Config encrypt

CHANGELOG.md

@@ -48,3 +48,4 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Security
 - Address minor issues discovered by Dlint. #1075
 - Generate random passwords when creating a new user (create user PBA, ms08_67 exploit). #1174
+- Implemented configuration encryption/decryption. #1189, #1204

monkey/common/utils/exceptions.py

@@ -52,3 +52,7 @@ class FindingWithoutDetailsError(Exception):
 
 class DomainControllerNameFetchError(FailedExploitationError):
     """ Raise on failed attempt to extract domain controller's name """
+
+
+class InvalidConfigurationError(Exception):
+    """ Raise when configuration is invalid """

monkey/monkey_island/Pipfile

@@ -30,6 +30,7 @@ Flask = ">=1.1"
 Werkzeug = ">=1.0.1"
 ScoutSuite = {git = "https://github.com/guardicode/ScoutSuite"}
 PyJWT = "==1.7"
+pyaescrypt = "*"
 
 [dev-packages]
 virtualenv = ">=20.0.26"

monkey/monkey_island/cc/app.py

@@ -20,6 +20,8 @@
 )
 from monkey_island.cc.resources.bootloader import Bootloader
 from monkey_island.cc.resources.client_run import ClientRun
+from monkey_island.cc.resources.configuration_export import ConfigurationExport
+from monkey_island.cc.resources.configuration_import import ConfigurationImport
 from monkey_island.cc.resources.edge import Edge
 from monkey_island.cc.resources.environment import Environment
 from monkey_island.cc.resources.island_configuration import IslandConfiguration
@@ -131,6 +133,8 @@ def init_api_resources(api):
     )
     api.add_resource(MonkeyConfiguration, "/api/configuration", "/api/configuration/")
     api.add_resource(IslandConfiguration, "/api/configuration/island", "/api/configuration/island/")
+    api.add_resource(ConfigurationExport, "/api/configuration/export")
+    api.add_resource(ConfigurationImport, "/api/configuration/import")
     api.add_resource(
         MonkeyDownload,
         "/api/monkey/download",

monkey/monkey_island/cc/resources/configuration_export.py

@@ -0,0 +1,25 @@
+import json
+
+import flask_restful
+from flask import request
+
+from monkey_island.cc.resources.auth.auth import jwt_required
+from monkey_island.cc.services.config import ConfigService
+from monkey_island.cc.services.utils.encryption import encrypt_string
+
+
+class ConfigurationExport(flask_restful.Resource):
+    @jwt_required
+    def post(self):
+        data = json.loads(request.data)
+        should_encrypt = data["should_encrypt"]
+
+        plaintext_config = ConfigService.get_config()
+
+        config_export = plaintext_config
+        if should_encrypt:
+            password = data["password"]
+            plaintext_config = json.dumps(plaintext_config)
+            config_export = encrypt_string(plaintext_config, password)
+
+        return {"config_export": config_export, "encrypted": should_encrypt}

monkey/monkey_island/cc/resources/configuration_import.py

@@ -0,0 +1,98 @@
+import json
+import logging
+from dataclasses import dataclass
+from json.decoder import JSONDecodeError
+
+import flask_restful
+from flask import request
+
+from common.utils.exceptions import InvalidConfigurationError
+from monkey_island.cc.resources.auth.auth import jwt_required
+from monkey_island.cc.services.config import ConfigService
+from monkey_island.cc.services.utils.encryption import (
+    InvalidCiphertextError,
+    InvalidCredentialsError,
+    decrypt_ciphertext,
+    is_encrypted,
+)
+
+logger = logging.getLogger(__name__)
+
+
+class ImportStatuses:
+    UNSAFE_OPTION_VERIFICATION_REQUIRED = "unsafe_options_verification_required"
+    INVALID_CONFIGURATION = "invalid_configuration"
+    INVALID_CREDENTIALS = "invalid_credentials"
+    IMPORTED = "imported"
+
+
+@dataclass
+class ResponseContents:
+    import_status: str = ImportStatuses.IMPORTED
+    message: str = ""
+    status_code: int = 200
+    config: str = ""
+    config_schema: str = ""
+
+    def form_response(self):
+        return self.__dict__
+
+
+class ConfigurationImport(flask_restful.Resource):
+    SUCCESS = False
+
+    @jwt_required
+    def post(self):
+        request_contents = json.loads(request.data)
+        try:
+            config = ConfigurationImport._get_plaintext_config_from_request(request_contents)
+            if request_contents["unsafeOptionsVerified"]:
+                ConfigurationImport.import_config(config)
+                return ResponseContents().form_response()
+            else:
+                return ResponseContents(
+                    config=json.dumps(config),
+                    config_schema=ConfigService.get_config_schema(),
+                    import_status=ImportStatuses.UNSAFE_OPTION_VERIFICATION_REQUIRED,
+                ).form_response()
+        except InvalidCredentialsError:
+            return ResponseContents(
+                import_status=ImportStatuses.INVALID_CREDENTIALS,
+                message="Invalid credentials provided",
+            ).form_response()
+        except InvalidConfigurationError:
+            return ResponseContents(
+                import_status=ImportStatuses.INVALID_CONFIGURATION,
+                message="Invalid configuration supplied. "
+                "Maybe the format is outdated or the file has been corrupted.",
+            ).form_response()
+
+    @staticmethod
+    def _get_plaintext_config_from_request(request_contents: dict) -> dict:
+        try:
+            config = request_contents["config"]
+            if ConfigurationImport.is_config_encrypted(request_contents["config"]):
+                config = decrypt_ciphertext(config, request_contents["password"])
+            return json.loads(config)
+        except (JSONDecodeError, InvalidCiphertextError):
+            logger.exception(
+                "Exception encountered when trying to extract plaintext configuration."
+            )
+            raise InvalidConfigurationError
+
+    @staticmethod
+    def import_config(config_json):
+        if not ConfigService.update_config(config_json, should_encrypt=True):
+            raise InvalidConfigurationError
+
+    @staticmethod
+    def is_config_encrypted(config: str):
+        try:
+            if config.startswith("{"):
+                return False
+            elif is_encrypted(config):
+                return True
+            else:
+                raise InvalidConfigurationError
+        except Exception:
+            raise InvalidConfigurationError

