Download Latest Version Infection Monkey v2.3.0 source code.zip (19.6 MB)
Email in envelope

Get an email when there's a new version of Infection Monkey

Home / v2.1.0
Name Modified Size InfoDownloads / Week
Parent folder
Infection Monkey v2.1.0 source code.tar.gz 2023-04-19 17.5 MB
0
Infection Monkey v2.1.0 source code.zip 2023-04-19 18.7 MB
0
README.md 2023-04-19 2.6 kB
0
InfectionMonkey-docker-v2.1.0.tgz 2023-04-18 212.7 MB
0
InfectionMonkey-v2.1.0.exe 2023-04-18 184.3 MB
0
InfectionMonkey-v2.1.0.AppImage 2023-04-18 198.9 MB
0
monkey-linux-64 2023-04-18 28.7 MB
0
monkey-windows-64.exe 2023-04-18 27.6 MB
0
Totals: 8 Items   688.3 MB 0

Highlights

Infection Monkey version 2.1.0 introduces security, user experience, and tech stack enhancements.

Security

  • All API endpoints now require authentication and authorization.
  • Users can now log out.
  • Minor security weaknesses, such as a local DoS error and a potential XSS vulnerability, have been mitigated.

User Experience

  • Users are no longer logged out of the Web UI while working. They will be logged out automatically only when idle.
  • Brute force exploitation using stolen credentials is now faster.
  • The Docker image can now be installed simply with sudo docker pull infectionmonkey/monkey-island:latest.

Tech Stack

  • The Island and Agent have been upgraded from Python 3.7 to 3.11.2.
  • The MongoDB dependency has been upgraded from version 4.x to 6.x.

Changelog

Added

  • Logout button. [#3063]
  • An option to the Hadoop exploiter to try all discovered HTTP ports. [#2136]
  • GET /api/agent-otp. [#3076]
  • POST /api/agent-otp-login endpoint. [#3076]
  • A smarter brute-forcing strategy for SMB exploiter. [#3039]
  • POST /api/refresh-authentication-token endpoint that allows refreshing of the access token. [#3181]

Changed

  • Migrated the hard-coded SMB exploiter to a plugin. [#2952]
  • Python version from 3.7 to 3.11.2. [#2705]
  • MSI installer is now build with InnoSetup. [#1911]

Fixed

  • A UI deficiency where invalid configurations could be submitted to the backend. [#1301], [#2989]
  • Notification spam bug. [#2731]
  • Agent propagator crashes if exploiters malfunction. [#2992]
  • Configuration order not preserved in debugging output. [#2860]
  • A bug in the Hadoop exploiter that resulted in speculative execution of multiple agents. [#2758]
  • Formatting of the manual run command when copy/pasting from the web UI. [#3115]
  • A bug where plugins received an incorrect agent ID. [#3119]
  • Random logouts when the UI is being actively used. [#2049], [#3079], [#3137]

Security

  • Fixed plaintext private key in SSHKey pair list in UI. [#2950]
  • Upgraded MongoDB version from 4.x to 6.0.4. [#2706]
  • Replaced the SystemSingleton component, which could allow local users to execute a DoS attack against agents. [#2817]
  • Replaced our bespoke authentication solution with flask-security-too. [#2049], [#2157], [#3078], [#3138]
  • Enforced access control around sensitive API endpoints. [#2049], [#2157]
  • Upgraded 3rd-party dependencies. [#2705], [#2970], [#2865], [#3125]
  • Fixed a potential XSS issue in exploiter plugins. [#3081]
Source: README.md, updated 2023-04-19