Merge branch 'release/1.13.0'

CHANGELOG.md

@@ -5,6 +5,15 @@ file.
 The format is based on [Keep a
 Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [1.13.0] - 2022-01-25
+### Added
+- A new exploiter that allows propagation via the Log4Shell vulnerability
+ (CVE-2021-44228). #1663
+
+### Fixed
+- Exploiters attempting to start servers listening on privileged ports,
+  resulting in failed propagation. 8f53a5c
+
 ## [1.12.0] - 2021-10-27
 ### Added
 - A new exploiter that allows propagation via PowerShell Remoting. #1246

docs/content/reference/exploiters/Log4Shell.md

@@ -0,0 +1,37 @@
+---
+title: "Log4Shell"
+date: 2022-01-12T14:07:23+05:30
+draft: false
+tags: ["exploit", "linux", "windows"]
+---
+
+The Log4Shell exploiter exploits
+[CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).
+
+
+### Description
+
+Some versions of Apache Log4j, a Java logging framework, have a logging feature
+called "Message Lookup Substitution" enabled by default. This allows replacing
+certain special strings by dynamically-generated strings at the time of
+logging. If log messages or log message parameters can be controlled by an
+attacker, arbitrary code can be executed. The Log4Shell exploiter takes
+advantage of this vulnerability to propagate to a victim machine.
+
+You can learn more about this vulnerability and potential mitigations
+[here](https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.15.0_.28Java_8.29).
+
+
+### Services exploited
+
+The Infection Monkey will attempt to exploit the Log4Shell vulnerability in the
+following services:
+
+- Apache Solr
+- Apache Tomcat
+- Logstash
+
+**Note**: Even if none of these services are running in your environment,
+running the Log4Shell exploiter can be a good way to test your IDS/IPS or EDR
+solutions. These solutions should detect that the Infection Monkey is attempting
+to exploit the Log4Shell vulnerability and raise an appropriate alert.

docs/content/setup/aws.md

@@ -24,12 +24,7 @@ When ready, you can browse to the Infection Monkey running on the fresh deployme
 
 `https://{public-ip}:5000`
 
-You will be presented with a login page. Enter the username **monkey**, and the
-new EC2 instance's **instance ID** for your password. To find your instance ID,
-go to the EC2 console and select your instance. It should appear in the details
-pane below.
-
-![AWS instance ID](../../images/setup/aws/aws-instance-id.png "AWS instance ID")
+To login to the machine, use *ubuntu* username.
 
 ## Integration with AWS services
 

docs/content/setup/docker.md

@@ -23,13 +23,13 @@ The Infection Monkey Docker container works on Linux only. It is not compatible
 1. Extract the Monkey Island Docker tarball:
 
     ```bash
-    tar -xvzf InfectionMonkey-docker-v1.12.0.tgz
+    tar -xvzf InfectionMonkey-docker-v1.13.0.tgz
     ```
 
 1. Load the Monkey Island Docker image:
 
     ```bash
-    sudo docker load -i InfectionMonkey-docker-v1.12.0.tar
+    sudo docker load -i InfectionMonkey-docker-v1.13.0.tar
     ```
 
 ### 2. Start MongoDB
@@ -64,7 +64,7 @@ been signed by a private certificate authority.
         --interactive \
         --name monkey-island \
         --network=host \
-        guardicore/monkey-island:VERSION
+        guardicore/monkey-island:v1.13.0
     ```
 
 ### 3b. Start Monkey Island with user-provided certificate
@@ -91,7 +91,7 @@ any volumes associated with the previous version.
         --network=host \
         --user "$(id -u ${USER}):$(id -g ${USER})" \
         --volume "$(realpath ./monkey_island_data)":/monkey_island_data \
-        guardicore/monkey-island:VERSION --setup-only
+        guardicore/monkey-island:v1.13.0 --setup-only
     ```
 
