
hadoop-2 agent not shutting down #2758

@mssalvatore

Description

Describe the bug

It seems that agents run on hadoop-2 do not always shut down properly. Sometimes the agent doesn't send an AgentShutdownEvent and the Island needs to mark it as stopped when it starts receiving heartbeats.

To Reproduce

Steps to reproduce the behavior:

  1. Import the configuration from the Configuration section below
  2. Start all the target machines in the Zoo
  3. After a significant number of machines have been compromised, hit the kill button. You may want to try waiting more or less time before hitting the kill button
  4. Watch the map and the Island log. You may see hadoop-2 stay green after all other agents have stopped. Inspect the Island log for log entries that say no heartbeat was received and the agent is being marked as dead.

Note

This is an intermittent behavior, so you may need to run a few times or vary when you hit the stop button in order to observe the behavior. It may also affect machines other than hadoop-2; a thorough log analysis is required.
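
A small log-correlation helper for the analysis mentioned above, added here as an example and not part of the issue or the Infection Monkey code base; the Island log line format it matches (agent start, AgentShutdownEvent received, no-heartbeat timeout) is an assumption, and the sample lines are constructed:

```python
import re

# Constructed sample of Island log lines. The line format is an assumption made
# for this example; adjust the patterns below to the real Island log before use.
SAMPLE_LOG = """\
2023-01-10 12:00:01 INFO Agent 1a2b started on hadoop-2
2023-01-10 12:00:02 INFO Agent 3c4d started on tunneling-9
2023-01-10 12:00:03 INFO Agent 5e6f started on log4j-solr-49
2023-01-10 12:05:00 INFO Received AgentShutdownEvent from agent 3c4d
2023-01-10 12:05:01 INFO Received AgentShutdownEvent from agent 5e6f
2023-01-10 12:06:30 WARNING No heartbeat was received from agent 1a2b, marking it as dead
2023-01-10 12:06:31 WARNING No heartbeat was received from agent 5e6f, marking it as dead
"""

STARTED = re.compile(r"Agent (?P<id>\w+) started on (?P<host>\S+)")
SHUTDOWN = re.compile(r"Received AgentShutdownEvent from agent (?P<id>\w+)")
NO_HEARTBEAT = re.compile(r"No heartbeat was received from agent (?P<id>\w+)")


def find_unclean_shutdowns(log_text):
    """Return {agent_id: host} for agents the Island marked dead on heartbeat
    timeout without ever having received an AgentShutdownEvent from them.

    An agent that sent a shutdown event and was later also timed out (5e6f in
    the sample) is not reported: it shut down cleanly, the timeout is just
    the Island catching up.
    """
    hosts = {}
    shut_down = set()
    timed_out = set()
    for line in log_text.splitlines():
        m = STARTED.search(line)
        if m:
            hosts[m["id"]] = m["host"]
            continue
        m = SHUTDOWN.search(line)
        if m:
            shut_down.add(m["id"])
            continue
        m = NO_HEARTBEAT.search(line)
        if m:
            timed_out.add(m["id"])
    return {aid: hosts.get(aid, "unknown") for aid in timed_out - shut_down}


if __name__ == "__main__":
    for agent_id, host in sorted(find_unclean_shutdowns(SAMPLE_LOG).items()):
        print(f"agent {agent_id} on {host} was timed out without a shutdown event")
```

Running this over the logs of several runs shows whether the behavior is confined to hadoop-2 or affects other machines as the note suspects.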

Configuration

{
  "metadata": {
    "encrypted": false
  },
  "configuration": {
    "keep_tunnel_open_time": 20,
    "credential_collectors": [
      {
        "name": "MimikatzCollector",
        "options": {}
      },
      {
        "name": "SSHCollector",
        "options": {}
      }
    ],
    "payloads": [
      {
        "name": "ransomware",
        "options": {
          "encryption": {
            "enabled": true,
            "file_extension": ".m0nk3y",
            "directories": {
              "linux_target_dir": "",
              "windows_target_dir": ""
            }
          },
          "other_behaviors": {
            "readme": true
          }
        }
      }
    ],
    "propagation": {
      "maximum_depth": 3,
      "network_scan": {
        "tcp": {
          "timeout": 0.8,
          "ports": [
            22,
            80,
            135,
            443,
            445,
            2222,
            3306,
            3389,
            5985,
            5986,
            7001,
            8008,
            8080,
            8088,
            8983,
            9600
          ]
        },
        "icmp": {
          "timeout": 1
        },
        "fingerprinters": [
          {
            "name": "http",
            "options": {}
          },
          {
            "name": "ssh",
            "options": {}
          }
        ],
        "targets": {
          "blocked_ips": [],
          "inaccessible_subnets": [],
          "scan_my_networks": false,
          "subnets": [
            "10.2.2.9",
            "10.2.1.10",
            "10.2.0.10",
            "10.2.0.11",
            "10.2.0.12",
            "10.2.3.14",
            "10.2.4.15",
            "10.2.5.16",
            "10.2.2.0-10.2.2.32",
            "10.2.3.30-10.2.3.56"
          ]
        }
      },
      "exploitation": {
        "options": {
          "http_ports": [
            80,
            443,
            7001,
            8008,
            8080,
            8983,
            9600
          ]
        },
        "brute_force": [
          {
            "name": "SSHExploiter",
            "options": {}
          },
          {
            "name": "WmiExploiter",
            "options": {
              "smb_download_timeout": 30
            }
          }
        ],
        "vulnerability": [
          {
            "name": "Log4ShellExploiter",
            "options": {}
          },
          {
            "name": "HadoopExploiter",
            "options": {}
          }
        ]
      },
      "general": {
        "maximum_depth": 3
      }
    },
    "advanced": {
      "keep_tunnel_open_time": 20
    }
  },
  "credentials": {
    "exploit_user_list": [
      "m0nk3y"
    ],
    "exploit_password_list": [
      "3Q=(Ge(+&w]*",
      "`))jU7L(w}",
      "t67TC5ZDmz",
      "u26gbVQe",
      "5BuYHeVl"
    ],
    "exploit_lm_hash_list": [],
    "exploit_ntlm_hash_list": [
      "d0f0132b308a0c4e5d1029cc06f48692",
      "5da0889ea2081aa79f6852294cba4a5e",
      "50c9987a6bf1ac59398df9f911122c9b"
    ],
    "exploit_ssh_keys": []
  }
}

Tasks remaining

  • Manually run an agent and send SIGTERM. Verify that the agent shuts itself down cleanly
  • Run the test and confirm that hadoop is issuing the SIGTERM
    • Set hadoop log level to debug/trace/etc.
    • Pull the hadoop logs and find evidence of SIGTERM and/or SIGKILL

Labels

Bug (an error, flaw, misbehavior or failure in the Monkey or Monkey Island), Complexity: Medium, Impact: Medium