monkey/monkey_island/cc/services/utils/encryption.py

@@ -0,0 +1,59 @@
+import base64
+import io
+import logging
+
+import pyAesCrypt
+
+BUFFER_SIZE = pyAesCrypt.crypto.bufferSizeDef
+
+logger = logging.getLogger(__name__)
+
+
+def encrypt_string(plaintext: str, password: str) -> str:
+    plaintext_stream = io.BytesIO(plaintext.encode())
+    ciphertext_stream = io.BytesIO()
+
+    pyAesCrypt.encryptStream(plaintext_stream, ciphertext_stream, password, BUFFER_SIZE)
+
+    ciphertext_b64 = base64.b64encode(ciphertext_stream.getvalue())
+    logger.info("String encrypted.")
+
+    return ciphertext_b64.decode()
+
+
+def decrypt_ciphertext(ciphertext: str, password: str) -> str:
+    ciphertext = base64.b64decode(ciphertext)
+    ciphertext_stream = io.BytesIO(ciphertext)
+    plaintext_stream = io.BytesIO()
+
+    ciphertext_stream_len = len(ciphertext_stream.getvalue())
+
+    try:
+        pyAesCrypt.decryptStream(
+            ciphertext_stream,
+            plaintext_stream,
+            password,
+            BUFFER_SIZE,
+            ciphertext_stream_len,
+        )
+    except ValueError as ex:
+        if str(ex).startswith("Wrong password"):
+            logger.info("Wrong password provided for decryption.")
+            raise InvalidCredentialsError
+        else:
+            logger.info("The corrupt ciphertext provided.")
+            raise InvalidCiphertextError
+    return plaintext_stream.getvalue().decode("utf-8")
+
+
+def is_encrypted(ciphertext: str) -> bool:
+    ciphertext = base64.b64decode(ciphertext)
+    return ciphertext.startswith(b"AES")
+
+
+class InvalidCredentialsError(Exception):
+    """ Raised when password for decryption is invalid """
+
+
+class InvalidCiphertextError(Exception):
+    """ Raised when ciphertext is corrupted """

monkey/monkey_island/cc/ui/src/components/configuration-components/ExportConfigModal.tsx

@@ -1,17 +1,17 @@
 import {Button, Modal, Form} from 'react-bootstrap';
 import React, {useState} from 'react';
 
+import FileSaver from 'file-saver';
 import AuthComponent from '../AuthComponent';
 import '../../styles/components/configuration-components/ExportConfigModal.scss';
 
 
 type Props = {
   show: boolean,
-  onClick: () => void
+  onHide: () => void
 }
 
 const ConfigExportModal = (props: Props) => {
-  // TODO implement the back end
   const configExportEndpoint = '/api/configuration/export';
 
   const [pass, setPass] = useState('');
@@ -33,11 +33,25 @@ const ConfigExportModal = (props: Props) => {
         })
       }
     )
+      .then(res => res.json())
+      .then(res => {
+        let configToExport = res['config_export'];
+        if (res['encrypted']) {
+          configToExport = new Blob([configToExport]);
+        } else {
+          configToExport = new Blob(
+            [JSON.stringify(configToExport, null, 2)],
+            {type: 'text/plain;charset=utf-8'}
+            );
+        }
+        FileSaver.saveAs(configToExport, 'monkey.conf');
+        props.onHide();
+      })
   }
 
   return (
     <Modal show={props.show}
-           onHide={props.onClick}
+           onHide={props.onHide}
            size={'lg'}
            className={'config-export-modal'}>
       <Modal.Header closeButton>
@@ -105,7 +119,7 @@ const ExportPlaintextChoiceField = (props: {
       />
       <p className={`export-warning text-secondary`}>
         Configuration may contain stolen credentials or sensitive data.<br/>
-        It is advised to use password encryption.
+        It is recommended that you use the <b>Encrypt with a password</b> option.
       </p>
     </div>
   )