Skip to content

Commit

Permalink
Merge branch '4213-docs-exploiters-feature-pages_vuln' into develop
Browse files Browse the repository at this point in the history
Issue #4213
PR #4247
  • Loading branch information
mssalvatore committed Jul 23, 2024
2 parents 96fc9ff + 7b0c18f commit e723cd6
Show file tree
Hide file tree
Showing 12 changed files with 325 additions and 4 deletions.
5 changes: 2 additions & 3 deletions docs/content/features/credentials_collectors/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,8 @@ collectors to steal credentials. Any stolen credentials are then sent to the
Monkey Island, where they become immediately available for any Agent to use.

After the reconnaissance phase, the Agent will begin the propagation phase and
attempt to compromise other hosts on the network. Exploiters are Infection
Monkey plugins that attempt to spread copies of the Agent throughout the
network. Some exploiters can use the credentials stolen by credentials
attempt to compromise other hosts on the network using [exploiters](
/features/exploiters). Some exploiters can use the credentials stolen by credentials
collectors to gain access to other systems on the network. First, the exploiter
will query the Monkey Island to retrieve credentials that were configured by
the user and any credentials that were stolen by credentials collectors. Next,
Expand Down
44 changes: 44 additions & 0 deletions docs/content/features/exploiters/_index.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
---
title: "Exploiters"
chapter: true
pre: "<i class='fas fa-ethernet'></i> "
---

# Exploiters

Exploiters are Infection Monkey plugins that attempt to infect machines
throughout the network by spreading copies of the Agent.

## Mimicking attackers

During the propagation phase of an attack, attackers exploit the
vulnerabilities that were identified in the reconnaissance phase to compromise
networked systems. By exploiting the identified vulnerabilities, attackers are
able to gain unauthorized access to systems, escalate privileges, or execute
malicious actions.

## How exploiters work

After the Infection Monkey Agent completes the reconnaissance phase, it begins
the propagation phase. In this phase, the Agent attempts to spread itself to
as many systems on the network as possible. It does this by using the enabled
exploiters to achieve remote code execution (RCE) on a vulnerable system; this
step is known as "exploitation". After exploitation, the Agent completes the
propagation phase by copying itself to the compromised system and launching a
new Agent process.

Infection Monkey has several exploiters that mimic real-world attack vectors.
Some exploiters are based on vulnerabilities while others use brute-force
tactics to gain access. The majority of exploiters pose little or no risk to
the performance or availability of targeted systems. Exploiters that are known
to adversely impact production workloads are clearly marked as "unsafe" in the
Monkey Island.

![Plugin marked as unsafe](/images/island/plugins-page/unsafe-plugin.png
"Plugin marked as unsafe")

## Techniques

Infection Monkey offers the following exploiters:

{{% children /%}}
44 changes: 44 additions & 0 deletions docs/content/features/exploiters/hadoop.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
---
title: "Hadoop Exploiter"
draft: false
description: "Exploits Hadoop servers"
tags: ["exploiter", "hadoop", "yarn"]
pre: "<i class='fa fa-feather-pointed'></i> "
---

## Apache Hadoop

[Apache Hadoop](https://hadoop.apache.org/) is a widely-used framework for
distributed storage and processing of large data sets. Hadoop YARN is a
component of the Hadoop ecosystem which is used for job scheduling/monitoring
and cluster resource management.

## Exploitation

Hadoop servers with YARN are susceptible to RCE (remote
code execution) attacks. The [Hadoop YARN ResourceManager REST API](
https://apache.github.io/hadoop/hadoop-yarn/hadoop-yarn-site/WebServicesIntro.html
) enables users to submit a new application with launch context, which allows
arbitrary commands to be executed once the application is submitted
successfully. By default, Hadoop YARN opens the RPC service to the public,
giving attackers the ability to execute arbitrary commands and control the
target server.

Infection Monkey's Hadoop exploiter works by submitting a new application to
YARN. This application's launch context includes a custom command to download
and execute the Agent on the compromised machine.

![Hadoop Configuration](
/images/island/configuration-page/hadoop-exploiter-configuration.png
"Hadoop Configuration")

## Mitigation

1. Hadoop recommends [updating security related settings appropriately](
https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html#Configuration
). In this case, enabling Kerberos authentication is particularly valuable.

