guardicore / monkey Goto Github PK

in case there is a configuration file we prefer it over the hard-coded configuration

The monkey should be able to scan a specific subnet (or several subnets) by listing the subnet in the config, and not by specific IPs

The user should be able to easily specify subnet pairs which shouldn't be accessible from one another.
The monkey should be able to detect whether or not they are accessible (given it's on one of the networks).
The monkey island should display all irregularities on the report.

The monkey should steal ssh keys and use them to propagate.

See:
https://mthbernardes.github.io/persistence/2018/01/10/stealing-ssh-credentials.html
https://mthbernardes.github.io/persistence/2018/02/10/stealing-ssh-credentials-another-approach.html

ImportError: No module named Queue
Failed to execute script pyi_rth_twisted

We should color code the telemetry as it's very noisy. Status reports (state, tunnel, system_info_collection), scan attempts, exploit attempts.

Maybe green/yellow/red.

reduce from 1MB in linux after cleaning unnecessary imports

Monkey should report to Monkey Island hosts that it found in the subnet (along with all available information) and report hosts that it unsuccessfully attacked.

Add the ability to pull the current state from a Monkey Island instance created by Business and display it without requiring user to open console to the machine.

Expected Behavior

We'd like to implement an exploit for the Oracle WebLogic vulnerability (CVE-2017-10271).

List of URLs we should cover

• /wls-wsat/CoordinatorPortType
• /wls-wsat/CoordinatorPortType11
• /wls-wsat/ParticipantPortType
• /wls-wsat/ParticipantPortType11
• /wls-wsat/RegistrationPortTypeRPC
• /wls-wsat/RegistrationPortTypeRPC11
• /wls-wsat/RegistrationRequesterPortType
• /wls-wsat/RegistrationRequesterPortType11

Exploit logic should be similar to the Shellshock module.

Expected Behavior

Not raise a TypeError

Actual Behavior

Raises a TypeError

Steps to Reproduce the Problem

1. Call _cast_by_example with a value which isn't None and example as a tuple with a minimum length of 1.

>>> _cast_by_example('value', ('example',))
Traceback (most recent call last):
  File "<input>", line 1, in <module>
  File "<input>", line 14, in _cast_by_example
TypeError: 'NoneType' object is not iterable

The problem is in this line:

The issue is calling tuple(None):

>>> tuple(None)
Traceback (most recent call last):
  File "<input>", line 1, in <module>
TypeError: 'NoneType' object is not iterable

Potential Fix

The problem line is almost exactly the same as this line (four lines below the problem line):

After looking at that, it seems like a potential fix would be either:

if value is None or value == (None,):
# or
if value is None or value == tuple([None]):

Both of these produce a tuple with one element which is None.

>>> (None,)
(None,)
>>> tuple([None])
(None,)

I didn't send a PR since I wasn't exactly sure if this would be correct and if so, which one of these would be preferred.

Reuse logged in users credentials when attempting to infect Windows machines by stealing tokens.

When viewing the admin page, mark in some way new monkeys that were just added so it will be easier to notice

When hpvm session expires (i.e. max timeout), ot when a real machine brutally disappears in the middle of the attack, monkey should skip this victim after a while and not stuck in a loop.

Example of the loop:
2015-08-31 00:15:23,292 [3788:DEBUG] exploit.new_smb_connection.385: SMB connect
ion to <VictimHost 200.200.200.8> on port 445 failed, trying port 139 ([Errno 10
060] A connection attempt failed because the connected party did not properly re
spond after a period of time, or established connection failed because connected
host has failed to respond (200.200.200.8:445))
2015-08-31 00:15:48,875 [3788:DEBUG] exploit.new_smb_connection.391: SMB connect
ion to <VictimHost 200.200.200.8> on port 139 failed as well ([Errno 10060] A co
nnection attempt failed because the connected party did not properly respond aft
er a period of time, or established connection failed because connected host has
failed to respond (200.200.200.8:139))
2015-08-31 00:16:10,450 [3788:DEBUG] exploit.new_smb_connection.385: SMB connect
ion to <VictimHost 200.200.200.8> on port 445 failed, trying port 139 ([Errno 10
060] A connection attempt failed because the connected party did not properly re
spond after a period of time, or established connection failed because connected
host has failed to respond (200.200.200.8:445))

