Merge pull request #478 from guardicore/feature/refactor_fingerprinting

Feature/refactor fingerprinting
2019-11-14 11:11:57 +02:00 · 2019-11-14 11:11:57 +02:00 · e1b31e00a5
parent aab8315cae 4f59a85f0b
commit e1b31e00a5
22 changed files with 144 additions and 103 deletions
--- a/monkey/infection_monkey/config.py
+++ b/monkey/infection_monkey/config.py
@ -33,9 +33,6 @@ class Configuration(object):
            if self._depth_from_commandline and key == "depth":
                continue
            # handle in cases
-            if key == 'finger_classes':
-                class_objects = [getattr(network_import, val) for val in value]
-                setattr(self, key, class_objects)
            elif key == 'exploiter_classes':
                class_objects = [getattr(exploit_import, val) for val in value]
                setattr(self, key, class_objects)
--- a/monkey/infection_monkey/exploit/smbexec.py
+++ b/monkey/infection_monkey/exploit/smbexec.py
@ -7,7 +7,7 @@ from infection_monkey.exploit import HostExploiter
 from infection_monkey.exploit.tools.helpers import get_target_monkey, get_monkey_depth, build_monkey_commandline
 from infection_monkey.exploit.tools.smb_tools import SmbTools
 from infection_monkey.model import MONKEY_CMDLINE_DETACHED_WINDOWS, DROPPER_CMDLINE_DETACHED_WINDOWS
-from infection_monkey.network import SMBFinger
+from infection_monkey.network.smbfinger import SMBFinger
 from infection_monkey.network.tools import check_tcp_port
 from common.utils.exploit_enum import ExploitType
 from infection_monkey.telemetry.attack.t1035_telem import T1035Telem
--- a/monkey/infection_monkey/exploit/win_ms08_067.py
+++ b/monkey/infection_monkey/exploit/win_ms08_067.py
@ -17,7 +17,7 @@ from impacket.dcerpc.v5 import transport
 from infection_monkey.exploit.tools.helpers import get_target_monkey, get_monkey_depth, build_monkey_commandline
 from infection_monkey.exploit.tools.smb_tools import SmbTools
 from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
-from infection_monkey.network import SMBFinger
+from infection_monkey.network.smbfinger import SMBFinger
 from infection_monkey.network.tools import check_tcp_port
 from . import HostExploiter

@ -234,7 +234,8 @@ class Ms08_067_Exploiter(HostExploiter):
        # execute the remote dropper in case the path isn't final
        if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
            cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} + \
-                      build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path_win_32)
+                      build_monkey_commandline(self.host, get_monkey_depth() - 1,
+                                               self._config.dropper_target_path_win_32)
        else:
            cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} + \
                      build_monkey_commandline(self.host, get_monkey_depth() - 1)
--- a/monkey/infection_monkey/monkey.py
+++ b/monkey/infection_monkey/monkey.py
@ -6,6 +6,7 @@ import sys
 import time

 import infection_monkey.tunnel as tunnel
+from infection_monkey.network.HostFinger import HostFinger
 from infection_monkey.utils.monkey_dir import create_monkey_dir, get_monkey_dir_path, remove_monkey_dir
 from infection_monkey.utils.monkey_log_path import get_monkey_log_path
 from infection_monkey.utils.environment import is_windows_os
@ -145,7 +146,7 @@ class InfectionMonkey(object):

            self._exploiters = WormConfiguration.exploiter_classes

-            self._fingerprint = [fingerprint() for fingerprint in WormConfiguration.finger_classes]
+            self._fingerprint = HostFinger.get_instances()

