Merge pull request #1174 from guardicore/create-user-with-random-pwd

Create new user with a random password
2021-05-18 10:06:19 +03:00 · 2021-05-18 10:06:19 +03:00 · 085a1334fa
parent ce6b658a15 58b04ecb91
commit 085a1334fa
9 changed files with 39 additions and 16 deletions
--- a/.swm/tbxb2cGgUiJQ8Btma0fp.swm
+++ b/.swm/tbxb2cGgUiJQ8Btma0fp.swm
@ -38,18 +38,21 @@
                "*from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER",
                "*from infection_monkey.config import WormConfiguration",
                "*from infection_monkey.post_breach.pba import PBA",
+                "*from infection_monkey.utils.random_password_generator import get_random_password",
                "*from infection_monkey.utils.users import get_commands_to_add_user",
                "*",
                "*",
                "*class BackdoorUser(PBA):",
                "*    def __init__(self):",
+                "*        random_password = get_random_password()",
+                "*",
                "*        linux_cmds, windows_cmds = get_commands_to_add_user(",
-                "*            WormConfiguration.user_to_add, WormConfiguration.remote_user_pass",
+                "*            WormConfiguration.user_to_add, random_password",
                "*        )",
+                "*",
                "*        super(BackdoorUser, self).__init__(",
                "*            POST_BREACH_BACKDOOR_USER, linux_cmd=\" \".join(linux_cmds), windows_cmd=windows_cmds",
-                "*        )",
-                "*"
+                "*        )"
            ]
        },
        {
@ -108,10 +111,10 @@
    "symbols": {},
    "file_version": "2.0.1",
    "meta": {
-        "app_version": "0.4.1-1",
+        "app_version": "0.4.4-0",
        "file_blobs": {
            "monkey/common/common_consts/post_breach_consts.py": "25e6679cb1623aae1a732deb05cc011a452743e3",
-            "monkey/infection_monkey/post_breach/actions/add_user.py": "cae5a2428fa01b333a2e70365c9da1e189e31bc4",
+            "monkey/infection_monkey/post_breach/actions/add_user.py": "26b048a492fcb6d319fc0c01d2f4a0bd302ecbc8",
            "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py": "dfc5945a362b88c1135f4476526c6c82977b02ee",
            "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "086dc85693ae02ddfa106099245c0f155139805c"
        }
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -41,3 +41,4 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

 ### Security
 - Address minor issues discovered by Dlint. #1075
+- Generate random passwords when creating a new user (create user PBA, ms08_67 exploit). #1174
--- a/monkey/infection_monkey/config.py
+++ b/monkey/infection_monkey/config.py
@ -192,7 +192,6 @@ class Configuration(object):

    ms08_067_exploit_attempts = 5
    user_to_add = "Monkey_IUSER_SUPPORT"
-    remote_user_pass = "Password1!"

    # User and password dictionaries for exploits.

--- a/monkey/infection_monkey/example.conf
+++ b/monkey/infection_monkey/example.conf
@ -61,7 +61,6 @@
  "send_log_to_server": true,
  "ms08_067_exploit_attempts": 5,
  "user_to_add": "Monkey_IUSER_SUPPORT",
-  "remote_user_pass": "Password1!",
  "ping_scan_timeout": 10000,
  "smb_download_timeout": 300,
  "smb_service_name": "InfectionMonkey",
--- a/monkey/infection_monkey/exploit/win_ms08_067.py
+++ b/monkey/infection_monkey/exploit/win_ms08_067.py
@ -25,6 +25,7 @@ from infection_monkey.exploit.tools.smb_tools import SmbTools
 from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
 from infection_monkey.network.smbfinger import SMBFinger
 from infection_monkey.network.tools import check_tcp_port
+from infection_monkey.utils.random_password_generator import get_random_password

 LOG = getLogger(__name__)

@ -230,6 +231,7 @@ class Ms08_067_Exploiter(HostExploiter):
        )

        exploited = False
+        random_password = get_random_password()
        for _ in range(self._config.ms08_067_exploit_attempts):
            exploit = SRVSVC_Exploit(target_addr=self.host.ip_addr, os_version=os_version)

@ -240,7 +242,7 @@ class Ms08_067_Exploiter(HostExploiter):
                    "cmd /c (net user {} {} /add) &&"
                    " (net localgroup administrators {} /add)\r\n".format(
                        self._config.user_to_add,
-                        self._config.remote_user_pass,
+                        random_password,
                        self._config.user_to_add,
                    ).encode()
                )
@ -264,7 +266,7 @@ class Ms08_067_Exploiter(HostExploiter):
            src_path,
            self._config.dropper_target_path_win_32,
            self._config.user_to_add,
-            self._config.remote_user_pass,
+            random_password,
        )

        if not remote_full_path:
--- a/monkey/infection_monkey/post_breach/actions/add_user.py
+++ b/monkey/infection_monkey/post_breach/actions/add_user.py
@ -1,14 +1,18 @@
 from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER
 from infection_monkey.config import WormConfiguration
 from infection_monkey.post_breach.pba import PBA
+from infection_monkey.utils.random_password_generator import get_random_password
 from infection_monkey.utils.users import get_commands_to_add_user


 class BackdoorUser(PBA):
    def __init__(self):
+        random_password = get_random_password()
+
        linux_cmds, windows_cmds = get_commands_to_add_user(
-            WormConfiguration.user_to_add, WormConfiguration.remote_user_pass
+            WormConfiguration.user_to_add, random_password
        )
+
        super(BackdoorUser, self).__init__(
            POST_BREACH_BACKDOOR_USER, linux_cmd=" ".join(linux_cmds), windows_cmd=windows_cmds
        )
--- a/monkey/infection_monkey/utils/random_password_generator.py
+++ b/monkey/infection_monkey/utils/random_password_generator.py
@ -0,0 +1,8 @@
+import secrets
+
+SECRET_BYTE_LENGTH = 32
+
+
+def get_random_password(length: int = SECRET_BYTE_LENGTH) -> str:
+    password = secrets.token_urlsafe(length)
+    return password
--- a/monkey/monkey_island/cc/services/config_schema/internal.py
+++ b/monkey/monkey_island/cc/services/config_schema/internal.py
@ -397,12 +397,6 @@ INTERNAL = {
                            "default": "Monkey_IUSER_SUPPORT",
                            "description": "Username to add on successful exploit",
                        },
-                        "remote_user_pass": {
-                            "title": "Remote user password",
-                            "type": "string",
-                            "default": "Password1!",
-                            "description": "Password to use for created user",
-                        },
                    },
                },
                "sambacry": {
--- a/monkey/tests/infection_monkey/utils/test_random_password_generator.py
+++ b/monkey/tests/infection_monkey/utils/test_random_password_generator.py
@ -0,0 +1,13 @@
+from infection_monkey.utils.random_password_generator import get_random_password
+
+
+def test_get_random_password__length():
+    password_byte_length = len(get_random_password().encode())
+    # 32 is the recommended secure byte length for secrets
+    assert password_byte_length >= 32
+
+
+def test_get_random_password__randomness():
+    random_password1 = get_random_password()
+    random_password2 = get_random_password()
+    assert not random_password1 == random_password2