Today we are releasing the Infection Monkey, our inhouse tool for testing a data center’s resiliency to perimeter breaches and internal server infection. The Infection Monkey is a new open source security testing tool that we’ve developed at Guardicore to test the resiliency of modern data centers to attack. Being good sports, we are sharing it with the security community. Just pick a random machine, release the Infection Monkey and see where it ends up. Use our Monkey to test whether your security systems can detect, stop and contain real threats. The monkey is benign and does not pose any risk to your network.
In our Black Hat 2016 session we will show how using the Infection Monkey for in-house penetration testing can be of great value to security teams, explain why this tool is important and present some use cases on how to use the tool in real-world security testing scenarios.
What is the Infection Monkey?
The Infection Monkey is a cyber security testing tool, capable of wandering around the deepest parts of the data center. It will spin up an infected virtual machine inside random parts of your data center, to test for potential security failures. It behaves more like a random hacker than a vulnerability scanner. The Monkey attempts to move around the data center by leveraging different lateral movement methods typical of a real attacker who has already compromised an internal system. When it successfully reaches another machine, it means that there’s a security failure that should be fixed.
The Infection Monkey’s high level operation is simple. It is designed to scan the network, check for open ports and fingerprint machines using multiple network protocols. After detecting accessible machines, it attempts to attack every single machine using a variety of methods including intelligent password guessing and basic exploits. Infection Monkey is a work in progress and we have ways to go to fully realize its benefits.
The Monkey’s actions are designed to be completely safe for use in a production network. The amount of network traffic generated is very small and all the exploits used were written to prevent any damage to the target or attacker. After all, you do not really want to take your data center down. Do you?
Here’s a glimpse of what running the Infection Monkey in an unsecured network looks like [Figure 1]. Its command and control UI visualizes its spreading path and what you get is a ’spreading graph’ that demonstrates the effect vulnerable segments have on your entire network.
The Monkey provides detailed information, about the specific vulnerability abused, much like the pen testing report we are all familiar with. Use this auto generated report to make quick decisions and enforce tighter security policies. Here is the telemetry [Figure 2] of a successful SMB brute force attack conducted with a default password:
Just click Go
Setting up the Monkey in a live environment is simple, fun and safe. We describe here the entire installation process on a clean Ubuntu 16.04 server distribution.
- Unpack the tarball
- tar -xf infection_monkey.tgz
- Install the Monkey Island
- apt-get install -f ./monkey_island.deb
- Verify the Monkey service is functional
- systemctl status monkey-*
- You should see monkey-mongo and monkey-island as services
- Access the Monkey’s Island GUI by browsing to https://[monkey-Address]:5000/admin/index.html
To configure the Monkey, modify the configuration JSON file (example.conf) as follows:
- The command_servers parameter must be modified to specify the Monkey Island server address (including port).
- Optional: To Control the Monkey’s spread modify the following three variables:
- Setting local_network_scan to false will prevent the Monkey from scanning any local interfaces.
- To attack specific IPs, set the the range_class variable to “FixedRange” and specify in range_fixed the exact IPs you want attacked (for example, “192.168.1.45”,”weakServer.domain.local”).
Now copy the modified fields into the Monkey Island’s configuration window (not in this particular order).
Important Note: Click Update to update the configuration on the server.
The Monkey can be run in two ways:
- With the Monkey Island as the initial attacker. This will use the Monkey Island server as a starting position for the Monkey, from which it will expand based on the configuration.
- Running the Monkey from a machine elsewhere network.
- Download the appropriate Monkey executable (Linux/Windows and matching 32/64 bitness) using the following path https://[server-address]/api/monkey/download/[binary]. The binary name can be one of the following:
Example command wget –no-check-certificate https://[serveraddress]/api/monkey/download/monkey-linux-32
- Execute the Monkey from the console, passing the server address as a parameter and the magic keyword for execution.
Example “./monkey m0nk3y -s 220.127.116.11:5000”
Once executed, the Monkey will instantly start working while the C&C server will allow you to track its progress.
If you want to end the Monkey’s infection, Set the Allow running button to OFF.
How Do I Get the Infection Monkey?
Download the Infection Monkey as a precompiled binary and a compatible C&C server from our website at www.infectionmonkey.com. Then, following the included README you can quickly begin running it in any environment.
The Monkey is developed on GitHub under the GPLv3 license. Contributions are welcome!
We invite you to join our Infection Monkey project, contribute code and open issues and feature requests.