Skip to content

Infection Monkey v2.1.0

Compare
Choose a tag to compare
@mssalvatore mssalvatore released this 20 Apr 11:35
· 4406 commits to develop since this release

Highlights

Infection Monkey version 2.1.0 introduces security, user experience, and tech stack enhancements.

Security

  • All API endpoints now require authentication and authorization.
  • Users can now log out.
  • Minor security weaknesses, such as a local DoS error and a potential XSS vulnerability, have been mitigated.

User Experience

  • Users are no longer logged out of the Web UI while working. They will be logged out automatically only when idle.
  • Brute force exploitation using stolen credentials is now faster.
  • The Docker image can now be installed simply with sudo docker pull infectionmonkey/monkey-island:latest.

Tech Stack

  • The Island and Agent have been upgraded from Python 3.7 to 3.11.2.
  • The MongoDB dependency has been upgraded from version 4.x to 6.x.

Changelog

Added

  • Logout button. #3063
  • An option to the Hadoop exploiter to try all discovered HTTP ports. #2136
  • GET /api/agent-otp. #3076
  • POST /api/agent-otp-login endpoint. #3076
  • A smarter brute-forcing strategy for SMB exploiter. #3039
  • POST /api/refresh-authentication-token endpoint that allows refreshing of
    the access token. #3181

Changed

  • Migrated the hard-coded SMB exploiter to a plugin. #2952
  • Python version from 3.7 to 3.11.2. #2705
  • MSI installer is now build with InnoSetup. #1911

Fixed

  • A UI deficiency where invalid configurations could be submitted to the
    backend. #1301, #2989
  • Notification spam bug. #2731
  • Agent propagator crashes if exploiters malfunction. #2992
  • Configuration order not preserved in debugging output. #2860
  • A bug in the Hadoop exploiter that resulted in speculative execution of
    multiple agents. #2758
  • Formatting of the manual run command when copy/pasting from the web UI. #3115
  • A bug where plugins received an incorrect agent ID. #3119
  • Random logouts when the UI is being actively used. #2049, #3079, #3137

Security

  • Fixed plaintext private key in SSHKey pair list in UI. #2950
  • Upgraded MongoDB version from 4.x to 6.0.4. #2706
  • Replaced the SystemSingleton component, which could allow local users to
    execute a DoS attack against agents. #2817
  • Replaced our bespoke authentication solution with flask-security-too.
    #2049, #2157, #3078, #3138
  • Enforced access control around sensitive API endpoints. #2049, #2157
  • Upgraded 3rd-party dependencies. #2705, #2970, #2865, #3125
  • Fixed a potential XSS issue in exploiter plugins. #3081