Merge pull request #2322 from guardicore/2181-credential-reuse-ete

2181 credential reuse ete
This commit is contained in:
ilija-lazoroski 2022-09-21 13:58:12 +02:00 committed by GitHub
commit 18ceb6c279
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 280 additions and 7 deletions


@ -19,6 +19,9 @@ GCP_TEST_MACHINE_LIST = {
"powershell-3-46", "powershell-3-46",
"powershell-3-47", "powershell-3-47",
"powershell-3-48", "powershell-3-48",
"credentials-reuse-14",
"credentials-reuse-15",
"credentials-reuse-16",
"log4j-logstash-55", "log4j-logstash-55",
"log4j-logstash-56", "log4j-logstash-56",
"log4j-solr-49", "log4j-solr-49",
@ -85,6 +88,14 @@ ZEROLOGON = {
], ],
} }
CREDENTIALS_REUSE_SSH_KEY = {
"europe-west1-b": [
"credentials-reuse-14",
"credentials-reuse-15",
"credentials-reuse-16",
],
}
WMI_AND_MIMIKATZ = { WMI_AND_MIMIKATZ = {
"europe-west3-a": [ "europe-west3-a": [
"mimikatz-14", "mimikatz-14",
@ -101,6 +112,7 @@ GCP_SINGLE_TEST_LIST = {
"test_depth_4_a": DEPTH_4_A, "test_depth_4_a": DEPTH_4_A,
"test_powershell_exploiter_credentials_reuse": POWERSHELL_EXPLOITER_REUSE, "test_powershell_exploiter_credentials_reuse": POWERSHELL_EXPLOITER_REUSE,
"test_zerologon_exploiter": ZEROLOGON, "test_zerologon_exploiter": ZEROLOGON,
"test_credentials_reuse_ssh_key": CREDENTIALS_REUSE_SSH_KEY,
"test_wmi_and_mimikatz_exploiters": WMI_AND_MIMIKATZ, "test_wmi_and_mimikatz_exploiters": WMI_AND_MIMIKATZ,
"test_smb_pth": SMB_PTH, "test_smb_pth": SMB_PTH,
} }
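Review bot: `CREDENTIALS_REUSE_SSH_KEY` places the three new machines in zone `europe-west1-b`, while the neighbouring `WMI_AND_MIMIKATZ` entry uses `europe-west3-a`, and the Terraform hunks in this commit do not show which zone the `credentials-reuse-*` instances are created in. Please confirm the zone matches the deployed instances; if it does not, the single-test runner will not find the machines to start or stop. If the zone is correct, a short comment on the dict (`# credentials-reuse-* instances are deployed in europe-west1-b, unlike most of the zoo`) would save the next reader the same check.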


@ -10,6 +10,7 @@ from envs.monkey_zoo.blackbox.island_client.monkey_island_client import MonkeyIs
from envs.monkey_zoo.blackbox.island_client.test_configuration_parser import get_target_ips from envs.monkey_zoo.blackbox.island_client.test_configuration_parser import get_target_ips
from envs.monkey_zoo.blackbox.log_handlers.test_logs_handler import TestLogsHandler from envs.monkey_zoo.blackbox.log_handlers.test_logs_handler import TestLogsHandler
from envs.monkey_zoo.blackbox.test_configurations import ( from envs.monkey_zoo.blackbox.test_configurations import (
credentials_reuse_ssh_key_test_configuration,
depth_1_a_test_configuration, depth_1_a_test_configuration,
depth_2_a_test_configuration, depth_2_a_test_configuration,
depth_3_a_test_configuration, depth_3_a_test_configuration,
@ -163,6 +164,11 @@ class TestMonkeyBlackbox:
log_handler=log_handler, log_handler=log_handler,
).run() ).run()
def test_credentials_reuse_ssh_key(self, island_client):
TestMonkeyBlackbox.run_exploitation_test(
island_client, credentials_reuse_ssh_key_test_configuration, "Credentials_Reuse_SSH_Key"
)
# Not grouped because conflicts with SMB. # Not grouped because conflicts with SMB.
# Consider grouping when more depth 1 exploiters collide with group depth_1_a # Consider grouping when more depth 1 exploiters collide with group depth_1_a
def test_wmi_and_mimikatz_exploiters(self, island_client): def test_wmi_and_mimikatz_exploiters(self, island_client):
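Review bot: The added `test_credentials_reuse_ssh_key` has no docstring, and the chain it exercises is described only in a comment inside the configuration module, so a failing run cannot be read from this file alone. Something like `"""SSHCollector takes a key on credentials-reuse-14; 15 then uses it to exploit 16 (see credentials_reuse_ssh_key config)."""` as the method's first line would be enough. The enclosing class `TestMonkeyBlackbox` starts outside the hunk.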


@ -7,3 +7,4 @@ from .powershell_credentials_reuse import powershell_credentials_reuse_test_conf
from .smb_pth import smb_pth_test_configuration from .smb_pth import smb_pth_test_configuration
from .wmi_mimikatz import wmi_mimikatz_test_configuration from .wmi_mimikatz import wmi_mimikatz_test_configuration
from .zerologon import zerologon_test_configuration from .zerologon import zerologon_test_configuration
from .credentials_reuse_ssh_key import credentials_reuse_ssh_key_test_configuration
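Review bot: The new import is appended after `zerologon`, breaking the alphabetical order the other visible imports in this `__init__` keep (`powershell_credentials_reuse`, `smb_pth`, `wmi_mimikatz`, `zerologon`). A purely stylistic point: `from .credentials_reuse_ssh_key import credentials_reuse_ssh_key_test_configuration` belongs near the top of the list with the other `c`/`d` entries.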


@ -0,0 +1,71 @@
import dataclasses
from common.agent_configuration import AgentConfiguration, PluginConfiguration
from common.credentials import Credentials, Password, Username
from .noop import noop_test_configuration
from .utils import (
add_credential_collectors,
add_exploiters,
add_subnets,
add_tcp_ports,
replace_agent_configuration,
replace_propagation_credentials,
set_keep_tunnel_open_time,
set_maximum_depth,
)
# Tests:
# SSHCollector steals key from machine A(10.2.3.14),
# then B(10.2.4.15) exploits C(10.2.5.16) with that key
def _add_exploiters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
brute_force = [
PluginConfiguration(name="SSHExploiter", options={}),
]
return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=[])
def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration:
subnets = ["10.2.3.14", "10.2.4.15", "10.2.5.16"]
return add_subnets(agent_configuration, subnets)
def _add_credential_collectors(agent_configuration: AgentConfiguration) -> AgentConfiguration:
credential_collectors = [
PluginConfiguration(name="SSHCollector", options={}),
]
return add_credential_collectors(
agent_configuration, credential_collectors=credential_collectors
)
def _add_tcp_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
ports = [22]
return add_tcp_ports(agent_configuration, ports)
test_agent_configuration = set_maximum_depth(noop_test_configuration.agent_configuration, 3)
test_agent_configuration = set_keep_tunnel_open_time(test_agent_configuration, 20)
test_agent_configuration = _add_exploiters(test_agent_configuration)
test_agent_configuration = _add_subnets(test_agent_configuration)
test_agent_configuration = _add_credential_collectors(test_agent_configuration)
test_agent_configuration = _add_tcp_ports(test_agent_configuration)
CREDENTIALS = (
Credentials(identity=Username(username="m0nk3y"), secret=None),
Credentials(identity=None, secret=Password(password="u26gbVQe")),
Credentials(identity=None, secret=Password(password="5BuYHeVl")),
)
credentials_reuse_ssh_key_test_configuration = dataclasses.replace(noop_test_configuration)
replace_agent_configuration(
test_configuration=credentials_reuse_ssh_key_test_configuration,
agent_configuration=test_agent_configuration,
)
replace_propagation_credentials(
test_configuration=credentials_reuse_ssh_key_test_configuration,
propagation_credentials=CREDENTIALS,
)
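Review bot: The header comment omits the property the test actually relies on: `CREDENTIALS` holds the username and only the passwords for A (10.2.3.14) and B (10.2.4.15), so C (10.2.5.16) is reachable only with the key SSHCollector takes from A. If that omission is deliberate — it appears to be — say so, e.g. `# C's password is intentionally absent from CREDENTIALS so that C can only be reached with the key collected on A.`; otherwise a later edit adding it would let the test pass without exercising credential reuse at all. The comment also disagrees with the MonkeyZoo docs table added in this commit, which says the key was stolen from Credentials Reuse 16 rather than from A (10.2.3.14); one of the two should be corrected.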


@ -28,6 +28,9 @@ This document describes Infection Monkeys test network, how to deploy and use
[Nr. 3-46 Powershell](#_Toc536021480)<br> [Nr. 3-46 Powershell](#_Toc536021480)<br>
[Nr. 3-47 Powershell](#_Toc536021481)<br> [Nr. 3-47 Powershell](#_Toc536021481)<br>
[Nr. 3-48 Powershell](#_Toc536021482)<br> [Nr. 3-48 Powershell](#_Toc536021482)<br>
[Nr. 14 Credentials Reuse](#_Toc536121480)<br>
[Nr. 15 Credentials Reuse](#_Toc536121481)<br>
[Nr. 16 Credentials Reuse](#_Toc536121482)<br>
[Nr. 3-49 Log4j Solr](#_Toc536021483)<br> [Nr. 3-49 Log4j Solr](#_Toc536021483)<br>
[Nr. 3-50 Log4j Solr](#_Toc536021484)<br> [Nr. 3-50 Log4j Solr](#_Toc536021484)<br>
[Nr. 3-51 Log4j Tomcat](#_Toc536021485)<br> [Nr. 3-51 Log4j Tomcat](#_Toc536021485)<br>
@ -874,6 +877,120 @@ Accessiable only through <strong>3-45 Powershell</strong> using credentials reus
</tbody> </tbody>
</table> </table>
<table>
<thead>
<tr class="header">
<th><p><span id="_Toc536121480" class="anchor"></span>Nr. <strong>14</strong> Credentials Reuse</p>
<p>(10.2.3.14, 10.2.4.14)</p></th>
<th>(Exploitable)</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>OS:</td>
<td><strong>Ubuntu 16.04.05 x64</strong></td>
</tr>
<tr class="even">
<td>Software:</td>
<td>OpenSSL</td>
</tr>
<tr class="odd">
<td>Default services port:</td>
<td>22</td>
</tr>
<tr class="even">
<td>Credentials:</td>
<td>m0nk3y:u26gbVQe</td>
</tr>
<tr class="odd">
<td>Servers config:</td>
<td>VPC network that can only access Credentials Reuse 15 and Island.</td>
</tr>
<tr class="even">
<td>Notes:</td>
<td>Accessible from the Island with password authentication</td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr class="header">
<th><p><span id="_Toc536121481" class="anchor"></span>Nr. <strong>15</strong> Credentials Reuse</p>
<p>(10.2.4.15, 10.2.5.15)</p></th>
<th>(Exploitable)</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>OS:</td>
<td><strong>Ubuntu 16.04.05 x64</strong></td>
</tr>
<tr class="even">
<td>Software:</td>
<td>OpenSSL</td>
</tr>
<tr class="odd">
<td>Default services port:</td>
<td>22</td>
</tr>
<tr class="even">
<td>Credentials:</td>
<td>m0nk3y:5BuYHeVl</td>
</tr>
<tr class="odd">
<td>Servers config:</td>
<td>VPC network that can be only accessed by Credentials Reuse 14 and communicate to<br>
Credentials Reuse 16.
</td>
</tr>
<tr class="even">
<td>Notes:</td>
<td>Accessible from the Credentials Reuse 14 with password authentication</td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr class="header">
<th><p><span id="_Toc536121482" class="anchor"></span>Nr. <strong>16</strong> Credentials Reuse</p>
<p>(10.2.3.16, 10.2.5.16)</p></th>
<th>(Exploitable)</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>OS:</td>
<td><strong>Ubuntu 16.04.05 x64</strong></td>
</tr>
<tr class="even">
<td>Software:</td>
<td>OpenSSL</td>
</tr>
<tr class="odd">
<td>Default services port:</td>
<td>22</td>
</tr>
<tr class="even">
<td>Credentials:</td>
<td>m0nk3y:lIZl6vTR</td>
</tr>
<tr class="odd">
<td>Servers config:</td>
<td>VPC network that can be only accessed by Credentials Reuse 15 and communicate to<br>
the Island.
</td>
</tr>
<tr class="even">
<td>Notes:</td>
<td>Accessible from the Credentials Reuse 15 with passwordless ssh key authentication.<br>
We use the ssh key that was stolen from Credentials Reuse 16</td>
</tr>
</tbody>
</table>
<table> <table>
<thead> <thead>
<tr class="header"> <tr class="header">


@ -63,6 +63,18 @@ data "google_compute_image" "powershell-3-45" {
name = "powershell-3-45" name = "powershell-3-45"
project = local.monkeyzoo_project project = local.monkeyzoo_project
} }
data "google_compute_image" "credentials-reuse-14" {
name = "credentials-reuse-14"
project = local.monkeyzoo_project
}
data "google_compute_image" "credentials-reuse-15" {
name = "credentials-reuse-15"
project = local.monkeyzoo_project
}
data "google_compute_image" "credentials-reuse-16" {
name = "credentials-reuse-16"
project = local.monkeyzoo_project
}
data "google_compute_image" "log4j-solr-49" { data "google_compute_image" "log4j-solr-49" {
name = "log4j-solr-49" name = "log4j-solr-49"
project = local.monkeyzoo_project project = local.monkeyzoo_project


@ -44,6 +44,18 @@ resource "google_compute_subnetwork" "tunneling2-main" {
network = google_compute_network.tunneling2.self_link network = google_compute_network.tunneling2.self_link
} }
resource "google_compute_subnetwork" "credential-reuse" {
name = "${local.resource_prefix}credential-reuse"
ip_cidr_range = "10.2.4.0/24"
network = google_compute_network.credential-reuse.self_link
}
resource "google_compute_subnetwork" "credential-reuse2" {
name = "${local.resource_prefix}credential-reuse2"
ip_cidr_range = "10.2.5.0/24"
network = google_compute_network.credential-reuse2.self_link
}
resource "google_compute_instance_from_template" "hadoop-2" { resource "google_compute_instance_from_template" "hadoop-2" {
name = "${local.resource_prefix}hadoop-2" name = "${local.resource_prefix}hadoop-2"
source_instance_template = local.default_ubuntu source_instance_template = local.default_ubuntu
@ -309,23 +321,65 @@ resource "google_compute_instance_from_template" "powershell-3-45" {
auto_delete = true auto_delete = true
} }
network_interface { network_interface {
subnetwork="${local.resource_prefix}monkeyzoo-main" subnetwork="${local.resource_prefix}monkeyzoo-main-1"
network_ip="10.2.3.45" network_ip="10.2.3.45"
} }
} }
resource "google_compute_instance_from_template" "powershell-3-45" { resource "google_compute_instance_from_template" "credentials-reuse-14" {
name = "${local.resource_prefix}powershell-3-45" name = "${local.resource_prefix}credentials-reuse-14"
source_instance_template = local.default_windows source_instance_template = local.default_linux
boot_disk{ boot_disk{
initialize_params { initialize_params {
image = data.google_compute_image.powershell-3-45.self_link image = data.google_compute_image.credentials-reuse-14.self_link
} }
auto_delete = true auto_delete = true
} }
network_interface { network_interface {
subnetwork="${local.resource_prefix}monkeyzoo-main" subnetwork="${local.resource_prefix}monkeyzoo-main-1"
network_ip="10.2.3.45" network_ip="10.2.3.14"
}
network_interface {
subnetwork="${local.resource_prefix}credential-reuse"
network_ip="10.2.4.14"
}
}
resource "google_compute_instance_from_template" "credentials-reuse-15" {
name = "${local.resource_prefix}credentials-reuse-15"
source_instance_template = local.default_linux
boot_disk{
initialize_params {
image = data.google_compute_image.credentials-reuse-15.self_link
}
auto_delete = true
}
network_interface {
subnetwork="${local.resource_prefix}credential-reuse"
network_ip="10.2.4.15"
}
network_interface {
subnetwork="${local.resource_prefix}credential-reuse2"
network_ip="10.2.5.15"
}
}
resource "google_compute_instance_from_template" "credentials-reuse-16" {
name = "${local.resource_prefix}credentials-reuse-16"
source_instance_template = local.default_linux
boot_disk{
initialize_params {
image = data.google_compute_image.credentials-reuse-16.self_link
}
auto_delete = true
}
network_interface {
subnetwork="${local.resource_prefix}credential-reuse2"
network_ip="10.2.5.16"
}
network_interface {
subnetwork="${local.resource_prefix}monkeyzoo-main-1"
network_ip="10.2.3.16"
} }
} }
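Review bot: The two new subnetworks reference `google_compute_network.credential-reuse` and `google_compute_network.credential-reuse2`, but neither network resource nor any firewall rule for them appears in this commit, and the isolation the docs table describes (14 reaches only 15 and the Island; 16 is reachable only from 15) is exactly what firewall rules on those networks would enforce. Please confirm they exist in an unchanged file; without them the propagation path may not be the one the test documents. Naming is also inconsistent: the subnetworks are `credential-reuse`/`credential-reuse2` while the instances and images are `credentials-reuse-14/15/16`. Finally, the first `powershell-3-45` block's subnetwork changes from `monkeyzoo-main` to `monkeyzoo-main-1` in this hunk, which is unrelated to credential reuse and deserves a mention in the commit message or confirmation that it is intentional.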