guardicore / monkey

Infection Monkey - An open-source adversary emulation platform
https://www.guardicore.com/infectionmonkey/
GNU General Public License v3.0

Drupal exploiter sometimes fails #1017

Closed mssalvatore closed 3 years ago

mssalvatore commented 3 years ago

Describe the bug

The Drupal exploiter fails roughly every other time.

To Reproduce

  1. Configure Infection Monkey with just the Drupal exploiter
  2. Start the monkey from the Island
  3. If the vulnerable Drupal machine is exploited, clear the Drupal cache and run again
  4. Often, Drupal exploitation fails with this message:

    2021-03-05 13:17:04,065 [2443:140524662614912:INFO] web_rce.get_ports_w.295: All default web ports are closed on "Victim Host 10.2.2.45: OS - [type-linux version-Ubuntu-4ubuntu0.3 ] Services - [tcp-22-{'display_name': 'SSH', 'port': 22, 'banner': 'SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r\n', 'name': 'ssh'} ] ICMP: True target monkey: None", skipping

Expected behavior

Vulnerable Drupal servers are able to be exploited consistently.

mssalvatore commented 3 years ago

    web_rce.get_ports_w.295: All default web ports are closed on "Victim Host 10.2.2.45: OS - [type-linux version-Ubuntu-4ubuntu0.3 ] Services - [tcp-80-{'display_name': 'unknown(TCP)', 'port': 80} tcp-22-{'display_name': 'SSH', 'port': 22, 'banner': 'SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r\n', 'name': 'ssh'} ] ICMP: True target monkey: None", skipping

^ This message says "All default web ports are closed" but includes "tcp-80" in the set of discovered ports listed in self.host

mssalvatore commented 3 years ago

The cause was that the HTTP fingerprinter was timing out (1 second), but there was insufficient logging, which made the issue difficult to diagnose. Logging has been added in 43c5834d5.
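
An added example, not Infection Monkey's code and not part of the original thread: an HTTP probe that logs a timeout separately from a refused connection, which is the distinction the last comment says was missing from the logs. The function names, the loopback test server and its 0.5 s delay are assumptions constructed for illustration.

```python
import http.client
import logging
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

logger = logging.getLogger("http_fingerprint_example")  # hypothetical logger name

def fingerprint_http(host, port, timeout):
    """Classify a port as 'http', 'timeout', 'closed' or 'error', logging the reason."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        conn.getresponse()
        logger.info("%s:%d answered HTTP", host, port)
        return "http"
    except socket.timeout:
        # The case from the issue: the port is open, the probe gave up too early.
        logger.warning("%s:%d HTTP probe timed out after %.1fs", host, port, timeout)
        return "timeout"
    except ConnectionRefusedError:
        logger.info("%s:%d refused the connection", host, port)
        return "closed"
    except (OSError, http.client.HTTPException) as err:
        logger.warning("%s:%d HTTP probe failed: %r", host, port, err)
        return "error"
    finally:
        conn.close()

class SlowHandler(BaseHTTPRequestHandler):
    """Constructed test server: waits 0.5 s before answering HEAD."""

    def do_HEAD(self):
        time.sleep(0.5)
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # silence per-request access logging
        pass

def demo():
    # Same slow server, probed with a short and then a long timeout.
    server = ThreadingHTTPServer(("127.0.0.1", 0), SlowHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return tuple(fingerprint_http("127.0.0.1", port, t) for t in (0.1, 3.0))
    finally:
        server.shutdown()
        server.server_close()
```

With the warning in place, a slow web server shows up in the log as a timed-out probe instead of being indistinguishable from a closed port.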