 1. Move your `.crt` and `.key` files to `./monkey_island_data`.
@@ -134,7 +134,7 @@ any volumes associated with the previous version.
         --network=host \
         --user "$(id -u ${USER}):$(id -g ${USER})" \
         --volume "$(realpath ./monkey_island_data)":/monkey_island_data \
-        guardicore/monkey-island:VERSION
+        guardicore/monkey-island:v1.13.0
     ```
 
 ### 4. Accessing Monkey Island

docs/content/setup/linux.md

@@ -23,18 +23,18 @@ installed, but the ones that we've tested are:
 - Ubuntu Focal 20.04
 - Ubuntu Hirsute 21.04
 
-On Windows, AppImage can be run in WSL.
+On Windows, AppImage can be run in WSL 2.
 
 
 ## Deployment
 
 1. Make the AppImage package executable:
     ```bash
-    chmod u+x InfectionMonkey-v1.12.0.AppImage
+    chmod u+x InfectionMonkey-v1.13.0.AppImage
     ```
 1. Start Monkey Island by running the Infection Monkey AppImage package:
     ```bash
-    ./InfectionMonkey-v1.12.0.AppImage
+    ./InfectionMonkey-v1.13.0.AppImage
     ```
 1. Access the Monkey Island web UI by pointing your browser at
    `https://localhost:5000`.
@@ -59,7 +59,7 @@ private certificate authority.
    `server_config.json` file.
 
     ```bash
-    ./InfectionMonkey-v1.12.0.AppImage --setup-only
+    ./InfectionMonkey-v1.13.0.AppImage --setup-only
     ```
 
 1. (Optional but recommended) Move your `.crt` and `.key` files to
@@ -95,7 +95,7 @@ private certificate authority.
 
 1. Start Monkey Island by running the Infection Monkey AppImage package:
     ```bash
-    ./InfectionMonkey-v1.12.0.AppImage
+    ./InfectionMonkey-v1.13.0.AppImage
     ```
 
