Dec 03, 2018 - 10:28 p.m.

UPDATE: Infection Monkey 1.6.1

Black
pentestit.com
Tags: infection monkey, breach and attack simulation, aws security hub, cross segment traffic, pass the hash, ssh key stealing, struts2 vulnerability, oracle weblogic cve, elasticgroovy attack, hadoop cluster rce, code improvements, mimikatz, monkey island, shellshock attack, attack techniques

EPSS: 0.972 (percentile 99.8%)


I'm sure you must have read my previous post titled the List of Adversary Emulation Tools. In that post, I briefly mentioned the Guardicore Infection Monkey. The good news is that it has been updated: we now have Infection Monkey 1.6.1. An important change in this version is that it is an AWS-only release.

[Infection Monkey 1.6.1](http://pentestit.com/update-infection-monkey-1-6-1/)

What is Infection Monkey?

> The Infection Monkey is an open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement. It operates in much the same way a real attacker would - starting from a random location in the network and propagating from there, while looking for all possible paths of exploitation.

Infection Monkey 1.6.1 Changes:

Infection Monkey 1.6.1 is now integrated with AWS Security Hub. This allows anyone to verify and test the resilience of their AWS environment and correlate the Monkey's findings with AWS's native security solutions and benchmark score!

Additionally, I missed posting about another release, Infection Monkey 1.6, which is also important. Hence, I'm covering it here as well:

Infection Monkey 1.6 Change Log:

New Features:

  • Detect cross segment traffic! The Monkey can now easily test whether two network segments are properly separated. PR #120.
  • The Monkey can analyse your domain for possible Pass the Hash attacks. By cross referencing information collected by Mimikatz, the Monkey can now detect usage of identical passwords, cached logins with access to critical servers and more. #170
  • SSH key stealing. The monkey will now steal accessible SSH keys and use them when connecting to SSH servers, PR #138.
  • Implement a cross platform attack for Struts2 Multi-part file upload vulnerability, PR #179.
  • Implement a cross platform attack for Oracle Web Logic CVE-2017-10271, PR #180.
  • ElasticGroovy attack now supports Windows victims, PR #181.
  • Hadoop cluster RCE - Abuse unauthenticated access to YARN resource manager, PR #182.

Code improvements:

  • We've refactored the codebase, so now it's easier to share code between the Monkey and the Monkey Island components. PR #145.
  • Mimikatz is now bundled into a password protected ZIP file and extracted only if required. Makes deployment easier with AV software. PR #169.
  • Monkey Island now properly logs itself to a file and console. So if you got bugs, it'll now be easier to figure them out. PR #139.
  • Systemd permissions are now properly locked down
  • Fixed a situation where a successful shellshock attack could freeze the attacking Monkey. #200

In other words, the Monkey can now detect potential attack paths between computers within the same domain or workgroup that arise from credential reuse, the pass-the-hash technique and cached logins. In addition to the already existing attacks, Infection Monkey 1.6.1 now includes support for the Struts2 Multipart file upload vulnerability (CVE-2017-5638), the Oracle WebLogic Server WLS Security component vulnerability (CVE-2017-10271), the Elasticsearch Groovy attack (CVE-2015-1427) and the Hadoop YARN Resource Manager remote code execution vulnerability.
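As an added illustration of the credential cross-referencing described above (my own example, not the Monkey's code; the hosts, accounts and hash labels are constructed), the script below takes which account secrets were found cached on each host and which accounts are admins where, flags identical hashes as password reuse, and chains the resulting lateral-movement edges into attack paths so you can see which hosts a single compromise would expose.

```python
from collections import defaultdict, deque

# Constructed sample of a harvesting report: per host, the accounts whose NTLM
# secrets were cached there (placeholder hashes), plus each host's admin accounts.
HARVESTED = {
    "web01":  [("CORP\\alice", "HASH_A"), ("CORP\\svc_backup", "HASH_S")],
    "db01":   [("CORP\\bob", "HASH_B"), ("CORP\\svc_backup", "HASH_S")],
    "file01": [("CORP\\carol", "HASH_A")],  # carol reuses alice's password
}
ADMINS = {
    "web01":  {"CORP\\alice"},
    "db01":   {"CORP\\bob", "CORP\\svc_backup"},
    "file01": {"CORP\\carol", "CORP\\svc_backup"},
}

def accounts_by_secret(harvested):
    # Same password => same NTLM hash, so one hash may map to several accounts.
    by_hash = defaultdict(set)
    for creds in harvested.values():
        for user, h in creds:
            by_hash[h].add(user)
    return by_hash

def password_reuse(harvested):  # secrets shared by more than one account
    return {h: sorted(u) for h, u in accounts_by_secret(harvested).items()
            if len(u) > 1}

def attack_paths(harvested, admins):
    # Edge (src, dst, account): a secret cached on src belongs to an admin of dst.
    by_hash = accounts_by_secret(harvested)
    edges = set()
    for src, creds in harvested.items():
        for _user, h in creds:
            for dst, dst_admins in admins.items():
                for account in by_hash[h] & dst_admins:
                    if dst != src:
                        edges.add((src, dst, account))
    return sorted(edges)

def reachable_from(start, edges):
    # Hosts reachable transitively from `start` by chaining the edges above.
    nxt = defaultdict(set)
    for src, dst, _ in edges:
        nxt[src].add(dst)
    seen, queue = set(), deque([start])
    while queue:
        for dst in nxt[queue.popleft()] - seen - {start}:
            seen.add(dst)
            queue.append(dst)
    return sorted(seen)
```

Note that carol's host becomes a stepping stone to web01 purely because her password matches alice's, which is the "identical passwords" finding the change log refers to.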

Lots of exciting stuff from the guys at Guardicore Labs. Really good work!

Download Infection Monkey 1.6.1:

The following Infection Monkey 1.6.1 files are available for download:

  1. infection_monkey_1.6.1_AWS_only.zip
  2. infection_monkey_1.6.1_AWS_only.tar.gz

Get them here.

The post UPDATE: Infection Monkey 1.6.1 appeared first on PenTestIT.