Island: Strip credentials out of config before sending to agent

The credentials for credential reuse attacks will now be retrieved by
the agent via a new endpoint that returns only credentials in order to
reduce unnecessary network traffic (issue #1538).

Author: mssalvatore

monkey/monkey_island/cc/resources/monkey.py

@@ -31,7 +31,7 @@ def get(self, guid=None, config_format=None, **kw):
             if config_format == "legacy":
                 ConfigService.decrypt_flat_config(monkey_json["config"])
             else:
-                ConfigService.format_config_for_agent(monkey_json["config"])
+                ConfigService.format_flat_config_for_agent(monkey_json["config"])
 
             return monkey_json
 

monkey/monkey_island/cc/services/config.py

@@ -435,5 +435,18 @@ def get_config_propagation_credentials():
         }
 
     @staticmethod
-    def format_config_for_agent(config: Dict):
-        ConfigService.decrypt_flat_config(config)
+    def format_flat_config_for_agent(config: Dict):
+        ConfigService._remove_credentials_from_flat_config(config)
+
+    @staticmethod
+    def _remove_credentials_from_flat_config(config: Dict):
+        fields_to_remove = {
+            "exploit_lm_hash_list",
+            "exploit_ntlm_hash_list",
+            "exploit_password_list",
+            "exploit_ssh_keys",
+            "exploit_user_list",
+        }
+
+        for field in fields_to_remove:
+            config.pop(field, None)

monkey/tests/unit_tests/monkey_island/cc/services/test_config.py

@@ -6,10 +6,6 @@
 # monkey/monkey_island/cc/ui/src/components/pages/RunMonkeyPage/RunOptions.js
 
 
-class MockClass:
-    pass
-
-
 @pytest.fixture(scope="function", autouse=True)
 def mock_port(monkeypatch, PORT):
     monkeypatch.setattr("monkey_island.cc.services.config.ISLAND_PORT", PORT)
@@ -27,3 +23,13 @@ def test_set_server_ips_in_config_current_server(config, IPS, PORT):
     ConfigService.set_server_ips_in_config(config)
     expected_config_current_server = f"{IPS[0]}:{PORT}"
     assert config["internal"]["island_server"]["current_server"] == expected_config_current_server
+
+
+def test_format_config_for_agent__credentials_removed(flat_monkey_config):
+    ConfigService.format_flat_config_for_agent(flat_monkey_config)
+
+    assert "exploit_lm_hash_list" not in flat_monkey_config
+    assert "exploit_ntlm_hash_list" not in flat_monkey_config
+    assert "exploit_password_list" not in flat_monkey_config
+    assert "exploit_ssh_keys" not in flat_monkey_config
+    assert "exploit_user_list" not in flat_monkey_config