numbers. #1553
|
||||||
- agent's "--config" argument. #906
|
- agent's "--config" argument. #906
|
||||||
- Option to export monkey telemetries. #1998
|
- Option to export monkey telemetries. #1998
|
||||||
|
- "/api/configuration/import" endpoint. #2002
|
||||||
|
- "/api/configuration/export" endpoint. #2002
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- A bug in network map page that caused delay of telemetry log loading. #1545
|
- A bug in network map page that caused delay of telemetry log loading. #1545
|
||||||
|
|
|
@ -23,8 +23,6 @@ from monkey_island.cc.resources.blackbox.monkey_blackbox_endpoint import MonkeyB
|
||||||
from monkey_island.cc.resources.blackbox.telemetry_blackbox_endpoint import (
|
from monkey_island.cc.resources.blackbox.telemetry_blackbox_endpoint import (
|
||||||
TelemetryBlackboxEndpoint,
|
TelemetryBlackboxEndpoint,
|
||||||
)
|
)
|
||||||
from monkey_island.cc.resources.configuration_export import ConfigurationExport
|
|
||||||
from monkey_island.cc.resources.configuration_import import ConfigurationImport
|
|
||||||
from monkey_island.cc.resources.edge import Edge
|
from monkey_island.cc.resources.edge import Edge
|
||||||
from monkey_island.cc.resources.exploitations.manual_exploitation import ManualExploitation
|
from monkey_island.cc.resources.exploitations.manual_exploitation import ManualExploitation
|
||||||
from monkey_island.cc.resources.exploitations.monkey_exploitation import MonkeyExploitation
|
from monkey_island.cc.resources.exploitations.monkey_exploitation import MonkeyExploitation
|
||||||
|
@ -154,8 +152,6 @@ def init_api_resources(api: FlaskDIWrapper):
|
||||||
|
|
||||||
api.add_resource(IslandMode)
|
api.add_resource(IslandMode)
|
||||||
api.add_resource(IslandConfiguration)
|
api.add_resource(IslandConfiguration)
|
||||||
api.add_resource(ConfigurationExport)
|
|
||||||
api.add_resource(ConfigurationImport)
|
|
||||||
api.add_resource(AgentConfiguration)
|
api.add_resource(AgentConfiguration)
|
||||||
api.add_resource(AgentBinaries)
|
api.add_resource(AgentBinaries)
|
||||||
api.add_resource(NetMap)
|
api.add_resource(NetMap)
|
||||||
|
|
|
@ -1,29 +0,0 @@
|
||||||
import json
|
|
||||||
|
|
||||||
from flask import request
|
|
||||||
|
|
||||||
from monkey_island.cc.resources.AbstractResource import AbstractResource
|
|
||||||
from monkey_island.cc.resources.request_authentication import jwt_required
|
|
||||||
from monkey_island.cc.server_utils.encryption import PasswordBasedStringEncryptor
|
|
||||||
from monkey_island.cc.services.config import ConfigService
|
|
||||||
|
|
||||||
|
|
||||||
class ConfigurationExport(AbstractResource):
|
|
||||||
urls = ["/api/configuration/export"]
|
|
||||||
|
|
||||||
@jwt_required
|
|
||||||
def post(self):
|
|
||||||
data = json.loads(request.data)
|
|
||||||
should_encrypt = data["should_encrypt"]
|
|
||||||
|
|
||||||
plaintext_config = ConfigService.get_config()
|
|
||||||
|
|
||||||
config_export = plaintext_config
|
|
||||||
if should_encrypt:
|
|
||||||
password = data["password"]
|
|
||||||
plaintext_config = json.dumps(plaintext_config)
|
|
||||||
|
|
||||||
pb_encryptor = PasswordBasedStringEncryptor(password)
|
|
||||||
config_export = pb_encryptor.encrypt(plaintext_config)
|
|
||||||
|
|
||||||
return {"config_export": config_export, "encrypted": should_encrypt}
|
|
|
@ -1,103 +0,0 @@
|
||||||
import json
|
|
||||||
import logging
|
|
||||||
from dataclasses import dataclass
|
|
||||||
from json.decoder import JSONDecodeError
|
|
||||||
|
|
||||||
from flask import request
|
|
||||||
|
|
||||||
from common.utils.exceptions import InvalidConfigurationError
|
|
||||||
from monkey_island.cc.resources.AbstractResource import AbstractResource
|
|
||||||
from monkey_island.cc.resources.request_authentication import jwt_required
|
|
||||||
from monkey_island.cc.server_utils.encryption import (
|
|
||||||
InvalidCiphertextError,
|
|
||||||
InvalidCredentialsError,
|
|
||||||
PasswordBasedStringEncryptor,
|
|
||||||
is_encrypted,
|
|
||||||
)
|
|
||||||
from monkey_island.cc.services.config import ConfigService
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
|
|
||||||
class ImportStatuses:
|
|
||||||
UNSAFE_OPTION_VERIFICATION_REQUIRED = "unsafe_options_verification_required"
|
|
||||||
INVALID_CONFIGURATION = "invalid_configuration"
|
|
||||||
INVALID_CREDENTIALS = "invalid_credentials"
|
|
||||||
IMPORTED = "imported"
|
|
||||||
|
|
||||||
|
|
||||||
@dataclass
|
|
||||||
class ResponseContents:
|
|
||||||
import_status: str = ImportStatuses.IMPORTED
|
|
||||||
message: str = ""
|
|
||||||
status_code: int = 200
|
|
||||||
config: str = ""
|
|
||||||
config_schema: str = ""
|
|
||||||
|
|
||||||
def form_response(self):
|
|
||||||
return self.__dict__
|
|
||||||
|
|
||||||
|
|
||||||
class ConfigurationImport(AbstractResource):
|
|
||||||
# API Spec: Should probably be merged with IslandConfiguration
|
|
||||||
urls = ["/api/configuration/import"]
|
|
||||||
SUCCESS = False
|
|
||||||
|
|
||||||
@jwt_required
|
|
||||||
def post(self):
|
|
||||||
request_contents = json.loads(request.data)
|
|
||||||
try:
|
|
||||||
config = ConfigurationImport._get_plaintext_config_from_request(request_contents)
|
|
||||||
if request_contents["unsafeOptionsVerified"]:
|
|
||||||
ConfigurationImport.import_config(config)
|
|
||||||
return ResponseContents().form_response()
|
|
||||||
else:
|
|
||||||
return ResponseContents(
|
|
||||||
config=json.dumps(config),
|
|
||||||
config_schema=ConfigService.get_config_schema(),
|
|
||||||
import_status=ImportStatuses.UNSAFE_OPTION_VERIFICATION_REQUIRED,
|
|
||||||
).form_response()
|
|
||||||
# API Spec: HTTP status code should be 401 here
|
|
||||||
except InvalidCredentialsError:
|
|
||||||
return ResponseContents(
|
|
||||||
import_status=ImportStatuses.INVALID_CREDENTIALS,
|
|
||||||
message="Invalid credentials provided",
|
|
||||||
).form_response()
|
|
||||||
# API Spec: HTTP status code should be 400 (or something else) here
|
|
||||||
except InvalidConfigurationError:
|
|
||||||
return ResponseContents(
|
|
||||||
import_status=ImportStatuses.INVALID_CONFIGURATION,
|
|
||||||
message="Invalid configuration supplied. "
|
|
||||||
"Maybe the format is outdated or the file has been corrupted.",
|
|
||||||
).form_response()
|
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def _get_plaintext_config_from_request(request_contents: dict) -> dict:
|
|
||||||
try:
|
|
||||||
config = request_contents["config"]
|
|
||||||
if ConfigurationImport.is_config_encrypted(request_contents["config"]):
|
|
||||||
pb_encryptor = PasswordBasedStringEncryptor(request_contents["password"])
|
|
||||||
config = pb_encryptor.decrypt(config)
|
|
||||||
return json.loads(config)
|
|
||||||
except (JSONDecodeError, InvalidCiphertextError):
|
|
||||||
logger.exception(
|
|
||||||
"Exception encountered when trying to extract plaintext configuration."