 1. Access the Monkey Island web UI by pointing your browser at

docs/content/usage/file-checksums.md

@@ -35,6 +35,19 @@ $ sha256sum monkey-linux-64
 
 ## Latest version checksums
 
+| Filename                                             | Type              | Version | SHA256                                                             |
+|------------------------------------------------------|-------------------|---------|--------------------------------------------------------------------|
+| monkey-windows-64.exe                                | Windows Agent     | 1.13.0  | `3EDD20DE2247047C8A822C84145981936CE2FD0BDF843EB5CA777CA4D2478B35` |
+| monkey-windows-32.exe                                | Windows Agent     | 1.13.0  | `7497907E3CF4FFEB121A7795BFA16709800E6E0F99770F64AF7FFF684ECBA6D6` |
+| monkey-linux-64                                      | Linux Agent       | 1.13.0  | `F21E709CB7BA8DAF90B908AF5FE485BA43866C325D3C7CE1EB07E8A2323E07C1` |
+| monkey-linux-32                                      | Linux Agent       | 1.13.0  | `24C5779825F26C76A8910794836647096F4BB4B47CFD6AD213CC48116D140FAB` |
+| InfectionMonkey-v1.13.0.AppImage                     | Linux Package     | 1.13.0  | `CDED4E8394A4D2A809BA9B74B924AEA590317515B9B032BA8005A93DFCE1C861` |
+| InfectionMonkey-docker-v1.13.0.tgz                   | Docker            | 1.13.0  | `342701BA8EC5B754C59685896FC3DCDBB93362FFFAD0EC7F9E2E5B99DA26F5EC` |
+| InfectionMonkey-v1.13.0.exe                          | Windows Installer | 1.13.0  | `D35ED6CAF21AC786D9A438510282FA07AEF812590A5E6405A01F2B06661B33B9` |
+
+
+## Older checksums
+
 | Filename                                             | Type              | Version | SHA256                                                             |
 |------------------------------------------------------|-------------------|---------|--------------------------------------------------------------------|
 | monkey-windows-64.exe                                | Windows Agent     | 1.12.0  | `02e5e051a96e2ca61ae8e661b3a5828ee53a0fc00aca6502d5c73a46754f0d07` |
@@ -44,12 +57,6 @@ $ sha256sum monkey-linux-64
 | InfectionMonkey-v1.12.0.AppImage                     | Linux Package     | 1.12.0  | `1325f2aa1d0c27aec2e2f9864ed53c53c524bd208313f87ea6606f59c90ff310` |
 | InfectionMonkey-docker-v1.12.0.tgz                   | Docker            | 1.12.0  | `dcaf669411d55ea6883920597af4a35f3735a286801e08b6ef047cc91ff32769` |
 | InfectionMonkey-v1.12.0.exe                          | Windows Installer | 1.12.0  | `4d6e0373be3615a4b97721a07d2a854f6316d1ce8c4ff6d6495aac3a8f2c6a69` |
-
-
-## Older checksums
-
-| Filename                                             | Type              | Version | SHA256                                                             |
-|------------------------------------------------------|-------------------|---------|--------------------------------------------------------------------|
 | monkey-windows-64.exe                                | Windows Agent     | 1.11.0  | `12c55377381a8fc7d8ff731db52302ef2f8bb894d8712769e5a91a140ba22b0a` |
 | monkey-windows-32.exe                                | Windows Agent     | 1.11.0  | `e006b26663f59b92bad8d49b034cd8101dd481f881e3c4839a9c1e64fd99e849` |
 | monkey-linux-64                                      | Linux Agent       | 1.11.0  | `fb4c979ce6c29bb458be50a44cc6839650826b831da849da69a05dfefdc66462` |

envs/monkey_zoo/blackbox/config_templates/log4j_logstash.py

@@ -0,0 +1,16 @@
+from copy import copy
+
+from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
+from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
+
+
+class Log4jLogstash(ConfigTemplate):
+
+    config_values = copy(BaseTemplate.config_values)
+
+    config_values.update(
+        {
+            "basic.exploiters.exploiter_classes": ["Log4ShellExploiter"],
+            "basic_network.scope.subnet_scan_list": ["10.2.3.55", "10.2.3.56"],
+        }
+    )

envs/monkey_zoo/blackbox/config_templates/log4j_solr.py

@@ -0,0 +1,16 @@
+from copy import copy
+
+from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
+from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
+
+
+class Log4jSolr(ConfigTemplate):
+
+    config_values = copy(BaseTemplate.config_values)
+
+    config_values.update(
+        {
+            "basic.exploiters.exploiter_classes": ["Log4ShellExploiter"],
+            "basic_network.scope.subnet_scan_list": ["10.2.3.49", "10.2.3.50"],
+        }
+    )

envs/monkey_zoo/blackbox/config_templates/log4j_tomcat.py

@@ -0,0 +1,16 @@
+from copy import copy
+
+from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
+from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
+
+
+class Log4jTomcat(ConfigTemplate):
+
+    config_values = copy(BaseTemplate.config_values)
+
+    config_values.update(
+        {
+            "basic.exploiters.exploiter_classes": ["Log4ShellExploiter"],
+            "basic_network.scope.subnet_scan_list": ["10.2.3.51", "10.2.3.52"],
+        }
+    )

envs/monkey_zoo/blackbox/config_templates/performance.py

@@ -26,6 +26,7 @@ class Performance(ConfigTemplate):
             "MSSQLExploiter",
             "PowerShellExploiter",
             "ZerologonExploiter",
+            "Log4ShellExploiter",
         ],
         "basic_network.network_analysis.inaccessible_subnets": [
             "10.2.2.0/30",
@@ -59,5 +60,11 @@ class Performance(ConfigTemplate):
             "10.2.2.23",
             "10.2.2.24",
             "10.2.2.25",
+            "10.2.3.55",
+            "10.2.3.56",
+            "10.2.3.49",
+            "10.2.3.50",
+            "10.2.3.51",
+            "10.2.3.52",
         ],
     }

