monkey/envs/monkey_zoo/docs/fullDocs.md

23 KiB
Raw Blame History

This document describes Infection Monkeys test network, how to deploy and use it.

Warning!
Introduction
Getting started
Using islands
Running tests
Machines legend
Machines
Nr. 2 Hadoop
Nr. 3 Hadoop
Nr. 4 Elastic
Nr. 5 Elastic
Nr. 6 Sambacry
Nr. 7 Sambacry
Nr. 8 Shellshock
Nr. 9 Tunneling M1
Nr. 10 Tunneling M2
Nr. 11 SSH key steal
Nr. 12 SSH key steal
Nr. 13 RDP grinder
Nr. 14 Mimikatz
Nr. 15 Mimikatz
Nr. 16 MsSQL
Nr. 17 Upgrader
Nr. 18 WebLogic
Nr. 19 WebLogic
Nr. 20 SMB
Nr. 21 Scan
Nr. 22 Scan
Nr. 23 Struts2
Nr. 24 Struts2
Nr. 250 MonkeyIsland
Nr. 251 MonkeyIsland
Network topography

Warning!

This project builds an intentionally vulnerable network. Make sure not to add production servers to the same network and leave it closed to the public.

Introduction:

MonkeyZoo is a Google Cloud Platform network deployed with terraform. Terraform scripts allows you to quickly setup a network thats full of vulnerable machines to regression test monkeys exploiters, evaluate scanning times in a real-world scenario and many more.

Getting started:

Requirements:

  1. Have terraform installed.
  2. Have a Google Cloud Platform account (upgraded if you want to test whole network at once).

To deploy:

  1. Configure service account for your project:

    a. Create a service account and name it “your_name-monkeyZoo-user”

    b. Give these permissions to your service account:

    Compute Engine -> Compute Network Admin and Compute Engine -> Compute Instance Admin and Compute Engine -> Compute Security Admin and Service Account User

    or

    Project -> Owner

    c. Download its Service account key. Select JSON format.

  2. Get these permissions in monkeyZoo project for your service account (ask monkey developers to add them):

    a. Compute Engine -> Compute image user

  3. Change configurations located in the ../monkey/envs/monkey_zoo/terraform/config.tf file (dont forget to link to your service account key file):

    provider "google" {

    project = "project-28054666"

    region = "europe-west3"

    zone = "europe-west3-b"

    credentials = "${file("project-92050661-9dae6c5a02fc.json")}"

    }

    service_account_email="test@project-925243.iam.gserviceaccount.com"

  4. Run terraform init

To deploy the network run:
terraform plan (review the changes it will make on GCP)
terraform apply (creates 2 networks for machines)
terraform apply (adds machines to these networks)

Using islands:

###How to get into the islands:

island-linux-250: SSH from GCP

island-windows-251: In GCP/VM instances page click on island-windows-251. Set password for your account and then RDP into the island.

###These are most common steps on monkey islands:

####island-linux-250:

To run monkey island:
sudo /usr/run\_island.sh

To run monkey:
sudo /usr/run\_monkey.sh

To update repository:
git pull /usr/infection_monkey

Update all requirements using deployment script:
1. cd /usr/infection_monkey/deployment_scripts
2. ./deploy_linux.sh "/usr/infection_monkey" "develop"

####island-windows-251:

To run monkey island:
Execute C:\run_monkey_island.bat as administrator

To run monkey:
Execute C:\run_monkey.bat as administrator

To update repository:
1. Open cmd as an administrator
2. cd C:\infection_monkey
3. git pull (updates develop branch)

Update all requirements using deployment script:

  1. cd C:\infection_monkey\deployment_scripts
  2. ./run_script.bat "C:\infection_monkey" "develop"

Running tests:

Once you start monkey island you can import test configurations from ../monkey/envs/configs.

fullTest.conf is a good config to start, because it covers all machines.

Machines:

Nr. 2 Hadoop

(10.2.2.2)

(Vulnerable)
OS: Ubuntu 16.04.05 x64
Software:

JDK,

Hadoop 2.9.1

Default servers port: 8020
Servers config: Single node cluster
Scan results: Machine exploited using Hadoop exploiter
Notes:

Nr. 3 Hadoop

(10.2.2.3)

(Vulnerable)
OS: Windows 10 x64
Software:

JDK,

Hadoop 2.9.1

Default servers port: 8020
Servers config: Single node cluster
Scan results: Machine exploited using Hadoop exploiter
Notes:

Nr. 4 Elastic

(10.2.2.4)

(Vulnerable)
OS: Ubuntu 16.04.05 x64
Software:

JDK,

Elastic 1.4.2

Default servers port: 9200
Servers config: Default
Scan results: Machine exploited using Elastic exploiter
Notes: Quick tutorial on how to add entries (was useful when setting up).

Nr. 5 Elastic

(10.2.2.5)

(Vulnerable)
OS: Windows 10 x64
Software:

JDK,

Elastic 1.4.2

Default servers port: 9200
Servers config: Default
Scan results: Machine exploited using Elastic exploiter
Notes: Quick tutorial on how to add entries (was useful when setting up).