            if not self._keep_running or not WormConfiguration.alive:
                break
@ -192,9 +193,7 @@ class InfectionMonkey(object):
                    self._exploiters = sorted(self._exploiters, key=lambda exploiter_: exploiter_.EXPLOIT_TYPE.value)
                    host_exploited = False
                    for exploiter in [exploiter(machine) for exploiter in self._exploiters]:
-
                        if self.try_exploiting(machine, exploiter):
-
                            host_exploited = True
                            VictimHostTelem('T1210', ScanStatus.USED, machine=machine).send()
                            break
--- a/monkey/infection_monkey/network/HostFinger.py
+++ b/monkey/infection_monkey/network/HostFinger.py
@ -0,0 +1,33 @@
+from abc import abstractmethod
+
+from infection_monkey.config import WormConfiguration
+from infection_monkey.utils.plugins.plugin import Plugin
+import infection_monkey.network
+
+
+class HostFinger(Plugin):
+    @staticmethod
+    def base_package_file():
+        return infection_monkey.network.__file__
+
+    @staticmethod
+    def base_package_name():
+        return infection_monkey.network.__package__
+
+    @property
+    @abstractmethod
+    def _SCANNED_SERVICE(self):
+        pass
+
+    def init_service(self, services, service_key, port):
+        services[service_key] = {}
+        services[service_key]['display_name'] = self._SCANNED_SERVICE
+        services[service_key]['port'] = port
+
+    @abstractmethod
+    def get_host_fingerprint(self, host):
+        raise NotImplementedError()
+
+    @staticmethod
+    def should_run(class_name: str) -> bool:
+        return class_name in WormConfiguration.finger_classes
--- a/monkey/infection_monkey/network/HostScanner.py
+++ b/monkey/infection_monkey/network/HostScanner.py
@ -0,0 +1,8 @@
+from abc import ABCMeta, abstractmethod
+
+
+class HostScanner(metaclass=ABCMeta):
+    @property
+    @abstractmethod
+    def is_host_alive(self, host):
+        raise NotImplementedError()
--- a/monkey/infection_monkey/network/init.py
+++ b/monkey/infection_monkey/network/init.py
@ -1,36 +1 @@
-from abc import ABCMeta, abstractmethod
-
 __author__ = 'itamar'
-
-
-class HostScanner(object, metaclass=ABCMeta):
-    @abstractmethod
-    def is_host_alive(self, host):
-        raise NotImplementedError()
-
-
-class HostFinger(object, metaclass=ABCMeta):
-    @property
-    @abstractmethod
-    def _SCANNED_SERVICE(self):
-        pass
-
-    def init_service(self, services, service_key, port):
-        services[service_key] = {}
-        services[service_key]['display_name'] = self._SCANNED_SERVICE
-        services[service_key]['port'] = port
-
-    @abstractmethod
-    def get_host_fingerprint(self, host):
-        raise NotImplementedError()
-
-
-from infection_monkey.network.ping_scanner import PingScanner
-from infection_monkey.network.tcp_scanner import TcpScanner
-from infection_monkey.network.smbfinger import SMBFinger
-from infection_monkey.network.sshfinger import SSHFinger
-from infection_monkey.network.httpfinger import HTTPFinger
-from infection_monkey.network.elasticfinger import ElasticFinger
-from infection_monkey.network.mysqlfinger import MySQLFinger
-from infection_monkey.network.info import local_ips, get_free_tcp_port
-from infection_monkey.network.mssql_fingerprint import MSSQLFinger
--- a/monkey/infection_monkey/network/elasticfinger.py
+++ b/monkey/infection_monkey/network/elasticfinger.py
@ -6,9 +6,8 @@ import requests
 from requests.exceptions import Timeout, ConnectionError

 import infection_monkey.config
+from infection_monkey.network.HostFinger import HostFinger
 from common.data.network_consts import ES_SERVICE
-from infection_monkey.model.host import VictimHost
-from infection_monkey.network import HostFinger

 ES_PORT = 9200
 ES_HTTP_TIMEOUT = 5
@ -31,7 +30,6 @@ class ElasticFinger(HostFinger):
        :param host:
        :return: Success/failure, data is saved in the host struct
        """
-        assert isinstance(host, VictimHost)
        try:
            url = 'http://%s:%s/' % (host.ip_addr, ES_PORT)
            with closing(requests.get(url, timeout=ES_HTTP_TIMEOUT)) as req:
--- a/monkey/infection_monkey/network/httpfinger.py
+++ b/monkey/infection_monkey/network/httpfinger.py
@ -1,6 +1,5 @@
 import infection_monkey.config
-from infection_monkey.network import HostFinger
-from infection_monkey.model.host import VictimHost
+from infection_monkey.network.HostFinger import HostFinger
 import logging