envs/monkey_zoo/blackbox/gcp_test_machine_list.py

@@ -26,5 +26,11 @@
         "powershell-3-46",
         "powershell-3-47",
         "powershell-3-48",
+        "log4j-logstash-55",
+        "log4j-logstash-56",
+        "log4j-solr-49",
+        "log4j-solr-50",
+        "log4j-tomcat-51",
+        "log4j-tomcat-52",
     ],
 }

envs/monkey_zoo/blackbox/test_blackbox.py

@@ -11,6 +11,9 @@
 from envs.monkey_zoo.blackbox.config_templates.drupal import Drupal
 from envs.monkey_zoo.blackbox.config_templates.elastic import Elastic
 from envs.monkey_zoo.blackbox.config_templates.hadoop import Hadoop
+from envs.monkey_zoo.blackbox.config_templates.log4j_logstash import Log4jLogstash
+from envs.monkey_zoo.blackbox.config_templates.log4j_solr import Log4jSolr
+from envs.monkey_zoo.blackbox.config_templates.log4j_tomcat import Log4jTomcat
 from envs.monkey_zoo.blackbox.config_templates.mssql import Mssql
 from envs.monkey_zoo.blackbox.config_templates.performance import Performance
 from envs.monkey_zoo.blackbox.config_templates.powershell import PowerShell
@@ -198,7 +201,22 @@ def test_weblogic_exploiter(self, island_client):
         TestMonkeyBlackbox.run_exploitation_test(island_client, Weblogic, "Weblogic_exploiter")
 
     def test_shellshock_exploiter(self, island_client):
-        TestMonkeyBlackbox.run_exploitation_test(island_client, ShellShock, "Shellschock_exploiter")
+        TestMonkeyBlackbox.run_exploitation_test(island_client, ShellShock, "Shellshock_exploiter")
+
+    def test_log4j_solr_exploiter(self, island_client):
+        TestMonkeyBlackbox.run_exploitation_test(
+            island_client, Log4jSolr, "Log4Shell_Solr_exploiter"
+        )
+
+    def test_log4j_tomcat_exploiter(self, island_client):
+        TestMonkeyBlackbox.run_exploitation_test(
+            island_client, Log4jTomcat, "Log4Shell_tomcat_exploiter"
+        )
+
+    def test_log4j_logstash_exploiter(self, island_client):
+        TestMonkeyBlackbox.run_exploitation_test(
+            island_client, Log4jLogstash, "Log4Shell_logstash_exploiter"
+        )
 
     def test_tunneling(self, island_client):
         TestMonkeyBlackbox.run_exploitation_test(

envs/monkey_zoo/blackbox/utils/config_generation_script.py

@@ -6,6 +6,9 @@
 from envs.monkey_zoo.blackbox.config_templates.drupal import Drupal
 from envs.monkey_zoo.blackbox.config_templates.elastic import Elastic
 from envs.monkey_zoo.blackbox.config_templates.hadoop import Hadoop
+from envs.monkey_zoo.blackbox.config_templates.log4j_logstash import Log4jLogstash
+from envs.monkey_zoo.blackbox.config_templates.log4j_solr import Log4jSolr
+from envs.monkey_zoo.blackbox.config_templates.log4j_tomcat import Log4jTomcat
 from envs.monkey_zoo.blackbox.config_templates.mssql import Mssql
 from envs.monkey_zoo.blackbox.config_templates.performance import Performance
 from envs.monkey_zoo.blackbox.config_templates.powershell import PowerShell
@@ -53,6 +56,9 @@
     WmiPth,
     Zerologon,
     Drupal,
+    Log4jLogstash,
+    Log4jTomcat,
+    Log4jSolr,
 ]