
Installing, deploying and using Infection Monkey

Infection Monkey is a data-center security testing tool released by the Israeli security company GuardiCore at Black Hat 2016. It is mainly used for automated testing of the security of data-center perimeters and internal servers. Architecturally, the tool is split into the Monkey (the scanning and exploitation end) and the C&C server (effectively a reporter, used only to collect the information the monkeys gather while probing).

Installation and deployment

Monkey Island package: infection_monkey_1.5_deb

Monkey program: monkey-linux-64

Note: Port 5000 must be available for the island to work

1. Setup - Run the following commands:

   sudo dpkg -i monkey_island.deb
   sudo apt-get install -f

2. Start Infecting
   Open https://<Server IP>:5000 with your favorite web browser and follow the instructions

Running the monkey
You can run the monkey directly on the Monkey Island server, or on another machine. Either way, all data is collected by the island.

1. Running on the C&C server itself

./monkey-linux-64 m0nk3y -c config.bin -s 127.0.0.1:5000

After that the UI is available at https://127.0.0.1:5000

2. Running on another machine: when starting the monkey you have to tell it the C&C server's IP and port

curl -O -k https://192.168.2.136:5000/api/monkey/download/monkey-linux-64; chmod +x monkey-linux-64; ./monkey-linux-64 m0nk3y -s 192.168.2.136:5000

Configuration

Configuration is done directly in the Monkey Island web page, for example the username and password lists used for brute forcing.

Results

I ran the monkey on a virtual machine (ip: 192.168.105.127). It communicates with the island and also searches hosts on the same subnet to see whether any of them have exploitable vulnerabilities. Moreover, once a monkey has infected another machine, the infected machine goes on to infect further machines, continuously widening the range of the infection.

Exploited machines leave a record; the infection map visualizes the results of the network search, with infected connections drawn as red lines.

Data storage

Reading the code shows that it uses MongoDB via pymongo.

Install: pip install Flask-PyMongo, sudo apt install mongodb-clients, sudo apt install pymongo

Typing mongo enters the database shell:

tangmingyu@tangmingyu-QiTianM610-D529:~$ mongo
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.0.7
WARNING: shell and server versions do not match
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
Server has startup warnings:
2018-11-15T15:03:17.376+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2018-11-15T15:03:17.376+0800 I CONTROL [initandlisten]
> show dbs
local 0.078GB
monkeyisland 0.078GB
> use monkeyisland
switched to db monkeyisland

From there you can inspect the databases and the data and status of the collections inside them.

A tutorial is at http://www.cnblogs.com/TankMa/archive/2011/06/08/2074947.html

> db.getCollectionNames();
[
"config",
"edge",
"fs.chunks",
"fs.files",
"log",
"monkey",
"node",
"report",
"system.indexes",
"telemetry"
]
> db.monkey.distinct("hostname")
[
"tangmingyu-QiTianM610-D529",----------------------------my desktop
"ubuntu16.04tangmngyu", ----------------------------my virtual machine
"wangao008",
"ihome2",
"ihome-test2",
"sp02",
"wangao002",
"wangao001",
"jskdep",
"wangao004",
"ForDockerMigration",
"1112223322",
"wangao006",
"zabbix",
"HCAPI-grpbqflvte",
"sp01",
"hy-i-safbkiruqw",
"ihome5",
"jsk-docker",
"wangao007",
"wangao009",
"master",
"net01",
"wangao010",
"sp03",
"wangao005",
"ubuntu16.04jiangjh",
"ceph2",
"ceph1",
"tensorflow",
"wangao003"
]
>

You can also look at the record of a single monkey; the machine with the corresponding IP now has an extra monkey program on it.

("dropper_target_path_linux" : "/tmp/monkey")

{ "_id" : ObjectId("5bed72ec75a7506811b413f5"), "guid" : "90520746230011", "description" : "Linux wangao007 4.4.0-121-generic #145-Ubuntu SMP Fri Apr 13 13:47:23 UTC 2018 x86_64 x86_64", "parent" : [ [ "90520744009513", "SSHExploiter" ] ], "ip_addresses" : [ "192.168.105.144" ], "hostname" : "wangao007", "dead" : false, "keepalive" : ISODate("2018-11-15T21:21:49.055Z"), "modifytime" : ISODate("2018-11-15T21:21:52.141Z"), "config" : { "ms08_067_remote_user_add" : "Monkey_IUSER_SUPPORT", "scanner_class" : "TcpScanner", "tcp_target_ports" : [ 22, 2222, 445, 135, 3389, 80, 8080, 443, 8008, 3306, 9200 ], "singleton_mutex_name" : "{2384ec59-0df8-4ab9-918c-843740924a28}", "send_log_to_server" : true, "max_iterations" : 1, "keep_tunnel_open_time" : 60, "kill_file_path_linux" : "/var/run/monkey.not", "serialize_config" : false, "HTTP_PORTS" : [ 80, 8080, 443, 8008 ], "sambacry_folder_paths_to_guess" : [ "/", "/mnt", "/tmp", "/storage", "/export", "/share", "/shares", "/home" ], "ms08_067_remote_user_pass" : "Password1!", "skip_exploit_if_file_exist" : false, "retry_failed_explotation" : true, "subnet_scan_list" : [ ], "dropper_target_path_linux" : "/tmp/monkey", "local_network_scan" : true, "dropper_log_path_windows" : "%temp%\\~df1562.tmp", "rdp_use_vbs_download" : true, "extract_azure_creds" : true, "timeout_between_iterations" : 100, "victims_max_find" : 30, "dropper_date_reference_path_windows" : "%windir%\\system32\\kernel32.dll", "kill_file_path_windows" : "%windir%\\monkey.not", "exploiter_classes" : [ "SmbExploiter", "WmiExploiter", "SSHExploiter", "ShellShockExploiter", "SambaCryExploiter", "ElasticGroovyExploiter" ], "command_servers" : [ "192.168.2.136:5000", "192.168.185.1:5000", "172.16.93.1:5000" ], "internet_services" : [ "monkey.guardicore.com", "www.google.com" ], "sambacry_trigger_timeout" : 5, "use_file_logging" : true, "current_server" : "192.168.2.136:5000", "mimikatz_dll_name" : "mk.dll", "exploit_ntlm_hash_list" : [ ], "monkey_log_path_linux" : "/tmp/user-1563", "alive" : true, "ms08_067_exploit_attempts" : 5, "smb_download_timeout" : 300, "dropper_target_path_win_64" : "C:\\Windows\\monkey64.exe", "tcp_scan_interval" : 200, "monkey_log_path_windows" : "%temp%\\~df1563.tmp", "dropper_set_date" : true, "sambacry_shares_not_to_check" : [ "IPC$", "print$" ], "self_delete_in_cleanup" : false, "smb_service_name" : "InfectionMonkey", "exploit_password_list" : [ "6psjn5wNKU9gYWdwJavL7VWXiq8Z7NNzOySmjTj8koxisr4aP9AK0RnhmH5fYzi8", "w4s/FSqV94NxBV61XaiwW5/6ef98NanHidm6WwsQ8MrxT54kY2lKh03yB8aDh9AH", "Iv4377mN0Jn9ILAbfzzhA9QB6E7jI1JDaF1kLuayVYD7JZvtur7Xcf93l0PjE4yZ" ], "dropper_target_path_win_32" : "C:\\Windows\\monkey32.exe", "victims_max_exploit" : 7, "exploit_user_list" : [ "wangao123", "root", "user" ], "dropper_date_reference_path_linux" : "/bin/sh", "dropper_log_path_linux" : "/tmp/user-1562", "collect_system_info" : true, "finger_classes" : [ "SMBFinger", "SSHFinger", "PingScanner", "HTTPFinger", "MySQLFinger", "ElasticFinger" ], "ping_scan_timeout" : 1000, "dropper_try_move_first" : true, "tcp_scan_timeout" : 3000, "exploit_lm_hash_list" : [ ], "blocked_ips" : [ ], "tcp_scan_get_banner" : true, "depth" : 2 }, "creds" : [ { "password" : "sk1qBra0IGaRMO58vx8Maqc+xuKIP7e46YHSpuT8ogikYHQOxjtd/jeWRDcAkq0q", "user" : "root" }, { "password" : "aD6GvJnZ63EFtOB2xHJuFlMdTEYx+7O5L8sfSeR4z68gXvdCv7dbj/Z9HIYRuOpW", "user" : "root" } ], "internet_access" : false }

The fact that a monkey reached this host means its account name and password were in our attempt lists, although the record does not store the password in the clear; it is encrypted.
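As an added example (not code from the original post or from the Infection Monkey project), the script below consumes records shaped like the monkey document above, using the fields guid, hostname, ip_addresses, parent (a list of [parent_guid, exploiter] pairs), dead and creds, and turns them into what a defender wants after an exercise: the infection chain (the red lines of the infection map), the hop count of each host from the manually started agent, which exploiter class got in, which hosts had credentials captured, and which agents still report alive and need cleaning up. SAMPLE_DOCS is constructed data; load_from_island is a hypothetical helper that pulls the live monkey collection from the monkeyisland database if pymongo is installed and the island's MongoDB listens on the default local port seen in the mongo session above.

```python
"""Summarise Infection Monkey agent records after an exercise.

Added example; not code from the original post or the Infection Monkey
project. It consumes documents shaped like the `monkey` record in the post:
guid, hostname, ip_addresses, parent (list of [parent_guid, exploiter]
pairs), dead and creds. SAMPLE_DOCS is constructed data for this example.
"""
from collections import Counter

# Constructed sample agents (not real scan data). guid "1001" was started by
# hand on the island VM; the others were propagated to further hosts.
SAMPLE_DOCS = [
    {"guid": "1001", "hostname": "island-vm", "ip_addresses": ["192.168.105.127"],
     "parent": [], "dead": False, "creds": []},
    {"guid": "1002", "hostname": "host-a", "ip_addresses": ["192.168.105.144"],
     "parent": [["1001", "SSHExploiter"]], "dead": False,
     "creds": [{"user": "root", "password": "<encrypted blob>"}]},
    {"guid": "1003", "hostname": "host-b", "ip_addresses": ["192.168.105.150"],
     "parent": [["1002", "SSHExploiter"]], "dead": True, "creds": []},
    {"guid": "1004", "hostname": "host-c", "ip_addresses": ["192.168.105.160"],
     "parent": [["1001", "SmbExploiter"]], "dead": False,
     "creds": [{"user": "user", "password": "<encrypted blob>"}]},
    # Parent guid that is not in the collection (record lost or purged).
    {"guid": "1005", "hostname": "host-d", "ip_addresses": ["192.168.105.170"],
     "parent": [["9999", "ShellShockExploiter"]], "dead": True, "creds": []},
]


def by_guid(docs):
    """Index agent documents by guid."""
    return {d["guid"]: d for d in docs}


def infection_edges(docs):
    """Return (parent_hostname, child_hostname, exploiter) for every propagation.

    These are the red lines of the infection map; an agent with an empty
    `parent` list was started manually and produces no edge.
    """
    index = by_guid(docs)
    edges = []
    for d in docs:
        for parent_guid, exploiter in d.get("parent", []):
            parent = index.get(parent_guid)
            parent_host = parent["hostname"] if parent else "<unknown:%s>" % parent_guid
            edges.append((parent_host, d["hostname"], exploiter))
    return edges


def infection_depth(docs):
    """Map hostname -> hops from a manually started agent (0 for the origin)."""
    index = by_guid(docs)
    memo = {}

    def depth(guid, seen=()):
        if guid in memo:
            return memo[guid]
        if guid in seen:          # guard against cyclic parent data
            return 0
        doc = index.get(guid)
        parents = doc.get("parent", []) if doc else []
        memo[guid] = (1 + max(depth(p, seen + (guid,)) for p, _ in parents)) if parents else 0
        return memo[guid]

    return {d["hostname"]: depth(d["guid"]) for d in docs}


def alive_agents(docs):
    """Agents still reporting alive: the cleanup list once the exercise ends."""
    return [(d["hostname"], d.get("ip_addresses", [])) for d in docs if not d.get("dead", False)]


def summarize(docs):
    """Defender-facing summary: what was reached, how, and with what credentials."""
    depths = infection_depth(docs)
    return {
        "agents": len(docs),
        "alive": len(alive_agents(docs)),
        "propagated": sum(1 for d in docs if d.get("parent")),
        "max_depth": max(depths.values(), default=0),
        "exploiters": dict(Counter(e for _, _, e in infection_edges(docs))),
        "hosts_with_creds": sorted(d["hostname"] for d in docs if d.get("creds")),
    }


def load_from_island(uri="mongodb://127.0.0.1:27017", db="monkeyisland"):
    """Hypothetical helper: pull the live `monkey` collection with pymongo.

    Assumes pymongo is installed and the island's MongoDB listens on `uri`.
    """
    from pymongo import MongoClient
    return list(MongoClient(uri)[db]["monkey"].find())


if __name__ == "__main__":
    for parent, child, exploiter in infection_edges(SAMPLE_DOCS):
        print("%s -> %s via %s" % (parent, child, exploiter))
    print(summarize(SAMPLE_DOCS))
    print("still alive, clean up:", alive_agents(SAMPLE_DOCS))
```

Run it as-is to see the chain built from the constructed records; to run it against a real island, replace SAMPLE_DOCS with load_from_island() and the same functions apply to the documents that db.monkey.find() returns in the mongo shell. The cleanup list matters because an agent with dead false is still a binary sitting in dropper_target_path_linux on that host.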
