Sambacry (CVE-2017-7494) is an interesting vulnerability in Samba (SMB) servers that allows remote code execution given write access to a share together with active NT pipe support.
The Monkey attacks vulnerable Linux SMB shares by brute forcing connections to shares, uploading a small shared object dropper and triggering it by opening a path such as "/home/user/share/sc_module.so".
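The two preconditions named above (a writable share and NT pipe support left on) can be audited from smb.conf. The following is an added example, not Infection Monkey or Samba code; the smb.conf text is constructed, and the `nt pipe support = no` check reflects the workaround the Samba advisory gave for unpatched hosts.

```python
"""Audit an smb.conf for the CVE-2017-7494 precondition: a writable share on a
server where NT pipe support is still enabled. Constructed demo config below."""
import configparser

SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server

[public]
   path = /srv/samba/public
   writeable = yes
   guest ok = yes

[docs]
   path = /srv/samba/docs
   read only = yes
"""

TRUE_VALUES = {"yes", "true", "1"}

def _truthy(section, key, default):
    """Samba boolean parameters accept yes/true/1, case-insensitively."""
    return section.get(key, default).strip().lower() in TRUE_VALUES

def is_writable(section):
    """A share is writable if 'writeable'/'writable' is yes or 'read only' is no
    (Samba's default is read only = yes)."""
    if _truthy(section, "writeable", "no") or _truthy(section, "writable", "no"):
        return True
    return not _truthy(section, "read only", "yes")

def sambacry_exposure(conf_text):
    """Return which shares meet the exploit precondition. 'nt pipe support'
    defaults to yes when absent; the advisory workaround sets it to no in [global]."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    glob = cp["global"] if cp.has_section("global") else {}
    pipes_on = _truthy(glob, "nt pipe support", "yes")
    writable = [s for s in cp.sections() if s != "global" and is_writable(cp[s])]
    return {"nt_pipe_support": pipes_on,
            "writable_shares": writable,
            "exposed_shares": writable if pipes_on else []}

if __name__ == "__main__":
    print(sambacry_exposure(SAMPLE_SMB_CONF))
```

Disabling NT pipe support is only a stopgap; patching Samba is the real fix, and the workaround can break some Windows client functionality.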
CVE-2014-6271, more commonly known as Shellshock, is a command injection vulnerability in the Bash shell. This vulnerability allows attackers to run arbitrary shell code when “concatenated to the end of function definitions stored in the values of environment variables.” A common attack vector is CGI-based web servers that handle document requests by calling shell scripts.
The Infection Monkey attacks vulnerable web servers by enumerating common CGI-based pages such as “dcforum/dcforum.cgi” and trying to trigger the vulnerability. If successful, the Monkey uses shell commands to collect the machine architecture, download the Monkey dropper to the victim, mark it executable and run it.
ElasticGroovy (CVE-2015-1427) is yet another Java data deserialization vulnerability, dating back to 2015 in ElasticSearch, a popular search and analytics database. Using this vulnerability, an attacker can instantiate arbitrary Java classes and from there typically executes system commands using the java.lang.System class.
The Infection Monkey finds vulnerable servers listening on the ElasticSearch default port (9200) and attempts to trigger the vulnerability. If successful, the Monkey uses shell commands to collect the machine architecture, download the Monkey dropper to the victim, mark it executable and run it.
The Struts2 remote code execution vulnerability (S2-045) affects older versions of the Struts2 framework. An attacker embeds system commands in a malicious payload, and the vulnerable machine then executes those commands.
The Infection Monkey checks whether the host is vulnerable to this attack and crafts the required commands (for either a Windows or a Linux machine). Those commands are then sent to the server and executed, propagating the Infection Monkey to the vulnerable machine.
The Oracle WebLogic Server vulnerability (CVE-2017-10271) is a blind remote code execution vulnerability exploited by sending malicious packets to the server’s components.
The Infection Monkey sets up a listener for incoming traffic. It then sends malicious packets to various server components with commands that force the server to respond to the Monkey. If the Monkey receives the response it was waiting for from the host, the host is deemed exploitable and the Monkey proceeds to send the actual propagation commands.
Brute forcing common passwords is so common that many systems refuse to accept user passwords that appear on a list of the 10 most common passwords. For this reason, the Infection Monkey also contains credential stealing code.
On Windows, the Infection Monkey bundles a custom version of Mimikatz, an incredibly popular tool for extracting secrets such as plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. The Monkey extracts plaintext passwords and hashes and securely spreads them to other Monkey instances in the network for use in further attacks.
On Linux machines, the Infection Monkey scrapes all accessible SSH key pairs and attempts to use them when brute forcing SSH logins.
Hadoop is a framework for managing distributed systems, and its default configuration allows tasks to be executed remotely.
The Infection Monkey creates a task on a discovered Hadoop server that executes the Monkey’s propagation commands. The task then runs on one of the nodes in the distributed system, and that node gets exploited.
An effective attack technique is simply brute forcing logins that end up providing system access. The Monkey uses this technique to try to break into machines accessible over SSH, WMI and SMB. The tool tries both common hard-coded passwords and the credentials and key pairs stolen from victim machines.
When the Infection Monkey successfully connects over SSH to a victim machine, it collects machine information such as architecture and kernel type. Then it copies a Monkey dropper to the victim machine using SFTP and executes it.
Once the Infection Monkey successfully connects over SMB, it copies a 32-bit version of the Monkey to the victim. To execute code on the victim, the attacking Monkey creates a new Windows Service on the victim machine and starts the Monkey through the service.
Once the Infection Monkey successfully connects over WMI, it starts by using the Win32_Process WMI class to check if the Monkey is already running on the victim. If not, it copies the Monkey over and starts it up, again using the Win32_Process object.
How many users in your domain have Contoso123456! as their password? How many of them also have access to your organisational Exchange server?
The Monkey can now detect potential attack paths between computers within the same domain or workgroup that rely on credential reuse, the pass-the-hash technique and cached logins. These are the most popular ways to move laterally across Windows machines inside the data center. For example, an admin who establishes an RDP connection to a server with domain admin credentials might put the entire network at risk. An attacker who gains access to that server can potentially steal the credentials from the machine’s cache and reuse them to propagate further inside the network.
To detect these types of attacks, the Monkey cross-references information such as cached credentials and password hashes with the machines that serve as key points in your network. It does this using a custom version of Mimikatz, an incredibly popular tool for extracting secrets such as plaintext passwords, hashes, PIN codes and Kerberos tickets from Windows memory.
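The cross-referencing described above can be modelled as a graph search. The code below is an added example on constructed data, not Infection Monkey code: `CACHED_CREDS` records which users' secrets could be recovered from each host's memory or credential cache, `ACCESS` records where each user can log on, and the search reports the shortest chain of credential reuse from a starting host to each key point.

```python
"""Find credential-reuse attack paths from a compromised host to key machines.
All hosts, users and access rights are constructed; no real secrets appear."""
from collections import deque

CACHED_CREDS = {                     # host -> users whose credentials are recoverable there
    "ws01": {"alice"},
    "ws02": {"bob"},
    "srv-rdp": {"bob", "domadmin"},  # an admin RDP'd in with domain admin credentials
    "exch01": {"svc_exchange"},
}
ACCESS = {                           # user -> hosts the user can log on to
    "alice": {"ws01", "srv-rdp"},
    "bob": {"ws02", "srv-rdp"},
    "domadmin": {"ws01", "ws02", "srv-rdp", "exch01", "dc01"},
    "svc_exchange": {"exch01"},
}
KEY_POINTS = {"exch01", "dc01"}      # machines that serve as key points in the network

def attack_paths(start, cached=CACHED_CREDS, access=ACCESS, targets=KEY_POINTS):
    """Breadth-first search over host -> (credential found there) -> host edges.
    Returns, for every key point reachable from `start`, the shortest chain of
    (from_host, user_reused, to_host) hops; sorted iteration keeps it deterministic."""
    paths, seen = {}, {start}
    queue = deque([(start, [])])
    while queue:
        host, path = queue.popleft()
        if host in targets and host != start:
            paths[host] = path
        for user in sorted(cached.get(host, ())):
            for nxt in sorted(access.get(user, ())):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [(host, user, nxt)]))
    return paths

def risky_cache_entries(cached=CACHED_CREDS, access=ACCESS, targets=KEY_POINTS):
    """(host, user) pairs where a credential cached on a non-key host unlocks a
    key point directly: the 'admin RDP'd to a member server' exposure from the text."""
    return sorted((h, u) for h, users in cached.items() if h not in targets
                  for u in users if access.get(u, set()) & targets)

if __name__ == "__main__":
    for target, path in attack_paths("ws01").items():
        print(target, "via", " -> ".join(f"{a}[{u}]" for a, u, _ in path))
    print("cache entries to clean up:", risky_cache_entries())
```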
By testing access from one subnet to another, the Monkey can check if your segmentation policy rules are properly enforced.
The Monkey can accept a list of network segments that should be strictly separated from each other, for example, dev and prod subnets.
If the Monkey reaches a machine in any of these networks, it will try to communicate across the segments and alert on it.
A typical problem for malware in modern networks is network segmentation, preventing internal machines from connecting to the internet or, in the Monkey’s case, the Monkey Island server. In this case, the Infection Monkey will simulate malware by attempting to tunnel its way home.
Tunneling can indicate several security failures.
At the end of a Monkey test run, if Monkeys successfully tunneled traffic, the Monkey will alert on this and recommend implementing tighter segmentation rules to prevent attackers from using such tunnels.
The tunneling feature requires two working Monkeys in the same subnet. The first, the relayer, is a Monkey that has a working connection to the Monkey Island (over either a TCP tunnel or an HTTP proxy) and listens for incoming messages on the local multicast address. The second is an isolated Monkey that doesn’t have direct access to the Monkey Island. The isolated Monkey sends a message to its local multicast address looking for tunnels.
The relaying Monkey returns its direct address and port to the isolated Monkey, which uses them to tunnel to the Island. This tunnel can be extended into a long chain, allowing Monkeys residing deep inside segmented networks to transmit information to the Island and keep operating.
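The segmentation check and the relay chain described in the two passages above can both be reasoned about from an inventory. The block below is an added example, not Infection Monkey code, on constructed segments, hosts and flows: `segmentation_violations` flags connections between segments that the policy says must stay isolated, and `tunnel_reachable` computes which hosts could still reach the Island through a chain of relays, assuming relay discovery is link-local multicast so a relay must share a subnet with the host using it.

```python
"""Model cross-segment reachability: policy violations in observed flows, and
hosts that can reach the Island via same-subnet relay chains. All data constructed."""
from collections import deque
from ipaddress import ip_address, ip_interface, ip_network

# Constructed policy: segments that must be strictly isolated from each other.
SEGMENTS = {"dev": ip_network("10.10.0.0/16"), "prod": ip_network("10.20.0.0/16")}

# Constructed inventory: host -> interfaces (address/prefix). A multi-homed host
# belongs to several subnets and can therefore bridge a tunnel chain.
HOSTS = {
    "web1": ["10.10.1.5/24"],
    "jump": ["10.10.1.9/24", "10.20.1.9/24"],
    "db1":  ["10.20.1.20/24"],
    "db2":  ["10.20.2.30/24"],
}

def segment_of(ip):
    """Name of the policy segment containing ip, or None if unclassified."""
    addr = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def segmentation_violations(flows):
    """Given (src, dst) pairs, return those that cross two isolated segments."""
    found = []
    for src, dst in flows:
        s, d = segment_of(src), segment_of(dst)
        if s and d and s != d:
            found.append((src, dst, f"{s}->{d}"))
    return found

def tunnel_reachable(hosts, direct_egress):
    """Hosts that can reach the Island directly or through a relay chain.
    Assumption: relay discovery is link-local multicast, so a host can only use a
    relay that shares a subnet with one of its own interfaces."""
    subnets = {h: {ip_interface(i).network for i in ifaces} for h, ifaces in hosts.items()}
    reached, queue = set(direct_egress), deque(direct_egress)
    while queue:
        relay = queue.popleft()
        for peer in hosts:
            if peer not in reached and subnets[peer] & subnets[relay]:
                reached.add(peer)
                queue.append(peer)
    return reached

if __name__ == "__main__":
    flows = [("10.10.1.5", "10.20.1.20"), ("10.10.1.5", "10.10.1.9"), ("192.168.0.1", "10.20.1.20")]
    print(segmentation_violations(flows))              # only the dev->prod flow
    print(sorted(tunnel_reachable(HOSTS, {"web1"})))   # db2 has no path home
```

In the constructed inventory the dual-homed jump host is what lets db1 tunnel home; removing that second interface, or blocking the relay port between subnets, is the segmentation fix the report would point at.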