At first monkey-island.service wouldn't start but fixed it by removing bson

sudo pip uninstall bson
sudo pip uninstall pymongo
sudo pip install pymongo

But isn't starting also and I have no idea how to fix it

● monkey-island.service - Monkey Island Service
   Loaded: loaded (/lib/systemd/system/monkey-island.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-05-17 21:47:00 CEST; 5min ago
 Main PID: 5428 (start_server.sh)
    Tasks: 4 (limit: 4915)
   Memory: 19.8M
      CPU: 403ms
   CGroup: /system.slice/monkey-island.service
           ├─5428 /bin/bash /var/monkey_island/ubuntu/systemd/start_server.sh
           └─5429 python main.py

May 17 21:47:00 Broadband systemd[1]: Started Monkey Island Service.

● monkey-mongo.service - Monkey Island Mongo Service
   Loaded: loaded (/lib/systemd/system/monkey-mongo.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2017-05-17 21:47:02 CEST; 5min ago
  Process: 5501 ExecStop=/var/monkey_island/bin/mongodb/bin/mongod --shutdown (code=exited, status=127)
  Process: 5500 ExecStart=/var/monkey_island/bin/mongodb/bin/mongod --quiet --dbpath /var/monkey_island/db (code=exited, status=127)
 Main PID: 5500 (code=exited, status=127)
      CPU: 3ms

May 17 21:47:02 Broadband systemd[1]: monkey-mongo.service: Control process exited, code=exited status=127
May 17 21:47:02 Broadband systemd[1]: monkey-mongo.service: Unit entered failed state.
May 17 21:47:02 Broadband systemd[1]: monkey-mongo.service: Failed with result 'exit-code'.
May 17 21:47:02 Broadband systemd[1]: monkey-mongo.service: Service hold-off time over, scheduling restart.
May 17 21:47:02 Broadband systemd[1]: Stopped Monkey Island Mongo Service.
May 17 21:47:02 Broadband systemd[1]: monkey-mongo.service: Start request repeated too quickly.
May 17 21:47:02 Broadband systemd[1]: Failed to start Monkey Island Mongo Service.
May 17 21:47:02 Broadband systemd[1]: monkey-mongo.service: Unit entered failed state.
May 17 21:47:02 Broadband systemd[1]: monkey-mongo.service: Failed with result 'exit-code'.

In slow/problematic environments, like we experienced with NSX11 setup, host (many times its the hpvm) might repeatedly abort the smb copy of the monkey (which is 5MB+ file). In that case monkey stays in an endless loop of copy retries.

Hi,
It seems that the Monkey agent detects services and hosts that do not exist on the network, related only to the SSHExploiter:

How can I provide more info?

Thanks,
Dvir

Ability to control the Monkey Island from the Business. Set configuration, start and stop tests.

Instead of crashing if the monkey deserializes an unknown configuration variable, send an error message to the current monkey server and keep on working.

On windows targets, when using relevent expolits

Add the ability to create future tests, such as "in two hours spin up a Monkey test in a random VLAN, run for 30 minutes and collect results."

Add an option to configure IPs that should never be probed.

the file range is named as a python keyword. we should rename it

update the procedure to install / run / stop an island. Might be nice to write an installation script.

Expected Behavior

We'd like to implement an exploit for the Struts RCE vulnerability (S2-045) as specified in https://cwiki.apache.org/confluence/display/WW/S2-045. We can assume the victim is running Linux.

Before trying to attack, we should map the victim HTTP server for common Struts2 pages and not assume a single fixed hardcoded URL.