 LOG = logging.getLogger(__name__)
@ -21,7 +20,6 @@ class HTTPFinger(HostFinger):
        pass

    def get_host_fingerprint(self, host):
-        assert isinstance(host, VictimHost)
        from requests import head
        from requests.exceptions import Timeout, ConnectionError
        from contextlib import closing
--- a/monkey/infection_monkey/network/mssql_fingerprint.py
+++ b/monkey/infection_monkey/network/mssql_fingerprint.py
@ -2,8 +2,7 @@ import errno
 import logging
 import socket

-from infection_monkey.model.host import VictimHost
-from infection_monkey.network import HostFinger
+from infection_monkey.network.HostFinger import HostFinger
 import infection_monkey.config

 __author__ = 'Maor Rayzin'
@ -30,7 +29,6 @@ class MSSQLFinger(HostFinger):
                Discovered server information written to the Host info struct.
                True if success, False otherwise.
        """
-        assert isinstance(host, VictimHost)

        # Create a UDP socket and sets a timeout
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
--- a/monkey/infection_monkey/network/mysqlfinger.py
+++ b/monkey/infection_monkey/network/mysqlfinger.py
@ -2,8 +2,7 @@ import logging
 import socket

 import infection_monkey.config
-from infection_monkey.model.host import VictimHost
-from infection_monkey.network import HostFinger
+from infection_monkey.network.HostFinger import HostFinger
 from infection_monkey.network.tools import struct_unpack_tracker, struct_unpack_tracker_string

 MYSQL_PORT = 3306
@ -28,7 +27,6 @@ class MySQLFinger(HostFinger):
        :param host:
        :return: Success/failure, data is saved in the host struct
        """
-        assert isinstance(host, VictimHost)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(self.SOCKET_TIMEOUT)

--- a/monkey/infection_monkey/network/network_scanner.py
+++ b/monkey/infection_monkey/network/network_scanner.py
@ -6,7 +6,8 @@ from common.network.network_range import NetworkRange
 from infection_monkey.config import WormConfiguration
 from infection_monkey.model.victim_host_generator import VictimHostGenerator
 from infection_monkey.network.info import local_ips, get_interfaces_ranges
-from infection_monkey.network import TcpScanner, PingScanner
+from infection_monkey.network.tcp_scanner import TcpScanner
+from infection_monkey.network.ping_scanner import PingScanner

 LOG = logging.getLogger(__name__)

--- a/monkey/infection_monkey/network/ping_scanner.py
+++ b/monkey/infection_monkey/network/ping_scanner.py
@ -5,8 +5,9 @@ import subprocess
 import sys

 import infection_monkey.config
+from infection_monkey.network.HostFinger import HostFinger
+from infection_monkey.network.HostScanner import HostScanner
 from infection_monkey.model.host import VictimHost
-from infection_monkey.network import HostScanner, HostFinger

 __author__ = 'itamar'

@ -28,7 +29,6 @@ class PingScanner(HostScanner, HostFinger):
        self._ttl_regex = re.compile(TTL_REGEX_STR, re.IGNORECASE)

    def is_host_alive(self, host):
-        assert isinstance(host, VictimHost)

        timeout = self._config.ping_scan_timeout
        if not "win32" == sys.platform:
@ -42,7 +42,6 @@ class PingScanner(HostScanner, HostFinger):
                                    stderr=self._devnull)

    def get_host_fingerprint(self, host):
-        assert isinstance(host, VictimHost)

        timeout = self._config.ping_scan_timeout
        if not "win32" == sys.platform:
--- a/monkey/infection_monkey/network/smbfinger.py
+++ b/monkey/infection_monkey/network/smbfinger.py
@ -3,8 +3,7 @@ import struct
 import logging
 from odict import odict

-from infection_monkey.network import HostFinger
-from infection_monkey.model.host import VictimHost
+from infection_monkey.network.HostFinger import HostFinger

