Introduction
Breach and Attack Simulation (BAS) is a security testing method that identifies vulnerabilities and gaps in an environment by mimicking the attack paths and techniques threat actors are likely to use. It is a safe, controlled way to test an organization's security posture and its ability to detect and respond to attacks, and is also known as a Purple Team exercise. The goal of BAS is to identify gaps in the security posture of an organization and to provide actionable insights for improving it. It is a continuous process and should be performed regularly so that the security posture stays up to date and can withstand the latest threats.
The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self-propagate across a data center and reports its success to a centralized Monkey Island server. This is a great tool for testing the security of your network and servers. It is also a great tool for learning about network security and penetration testing.
The Monkey consists of three components:
- Infection Monkey: Self propagation tool
- Monkey Island: Command and Control (C&C) server
- Monkey Business: Integrates with orchestration
Scenario
In this tutorial, we will use the Infection Monkey to test the security of a network: the Monkey first infects one server and then uses it to propagate to other servers on the network.
My setup is as follows:
- Kali Linux 2023.3 with Infection Monkey (Attacker)
- CentOS 7 (Victim)
- IBM QRadar Community Edition (SIEM)
See the diagram below for a visual representation of the setup:
Steps
1. Install Infection Monkey
You can download the Infection Monkey from the official website or install it from the GitHub repository. The Infection Monkey is available for Windows, Linux, Docker, AWS, and Azure. In this case I downloaded the Linux version from the GitHub repository.
Download the Infection Monkey AppImage from the GitHub repository:
wget https://github.com/guardicore/monkey/releases/download/v2.3.0/InfectionMonkey-v2.3.0.AppImage --no-check-certificate
The --no-check-certificate flag makes wget skip verification of the server's SSL/TLS certificate. This is useful if you are behind a proxy that presents a self-signed certificate. Skipping verification also removes the assurance that the binary really came from GitHub, so leave the flag out whenever the download works without it.
2. Make the AppImage executable
Make the AppImage executable with the following command:
chmod u+x InfectionMonkey-v2.3.0.AppImage
chmod u+x is used to make the AppImage executable for the current user.
3. Run the AppImage
Start Monkey Island by running the Infection Monkey AppImage package:
./InfectionMonkey-v2.3.0.AppImage
If you get errors related to FUSE, you may need to install FUSE 2.X first:
sudo apt update
sudo apt install libfuse2
Docs: Fuse Troubleshooting
Note: If the error still occurs, you may need to redownload the AppImage, as it may be corrupted.
Then run the AppImage again:
./InfectionMonkey-v2.3.0.AppImage
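The three steps above gathered into one script, as an added example that is not part of this tutorial or of the Infection Monkey project: it downloads the AppImage with certificate verification left on, refuses to mark the file executable unless it starts with the ELF and AppImage type 2 magic bytes (which catches the corrupted-download case mentioned in the FUSE note), and checks for libfuse2 before you run it. The release URL is the one from step 1; the magic-byte layout comes from the AppImage format specification.

```python
import ctypes.util
import os
import stat
import sys
import urllib.request

# Release URL from the tutorial; urlretrieve verifies the TLS certificate by default.
URL = "https://github.com/guardicore/monkey/releases/download/v2.3.0/InfectionMonkey-v2.3.0.AppImage"
DEST = "InfectionMonkey-v2.3.0.AppImage"
ELF_MAGIC = b"\x7fELF"       # every AppImage is an ELF executable
APPIMAGE_TYPE2 = b"AI\x02"   # type 2 AppImage marker stored at offset 8 of the ELF header

def check_header(head: bytes):
    """Pure check on a file's leading bytes; returns (ok, list of problems)."""
    problems = []
    if head[:4] != ELF_MAGIC:
        problems.append("not an ELF binary: truncated, corrupted, or an HTML error page")
    if head[8:11] != APPIMAGE_TYPE2:
        problems.append("AppImage type 2 magic 'AI\\x02' missing at offset 8")
    return (not problems), problems

def check_appimage(path: str):
    """Read the first 16 bytes of the downloaded file and check them."""
    with open(path, "rb") as f:
        return check_header(f.read(16))

def fuse2_available() -> bool:
    """Best-effort check that libfuse.so.2 is installed (the FUSE error from step 3)."""
    return ctypes.util.find_library("fuse") is not None

def make_user_executable(path: str) -> None:
    """Same effect as `chmod u+x`: add only the owner's execute bit."""
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)

if __name__ == "__main__":
    urllib.request.urlretrieve(URL, DEST)
    ok, problems = check_appimage(DEST)
    if not ok:
        sys.exit("refusing to mark %s executable: %s" % (DEST, "; ".join(problems)))
    make_user_executable(DEST)
    if fuse2_available():
        print("ok: run ./%s to start Monkey Island" % DEST)
    else:
        print("libfuse2 not found: sudo apt install libfuse2, then run ./%s" % DEST)
```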
4. Access Infection Monkey web UI
Open your browser and go to https://localhost:5000 to access the Infection Monkey web UI.
Note: If you are using a self-signed certificate, you will get a warning message. Click on the Advanced button and then click on the Proceed to localhost (unsafe) link or click on the Accept the Risk and Continue button if you are using Firefox.
5. Register a new user
The account registration page will appear. Enter your username and password and click on the Let's go! button to register a new user.
This account will be used to log in to Monkey Island and to import/export Monkey Island configuration.
Infection Monkey Dashboard
6. Configure the Infection Monkey
Click on the Configuration or Configure Monkey button to configure the Infection Monkey.
You can configure the Propagation, Payloads, Credentials collectors, Masquerade, Polymorphism, Advanced, Exploiters, Network analysis, Credentials, and the General tab from the Configuration page. Configure the Infection Monkey according to your needs.
In this tutorial, we will configure the Infection Monkey to use the SSH Exploiter (Attempts a brute-force attack against SSH using known credentials, including SSH keys).
Enable the SSH Exploiter from the Exploiters tab.
Configure the credentials from the Credentials tab. These will be used by the SSH Exploiter to brute-force the SSH server.
You can enable Scan Agent's networks from the Network analysis tab. This allows the Infection Monkey to scan the network for other machines to infect.
If the exploiter or the payload is not listed, you can install it from the Plugins tab.
When you are done configuring the Infection Monkey, click on the Submit button to save the configuration.
7. Start the Infection Monkey
Go to the Run Monkey section and click on the From Island button to start the Monkey from the Monkey Island server.
Alternatively, you can run the Infection Monkey on other machines by clicking on the Manual button and selecting the operating system of the machine you want to run the Infection Monkey on.
Linux:
Windows:
8. View the Infection Map
Go to the Infection Map section to view the Infection Map.
The Infection Map shows that the Infection Monkey has infected the CentOS 7 server and the IBM QRadar Community Edition server.
The network consists of 3 machines:
- Kali Linux 2023.3 with Infection Monkey (Attacker) with IP address 192.168.211.130
- CentOS 7 (Victim) with IP address 192.168.211.128
- IBM QRadar Community Edition (SIEM) with IP address 192.168.211.129
Note: The Windows machine shown in the Infection Map is not part of the network. It is ther
9. View the Events
Go to the Events section to view the Agent Events.
10. Monitor the Attack using a SIEM
In this tutorial, I will use IBM QRadar Community Edition as the SIEM. You can use other SIEMs such as Splunk, Elastic Stack, ArcSight, AlienVault, Azure Sentinel, etc.
In the SIEM you can see that the Infection Monkey has infected the CentOS 7 server and the IBM QRadar Community Edition server using the SSH Exploiter.
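As an added example that is not part of this tutorial or of QRadar, the same brute-force pattern can be spotted in the victim's own sshd log, whatever SIEM later ingests it. The script below runs a simple failed-then-accepted login detection over constructed /var/log/secure lines modelled on the CentOS 7 victim and the attacker address from step 8; the log lines, host name, users and thresholds are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(  # CentOS 7 sshd lines in /var/log/secure (syslog timestamp, no year)
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: the Monkey (192.168.211.130) brute-forcing the CentOS victim, then logging in.
SAMPLE_LOG = """\
Oct 12 10:15:01 centos7 sshd[2101]: Failed password for root from 192.168.211.130 port 51234 ssh2
Oct 12 10:15:02 centos7 sshd[2101]: Failed password for root from 192.168.211.130 port 51234 ssh2
Oct 12 10:15:03 centos7 sshd[2103]: Failed password for invalid user admin from 192.168.211.130 port 51236 ssh2
Oct 12 10:15:04 centos7 sshd[2105]: Failed password for invalid user test from 192.168.211.130 port 51238 ssh2
Oct 12 10:15:05 centos7 sshd[2107]: Failed password for root from 192.168.211.130 port 51240 ssh2
Oct 12 10:15:09 centos7 sshd[2109]: Accepted password for root from 192.168.211.130 port 51242 ssh2
Oct 12 10:15:09 centos7 sshd[2109]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 12 10:20:00 centos7 sshd[2200]: Accepted publickey for admin from 192.168.211.129 port 40000 ssh2
"""

def parse_line(line):
    """Parse one authentication-outcome line; unrelated sshd noise returns None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # year-less, fine for time deltas
    return ev

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Flag sources with >= threshold failures inside window_s seconds, plus any later successful login."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["outcome"] == "Failed"]
        # Sliding window: earliest failure that opens a burst of >= threshold failures.
        bursts = [f["ts"] for i, f in enumerate(fails)
                  if sum((e["ts"] - f["ts"]).total_seconds() <= window_s for e in fails[i:]) >= threshold]
        if not bursts:
            continue
        hit = next((e for e in evs if e["outcome"] == "Accepted" and e["ts"] >= bursts[0]), None)
        findings.append({"src": src, "failures": len(fails),
                         "users": sorted({e["user"] for e in fails}),
                         "burst_start": bursts[0].strftime("%b %d %H:%M:%S"),
                         "compromised_user": hit["user"] if hit else None})
    return findings
```

A successful login from a source that was just flagged for a burst is the signal to treat as a likely compromise rather than mere noise.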
11. View the Security Reports
You can also export the Security Reports to a PDF file or print them.
Conclusion
In this tutorial, we have learned how to use the Infection Monkey to test the security of a network by infecting one server and then propagating from it to other servers on the network.
The Infection Monkey is a great tool for testing the security of your network and servers. It is also a great tool for learning about network security and penetration testing.
Some of the advantages of using the Infection Monkey are:
- Resilience testing
  - Simulates a real attacker
  - Propagate in-depth
- Scale
  - “Pentester” in every VLAN
  - Full coverage
- Automated tool
  - Continuous execution
  - Easy to use
- Open source
  - Free
  - Community support
- Integration
  - Monkey Business
  - Monkey Island API
- Reporting
  - Security reports
  - Security events
- Safe testing
  - Safely test your network or servers
  - The Infection Monkey is designed to be 100 percent safe, with no reconnaissance or propagation features that can impact server or network stability.
References
- Infection Monkey Documentation
- Unleash the Infection Monkey: A Modern Alternative to Pen-Tests @ Black Hat USA 2016
- Making Breach & Attack Simulation Accessible and Actionable with Infection Monkey by Shay Nehmad @ Red Team Village
- Tutorial: Breach and Attack Simulation (BAS) with Infection Monkey by Semi Yulianto @ YouTube
- Integrating Adversary Emulation using Infection Monkey with Azure Sentinel by Sartaj Ahmed Shaik @ Medium
- Breach & Attack Simulation – What is that? by Priyank Gahlot @ LinkedIn
- Difference Between Breach and Attack Simulation(BAS), Red teaming, and VAPT by Raghav S. @ LinkedIn
- Automated Breach and Attack Simulation by Renier Steyn @ LinkedIn
- Infection monkey - Automated Penetration Testing and Breach-Attack Simulation by Motasem Hamdan @ YouTube
- Fuse Troubleshooting @ AppImage Docs
- Breach and attack simulation (BAS) @ Wikipedia
- Breach and Attack Simulation (BAS) @ dig8labs