1. Allow only trusted connections to the Hadoop RPC service port.

## See also
- [Hadoop exploiter reference documentation](/reference/exploiters/hadoop)
64 changes: 64 additions & 0 deletions docs/content/features/exploiters/log4shell.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
---
title: "Log4Shell Exploiter"
draft: false
description: "Exploits the Log4Shell vulnerability"
tags: ["exploiter", "log4shell", "log4j", "cve-2021-44228"]
pre: "<i class='fa fa-mug-hot'></i> "
---

{{% notice info %}}
The Log4Shell exploiter exploits [CVE-2021-44228](
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).
{{% /notice %}}

## Apache Log4j

[Apache Log4j](https://logging.apache.org/log4j/) is an open-source Java
logging framework that is used to log messages within software, including
information like error messages and user inputs in a program. Due to its
widespread adoption, thousands of software packages and applications use
Log4j, making them all vulnerable to Log4Shell.

## Exploitation

Some versions of Apache Log4j have a logging feature called "Message Lookup
Substitution" enabled by default. This allows replacing certain special strings
by dynamically-generated strings at the time of logging. If log messages or log
message parameters can be controlled by an attacker, arbitrary code can be
executed. This vulnerability was nicknamed
"[Log4Shell](https://en.wikipedia.org/wiki/Log4Shell)".

Infection Monkey's Log4Shell exploiter takes advantage of this vulnerability
to propagate to a victim machine.

![Log4Shell Configuration](
/images/island/configuration-page/log4shell-exploiter-configuration.png
"Log4Shell Configuration")

### Services exploited

Infection Monkey will attempt to exploit the Log4Shell vulnerability in the
following services:

- Apache Solr
- Apache Tomcat
- Logstash

**Note**: Even if none of these services are running in your environment,
running the Log4Shell exploiter can be a good way to test your IDS/IPS or EDR
solutions. These solutions should detect that Infection Monkey is attempting to
exploit the Log4Shell vulnerability and raise an appropriate alert.

## Mitigation

Learn more about this vulnerability and potential mitigations [here](
https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228).

## See also
- [Log4Shell exploiter reference
documentation](/reference/exploiters/log4shell)
- [Infection Monkey's Log4Shell blog
post](https://www.akamai.com/blog/security/infection-monkey-new-log4shell-simulation)
- [Quantifying Log4Shell: Vulnerability on a Massive
scale](https://www.akamai.com/blog/security/quantifying-log4shell-vulnerability-on-a-massive-scale)
- [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).
70 changes: 70 additions & 0 deletions docs/content/features/exploiters/snmp.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
---
title: "SNMP Exploiter"
draft: false
description: "Exploits the SNMP vulnerability"
tags: ["exploiter", "snmp", "cve-2020-15862"]
pre: "<i class='fa fa-network-wired'></i> "
---

{{% notice info %}}
The SNMP exploiter exploits [CVE-2020-15862](
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15862).
{{% /notice %}}

## SNMP

[SNMP (Simple Network Management Protocol)](
https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol) is an
application-layer protocol used to monitor and manage devices connected over
an IP network such as routers, switches, firewalls, load balancers, servers,
cameras, printers, and wireless devices. An SNMP-managed network consists of
management stations, each having its own local database with information about
the network, know as the MIB (Management Information Base). EXTEND MIB is a
specific part of the MIB that allows administrators to extend functionality by
defining custom MIB objects linked to shell commands or scripts. An SNMP
community string is a form of authentication used to manage access to network
devices and to specify what type of operations can be performed. It is
essentially a plaintext password providing access to network devices'
configurations.

## Exploitation

On some Linux systems, NET-SNMP-EXTEND-MIB is supported by default. This allows
non-root users with access to a read-write community string to run arbitrary
commands on the victim as root.

In versions 1 and 2c of the SNMP protocol, the only means of authentication is
the community string. In these versions of SNMP, community strings are sent as
plaintext in all requests. Version 3 adds user-based authentication and
encryption to the SNMP protocol.

Infection Monkey's SNMP exploiter uses version 2c of the SNMP protocol. It
executes brute-force attacks against SNMP servers by using usernames and
passwords provided by the user (see [configuration](/usage/configuration) for
instructions) as SNMP community strings.