|
|
||||||
)
|
|
||||||
raise InvalidConfigurationError
|
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def import_config(config_json):
|
|
||||||
if not ConfigService.update_config(config_json, should_encrypt=True):
|
|
||||||
raise InvalidConfigurationError
|
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def is_config_encrypted(config: str):
|
|
||||||
try:
|
|
||||||
if config.startswith("{"):
|
|
||||||
return False
|
|
||||||
elif is_encrypted(config):
|
|
||||||
return True
|
|
||||||
else:
|
|
||||||
raise InvalidConfigurationError
|
|
||||||
except Exception:
|
|
||||||
raise InvalidConfigurationError
|
|
|
@ -2,10 +2,6 @@ from .i_encryptor import IEncryptor
|
||||||
from .key_based_encryptor import (
|
from .key_based_encryptor import (
|
||||||
KeyBasedEncryptor,
|
KeyBasedEncryptor,
|
||||||
)
|
)
|
||||||
from .password_based_string_encryptor import (
|
|
||||||
PasswordBasedStringEncryptor,
|
|
||||||
is_encrypted,
|
|
||||||
)
|
|
||||||
from .password_based_bytes_encryptor import (
|
from .password_based_bytes_encryptor import (
|
||||||
PasswordBasedBytesEncryptor,
|
PasswordBasedBytesEncryptor,
|
||||||
InvalidCredentialsError,
|
InvalidCredentialsError,
|
||||||
|
|
|
@ -1,33 +0,0 @@
|
||||||
import base64
|
|
||||||
import logging
|
|
||||||
|
|
||||||
import pyAesCrypt
|
|
||||||
|
|
||||||
from .i_encryptor import IEncryptor
|
|
||||||
from .password_based_bytes_encryptor import PasswordBasedBytesEncryptor
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
|
|
||||||
class PasswordBasedStringEncryptor(IEncryptor):
|
|
||||||
|
|
||||||
_BUFFER_SIZE = pyAesCrypt.crypto.bufferSizeDef
|
|
||||||
|
|
||||||
def __init__(self, password: str):
|
|
||||||
self.password = password
|
|
||||||
|
|
||||||
def encrypt(self, plaintext: str) -> str:
|
|
||||||
ciphertext = PasswordBasedBytesEncryptor(self.password).encrypt(plaintext.encode())
|
|
||||||
|
|
||||||
return base64.b64encode(ciphertext).decode()
|
|
||||||
|
|
||||||
def decrypt(self, ciphertext: str) -> str:
|
|
||||||
ciphertext = base64.b64decode(ciphertext)
|
|
||||||
|
|
||||||
plaintext_stream = PasswordBasedBytesEncryptor(self.password).decrypt(ciphertext)
|
|
||||||
return plaintext_stream.decode()
|
|
||||||
|
|
||||||
|
|
||||||
def is_encrypted(ciphertext: str) -> bool:
|
|
||||||
ciphertext = base64.b64decode(ciphertext)
|
|
||||||
return ciphertext.startswith(b"AES")
|
|
|
@ -12,6 +12,7 @@ type Props = {
|
||||||
}
|
}
|
||||||
|
|
||||||
const ConfigExportModal = (props: Props) => {
|
const ConfigExportModal = (props: Props) => {
|
||||||
|
// TODO: Change this endpoint to new agent-configuration endpoint
|
||||||
const configExportEndpoint = '/api/configuration/export';
|
const configExportEndpoint = '/api/configuration/export';
|
||||||
|
|
||||||
const [pass, setPass] = useState('');
|
const [pass, setPass] = useState('');
|
||||||
|
|
|
@ -18,6 +18,7 @@ type Props = {
|
||||||
|
|
||||||
|
|
||||||
const ConfigImportModal = (props: Props) => {
|
const ConfigImportModal = (props: Props) => {
|
||||||
|
// TODO: change this endpoint to the new configuration import endpoint
|
||||||
const configImportEndpoint = '/api/configuration/import';
|
const configImportEndpoint = '/api/configuration/import';
|
||||||
|
|
||||||
const [uploadStatus, setUploadStatus] = useState(UploadStatuses.clean);
|
const [uploadStatus, setUploadStatus] = useState(UploadStatuses.clean);
|
||||||
|
|
|
@ -1,113 +0,0 @@
|
||||||
{
|
|
||||||
"basic": {
|
|
||||||
"exploiters": {
|
|
||||||
"exploiter_classes": [
|
|
||||||
"SmbExploiter",
|
|
||||||
"WmiExploiter",
|
|
||||||
"SSHExploiter",
|
|
||||||
"HadoopExploiter",
|
|
||||||
"MSSQLExploiter"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"credentials": {