Nr. 6 Sambacry

(10.2.2.6)

(Not implemented)
OS: Ubuntu 16.04.05 x64
Software: Samba > 3.5.0 and < 4.6.4, 4.5.10 and 4.4.14
Default servers port: -
Root password: ;^TK`9XN_x^
Servers config:
Scan results: Machine exploited using Sambacry exploiter
Notes:

Nr. 7 Sambacry

(10.2.2.7)

(Not implemented)
OS: Ubuntu 16.04.05 x32
Software: Samba > 3.5.0 and < 4.6.4, 4.5.10 and 4.4.14
Default servers port: -
Root password: *.&A7/W}Rc$
Servers config:
Scan results: Machine exploited using Sambacry exploiter
Notes:

Nr. 8 Shellshock

(10.2.2.8)

(Vulnerable)
OS: Ubuntu 12.04 LTS x64
Software: Apache2, bash 4.2.
Default servers port: 80
Scan results: Machine exploited using Shellshock exploiter
Notes: Vulnerable app is under /cgi-bin/test.cgi

Nr. 9 Tunneling M1

(10.2.2.9, 10.2.1.9)

(Vulnerable)
OS: Ubuntu 16.04.05 x64
Software: OpenSSL
Default services port: 22
Root password: `))jU7L(w}
Servers config: Default
Notes:

Nr. 10 Tunneling M2

(10.2.1.10)

(Exploitable)
OS: Ubuntu 16.04.05 x64
Software: OpenSSL
Default services port: 22
Root password: 3Q=(Ge(+&w]*
Servers config: Default
Notes: Accessible only trough Nr.9

Nr. 11 SSH key steal.

(10.2.2.11)

(Vulnerable)
OS: Ubuntu 16.04.05 x64
Software: OpenSSL
Default connection port: 22
Root password: ^NgDvY59~8
Servers config: SSH keys to connect to NR. 11
Notes:

Nr. 12 SSH key steal.

(10.2.2.12)

(Exploitable)
OS: Ubuntu 16.04.05 x64
Software: OpenSSL
Default connection port: 22
Root password: u?Sj5@6(-C
Servers config: SSH configured to allow connection from NR.10
Notes: Dont add this machines credentials to exploit configuration.

Nr. 13 RDP grinder

(10.2.2.13)

(Not implemented)
OS: Windows 10 x64
Software: -
Default connection port: 3389
Root password: 2}p}aR]&=M
Servers config:

Remote desktop enabled

Admin users credentials:

m0nk3y, 2}p}aR]&=M

Notes:

Nr. 14 Mimikatz

(10.2.2.14)

(Vulnerable)
OS: Windows 10 x64
Software: -
Admin password: Ivrrw5zEzs
Servers config:

Has cached mimikatz-15 RDP credentials

SMB turned on

Notes:

Nr. 15 Mimikatz

(10.2.2.15)

(Exploitable)
OS: Windows 10 x64
Software: -
Admin password: pAJfG56JX><
Servers config:

Its credentials are cashed at mimikatz-14

SMB turned on

Notes: If you change this machines IP it wont get exploited.

Nr. 16 MsSQL

(10.2.2.16)

(Vulnerable)
OS: Windows 10 x64
Software: MSSQL Server
Default service port: 1433
Servers config:

xp_cmdshell feature enabled in MSSQL server

SQL server auth. creds:

m0nk3y : Xk8VDTsC

Notes:

Enabled SQL server browser service

Enabled remote connections

Changed default password

Nr. 17 Upgrader

(10.2.2.17)

(Not implemented)
OS: Windows 10 x64
Default service port: 445
Root password: U??7ppG_
Servers config: Turn on SMB
Notes:

Nr. 18 WebLogic

(10.2.2.18)

(Vulnerable)
OS: Ubuntu 16.04.05 x64
Software:

JDK,

Oracle WebLogic server 12.2.1.2

Default servers port: 7001
Admin domain credentials: weblogic : B74Ot0c4
Servers config: Default
Notes:

Nr. 19 WebLogic

(10.2.2.19)

(Vulnerable)
OS: Windows 10 x64
Software:

JDK,

Oracle WebLogic server 12.2.1.2

Default servers port: 7001
Admin servers credentials: weblogic : =ThS2d=m(`B
Servers config: Default
Notes:

Nr. 20 SMB

(10.2.2.20)

(Vulnerable)
OS: Windows 10 x64
Software: -
Default services port: 445
Root password: YbS,<tpS.2av
Servers config: SMB turned on
Notes:

Nr. 21 Scan

(10.2.2.21)

(Secure)
OS: Ubuntu 16.04.05 x64
Software: Apache tomcat 7.0.92
Default servers port: 8080
Servers config: Default
Notes: Used to scan a machine that has no vulnerabilities (to evaluate scanning speed for e.g.)

Nr. 22 Scan

(10.2.2.22)

(Secure)
OS: Windows 10 x64
Software: Apache tomcat 7.0.92
Default servers port: 8080
Servers config: Default
Notes: Used to scan a machine that has no vulnerabilities (to evaluate scanning speed for e.g.)

Nr. 23 Struts2

(10.2.2.23)

(Vulnerable)
OS: Ubuntu 16.04.05 x64
Software:

JDK,

struts2 2.3.15.1,

tomcat 9.0.0.M9

Default servers port: 8080
Servers config: Default
Notes:

Nr. 24 Struts2

(10.2.2.24)

(Vulnerable)
OS: Windows 10 x64
Software:

JDK,

struts2 2.3.15.1,

tomcat 9.0.0.M9

Default servers port: 8080
Servers config: Default
Notes:

Nr. 250 MonkeyIsland

(10.2.2.250)

OS: Ubuntu 16.04.05 x64
Software: MonkeyIsland server, git, mongodb etc.
Default servers port: 22, 443
Private key passphrase: -
Notes: Only accessible trough GCP

Nr. 251 MonkeyIsland

(10.2.2.251)

OS: Windows Server 2016 x64
Software: MonkeyIsland server, git, mongodb etc.
Default servers port: 3389, 443
Private key passphrase: -
Notes: Only accessible trough GCP

Network topography: