Infection Monkey – Data Center Security Testing Framework
The Infection Monkey is an open source security tool for testing a data center’s resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self-propagate across a data center and reports success to a centralized Monkey Island server.

The framework is comprised of two parts:
- Monkey – A tool which infects other machines and propagates to them
- Monkey Island – A dedicated server to control and visualize the progress inside the data center
The framework uses the following techniques and exploits to propagate to other machines.
- Multiple propagation techniques:
  - Predefined passwords
  - Common logical exploits
  - Password stealing using Mimikatz
- Multiple exploit methods:
  - SSH
  - SMB
  - RDP
  - WMI
  - Shellshock
  - Conficker
  - SambaCry
  - Elastic Search (CVE-2015-1427)
Currently there are two scanners, PingScanner and TcpScanner, both inheriting from HostScanner. TcpScanner is the default scanner and it checks for open ports based on the tcp_target_ports configuration setting. PingScanner sends a ping message using the host OS utility ping.
Implemented Fingerprint modules are:
- SMBFinger – Fingerprints target machines over SMB. Extracts computer name and OS version.
- SSHFinger – Fingerprints target machines over SSH (port 22). Extracts the computer version and SSH banner.
- PingScanner – Fingerprints using the machine's TTL, to differentiate between Linux and Windows hosts.
- HTTPFinger – Fingerprints over HTTP/HTTPS, using the ports listed in HTTP_PORTS in the configuration. Returns the server type and whether it supports SSL.
- MySQLFinger – Fingerprints over MySQL (port 3306). Extracts MySQL banner info – Version, Major/Minor/Build and capabilities.
- ElasticFinger – Fingerprints over ElasticSearch (port 9200). Extracts the cluster name, node name and node version.
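
To show how much a host discloses through the TTL and SSH banner signals listed above, here is an added example (not Infection Monkey's own code) that parses both offline. The function names and sample lines are constructed, and the TTL rule assumes the common default initial TTLs of 64 for Linux and 128 for Windows.

```python
import re

# Constructed sample inputs (not captured from a real network).
PING_LINUX = "64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=0.41 ms"
PING_WINDOWS = "Reply from 10.0.0.9: bytes=32 time<1ms TTL=128"
PING_ROUTED = "64 bytes from 10.1.4.7: icmp_seq=1 ttl=61 time=2.10 ms"
SSH_BANNER = b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n"

TTL_RE = re.compile(r"ttl=(\d+)", re.IGNORECASE)
# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")


def os_from_ping(line):
    """Guess the OS family from the TTL in one line of ping output.

    Assumption: initial TTL is 64 on Linux and 128 on Windows. Every router
    hop decrements it, so the observed value is compared against the nearest
    default at or above it. Returns None when the line carries no TTL.
    """
    match = TTL_RE.search(line)
    if match is None:
        return None
    ttl = int(match.group(1))
    if ttl <= 64:
        return "linux"
    if ttl <= 128:
        return "windows"
    return "unknown"  # e.g. 255, often network gear rather than a server OS


def parse_ssh_banner(raw):
    """Split an SSH identification string into its fields, or return None."""
    text = raw.decode("ascii", errors="replace").rstrip("\r\n")
    match = BANNER_RE.match(text)
    if match is None:
        return None
    proto, software, comments = match.groups()
    return {"protocol": proto, "software": software, "comments": comments or ""}


if __name__ == "__main__":
    for sample in (PING_LINUX, PING_WINDOWS, PING_ROUTED):
        print(os_from_ping(sample), "<-", sample)
    print(parse_ssh_banner(SSH_BANNER))
```

The comments field of the banner is optional in the protocol, so trimming it in the SSH server configuration removes the distribution and patch-level detail without affecting clients.
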
You can read more and download this framework over here: https://github.com/guardicore/monkey