Merge branch '4212-docs-credentials-collector-explanation' into develop

Issue #4212
PR #4240

docs/config/_default/config.toml

@@ -38,7 +38,7 @@ theme = "learn"
   # Order sections in menu by "weight" or "title". Default to "weight"
   ordersectionsby = "weight"
   # Provide a list of custom css files to load relative from the `static/` folder in the site root.
-  custom_css = ["css/labels.css", "css/shadow-around-images.css", "css/table-of-contents.css", "css/tooltip.css"]
+  custom_css = ["css/chapters.css", "css/labels.css", "css/shadow-around-images.css", "css/table-of-contents.css", "css/tooltip.css"]
 
 [outputs]
   home = ["HTML", "RSS", "JSON"]

docs/content/features/credentials_collectors/_index.md

@@ -0,0 +1,43 @@
+---
+title: "Credentials Collectors"
+chapter: true
+pre: "<i class='fas fa-key'></i> "
+---
+
+# Credentials Collectors
+
+Credentials Collectors attempt to steal credentials from systems that the
+Infection Monkey Agent has infected.
+
+## Mimicking attackers
+
+In real-world network attacks, malicious actors often attempt to extract
+credentials from compromised systems. Stolen credentials enable attackers to
+penetrate deeper into the environment in many ways, such as lateral movement,
+privilege escalation, data theft, and persistence. To mimic this behavior,
+Infection Monkey has multiple plugins, called "credentials collectors", that
+steal credentials from compromised hosts.
+
+## How credentials collectors work
+
+When an Infection Monkey Agent is started, it begins the reconnaissance phase
+of its attack. The first step in this phase is to use all enabled credentials
+collectors to steal credentials. Any stolen credentials are then sent to the
+Monkey Island, where they become immediately available for any Agent to use.
+
+After the reconnaissance phase, the Agent will begin the propagation phase and
+attempt to compromise other hosts on the network. Exploiters are Infection
+Monkey plugins that attempt to spread copies of the Agent throughout the
+network. Some exploiters can use the credentials stolen by credentials
+collectors to gain access to other systems on the network. First, the exploiter
+will query the Monkey Island to retrieve credentials that were configured by
+the user and any credentials that were stolen by credentials collectors. Next,
+the exploiters will use the stolen credentials to attempt to authenticate with
+a target system. If authentication is successful, the exploiter will execute
+the Agent on the target system, spreading the infection throughout the network.
+
+## Techniques
+To read more about the techniques Infection Monkey can use to steal
+credentials, click the links below:
+
+{{% children /%}}

docs/content/features/credentials_collectors/chrome.md

@@ -0,0 +1,19 @@
+---
+title: "Chrome Credentials Collector"
+draft: false
+description: "Collects credentials from Chrome-based browsers"
+tags: ["credentials collector", "chrome", "linux", "windows"]
+pre: "<i class='fa fa-chrome'></i> "
+---
+
+## Description
+
+By default, Chromium-based browsers store saved usernames and passwords in a
+recoverable format. Stealing browser credentials can enable access to sensitive
+personal and business accounts leading to data exfiltration, identity theft,
+financial loss, etc. Users often reuse credentials across accounts which can
+support lateral movement and persistence.
+
+The Chrome Credentials Collector steals saved credentials from Chromium-based
+browsers. On Linux, it targets Google Chrome and Chromium. On Windows, it
+targets Google Chrome and Microsoft Edge.

docs/content/features/credentials_collectors/mimikatz.md

@@ -0,0 +1,22 @@
+---
+title: "Mimikatz Credentials Collector"
+draft: false
+description: "Collects credentials from Windows Credential Manager"
+tags: ["credentials collector", "mimikatz", "windows"]
+pre: "<i class='fa fa-cat'></i> "
+---
+
+## Description
+
+[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool
+widely used by attackers to extract credentials, including plaintext passwords,
+hashes, PINs, and Kerberos tickets, from memory. The extracted credentials can
+then be used to escalate privileges or move laterally through a network.
+
+Infection Monkey's Mimikatz Credentials Collector uses
+[pypykatz](https://github.com/skelsec/pypykatz), a pure-Python implementation
+of [mimikatz](https://github.com/gentilkiwi/mimikatz).
+
+![Mimikatz
+Configuration](/images/island/configuration-page/mimikatz-credentials-collector-configuration.png
+"Mimikatz configuration")

docs/content/features/credentials_collectors/ssh.md

@@ -0,0 +1,36 @@
+---
+title: "SSH Credentials Collector"
+draft: false
+description: "Collects SSH keys from Linux users"
+tags: ["credentials collector", "ssh", "linux"]
+pre: "<i class='fa fa-terminal'></i> "
+---
+
+## Description
+
+SSH public/private key pairs are credentials that allow users to remotely
+access systems using the [Secure Shell Protocol
+(SSH)](https://en.wikipedia.org/wiki/Secure_Shell). Stealing them could enable
+an attacker to:
+
+- Gain access to sensitive systems
+- Steal data
+- Move laterally through the network
+- Escalate their privileges
+- Establish a persistent presence
+
+While SSH key pairs can be encrypted to mitigate this risk, many users skip this
+step and trade security for convenience. This leaves the SSH keys vulnerable to
+theft. Infection Monkey's SSH Credentials Collector seeks out and steals
+unprotected SSH key pairs. After compromising a Linux host, the SSH Credentials
+Collector will locate the `$HOME/.ssh` directory for each user and attempt to
+steal unencrypted SSH key pairs from it.
+
+The SSH Credentials Collector will attempt to steal any key pair matching all
+of the following criteria:
+
+- The key pair is stored in `$HOME/.ssh` for any user on the system.
+- The key pair is readable by the user running the Infection Monkey Agent.
+- The key pair is not encrypted.
+- The key pair is stored in one of the supported formats (RSA, DSA, EC, or
+  ECDSA).

docs/static/css/chapters.css

@@ -0,0 +1,4 @@
+#chapter h2 ~ p {
+    text-align: left;
+    font-size: 17px;
+}

monkey/agent_plugins/credentials_collectors/mimikatz/manifest.yaml

@@ -6,5 +6,5 @@ target_operating_systems:
   - windows
 title: Mimikatz Credentials Collector
 version: 2.0.0
-description: Collects credentials from Windows Credential Manager using Mimikatz.
+description: Collects credentials from memory on Windows hosts using Mimikatz.
 safe: true

monkey/tests/data_for_tests/agent_plugin/agent_plugin_repository_index.yml

@@ -2,7 +2,7 @@ compatible_infection_monkey_version: development
 plugins:
   Credentials_Collector:
     Mimikatz:
-    - description: Collects credentials from Windows Credential Manager using Mimikatz.
+    - description: Collects credentials from memory on Windows hosts using Mimikatz.
       name: Mimikatz
       resource_path: Mimikatz-credentials_collector-v1.0.2.tar
       safe: true

monkey/tests/unit_tests/monkey_island/cc/services/agent_plugin_service/test_agent_plugin_service.py

@@ -67,7 +67,7 @@
             "resource_path": "Mimikatz-credentials_collector-v1.0.2.tar",
             # SHA of PLUGIN_ARCHIVE
             "sha256": "315f5bdb76d078c43b8ac0064e4a0164612b1fce77c869345bfc94c75894edd3",
-            "description": "Collects credentials from Windows Credential Manager using Mimikatz.",
+            "description": "Collects credentials from memory on Windows hosts using Mimikatz.",
             "version": "1.0.2",
             "safe": True,
         }