In case there is no link to the island, there might be an option that after successfully exploiting some hosts on the network one of them can be used as a new valid tunnel

Currently, the monkey can't tell if the target windows machine is 32bit or 64bit, so the 32bit version is used for both.
There are several problems with this. In order to solve the issue, the monkey should upgrade to 64bit after it's started

It's one giant file, should be split.

add lines to show which monkey tunneled through which, for helping diagnose the exploitation route

Similar to the vSphere feature, add the ability to create a Monkey Island server in an AWS network

If report has been generated, and after it a new monkey started running, the map V disappears but the report's V stays. We want to fix that

No reason to force the user to click "update" after they click save on the JSON.

Windows 64 builds fail when using Shellshock, with the following error
2016-09-05 13:52:31,088 [11988:ERROR] monkey.start.173: Exception while attacking <VictimHost 10.0.1.160> using ShellShockExploiter: Gevent is required for grequests.

This doesn't happen in other builds.

Add the ability to find network boxes such as switches and routers and other non endpoints and see if they're vulnerable using our current exploits without actually running the monkey.
Can maybe propagate using a scratch payload that just says "I'm here".

Add ability to scan for Apache HTTP servers and scan them for vulnerable CGI pages and attempt to attack.

Monkey Island currently outputs to console. We want to write to a log as well, and be able to access it from the island's interface

each time host is successfully exploited, the exploited host will locally save info about the attacker using an incremental trace log, so it will be possible from one log to trace back to "patient zero".

The Monkey Island's DB has a lot of data useful for debugging and for general analysis. Exporting the data should be easy, and accessible through the island's interface

Hey guys,
I'm trying to wrap my head around the installation process:
Currently, your git readme file refers to the Setup page in the Wiki.
The setup page refers to the blog, where there is completely no installation steps.
The only installation steps i've found are in the monkey\monkey_island\readme.txt, and they are messy.

1. I suggest to get all the info in one place.
2. I recommend on creating an installation script for Debian and Ubuntu (using bash).
3. Explaining more on the folders hierarchy as it is unclear.

Thank you very much, can't wait to try it.
Dviros.

Most of the functionality doesn't require root permissions, but a verification is needed.
Sample issue to check: when listening on a port, don't choose a low number.

Should have the option to support multiple users.

for example when the host is no longer relevant (dead old monkey)

SSH and Shellshock exploiters do not respect this file and overwrite existing monkeys

Browsing to / should lead to admin page.

Expected Behavior

https://github.com/guardicore/monkey/tree/master/monkey_island says => run run.sh (located under /linux)

Actual Behavior

There is no "run.sh"

Steps to Reproduce the Problem

:~/monkey/monkey_island/linux# ls -alh
total 28K
drwxr-xr-x 3 root root 4.0K Feb 8 18:57 .
drwxr-xr-x 6 root root 4.0K Feb 9 20:11 ..
-rw-r--r-- 1 root root 102 Feb 8 18:57 clear_db.sh
-rw-r--r-- 1 root root 303 Feb 8 18:57 create_certificate.sh
-rw-r--r-- 1 root root 265 Feb 8 18:57 install.sh
-rw-r--r-- 1 root root 265 Feb 8 18:57 monkey.sh
drwxr-xr-x 3 root root 4.0K Feb 8 18:57 ubuntu

Specifications

• Version: Kali 2018.1
• Platform:
• Subsystem:

Add multiple kill triggers to allow stopping the Monkey's operation.

1. Add a crossplatform "kill file" that if found, prevents the Monkey from running in any configuration.
2. Add a "safe list" in the C&C server to be checked by the Monkey before every attack attempt, if the machine is found in the list, no attack.
3. The monkey will also check it's not on the safe list upon starting up.

for example running the metasploit on the island and create TCP tunnels from it to target hosts

even if the current host couldn't connect to the island we still want the user to know this host is vulnerable, so display some UI indication to the user could be usefull