-
Notifications
You must be signed in to change notification settings - Fork 791
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch '4213-docs-exploiters-feature-pages_vuln' into develop
- Loading branch information
Showing
12 changed files
with
325 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
--- | ||
title: "Exploiters" | ||
chapter: true | ||
pre: "<i class='fas fa-ethernet'></i> " | ||
--- | ||
|
||
# Exploiters | ||
|
||
Exploiters are Infection Monkey plugins that attempt to infect machines | ||
throughout the network by spreading copies of the Agent. | ||
|
||
## Mimicking attackers | ||
|
||
During the propagation phase of an attack, attackers exploit the | ||
vulnerabilities that were identified in the reconnaissance phase to compromise | ||
networked systems. By exploiting the identified vulnerabilities, attackers are | ||
able to gain unauthorized access to systems, escalate privileges, or execute | ||
malicious actions. | ||
|
||
## How exploiters work | ||
|
||
After the Infection Monkey Agent completes the reconnaissance phase, it begins | ||
the propagation phase. In this phase, the Agent attempts to spread itself to | ||
as many systems on the network as possible. It does this by using the enabled | ||
exploiters to achieve remote code execution (RCE) on a vulnerable system; this | ||
step is known as "exploitation". After exploitation, the Agent completes the | ||
propagation phase by copying itself to the compromised system and launching a | ||
new Agent process. | ||
|
||
Infection Monkey has several exploiters that mimic real-world attack vectors. | ||
Some exploiters are based on vulnerabilities while others use brute-force | ||
tactics to gain access. The majority of exploiters pose little or no risk to | ||
the performance or availability of targeted systems. Exploiters that are known | ||
to adversely impact production workloads are clearly marked as "unsafe" in the | ||
Monkey Island. | ||
|
||
![Plugin marked as unsafe](/images/island/plugins-page/unsafe-plugin.png | ||
"Plugin marked as unsafe") | ||
|
||
## Techniques | ||
|
||
Infection Monkey offers the following exploiters: | ||
|
||
{{% children /%}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
--- | ||
title: "Hadoop Exploiter" | ||
draft: false | ||
description: "Exploits Hadoop servers" | ||
tags: ["exploiter", "hadoop", "yarn"] | ||
pre: "<i class='fa fa-feather-pointed'></i> " | ||
--- | ||
|
||
## Apache Hadoop | ||
|
||
[Apache Hadoop](https://hadoop.apache.org/) is a widely-used framework for | ||
distributed storage and processing of large data sets. Hadoop YARN is a | ||
component of the Hadoop ecosystem which is used for job scheduling/monitoring | ||
and cluster resource management. | ||
|
||
## Exploitation | ||
|
||
Hadoop servers with YARN are susceptible to RCE (remote | ||
code execution) attacks. The [Hadoop YARN ResourceManager REST API]( | ||
https://apache.github.io/hadoop/hadoop-yarn/hadoop-yarn-site/WebServicesIntro.html | ||
) enables users to submit a new application with launch context, which allows | ||
arbitrary commands to be executed once the application is submitted | ||
successfully. By default, Hadoop YARN opens the RPC service to the public, | ||
giving attackers the ability to execute arbitrary commands and control the | ||
target server. | ||
|
||
Infection Monkey's Hadoop exploiter works by submitting a new application to | ||
YARN. This application's launch context includes a custom command to download | ||
and execute the Agent on the compromised machine. | ||
|
||
![Hadoop Configuration]( | ||
/images/island/configuration-page/hadoop-exploiter-configuration.png | ||
"Hadoop Configuration") | ||
|
||
## Mitigation | ||
|
||
1. Hadoop recommends [updating security related settings appropriately]( | ||
https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html#Configuration | ||
). In this case, enabling Kerberos authentication is particularly valuable. | ||
|
||
1. Allow only trusted connections to the Hadoop RPC service port. | ||
|
||
## See also | ||
- [Hadoop exploiter reference documentation](/reference/exploiters/hadoop) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
--- | ||
title: "Log4Shell Exploiter" | ||
draft: false | ||
description: "Exploits the Log4Shell vulnerability" | ||
tags: ["exploiter", "log4shell", "log4j", "cve-2021-44228"] | ||
pre: "<i class='fa fa-mug-hot'></i> " | ||
--- | ||
|
||
{{% notice info %}} | ||
The Log4Shell exploiter exploits [CVE-2021-44228]( | ||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228). | ||
{{% /notice %}} | ||
|
||
## Apache Log4j | ||
|
||
[Apache Log4j](https://logging.apache.org/log4j/) is an open-source Java | ||
logging framework that is used to log messages within software, including | ||
information like error messages and user inputs in a program. Due to its | ||
widespread adoption, thousands of software packages and applications use | ||
Log4j, making them all vulnerable to Log4Shell. | ||
