From 844d244d672943da3db1595cc1b90dddbcc2ae24 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Fri, 17 Sep 2021 11:43:06 -0400
Subject: [PATCH] Agent: Use NTLM specifically for PowerShell if using pass-the-hash
---
 .../exploit/powershell_utils/auth_options.py | 11 +++++++++--
 .../exploit/powershell_utils/test_auth_options.py | 15 +++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/monkey/infection_monkey/exploit/powershell_utils/auth_options.py b/monkey/infection_monkey/exploit/powershell_utils/auth_options.py
index 925a34169..1f53c1df5 100644
--- a/monkey/infection_monkey/exploit/powershell_utils/auth_options.py
+++ b/monkey/infection_monkey/exploit/powershell_utils/auth_options.py
@@ -1,9 +1,10 @@
 from dataclasses import dataclass
-from infection_monkey.exploit.powershell_utils.credentials import Credentials
+from infection_monkey.exploit.powershell_utils.credentials import Credentials, SecretType
 AUTH_BASIC = "basic"
 AUTH_NEGOTIATE = "negotiate"
+AUTH_NTLM = "ntlm"
 ENCRYPTION_AUTO = "auto"
 ENCRYPTION_NEVER = "never"
@@ -29,7 +30,13 @@ def _get_ssl(credentials: Credentials, use_ssl):
 def _get_auth_type(credentials: Credentials):
- return AUTH_BASIC if credentials.secret == "" else AUTH_NEGOTIATE
+ if credentials.secret == "":
+ return AUTH_BASIC
+
+ if credentials.secret_type in {SecretType.LM_HASH, SecretType.NT_HASH}:
+ return AUTH_NTLM
+
+ return AUTH_NEGOTIATE
 def _get_encryption(credentials: Credentials):
diff --git a/monkey/tests/unit_tests/infection_monkey/exploit/powershell_utils/test_auth_options.py b/monkey/tests/unit_tests/infection_monkey/exploit/powershell_utils/test_auth_options.py
index 0aa770ea6..ce5449051 100644
--- a/monkey/tests/unit_tests/infection_monkey/exploit/powershell_utils/test_auth_options.py
+++ b/monkey/tests/unit_tests/infection_monkey/exploit/powershell_utils/test_auth_options.py
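Review bot: `_get_auth_type` now has three outcomes but nothing documents their precedence: the empty-secret check runs first, so a credential typed `LM_HASH` or `NT_HASH` with an empty secret still gets `AUTH_BASIC`. If that order is intended, record it in a docstring, along with why hashes are pinned to NTLM instead of being left to negotiate, for example `# LM/NT hashes can only be used with NTLM, so do not let the client negotiate another mechanism` (the reason is inferred from the commit title; confirm before committing it). The signature could also declare its return type, `def _get_auth_type(credentials: Credentials) -> str:`. The whole function body is inside this hunk.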
@@ -2,6 +2,7 @@
 from infection_monkey.exploit.powershell_utils.auth_options import (
 AUTH_BASIC,
 AUTH_NEGOTIATE,
+ AUTH_NTLM,
 ENCRYPTION_AUTO,
 ENCRYPTION_NEVER,
 get_auth_options,
@@ -11,6 +12,8 @@ from infection_monkey.exploit.powershell_utils.credentials import Credentials, S
 CREDENTIALS_WITH_PASSWORD = Credentials("user1", "password1", SecretType.PASSWORD)
 CREDENTIALS_EMPTY_PASSWORD = Credentials("user2", "", SecretType.PASSWORD)
 CREDENTIALS_NONE_PASSWORD = Credentials("user3", None, SecretType.CACHED)
+CREDENTIALS_LM_HASH = Credentials("user4", "LM_HASH:NONE", SecretType.LM_HASH)
+CREDENTIALS_NT_HASH = Credentials("user5", "NONE:NT_HASH", SecretType.NT_HASH)
 def test_get_auth_options__ssl_true_with_password():
@@ -67,6 +70,18 @@ def test_get_auth_options__auth_type_none_password():
 assert auth_options.auth_type == AUTH_NEGOTIATE
+def test_get_auth_options__auth_type_with_LM_hash():
+ auth_options = get_auth_options(CREDENTIALS_LM_HASH, use_ssl=False)
+
+ assert auth_options.auth_type == AUTH_NTLM
+
+
+def test_get_auth_options__auth_type_with_NT_hash():
+ auth_options = get_auth_options(CREDENTIALS_NT_HASH, use_ssl=False)
+
+ assert auth_options.auth_type == AUTH_NTLM
+
+
 def test_get_auth_options__encryption_with_password():
 auth_options = get_auth_options(CREDENTIALS_WITH_PASSWORD, use_ssl=False)
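Review bot: The two new tests in the last hunk assert only `auth_type`, and only for `use_ssl=False`, so nothing pins the SSL and encryption options that `get_auth_options` returns for hash credentials. Since NTLM over plain HTTP relies on that encryption setting to protect the session, a companion test beside `test_get_auth_options__encryption_with_password` would catch a regression there. The expected value depends on `_get_encryption`, whose body is not in this patch. The two tests also differ only in the constant and could be a single test under `@pytest.mark.parametrize("credentials", [CREDENTIALS_LM_HASH, CREDENTIALS_NT_HASH])`.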