def _encrypt_or_decrypt_config(config, is_decrypt=False):
for config_arr_as_array in ENCRYPTED_CONFIG_VALUES:
config_arr = config
parent_config_arr = None
# Because the config isn't flat, this for-loop gets the actual config value out of
# the config
for config_key_part in config_arr_as_array:
parent_config_arr = config_arr
config_arr = config_arr[config_key_part]
if isinstance(config_arr, collections.abc.Sequence) and not isinstance(config_arr, str):
for i in range(len(config_arr)):
# Check if array of shh key pairs and then decrypt
if isinstance(config_arr[i], dict) and "public_key" in config_arr[i]:
config_arr[i] = (
ConfigService.decrypt_ssh_key_pair(config_arr[i])
if is_decrypt
else ConfigService.decrypt_ssh_key_pair(config_arr[i], True)
)
else:
config_arr[i] = (
get_encryptor().dec(config_arr[i])
if is_decrypt
else get_encryptor().enc(config_arr[i])
)
else:
parent_config_arr[config_arr_as_array[-1]] = (
get_encryptor().dec(config_arr)
if is_decrypt
else get_encryptor().enc(config_arr)
)
def decrypt_ssh_key_pair(pair, encrypt=False):
if encrypt:
pair["public_key"] = get_encryptor().enc(pair["public_key"])
pair["private_key"] = get_encryptor().enc(pair["private_key"])
else:
pair["public_key"] = get_encryptor().dec(pair["public_key"])
pair["private_key"] = get_encryptor().dec(pair["private_key"])
return pair
def encrypt_exploit_creds(telemetry_json):
attempts = telemetry_json["data"]["attempts"]
for i in range(len(attempts)):
for field in ["password", "lm_hash", "ntlm_hash"]:
credential = attempts[i][field]
if len(credential) > 0:
attempts[i][field] = get_encryptor().enc(credential)
def censor_hash(hash_, plain_chars=5):
"""
Decrypts and obfuscates hash by only showing a part of it
:param hash_: Hash to obfuscate
:param plain_chars: How many chars of hash should be shown
:return: Obfuscated string
"""
if not hash_:
return ""
hash_ = get_encryptor().dec(hash_)
return hash_[0:plain_chars] + " ..."
def censor_password(password, plain_chars=3, secret_chars=5):
"""
Decrypts and obfuscates password by changing characters to *
:param password: Password or string to obfuscate
:param plain_chars: How many plain-text characters should be kept at the start of the string
:param secret_chars: How many * symbols should be used to hide the remainder of the password
:return: Obfuscated string e.g. Pass****
"""
if not password:
return ""
password = get_encryptor().dec(password)
return password[0:plain_chars] + "*" * secret_chars
def add_item_to_config_set_if_dont_exist(item_path_array, item_value, should_encrypt):
item_key = ".".join(item_path_array)
items_from_config = ConfigService.get_config_value(item_path_array, False, should_encrypt)
if item_value in items_from_config:
return
if should_encrypt:
item_value = get_encryptor().enc(item_value)
mongo.db.config.update(
{"name": "newconfig"}, {"$addToSet": {item_key: item_value}}, upsert=False
)
mongo.db.monkey.update(
{}, {"$addToSet": {"config." + item_key.split(".")[-1]: item_value}}, multi=True
)
def get_config_value(config_key_as_arr, is_initial_config=False, should_decrypt=True):
"""
Get a specific config value.
:param config_key_as_arr: The config key as an array. e.g. ['basic', 'credentials',
'exploit_password_list'].
:param is_initial_config: If True, returns the value of the initial config instead of the
current config.
:param should_decrypt: If True, the value of the config key will be decrypted
(if it's in the list of encrypted config values).
:return: The value of the requested config key.
"""
config_key = functools.reduce(lambda x, y: x + "." + y, config_key_as_arr)
config = mongo.db.config.find_one(
{"name": "initial" if is_initial_config else "newconfig"}, {config_key: 1}
)
for config_key_part in config_key_as_arr:
config = config[config_key_part]
if should_decrypt:
if config_key_as_arr in ENCRYPTED_CONFIG_VALUES:
if isinstance(config, str):
config = get_encryptor().dec(config)
elif isinstance(config, list):
config = [get_encryptor().dec(x) for x in config]
return config
def decrypt_flat_config(flat_config, is_island=False):
"""
Same as decrypt_config but for a flat configuration
"""
keys = [config_arr_as_array[-1] for config_arr_as_array in ENCRYPTED_CONFIG_VALUES]
for key in keys:
if isinstance(flat_config[key], collections.Sequence) and not isinstance(
flat_config[key], str
):
# Check if we are decrypting ssh key pair
if (
flat_config[key]
and isinstance(flat_config[key][0], dict)
and "public_key" in flat_config[key][0]
):
flat_config[key] = [
ConfigService.decrypt_ssh_key_pair(item) for item in flat_config[key]
]
else:
flat_config[key] = [get_encryptor().dec(item) for item in flat_config[key]]
else:
flat_config[key] = get_encryptor().dec(flat_config[key])
return flat_config
def test_is_aws_keys_setup(tmp_path):
# Mock default configuration
ConfigService.init_default_config()
mongo.db = MockObject()
mongo.db.config = MockObject()
ConfigService.encrypt_config(ConfigService.default_config)
mongo.db.config.find_one = MagicMock(
return_value=ConfigService.default_config)
assert not is_aws_keys_setup()
# Make sure noone changed config path and broke this function
initialize_encryptor(tmp_path)
bogus_key_value = get_encryptor().enc("bogus_aws_key")
dpath.util.set(ConfigService.default_config,
AWS_KEYS_PATH + ["aws_secret_access_key"], bogus_key_value)
dpath.util.set(ConfigService.default_config,
AWS_KEYS_PATH + ["aws_access_key_id"], bogus_key_value)
assert is_aws_keys_setup()
def encrypt_system_info_ssh_keys(ssh_info):
for idx, user in enumerate(ssh_info):
for field in ["public_key", "private_key", "known_hosts"]:
if ssh_info[idx][field]:
ssh_info[idx][field] = get_encryptor().enc(
ssh_info[idx][field])
def test_aes_cbc_enc_dec(data_for_tests_dir):
initialize_encryptor(data_for_tests_dir)
assert get_encryptor().dec(get_encryptor().enc(PLAINTEXT)) == PLAINTEXT
def test_aes_cbc_decryption(data_for_tests_dir):
initialize_encryptor(data_for_tests_dir)
assert get_encryptor().dec(CYPHERTEXT) == PLAINTEXT
def test_aes_cbc_encryption(data_for_tests_dir):
initialize_encryptor(data_for_tests_dir)
assert get_encryptor().enc(PLAINTEXT) != PLAINTEXT
def _set_aws_key(key_type: str, key_value: str):
path_to_keys = AWS_KEYS_PATH
encrypted_key = get_encryptor().enc(key_value)
ConfigService.set_config_value(path_to_keys + [key_type], encrypted_key)