|
|
||||||
"exploit_user_list": [
|
|
||||||
"Administrator",
|
|
||||||
"root",
|
|
||||||
"user"
|
|
||||||
],
|
|
||||||
"exploit_password_list": [
|
|
||||||
"root",
|
|
||||||
"123456",
|
|
||||||
"password",
|
|
||||||
"123456789",
|
|
||||||
"qwerty",
|
|
||||||
"111111",
|
|
||||||
"iloveyou"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"basic_network": {
|
|
||||||
"scope": {
|
|
||||||
"blocked_ips": [],
|
|
||||||
"local_network_scan": true,
|
|
||||||
"depth": 2,
|
|
||||||
"subnet_scan_list": []
|
|
||||||
},
|
|
||||||
"network_analysis": {
|
|
||||||
"inaccessible_subnets": []
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"internal": {
|
|
||||||
"general": {
|
|
||||||
"keep_tunnel_open_time": 60
|
|
||||||
},
|
|
||||||
"network": {
|
|
||||||
"tcp_scanner": {
|
|
||||||
"HTTP_PORTS": [
|
|
||||||
80,
|
|
||||||
8080,
|
|
||||||
443,
|
|
||||||
8008,
|
|
||||||
7001,
|
|
||||||
9200
|
|
||||||
],
|
|
||||||
"tcp_target_ports": [
|
|
||||||
22,
|
|
||||||
2222,
|
|
||||||
445,
|
|
||||||
135,
|
|
||||||
3389,
|
|
||||||
80,
|
|
||||||
8080,
|
|
||||||
443,
|
|
||||||
8008,
|
|
||||||
3306,
|
|
||||||
7001,
|
|
||||||
8088
|
|
||||||
],
|
|
||||||
"tcp_scan_timeout": 3000
|
|
||||||
},
|
|
||||||
"ping_scanner": {
|
|
||||||
"ping_scan_timeout": 1000
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"classes": {
|
|
||||||
"finger_classes": [
|
|
||||||
"SMBFinger",
|
|
||||||
"SSHFinger",
|
|
||||||
"HTTPFinger",
|
|
||||||
"MSSQLFinger",
|
|
||||||
"ElasticFinger"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"exploits": {
|
|
||||||
"exploit_lm_hash_list": [],
|
|
||||||
"exploit_ntlm_hash_list": [],
|
|
||||||
"exploit_ssh_keys": []
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"monkey": {
|
|
||||||
"post_breach": {
|
|
||||||
"custom_pba_linux_cmd": "",
|
|
||||||
"custom_pba_windows_cmd": "",
|
|
||||||
"pba_windows_filename": "",
|
|
||||||
"pba_linux_filename": "",
|
|
||||||
"post_breach_actions": [
|
|
||||||
"communicateasbackdooruser",
|
|
||||||
"modifyshellstartupfiles",
|
|
||||||
"hiddenfiles",
|
|
||||||
"trapcommand",
|
|
||||||
"changesetuidsetgid",
|
|
||||||
"schedulejobs",
|
|
||||||
"timestomping",
|
|
||||||
"accountdiscovery"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"system_info": {
|
|
||||||
"system_info_collector_classes": [
|
|
||||||
"MimikatzCollector",
|
|
||||||
"SSHCollector"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,28 +1,14 @@
|
||||||
# Without these imports pytests can't use fixtures,
|
|
||||||
# because they are not found
|
|
||||||
import json
|
|
||||||
|
|
||||||
import pytest
|
import pytest
|
||||||
from tests.unit_tests.monkey_island.cc.mongomock_fixtures import * # noqa: F401,F403,E402
|
from tests.unit_tests.monkey_island.cc.mongomock_fixtures import * # noqa: F401,F403,E402
|
||||||
|
|
||||||
from monkey_island.cc.server_utils.encryption import unlock_datastore_encryptor
|
from monkey_island.cc.server_utils.encryption import unlock_datastore_encryptor
|
||||||
|
|
||||||
|
|
||||||
@pytest.fixture
|
|
||||||
def monkey_config(load_monkey_config):
|
|
||||||
return load_monkey_config("monkey_config_standard.json")
|
|
||||||
|
|
||||||
|
|
||||||
@pytest.fixture
|
@pytest.fixture
|
||||||
def flat_monkey_config(load_monkey_config):
|
def flat_monkey_config(load_monkey_config):
|
||||||
return load_monkey_config("flat_config.json")
|
return load_monkey_config("flat_config.json")
|
||||||
|
|
||||||
|
|
||||||
@pytest.fixture
|
|
||||||
def monkey_config_json(monkey_config):
|
|
||||||
return json.dumps(monkey_config)
|
|
||||||
|
|
||||||
|
|
||||||
@pytest.fixture
|
@pytest.fixture
|
||||||
def uses_encryptor(data_for_tests_dir):