![SNMP Configuration](
/images/island/configuration-page/snmp-exploiter-configuration.png
"SNMP Configuration")

## Mitigation

1. Use SNMPv3 with the authPriv security level, if possible.

1. Treat community strings as passwords.

1. Enable the read-only build option (NETSNMP_NO_WRITE_SUPPORT).

1. Configure SNMP to use read-only community strings.

1. Apply security updates to your Net-SNMP installation.

1. Limit access over SNMP to trusted hosts.

Note that even with only read access, an SNMP server can still expose crucial
information about the network.

## See also
- [SNMP exploiter reference documentation](/reference/exploiters/snmp)
- [The L in Linux Stands for Lateral
Movement](https://www.akamai.com/blog/security-research/linux-lateral-movement-more-than-ssh)
100 changes: 100 additions & 0 deletions docs/content/features/exploiters/zerologon.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
---
title: "Zerologon Exploiter"
draft: false
description: "Exploits the Zerologon vulnerability"
tags: ["exploiter", "zerologon", "cve-2020-1472"]
pre: "<i class='fa fa-right-to-bracket'></i> "
---

{{% notice warning %}}
This exploiter is [unsafe for production](#a-note-on-safety)!
{{% /notice %}}

{{% notice info %}}
The Zerologon exploiter exploits [CVE-2020-1472](
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472).
{{% /notice %}}

## Netlogon Remote Protocol

The [Netlogon Remote Protocol (MS-NRPC)](
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc) is a
Windows Server process that authenticates users and other services within a
domain. If the Netlogon service is interrupted, the functionality of the domain
controller, whose responsibilities include user authentication, authorization,
and account management, is severely affected.

## Exploitation

Due to a flaw in the cryptographic authentication scheme of Netlogon, an
attacker can bypass authentication and gain administrator-level privileges to
an unpatched machine, including a domain controller, effectively granting the
attacker control over the entire domain.

Infection Monkey's Zerologon exploiter takes advantage of this vulnerability to
steal credentials from the domain controller, which are then used to propagate
to the machine using one of the brute force exploiters (for example, the SMB
exploiter).

![Zerologon Configuration](
/images/island/configuration-page/zerologon-exploiter-configuration.png
"Zerologon Configuration")

## Mitigation

To download the relevant security update and read more, click [here](
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472).

## A note on safety

This exploiter is not safe for production or other sensitive environments.
During successful exploitation, the Zerologon exploiter:

* Will temporarily change the target domain controller's password.
* May break the target domain controller's communication with other systems in
the network, affecting functionality.
* May change the administrator's password.
* Will *attempt* to revert all changes.

While the Zerologon exploiter is usually successful in reverting its changes
and restoring the original passwords, it sometimes fails. Restoring passwords
manually after the Zerologon exploiter has run is nontrivial. For information
on restoring the original passwords, see [manually restoring your password](
#manually-restoring-your-password).

To minimize the risk posed by this exploiter, it is recommended that this
exploiter be run _only_ against VMs with a recent snapshot and _only_ in
testing or staging environments.

## Manually restoring your password

This exploiter attempts to restore the original passwords after exploitation.
It is usually successful, but it sometimes fails. If this exploiter has changed
a password but was unable to restore the original, you can try the following
methods to restore the original password.

### Restore the VM from a recent snapshot

If the affected system is a virtual machine, the simplest way to restore it to
a working state is to revert to a recent snapshot.

### Restore the administrator's password

If you are unable to log in as the administrator, you can follow the
instructions
[here](https://www.top-password.com/knowledge/reset-windows-server-2019-password.html)
to regain access to the system.

### Use Reset-ComputerMachinePassword

If you are able to log in as the administrator, you can use the
[Reset-ComputerMachinePassword](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1)
powershell command to restore the domain controller's password.

### Try a Zerologon password restoration tool
If all other approaches fail, you can try the tools and steps found
[here](https://github.com/risksense/zerologon).

## See also
- [Zerologon exploiter reference
documentation](/reference/exploiters/zerologon)
2 changes: 1 addition & 1 deletion docs/content/reference/exploiters/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@ tags: ["reference", "exploit"]

# Exploiters

The Infection Monkey uses various remote code execution (RCE) exploiters. To our best knowledge, most of these pose no risk to performance or services on victim machines. This documentation serves as a quick introduction to the exploiters currently implemented and the vulnerabilities they use:
Exploiters enable Infection Monkey to propagate itself.

{{% children /%}}
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.

0 comments on commit e723cd6

Please sign in to comment.