 SMB_PORT = 445
 SMB_SERVICE = 'tcp-445'
@ -114,7 +113,6 @@ class SMBFinger(HostFinger):
        self._config = WormConfiguration

    def get_host_fingerprint(self, host):
-        assert isinstance(host, VictimHost)

        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
--- a/monkey/infection_monkey/network/sshfinger.py
+++ b/monkey/infection_monkey/network/sshfinger.py
@ -1,8 +1,7 @@
 import re

 import infection_monkey.config
-from infection_monkey.model.host import VictimHost
-from infection_monkey.network import HostFinger
+from infection_monkey.network.HostFinger import HostFinger
 from infection_monkey.network.tools import check_tcp_port

 SSH_PORT = 22
@ -34,7 +33,6 @@ class SSHFinger(HostFinger):
                break

    def get_host_fingerprint(self, host):
-        assert isinstance(host, VictimHost)

        for name, data in list(host.services.items()):
            banner = data.get('banner', '')
--- a/monkey/infection_monkey/network/tcp_scanner.py
+++ b/monkey/infection_monkey/network/tcp_scanner.py
@ -2,7 +2,8 @@ from itertools import zip_longest
 from random import shuffle

 import infection_monkey.config
-from infection_monkey.network import HostScanner, HostFinger
+from infection_monkey.network.HostFinger import HostFinger
+from infection_monkey.network.HostScanner import HostScanner
 from infection_monkey.network.tools import check_tcp_ports, tcp_port_to_service

 __author__ = 'itamar'
--- a/monkey/infection_monkey/post_breach/actions/init.py
+++ b/monkey/infection_monkey/post_breach/actions/init.py
@ -1,11 +0,0 @@
-from os.path import dirname, basename, isfile, join
-import glob
-
-
-def get_pba_files():
-    """
-    Gets all files under current directory(/actions)
-    :return: list of all files without .py ending
-    """
-    files = glob.glob(join(dirname(__file__), "*.py"))
-    return [basename(f)[:-3] for f in files if isfile(f) and not f.endswith('__init__.py')]
--- a/monkey/infection_monkey/post_breach/pba.py
+++ b/monkey/infection_monkey/post_breach/pba.py
@ -6,7 +6,8 @@ from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
 from infection_monkey.utils.environment import is_windows_os
 from infection_monkey.config import WormConfiguration
 from infection_monkey.telemetry.attack.t1064_telem import T1064Telem
-
+from infection_monkey.utils.plugins.plugin import Plugin
+import infection_monkey.post_breach.actions
 LOG = logging.getLogger(__name__)

 __author__ = 'VakarisZ'
@ -14,11 +15,19 @@ __author__ = 'VakarisZ'
 EXECUTION_WITHOUT_OUTPUT = "(PBA execution produced no output)"


-class PBA(object):
+class PBA(Plugin):
    """
    Post breach action object. Can be extended to support more than command execution on target machine.
    """

+    @staticmethod
+    def base_package_name():
+        return infection_monkey.post_breach.actions.__package__
+
+    @staticmethod
+    def base_package_file():
+        return infection_monkey.post_breach.actions.__file__
+
    def __init__(self, name="unknown", linux_cmd="", windows_cmd=""):
        """
        :param name: Name of post breach action.
--- a/monkey/infection_monkey/post_breach/post_breach_handler.py
+++ b/monkey/infection_monkey/post_breach/post_breach_handler.py
@ -1,9 +1,8 @@
 import logging
-import inspect
-import importlib
-from infection_monkey.post_breach.pba import PBA
-from infection_monkey.post_breach.actions import get_pba_files
+from typing import Sequence
+
 from infection_monkey.utils.environment import is_windows_os
+from infection_monkey.post_breach.pba import PBA

 LOG = logging.getLogger(__name__)

@ -34,25 +33,8 @@ class PostBreach(object):
        LOG.info("All PBAs executed. Total {} executed.".format(len(self.pba_list)))

