Introduction

Breach and Attack Simulation (BAS) is an advanced and state-of-the-art computer security testing method that helps identify vulnerabilities or loopholes in security environments and set-ups by mimicking the likely attack paths and techniques used by threat actors. It is a safe and controlled way to test the security posture of an organization and its ability to detect and respond to attacks. It is also known as a Purple Team exercise. The goal of BAS is to identify the gaps in the security posture of an organization and to provide actionable insights to improve the security posture. It is a continuous process and should be performed regularly to ensure that the security posture of an organization is up to date and can withstand the latest threats.

The Infection Monkey is an open source security tool for testing a data center’s resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self propagate across a data center and reports success to a centralized Monkey Island server. This is a great tool for testing the security of your network and servers. It is also a great tool for learning about network security and penetration testing.

The Monkey is consists of three components:

  • Infection Monkey: Self propagation tool
  • Monkey Island: Command and Control (C&C) server
  • Monkey Business: Integrates with orchestration

Monkey Components

Scenario

In this tutorial, we will use the Infection Monkey to test the security of a network. We will use the Monkey to infect a server and then use the Monkey to infect other servers on the network.

My setup is as follows:

  • Kali Linux 2023.3 with Infection Monkey (Attacker)
  • CentOS 7 (Victim)
  • IBM QRadar Community Edition (SIEM)

See the diagram below for a visual representation of the setup:

Attack Diagram

Steps

1. Install Infection Monkey

You can download the Infection Monkey from the official website . You can also install it from the GitHub repository . The Infection Monkey is available for Windows, Linux, Docker, AWS, and Azure. In this case I downloaded the Linux version from the GitHub repository.

Download Infection Monkey

Download the Infection Monkey AppImage from the GitHub repository:

wget https://github.com/guardicore/monkey/releases/download/v2.3.0/InfectionMonkey-v2.3.0.AppImage --no-check-certificate

Download Infection Monkey AppImage

--no-check-certificate is used to bypass the SSL certificate check. This is useful if you are using a self-signed certificate.

2. Make the AppImage executable

Make the AppImage executable with the following command:

chmod u+x InfectionMonkey-v2.3.0.AppImage

chmod u+x is used to make the AppImage executable for the current user.

Make the AppImage executable

3. Run the AppImage

Start Monkey Island by running the Infection Monkey AppImage package:

./InfectionMonkey-v2.3.0.AppImage

If you get errors related to FUSE, you may need to install FUSE 2.X first:

FUSE error

sudo apt update
sudo apt install libfuse2

Install FUSE 2.X

Docs: Fuse Troubleshooting

Note: If the error still occurs, you may need to redownload the AppImage it may be corrupted.

Then run the AppImage again:

./InfectionMonkey-v2.3.0.AppImage

Run the AppImage

4. Access Infection Monkey web UI

Open your browser and go to https://localhost:5000 to access the Infection Monkey web UI.

Note: If you are using a self-signed certificate, you will get a warning message. Click on the Advanced button and then click on the Proceed to localhost (unsafe) link or click on the Accept the Risk and Continue button if you are using Firefox.

Browser Warning

5. Register a new user

The account registration page will appear. Enter your username and password and click on the Let's go! button to register a new user. This account will be used to log in to Monkey Island and to import/export Monkey Island configuration.

Register a new user

Infection Monkey Dashboard

Infection Monkey Dashboard

6. Configure the Infection Monkey

Click on the Configuration or Configure Monkey button to configure the Infection Monkey.

Configure the Infection Monkey

You can configure the Propagation, Payloads, Credentials collectors, Masquerade, Polymorphism, Advanced, Exploiters, Network analysis, Credentials, and the General tab from the Configuration page. Configure the Infection Monkey according to your needs.

In this tutorial, we will configure the Infection Monkey to use the SSH Exploiter (Attempts a brute-force attack against SSH using known credentials, including SSH keys).

Enable the SSH Exploiter from the Exploiters tab.

Configure the Infection Monkey

Configure the credentials from the Credentials tab. This will be used by the SSH Exploiter to brute-force the SSH server.

Configure the Infection Monkey

You can enable the Scan Agent's networks from the Network analysis tab. This will allow the Infection Monkey to scan the network for other machines to infect.

Configure the Infection Monkey

If the exploiter or the payload are not there, you can install them from the Plugins tab.

Install Plugins

If you are done configuring the Infection Monkey, click on the Submit button to save the configuration.

7. Start the Infection Monkey

Go to the Run Monkey section and click on the From Island button to start the Infection Monkey to start the Monkey from the Monkey Island server.

Start the Infection Monkey

Or you can run the Infection Monkey on other machines by clicking on the Manual button and selecting the operating system of the machine you want to run the Infection Monkey on.

Linux:

Start the Infection Monkey on Linux

Windows:

Start the Infection Monkey on Windows

8. View the Infection Map

Go to the Infection Map section to view the Infection Map.

View the Infection Map

View the Infection Map

You can see the Infection Map of the Infection Monkey. The Infection Monkey has infected the CentOS 7 server and the IBM QRadar Community Edition server.

The network consists of 3 machines:

  • Kali Linux 2023.3 with Infection Monkey (Attacker) with IP address 192.168.211.130
  • CentOS 7 (Victim) with IP address 192.168.211.128
  • IBM QRadar Community Edition (SIEM) with IP address 192.168.211.129

Note: The Windows machine shown in the Infection Map is not part of the network. It is ther

9. View the Events

Go to the Events section to view the Agent Events.

View the Events

10. Monitor the Attack using a SIEM

In this tutorial, I will use IBM QRadar Community Edition as the SIEM. You can use other SIEMs such as Splunk, Elastic Stack, ArcSight, AlienVault, Azure Sentinel, etc.

IBM QRadar Community Edition

You can see the Infection Monkey has infected the CentOS 7 server and the IBM QRadar Community Edition server using the SSH Exploiter.

11. View the Security Reports

You can also export the Security Reports to a PDF file or print it.

View the Security Reports

View the Security Reports

Conclusion

In this tutorial, we have learned how to use the Infection Monkey to test the security of a network. We have also learned how to use the Infection Monkey to infect a server and then use the Infection Monkey to infect other servers on the network.

The Infection Monkey is a great tool for testing the security of your network and servers. It is also a great tool for learning about network security and penetration testing.

Some of the advantages of using the Infection Monkey are:

  1. Resilience testing
    • Simulates a real attacker
    • Propagate in-depth
  2. Scale
    • “Pentester” in every VLAN
    • Full coverage
  3. Automated tool
    • Continuous execution
    • Easy to use
  4. Open source
    • Free
    • Community support
  5. Integration
    • Monkey Business
    • Monkey Island API
  6. Reporting
    • Security reports
    • Security events
  7. Safe testing
    • Safely test your network or servers
    • The Infection Monkey is designed to be 100 percent safe, with no reconnaissance or propagation features that can impact server or network stability.

References