We’re proud to announce the release of a new version of the Infection Monkey, Guardicore’s free, open-source Breach and Attack Simulation (BAS) tool. Release 1.6 introduces several new features and a few bug fixes. As always, thanks to all contributors for their valuable feedback and code contributions.
Infection Monkey Version 1.6 Highlights
Uncover Pass the Hash and credentials stealing risks in your network
Major use case: Detect cached credentials that allow attackers to spread to critical servers
The Monkey can now detect potential attack paths between computers within the same domain or workgroup using credentials reuse, pass-the-hash technique and cached logins. These are the most popular ways to move laterally across Windows machines inside the data center. For example, an admin that establishes an RDP connection to a server with the domain admin credentials might put the entire network at risk. An attacker that gains access to this server can potentially steal the credentials from the machine’s cache and reuse them to further propagate inside the network.
To detect these types of attacks, the Monkey cross references information such as cached credentials and passwords hashes with machines that serve as key points in your network.
The Monkey analyses this information to detect machines at risk and alerts about them in the Monkey report.
One way to use this new feature is to run the Monkey on your environment’s Windows machines to collect information on stored credentials and report on different issues. If you prefer not to simulate a full active attack, you can run the Monkey in a lock-down mode by disabling the Monkey’s propagation modules.
Monkey equipped with new attack capabilities
Major use case: Identify the risk of unpatched servers in your environment
With each new Monkey version we add support for more network attacks. The Monkey is now able to exploit machines that are vulnerable to a new set of exploits and misconfiguration attacks. We picked these vulnerabilities due to their high prevalence in large networks.
- Struts2 Multipart file upload vulnerability (CVE-2017-5638)
Apache Struts, an open-source web application framework for developing Java web applications, is vulnerable to code injection leading to remote code execution.
- Oracle WebLogic cross platform attack (CVE-2017-10271)
A remote user can exploit a flaw in the Oracle WebLogic Server WLS Security component to gain elevated privileges.
- Elasticsearch Groovy attack (CVE 2015-1427)
A vulnerability in the Elasticsearch Groovy scripting engine allows an attacker to execute remote shell commands with the privileges of the Elasticsearch user. In this Monkey version we added support for Windows machines.
- Hadoop cluster remote code execution
A vulnerability in the YARN Resource Manager, the framework designed to administer the computing resources in the Hadoop cluster, allows an unauthenticated attacker to access the YARN resource manager.
Monkey alerts on cross segment traffic
Major use case: Test your network segmentation
We added a feature that allows the Monkey to detect potential communication paths between network segments. By testing access from one subnet to another, the Monkey can check if your segmentation policy rules are properly enforced.
To use this feature, define what part of your segmentation policy you want to test in the Configuration panel, under Basic – Network, Network Analysis. In this section, list networks that should not be accessible from each other. If the Monkey reaches any of these networks, it will try to communicate across the segments and alert on success.
In this example image, we listed 3 subnets (10.15.0.0/16, 10.50.0.0/16, 18.104.22.168/32) that should not be accessible from each other. If the Monkey reaches a machine in any of these networks, it will try to communicate across the segments and alert on it as you can see in the figure below:
Infection Monkey Availability and Support
The Infection Monkey is free and can be downloaded here. Source code is available from the GitHub repository. Our Monkey now has a dedicated Slack channel – you’re invited to join and be part of the Monkey community. We encourage you to take the Infection Monkey for a spin inside your network and let us know how it was!