|
def uses_encryptor(data_for_tests_dir):
|
||||||
secret = "m0nk3y_u53r:3cr3t_p455w0rd"
|
secret = "m0nk3y_u53r:3cr3t_p455w0rd"
|
||||||
|
|
|
@ -1,32 +0,0 @@
|
||||||
import pytest
|
|
||||||
from tests.unit_tests.monkey_island.cc.server_utils.encryption.test_password_based_encryption import ( # noqa: E501
|
|
||||||
PASSWORD,
|
|
||||||
)
|
|
||||||
from tests.unit_tests.monkey_island.cc.services.utils.ciphertexts_for_encryption_test import (
|
|
||||||
MALFORMED_CIPHER_TEXT_CORRUPTED,
|
|
||||||
)
|
|
||||||
|
|
||||||
from common.utils.exceptions import InvalidConfigurationError
|
|
||||||
from monkey_island.cc.resources.configuration_import import ConfigurationImport
|
|
||||||
from monkey_island.cc.server_utils.encryption import PasswordBasedStringEncryptor
|
|
||||||
|
|
||||||
|
|
||||||
def test_is_config_encrypted__json(monkey_config_json):
|
|
||||||
assert not ConfigurationImport.is_config_encrypted(monkey_config_json)
|
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.slow
|
|
||||||
def test_is_config_encrypted__ciphertext(monkey_config_json):
|
|
||||||
pb_encryptor = PasswordBasedStringEncryptor(PASSWORD)
|
|
||||||
encrypted_config = pb_encryptor.encrypt(monkey_config_json)
|
|
||||||
assert ConfigurationImport.is_config_encrypted(encrypted_config)
|
|
||||||
|
|
||||||
|
|
||||||
def test_is_config_encrypted__corrupt_ciphertext():
|
|
||||||
with pytest.raises(InvalidConfigurationError):
|
|
||||||
assert ConfigurationImport.is_config_encrypted(MALFORMED_CIPHER_TEXT_CORRUPTED)
|
|
||||||
|
|
||||||
|
|
||||||
def test_is_config_encrypted__unknown_format():
|
|
||||||
with pytest.raises(InvalidConfigurationError):
|
|
||||||
assert ConfigurationImport.is_config_encrypted("ABC")
|
|
|
@ -1,47 +0,0 @@
|
||||||
import pytest
|
|
||||||
from tests.unit_tests.monkey_island.cc.services.utils.ciphertexts_for_encryption_test import (
|
|
||||||
MALFORMED_CIPHER_TEXT_CORRUPTED,
|
|
||||||
VALID_CIPHER_TEXT,
|
|
||||||
)
|
|
||||||
|
|
||||||
from monkey_island.cc.server_utils.encryption import (
|
|
||||||
InvalidCiphertextError,
|
|
||||||
InvalidCredentialsError,
|
|
||||||
PasswordBasedStringEncryptor,
|
|
||||||
)
|
|
||||||
|
|
||||||
# Mark all tests in this module as slow
|
|
||||||
pytestmark = pytest.mark.slow
|
|
||||||
|
|
||||||
PASSWORD = "hello123"
|
|
||||||
INCORRECT_PASSWORD = "goodbye321"
|
|
||||||
|
|
||||||
|
|
||||||
def test_encrypt_decrypt_string(monkey_config_json):
|
|
||||||
pb_encryptor = PasswordBasedStringEncryptor(PASSWORD)
|
|
||||||
encrypted_config = pb_encryptor.encrypt(monkey_config_json)
|
|
||||||
assert pb_encryptor.decrypt(encrypted_config) == monkey_config_json
|
|
||||||
|
|
||||||
|
|
||||||
def test_decrypt_string__wrong_password(monkey_config_json):
|
|
||||||
pb_encryptor = PasswordBasedStringEncryptor(INCORRECT_PASSWORD)
|
|
||||||
with pytest.raises(InvalidCredentialsError):
|
|
||||||
pb_encryptor.decrypt(VALID_CIPHER_TEXT)
|
|
||||||
|
|
||||||
|
|
||||||
def test_decrypt_string__malformed_corrupted():
|
|
||||||
pb_encryptor = PasswordBasedStringEncryptor(PASSWORD)
|
|
||||||
with pytest.raises(ValueError):
|
|
||||||
pb_encryptor.decrypt(MALFORMED_CIPHER_TEXT_CORRUPTED)
|
|
||||||
|
|
||||||
|
|
||||||
def test_decrypt_string__no_password(monkey_config_json):
|
|
||||||
pb_encryptor = PasswordBasedStringEncryptor("")
|
|
||||||
with pytest.raises(InvalidCredentialsError):
|
|
||||||
pb_encryptor.decrypt(VALID_CIPHER_TEXT)
|
|
||||||
|
|
||||||
|
|
||||||
def test_decrypt_string__invalid_cyphertext(monkey_config_json):
|
|
||||||
pb_encryptor = PasswordBasedStringEncryptor("")
|
|
||||||
with pytest.raises(InvalidCiphertextError):
|
|
||||||
pb_encryptor.decrypt("")
|
|
Loading…
Reference in New Issue