|
||
## Exploitation | ||
|
||
Some versions of Apache Log4j have a logging feature called "Message Lookup | ||
Substitution" enabled by default. This allows replacing certain special strings | ||
by dynamically-generated strings at the time of logging. If log messages or log | ||
message parameters can be controlled by an attacker, arbitrary code can be | ||
executed. This vulnerability was nicknamed | ||
"[Log4Shell](https://en.wikipedia.org/wiki/Log4Shell)". | ||
|
||
Infection Monkey's Log4Shell exploiter takes advantage of this vulnerability | ||
to propagate to a victim machine. | ||
|
||
![Log4Shell Configuration]( | ||
/images/island/configuration-page/log4shell-exploiter-configuration.png | ||
"Log4Shell Configuration") | ||
|
||
### Services exploited | ||
|
||
Infection Monkey will attempt to exploit the Log4Shell vulnerability in the | ||
following services: | ||
|
||
- Apache Solr | ||
- Apache Tomcat | ||
- Logstash | ||
|
||
**Note**: Even if none of these services are running in your environment, | ||
running the Log4Shell exploiter can be a good way to test your IDS/IPS or EDR | ||
solutions. These solutions should detect that Infection Monkey is attempting to | ||
exploit the Log4Shell vulnerability and raise an appropriate alert. | ||
|
||
## Mitigation | ||
|
||
Learn more about this vulnerability and potential mitigations [here]( | ||
https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228). | ||
|
||
## See also | ||
- [Log4Shell exploiter reference | ||
documentation](/reference/exploiters/log4shell) | ||
- [Infection Monkey's Log4Shell blog | ||
post](https://www.akamai.com/blog/security/infection-monkey-new-log4shell-simulation) | ||
- [Quantifying Log4Shell: Vulnerability on a Massive | ||
scale](https://www.akamai.com/blog/security/quantifying-log4shell-vulnerability-on-a-massive-scale) | ||
- [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
--- | ||
title: "SNMP Exploiter" | ||
draft: false | ||
description: "Exploits the SNMP vulnerability" | ||
tags: ["exploiter", "snmp", "cve-2020-15862"] | ||
pre: "<i class='fa fa-network-wired'></i> " | ||
--- | ||
|
||
{{% notice info %}} | ||
The SNMP exploiter exploits [CVE-2020-15862]( | ||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15862). | ||
{{% /notice %}} | ||
|
||
## SNMP | ||
|
||
[SNMP (Simple Network Management Protocol)]( | ||
https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol) is an | ||
application-layer protocol used to monitor and manage devices connected over | ||
an IP network such as routers, switches, firewalls, load balancers, servers, | ||
cameras, printers, and wireless devices. An SNMP-managed network consists of | ||
management stations, each having its own local database with information about | ||
the network, know as the MIB (Management Information Base). EXTEND MIB is a | ||
specific part of the MIB that allows administrators to extend functionality by | ||
defining custom MIB objects linked to shell commands or scripts. An SNMP | ||
community string is a form of authentication used to manage access to network | ||
devices and to specify what type of operations can be performed. It is | ||
essentially a plaintext password providing access to network devices' | ||
configurations. | ||
|
||
## Exploitation | ||
|
||
On some Linux systems, NET-SNMP-EXTEND-MIB is supported by default. This allows | ||
non-root users with access to a read-write community string to run arbitrary | ||
commands on the victim as root. | ||
|
||
In versions 1 and 2c of the SNMP protocol, the only means of authentication is | ||
the community string. In these versions of SNMP, community strings are sent as | ||
plaintext in all requests. Version 3 adds user-based authentication and | ||
encryption to the SNMP protocol. | ||
|
||
Infection Monkey's SNMP exploiter uses version 2c of the SNMP protocol. It | ||
executes brute-force attacks against SNMP servers by using usernames and | ||
passwords provided by the user (see [configuration](/usage/configuration) for | ||
instructions) as SNMP community strings. | ||
|
||
![SNMP Configuration]( | ||
/images/island/configuration-page/snmp-exploiter-configuration.png | ||
"SNMP Configuration") | ||
|
||
## Mitigation | ||
|
||
1. Use SNMPv3 with the authPriv security level, if possible. | ||
|
||
1. Treat community strings as passwords. | ||
|
||
1. Enable the read-only build option (NETSNMP_NO_WRITE_SUPPORT). | ||
|
||
1. Configure SNMP to use read-only community strings. | ||
|
||
1. Apply security updates to your Net-SNMP installation. | ||
|
||
1. Limit access over SNMP to trusted hosts. | ||
|
||
Note that even with only read access, an SNMP server can still expose crucial | ||
information about the network. | ||
|
||
## See also | ||
- [SNMP exploiter reference documentation](/reference/exploiters/snmp) | ||
- [The L in Linux Stands for Lateral | ||
Movement](https://www.akamai.com/blog/security-research/linux-lateral-movement-more-than-ssh) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,100 @@ | ||