    @staticmethod
-    def config_to_pba_list():
+    def config_to_pba_list() -> Sequence[PBA]:
        """
-        Passes config to each post breach action class and aggregates results into a list.
        :return: A list of PBA objects.
        """
-        pba_list = []
-        pba_files = get_pba_files()
-        # Go through all of files in ./actions
-        for pba_file in pba_files:
-            # Import module from that file
-            module = importlib.import_module(PATH_TO_ACTIONS + pba_file)
-            # Get all classes in a module
-            pba_classes = [m[1] for m in inspect.getmembers(module, inspect.isclass)
-                           if ((m[1].__module__ == module.__name__) and issubclass(m[1], PBA))]
-            # Get post breach action object from class
-            for pba_class in pba_classes:
-                LOG.debug("Checking if should run PBA {}".format(pba_class.__name__))
-                if pba_class.should_run(pba_class.__name__):
-                    pba = pba_class()
-                    pba_list.append(pba)
-                    LOG.debug("Added PBA {} to PBA list".format(pba_class.__name__))
-        return pba_list
+        return PBA.get_instances()
--- a/monkey/infection_monkey/pyinstaller_hooks/hook-infection_monkey.network.py
+++ b/monkey/infection_monkey/pyinstaller_hooks/hook-infection_monkey.network.py
@ -0,0 +1,4 @@
+from PyInstaller.utils.hooks import collect_submodules, collect_data_files
+
+hiddenimports = collect_submodules('infection_monkey.network')
+datas = (collect_data_files('infection_monkey.network', include_py_files=True))
--- a/monkey/infection_monkey/utils/plugins/init.py
+++ b/monkey/infection_monkey/utils/plugins/init.py
--- a/monkey/infection_monkey/utils/plugins/plugin.py
+++ b/monkey/infection_monkey/utils/plugins/plugin.py
@ -0,0 +1,65 @@
+import importlib
+import inspect
+import logging
+from abc import ABCMeta, abstractmethod
+from os.path import dirname, basename, isfile, join
+import glob
+from typing import Sequence, TypeVar, Type
+
+LOG = logging.getLogger(__name__)
+
+
+def _get_candidate_files(base_package_file):
+    files = glob.glob(join(dirname(base_package_file), "*.py"))
+    return [basename(f)[:-3] for f in files if isfile(f) and not f.endswith('__init__.py')]
+
+
+Plugin_type = TypeVar('Plugin_type', bound='Plugin')
+
+
+class Plugin(metaclass=ABCMeta):
+
+    @staticmethod
+    @abstractmethod
+    def should_run(class_name: str) -> bool:
+        raise NotImplementedError()
+
+    @classmethod
+    def get_instances(cls) -> Sequence[Type[Plugin_type]]:
+        """
+        Returns the type objects from base_package_spec.
+        base_package name and file must refer to the same package otherwise bad results
+        :return: A list of parent_class objects.
+        """
+        objects = []
+        candidate_files = _get_candidate_files(cls.base_package_file())
+        LOG.info("looking for classes of type {} in {}".format(cls.__name__, cls.base_package_name()))
+        # Go through all of files
+        for file in candidate_files:
+            # Import module from that file
+            module = importlib.import_module('.' + file, cls.base_package_name())
+            # Get all classes in a module
+            # m[1] because return object is (name,class)
+            classes = [m[1] for m in inspect.getmembers(module, inspect.isclass)
+                       if ((m[1].__module__ == module.__name__) and issubclass(m[1], cls))]
+            # Get object from class
+            for class_object in classes:
+                LOG.debug("Checking if should run object {}".format(class_object.__name__))
+                try:
+                    if class_object.should_run(class_object.__name__):
+                        instance = class_object()
+                        objects.append(instance)
+                        LOG.debug("Added {} to list".format(class_object.__name__))
+                except Exception as e:
+                    LOG.warning("Exception {} when checking if {} should run".format(str(e), class_object.__name__))
+        return objects
+
+    @staticmethod
+    @abstractmethod
+    def base_package_file():
+        pass
+
+    @staticmethod
+    @abstractmethod
+    def base_package_name():
+        pass