Conversation

VakarisZ
Contributor

What does this PR do?

Fixes part of #1695

Add any further explanations here.

PR Checklist

  • Have you added an explanation of what your changes do and why you'd like to include them?
  • Is the TravisCI build passing?
  • Was the CHANGELOG.md updated to reflect the changes?
  • Was the documentation framework updated to reflect the changes?

Testing Checklist

  • Added relevant unit tests?
  • Have you successfully tested your changes locally? Elaborate:

    Tested by {Running the Monkey locally with relevant config/running Island/...}

  • If applicable, add screenshots or log transcripts of the feature working

Explain Changes

Are the commit messages enough? If not, elaborate.

@VakarisZ VakarisZ requested a review from mssalvatore February 22, 2022 13:44
from enum import Enum


class CredentialsType(Enum):
Collaborator


I'm not sure about the change from singular to plural here. In my understanding, credentials (plural) are made up of components, i.e. identities and secrets. A single identity or a single secret would be singular, not plural. Example: "What type of credential is this? It's a password."

We could consider changing this to CredentialComponentType to avoid ambiguity.

@@ -17,6 +17,9 @@ def __init__(self, credentials: Iterable[Credentials]):
"""
self._credentials = credentials

def send(self, log_data=True):
Collaborator


Suggested change
def send(self, log_data=True):
def send(self, _=None):

Contributor Author


Complains, because the method signature contains a parameter named log_data, not named _

Contributor Author


Either way, we're implementing an interface method; we shouldn't change the interface even if we could.

Comment on lines +28 to +34
if is_ssh_keypair(credential):
SECRET_PROCESSORS[CredentialsType.SSH_KEYPAIR.value](credential, credentials["monkey_guid"])
else:
for identity in credential["identities"]:
IDENTITY_PROCESSORS[identity["credential_type"]](identity)
for secret in credential["secrets"]:
SECRET_PROCESSORS[secret["credential_type"]](secret)
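Review bot: the dispatch on lines +32 and +34 has no guard for an unrecognised `credential_type`, so a telemetry record whose type is missing from `IDENTITY_PROCESSORS` or `SECRET_PROCESSORS` raises a bare `KeyError` from inside the loop and aborts processing of every remaining credential; look the processor up first (`processors.get(...)`) and log or skip the unknown entry explicitly. Note also that the `is_ssh_keypair` branch never iterates `credential["identities"]`, so unless the SSH keypair processor consumes the identities itself, they are dropped along with any non-keypair secrets.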
Collaborator


Credentials can contain multiple secrets. This logic assumes that if the Credentials contain an ssh keypair, they do not contain any other type of secrets, which would lead to those secrets never being processed.
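Added example (not the project's code) illustrating the point above: a constructed Credentials record carrying both an SSH keypair and a password is run through the PR's branching and through a per-component dispatch, and only the second processes everything. `SAMPLE_TELEM`, the `_record` processors, `_dispatch` and this `is_ssh_keypair` are stand-ins assumed for the demonstration.

```python
from typing import Any, List, Mapping

# Constructed sample telemetry (not from the project): one Credentials record
# whose secrets list holds both an SSH keypair and a password.
SAMPLE_TELEM = {"monkey_guid": "constructed-guid", "credentials": [{
    "identities": [{"credential_type": "USERNAME", "username": "alice"}],
    "secrets": [{"credential_type": "SSH_KEYPAIR", "private_key": "(constructed)"},
                {"credential_type": "PASSWORD", "password": "constructed-password"}],
}]}

# Stand-in processors (constructed) that only log what they handled; the real ones would encrypt/store.
def _record(kind):
    return lambda component, log: log.append(f"{kind}:{component['credential_type']}")

IDENTITY_PROCESSORS = {"USERNAME": _record("identity")}
SECRET_PROCESSORS = {"PASSWORD": _record("secret"), "SSH_KEYPAIR": _record("secret")}

def is_ssh_keypair(credential: Mapping[str, Any]) -> bool:
    # Stand-in for the project's helper: true if any secret is an SSH keypair.
    return any(s["credential_type"] == "SSH_KEYPAIR" for s in credential["secrets"])

def process_as_in_pr(telem: Mapping[str, Any]) -> List[str]:
    """Same branching as the PR: an SSH keypair short-circuits every other component."""
    log: List[str] = []
    for credential in telem["credentials"]:
        if is_ssh_keypair(credential):
            log.append("secret:SSH_KEYPAIR")  # whole-credential SSH processor, as in the PR
        else:
            for identity in credential["identities"]:
                IDENTITY_PROCESSORS[identity["credential_type"]](identity, log)
            for secret in credential["secrets"]:
                SECRET_PROCESSORS[secret["credential_type"]](secret, log)
    return log

def _dispatch(processors: Mapping[str, Any], component: Mapping[str, Any], log: List[str]) -> None:
    """Look the processor up first so an unknown type is a clear error, not a stray KeyError."""
    processor = processors.get(component["credential_type"])
    if processor is None:
        raise ValueError(f"no processor for credential type {component['credential_type']!r}")
    processor(component, log)

def process_every_component(telem: Mapping[str, Any]) -> List[str]:
    """Dispatch each identity and each secret on its own type so nothing is skipped."""
    log: List[str] = []
    for credential in telem["credentials"]:
        for identity in credential["identities"]:
            _dispatch(IDENTITY_PROCESSORS, identity, log)
        for secret in credential["secrets"]:
            _dispatch(SECRET_PROCESSORS, secret, log)
    return log
```

With the sample record, the PR's branching logs only the keypair, while the per-component dispatch also reaches the username identity and the password secret.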

)


def encrypt_system_info_ssh_keys(ssh_key: dict):
Collaborator


I'd recommend making this a pure function and returning a tuple instead of modifying the dict. It could help avoid bugs down the road.

Contributor Author


Yes, I'm still working on it; this code is not even tested. I'm removing it from this PR and will implement it in another.

}


def parse_credentials(credentials: dict):
Collaborator


A general comment for all new code: Prefer Mapping to dict or Dict.

parse_credentials,
)

MIMIKATZ_TELEM_TEMPLATE = {
Collaborator


Can we remove the references to mimikatz? Does anything related to this processing care whether or not credentials were collected by mimikatz or some other mechanism?

@VakarisZ VakarisZ closed this Feb 22, 2022
@VakarisZ VakarisZ deleted the 1695-parsing-credential-telemetry branch February 22, 2022 14:05
@VakarisZ VakarisZ restored the 1695-parsing-credential-telemetry branch February 22, 2022 14:06
@VakarisZ VakarisZ deleted the 1695-parsing-credential-telemetry branch March 14, 2022 07:59