--- | ||
title: "Zerologon Exploiter" | ||
draft: false | ||
description: "Exploits the Zerologon vulnerability" | ||
tags: ["exploiter", "zerologon", "cve-2020-1472"] | ||
pre: "<i class='fa fa-right-to-bracket'></i> " | ||
--- | ||
|
||
{{% notice warning %}} | ||
This exploiter is [unsafe for production](#a-note-on-safety)! | ||
{{% /notice %}} | ||
|
||
{{% notice info %}} | ||
The Zerologon exploiter exploits [CVE-2020-1472]( | ||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472). | ||
{{% /notice %}} | ||
|
||
## Netlogon Remote Protocol | ||
|
||
The [Netlogon Remote Protocol (MS-NRPC)]( | ||
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc) is a | ||
Windows Server process that authenticates users and other services within a | ||
domain. If the Netlogon service is interrupted, the functionality of the domain | ||
controller, whose responsibilities include user authentication, authorization, | ||
and account management, is severely affected. | ||
|
||
## Exploitation | ||
|
||
Due to a flaw in the cryptographic authentication scheme of Netlogon, an | ||
attacker can bypass authentication and gain administrator-level privileges to | ||
an unpatched machine, including a domain controller, effectively granting the | ||
attacker control over the entire domain. | ||
|
||
Infection Monkey's Zerologon exploiter takes advantage of this vulnerability to | ||
steal credentials from the domain controller, which are then used to propagate | ||
to the machine using one of the brute force exploiters (for example, the SMB | ||
exploiter). | ||
|
||
![Zerologon Configuration]( | ||
/images/island/configuration-page/zerologon-exploiter-configuration.png | ||
"Zerologon Configuration") | ||
|
||
## Mitigation | ||
|
||
To download the relevant security update and read more, click [here]( | ||
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472). | ||
|
||
## A note on safety | ||
|
||
This exploiter is not safe for production or other sensitive environments. | ||
During successful exploitation, the Zerologon exploiter: | ||
|
||
* Will temporarily change the target domain controller's password. | ||
* May break the target domain controller's communication with other systems in | ||
the network, affecting functionality. | ||
* May change the administrator's password. | ||
* Will *attempt* to revert all changes. | ||
|
||
While the Zerologon exploiter is usually successful in reverting its changes | ||
and restoring the original passwords, it sometimes fails. Restoring passwords | ||
manually after the Zerologon exploiter has run is nontrivial. For information | ||
on restoring the original passwords, see [manually restoring your password]( | ||
#manually-restoring-your-password). | ||
|
||
To minimize the risk posed by this exploiter, it is recommended that this | ||
exploiter be run _only_ against VMs with a recent snapshot and _only_ in | ||
testing or staging environments. | ||
|
||
## Manually restoring your password | ||
|
||
This exploiter attempts to restore the original passwords after exploitation. | ||
It is usually successful, but it sometimes fails. If this exploiter has changed | ||
a password but was unable to restore the original, you can try the following | ||
methods to restore the original password. | ||
|
||
### Restore the VM from a recent snapshot | ||
|
||
If the affected system is a virtual machine, the simplest way to restore it to | ||
a working state is to revert to a recent snapshot. | ||
|
||
### Restore the administrator's password | ||
|
||
If you are unable to log in as the administrator, you can follow the | ||
instructions | ||
[here](https://www.top-password.com/knowledge/reset-windows-server-2019-password.html) | ||
to regain access to the system. | ||
|
||
### Use Reset-ComputerMachinePassword | ||
|
||
If you are able to log in as the administrator, you can use the | ||
[Reset-ComputerMachinePassword](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1) | ||
powershell command to restore the domain controller's password. | ||
|
||
### Try a Zerologon password restoration tool | ||
If all other approaches fail, you can try the tools and steps found | ||
[here](https://github.com/risksense/zerologon). | ||
|
||
## See also | ||
- [Zerologon exploiter reference | ||
documentation](/reference/exploiters/zerologon) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file added
BIN
+304 KB
docs/static/images/island/configuration-page/hadoop-exploiter-configuration.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+303 KB
docs/static/images/island/configuration-page/log4shell-exploiter-configuration.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+287 KB
docs/static/images/island/configuration-page/snmp-exploiter-configuration.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+357 KB
docs/static/images/island/configuration-page/zerologon-exploiter-configuration.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.