Merge pull request #2322 from guardicore/2181-credential-reuse-ete
2181 credential reuse ete
commit
18ceb6c279
@ -19,6 +19,9 @@ GCP_TEST_MACHINE_LIST = {
|
||||||
"powershell-3-46",
|
"powershell-3-46",
|
||||||
"powershell-3-47",
|
"powershell-3-47",
|
||||||
"powershell-3-48",
|
"powershell-3-48",
|
||||||
|
"credentials-reuse-14",
|
||||||
|
"credentials-reuse-15",
|
||||||
|
"credentials-reuse-16",
|
||||||
"log4j-logstash-55",
|
"log4j-logstash-55",
|
||||||
"log4j-logstash-56",
|
"log4j-logstash-56",
|
||||||
"log4j-solr-49",
|
"log4j-solr-49",
|
||||||
|
@ -85,6 +88,14 @@ ZEROLOGON = {
|
||||||
],
|
],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
CREDENTIALS_REUSE_SSH_KEY = {
|
||||||
|
"europe-west1-b": [
|
||||||
|
"credentials-reuse-14",
|
||||||
|
"credentials-reuse-15",
|
||||||
|
"credentials-reuse-16",
|
||||||
|
],
|
||||||
|
}
|
||||||
|
|
||||||
WMI_AND_MIMIKATZ = {
|
WMI_AND_MIMIKATZ = {
|
||||||
"europe-west3-a": [
|
"europe-west3-a": [
|
||||||
"mimikatz-14",
|
"mimikatz-14",
|
||||||
|
@ -101,6 +112,7 @@ GCP_SINGLE_TEST_LIST = {
|
||||||
"test_depth_4_a": DEPTH_4_A,
|
"test_depth_4_a": DEPTH_4_A,
|
||||||
"test_powershell_exploiter_credentials_reuse": POWERSHELL_EXPLOITER_REUSE,
|
"test_powershell_exploiter_credentials_reuse": POWERSHELL_EXPLOITER_REUSE,
|
||||||
"test_zerologon_exploiter": ZEROLOGON,
|
"test_zerologon_exploiter": ZEROLOGON,
|
||||||
|
"test_credentials_reuse_ssh_key": CREDENTIALS_REUSE_SSH_KEY,
|
||||||
"test_wmi_and_mimikatz_exploiters": WMI_AND_MIMIKATZ,
|
"test_wmi_and_mimikatz_exploiters": WMI_AND_MIMIKATZ,
|
||||||
"test_smb_pth": SMB_PTH,
|
"test_smb_pth": SMB_PTH,
|
||||||
}
|
}
|
||||||
|
|
|
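Review bot: CREDENTIALS_REUSE_SSH_KEY pins the three new machines to zone `"europe-west1-b"`, while the neighbouring WMI_AND_MIMIKATZ entry in the same hunk uses `"europe-west3-a"`; the terraform hunks in this commit set no explicit zone for the `credentials-reuse-*` instances, so if they inherit the template's zone the start/stop helpers keyed on this dict will presumably not find them. Either align the zone with the other groups or add a one-line comment explaining why this group is deployed elsewhere, e.g. `# deployed in europe-west1-b because <reason>`. Also note the instance names are `credentials-reuse-*` while the terraform subnetworks are named `credential-reuse`/`credential-reuse2`; a consistent spelling would make the topology easier to grep.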
@ -10,6 +10,7 @@ from envs.monkey_zoo.blackbox.island_client.monkey_island_client import MonkeyIs
|
||||||
from envs.monkey_zoo.blackbox.island_client.test_configuration_parser import get_target_ips
|
from envs.monkey_zoo.blackbox.island_client.test_configuration_parser import get_target_ips
|
||||||
from envs.monkey_zoo.blackbox.log_handlers.test_logs_handler import TestLogsHandler
|
from envs.monkey_zoo.blackbox.log_handlers.test_logs_handler import TestLogsHandler
|
||||||
from envs.monkey_zoo.blackbox.test_configurations import (
|
from envs.monkey_zoo.blackbox.test_configurations import (
|
||||||
|
credentials_reuse_ssh_key_test_configuration,
|
||||||
depth_1_a_test_configuration,
|
depth_1_a_test_configuration,
|
||||||
depth_2_a_test_configuration,
|
depth_2_a_test_configuration,
|
||||||
depth_3_a_test_configuration,
|
depth_3_a_test_configuration,
|
||||||
|
@ -163,6 +164,11 @@ class TestMonkeyBlackbox:
|
||||||
log_handler=log_handler,
|
log_handler=log_handler,
|
||||||
).run()
|
).run()
|
||||||
|
|
||||||
|
def test_credentials_reuse_ssh_key(self, island_client):
|
||||||
|
TestMonkeyBlackbox.run_exploitation_test(
|
||||||
|
island_client, credentials_reuse_ssh_key_test_configuration, "Credentials_Reuse_SSH_Key"
|
||||||
|
)
|
||||||
|
|
||||||
# Not grouped because conflicts with SMB.
|
# Not grouped because conflicts with SMB.
|
||||||
# Consider grouping when more depth 1 exploiters collide with group depth_1_a
|
# Consider grouping when more depth 1 exploiters collide with group depth_1_a
|
||||||
def test_wmi_and_mimikatz_exploiters(self, island_client):
|
def test_wmi_and_mimikatz_exploiters(self, island_client):
|
||||||
|
|
|
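Review bot: test_credentials_reuse_ssh_key carries no docstring, and nothing in this file says what chain it is meant to prove or why it cannot be grouped with the depth tests. Since run_exploitation_test (defined outside this hunk) appears to pass once the configured targets are exploited, a reader needs the intent spelled out to keep the test honest: `"""Island -> 14 (password) -> 15 (password) -> 16 (SSH key harvested on 14); 16 must be reachable only via the stolen key."""`. The three-hop chain is also why this cannot share a run with the depth_1/depth_2 groups; the existing "Not grouped because conflicts with SMB" comment below applies to the WMI test, not to this one, so a short note above the new method would avoid that misreading.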
@ -7,3 +7,4 @@ from .powershell_credentials_reuse import powershell_credentials_reuse_test_conf
|
||||||
from .smb_pth import smb_pth_test_configuration
|
from .smb_pth import smb_pth_test_configuration
|
||||||
from .wmi_mimikatz import wmi_mimikatz_test_configuration
|
from .wmi_mimikatz import wmi_mimikatz_test_configuration
|
||||||
from .zerologon import zerologon_test_configuration
|
from .zerologon import zerologon_test_configuration
|
||||||
|
from .credentials_reuse_ssh_key import credentials_reuse_ssh_key_test_configuration
|
||||||
|
|
|
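Review bot: The new import is appended after `from .zerologon import ...`, breaking the alphabetical order the rest of this file keeps (powershell_credentials_reuse, smb_pth, wmi_mimikatz, zerologon). Move `from .credentials_reuse_ssh_key import credentials_reuse_ssh_key_test_configuration` to its sorted position near the top of the file (before the depth_* imports, which lie outside this hunk), so the next reviewer does not need to read the whole list to check for duplicates.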
@ -0,0 +1,71 @@
|
||||||
|
import dataclasses
|
||||||
|
|
||||||
|
from common.agent_configuration import AgentConfiguration, PluginConfiguration
|
||||||
|
from common.credentials import Credentials, Password, Username
|
||||||
|
|
||||||
|
from .noop import noop_test_configuration
|
||||||
|
from .utils import (
|
||||||
|
add_credential_collectors,
|
||||||
|
add_exploiters,
|
||||||
|
add_subnets,
|
||||||
|
add_tcp_ports,
|
||||||
|
replace_agent_configuration,
|
||||||
|
replace_propagation_credentials,
|
||||||
|
set_keep_tunnel_open_time,
|
||||||
|
set_maximum_depth,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
# Tests:
|
||||||
|
# SSHCollector steals key from machine A(10.2.3.14),
|
||||||
|
# then B(10.2.4.15) exploits C(10.2.5.16) with that key
|
||||||
|
def _add_exploiters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
|
||||||
|
brute_force = [
|
||||||
|
PluginConfiguration(name="SSHExploiter", options={}),
|
||||||
|
]
|
||||||
|
|
||||||
|
return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=[])
|
||||||
|
|
||||||
|
|
||||||
|
def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration:
|
||||||
|
subnets = ["10.2.3.14", "10.2.4.15", "10.2.5.16"]
|
||||||
|
return add_subnets(agent_configuration, subnets)
|
||||||
|
|
||||||
|
|
||||||
|
def _add_credential_collectors(agent_configuration: AgentConfiguration) -> AgentConfiguration:
|
||||||
|
credential_collectors = [
|
||||||
|
PluginConfiguration(name="SSHCollector", options={}),
|
||||||
|
]
|
||||||
|
|
||||||
|
return add_credential_collectors(
|
||||||
|
agent_configuration, credential_collectors=credential_collectors
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def _add_tcp_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
|
||||||
|
ports = [22]
|
||||||
|
return add_tcp_ports(agent_configuration, ports)
|
||||||
|
|
||||||
|
|
||||||
|
test_agent_configuration = set_maximum_depth(noop_test_configuration.agent_configuration, 3)
|
||||||
|
test_agent_configuration = set_keep_tunnel_open_time(test_agent_configuration, 20)
|
||||||
|
test_agent_configuration = _add_exploiters(test_agent_configuration)
|
||||||
|
test_agent_configuration = _add_subnets(test_agent_configuration)
|
||||||
|
test_agent_configuration = _add_credential_collectors(test_agent_configuration)
|
||||||
|
test_agent_configuration = _add_tcp_ports(test_agent_configuration)
|
||||||
|
|
||||||
|
CREDENTIALS = (
|
||||||
|
Credentials(identity=Username(username="m0nk3y"), secret=None),
|
||||||
|
Credentials(identity=None, secret=Password(password="u26gbVQe")),
|
||||||
|
Credentials(identity=None, secret=Password(password="5BuYHeVl")),
|
||||||
|
)
|
||||||
|
|
||||||
|
credentials_reuse_ssh_key_test_configuration = dataclasses.replace(noop_test_configuration)
|
||||||
|
replace_agent_configuration(
|
||||||
|
test_configuration=credentials_reuse_ssh_key_test_configuration,
|
||||||
|
agent_configuration=test_agent_configuration,
|
||||||
|
)
|
||||||
|
replace_propagation_credentials(
|
||||||
|
test_configuration=credentials_reuse_ssh_key_test_configuration,
|
||||||
|
propagation_credentials=CREDENTIALS,
|
||||||
|
)
|
|
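Review bot: The test's meaning rests on an invariant the module never states: machine C (10.2.5.16) must be reachable only with the key that SSHCollector harvests on A, so C's own password (listed as `lIZl6vTR` in the README hunk of this commit) has to stay out of CREDENTIALS, and `_add_subnets` must keep targeting 10.2.5.16 rather than the second interface `10.2.3.16` that the terraform hunk gives machine 16 on monkeyzoo-main-1; either addition would let exploitation succeed with no credential reuse and the test would still pass. Suggest extending the header comment with `# C's password is deliberately absent from CREDENTIALS and 10.2.3.16 is deliberately not scanned: the only route to C must be the key stolen from A` and a matching line above CREDENTIALS. The `set_keep_tunnel_open_time(test_agent_configuration, 20)` call also deserves a why-comment — per the terraform, B has no interface on the Island's network, so it presumably reports back through A's tunnel; `# B (10.2.4.15) can only reach the Island through A's tunnel` would do. Finally, the README hunk for machine 16 says the key "was stolen from Credentials Reuse 16", which contradicts the "steals key from machine A(10.2.3.14)" comment here; one of the two is wrong and should be fixed in the same commit.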
@ -28,6 +28,9 @@ This document describes Infection Monkey’s test network, how to deploy and use
|
||||||
[Nr. 3-46 Powershell](#_Toc536021480)<br>
|
[Nr. 3-46 Powershell](#_Toc536021480)<br>
|
||||||
[Nr. 3-47 Powershell](#_Toc536021481)<br>
|
[Nr. 3-47 Powershell](#_Toc536021481)<br>
|
||||||
[Nr. 3-48 Powershell](#_Toc536021482)<br>
|
[Nr. 3-48 Powershell](#_Toc536021482)<br>
|
||||||
|
[Nr. 14 Credentials Reuse](#_Toc536121480)<br>
|
||||||
|
[Nr. 15 Credentials Reuse](#_Toc536121481)<br>
|
||||||
|
[Nr. 16 Credentials Reuse](#_Toc536121482)<br>
|
||||||
[Nr. 3-49 Log4j Solr](#_Toc536021483)<br>
|
[Nr. 3-49 Log4j Solr](#_Toc536021483)<br>
|
||||||
[Nr. 3-50 Log4j Solr](#_Toc536021484)<br>
|
[Nr. 3-50 Log4j Solr](#_Toc536021484)<br>
|
||||||
[Nr. 3-51 Log4j Tomcat](#_Toc536021485)<br>
|
[Nr. 3-51 Log4j Tomcat](#_Toc536021485)<br>
|
||||||
|
@ -874,6 +877,120 @@ Accessiable only through <strong>3-45 Powershell</strong> using credentials reus
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
<table>
|
||||||
|
<thead>
|
||||||
|
<tr class="header">
|
||||||
|
<th><p><span id="_Toc536121480" class="anchor"></span>Nr. <strong>14</strong> Credentials Reuse</p>
|
||||||
|
<p>(10.2.3.14, 10.2.4.14)</p></th>
|
||||||
|
<th>(Exploitable)</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody>
|
||||||
|
<tr class="odd">
|
||||||
|
<td>OS:</td>
|
||||||
|
<td><strong>Ubuntu 16.04.05 x64</strong></td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td>Software:</td>
|
||||||
|
<td>OpenSSL</td>
|
||||||
|
</tr>
|
||||||
|
<tr class="odd">
|
||||||
|
<td>Default service’s port:</td>
|
||||||
|
<td>22</td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td>Credentials:</td>
|
||||||
|
<td>m0nk3y:u26gbVQe</td>
|
||||||
|
</tr>
|
||||||
|
<tr class="odd">
|
||||||
|
<td>Server’s config:</td>
|
||||||
|
<td>VPC network that can only access Credentials Reuse 15 and Island.</td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td>Notes:</td>
|
||||||
|
<td>Accessible from the Island with password authentication</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
<table>
|
||||||
|
<thead>
|
||||||
|
<tr class="header">
|
||||||
|
<th><p><span id="_Toc536121481" class="anchor"></span>Nr. <strong>15</strong> Credentials Reuse</p>
|
||||||
|
<p>(10.2.4.15, 10.2.5.15)</p></th>
|
||||||
|
<th>(Exploitable)</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody>
|
||||||
|
<tr class="odd">
|
||||||
|
<td>OS:</td>
|
||||||
|
<td><strong>Ubuntu 16.04.05 x64</strong></td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td>Software:</td>
|
||||||
|
<td>OpenSSL</td>
|
||||||
|
</tr>
|
||||||
|
<tr class="odd">
|
||||||
|
<td>Default service’s port:</td>
|
||||||
|
<td>22</td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td>Credentials:</td>
|
||||||
|
<td>m0nk3y:5BuYHeVl</td>
|
||||||
|
</tr>
|
||||||
|
<tr class="odd">
|
||||||
|
<td>Server’s config:</td>
|
||||||
|
<td>VPC network that can be only accessed by Credentials Reuse 14 and communicate to<br>
|
||||||
|
Credentials Reuse 16.
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td>Notes:</td>
|
||||||
|
<td>Accessible from the Credentials Reuse 14 with password authentication</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
<table>
|
||||||
|
<thead>
|
||||||
|
<tr class="header">
|
||||||
|
<th><p><span id="_Toc536121482" class="anchor"></span>Nr. <strong>16</strong> Credentials Reuse</p>
|
||||||
|
<p>(10.2.3.16, 10.2.5.16)</p></th>
|
||||||
|
<th>(Exploitable)</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody>
|
||||||
|
<tr class="odd">
|
||||||
|
<td>OS:</td>
|
||||||
|
<td><strong>Ubuntu 16.04.05 x64</strong></td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td>Software:</td>
|
||||||
|
<td>OpenSSL</td>
|
||||||
|
</tr>
|
||||||
|
<tr class="odd">
|
||||||
|
<td>Default service’s port:</td>
|
||||||
|
<td>22</td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td>Credentials:</td>
|
||||||
|
<td>m0nk3y:lIZl6vTR</td>
|
||||||
|
</tr>
|
||||||
|
<tr class="odd">
|
||||||
|
<td>Server’s config:</td>
|
||||||
|
<td>VPC network that can be only accessed by Credentials Reuse 15 and communicate to<br>
|
||||||
|
the Island.
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td>Notes:</td>
|
||||||
|
<td>Accessible from the Credentials Reuse 15 with passwordless ssh key authentication.<br>
|
||||||
|
We use the ssh key that was stolen from Credentials Reuse 16</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<thead>
|
<thead>
|
||||||
<tr class="header">
|
<tr class="header">
|
||||||
|
|
|
@ -63,6 +63,18 @@ data "google_compute_image" "powershell-3-45" {
|
||||||
name = "powershell-3-45"
|
name = "powershell-3-45"
|
||||||
project = local.monkeyzoo_project
|
project = local.monkeyzoo_project
|
||||||
}
|
}
|
||||||
|
data "google_compute_image" "credentials-reuse-14" {
|
||||||
|
name = "credentials-reuse-14"
|
||||||
|
project = local.monkeyzoo_project
|
||||||
|
}
|
||||||
|
data "google_compute_image" "credentials-reuse-15" {
|
||||||
|
name = "credentials-reuse-15"
|
||||||
|
project = local.monkeyzoo_project
|
||||||
|
}
|
||||||
|
data "google_compute_image" "credentials-reuse-16" {
|
||||||
|
name = "credentials-reuse-16"
|
||||||
|
project = local.monkeyzoo_project
|
||||||
|
}
|
||||||
data "google_compute_image" "log4j-solr-49" {
|
data "google_compute_image" "log4j-solr-49" {
|
||||||
name = "log4j-solr-49"
|
name = "log4j-solr-49"
|
||||||
project = local.monkeyzoo_project
|
project = local.monkeyzoo_project
|
||||||
|
|
|
@ -44,6 +44,18 @@ resource "google_compute_subnetwork" "tunneling2-main" {
|
||||||
network = google_compute_network.tunneling2.self_link
|
network = google_compute_network.tunneling2.self_link
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "google_compute_subnetwork" "credential-reuse" {
|
||||||
|
name = "${local.resource_prefix}credential-reuse"
|
||||||
|
ip_cidr_range = "10.2.4.0/24"
|
||||||
|
network = google_compute_network.credential-reuse.self_link
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_compute_subnetwork" "credential-reuse2" {
|
||||||
|
name = "${local.resource_prefix}credential-reuse2"
|
||||||
|
ip_cidr_range = "10.2.5.0/24"
|
||||||
|
network = google_compute_network.credential-reuse2.self_link
|
||||||
|
}
|
||||||
|
|
||||||
resource "google_compute_instance_from_template" "hadoop-2" {
|
resource "google_compute_instance_from_template" "hadoop-2" {
|
||||||
name = "${local.resource_prefix}hadoop-2"
|
name = "${local.resource_prefix}hadoop-2"
|
||||||
source_instance_template = local.default_ubuntu
|
source_instance_template = local.default_ubuntu
|
||||||
|
@ -309,23 +321,65 @@ resource "google_compute_instance_from_template" "powershell-3-45" {
|
||||||
auto_delete = true
|
auto_delete = true
|
||||||
}
|
}
|
||||||
network_interface {
|
network_interface {
|
||||||
subnetwork="${local.resource_prefix}monkeyzoo-main"
|
subnetwork="${local.resource_prefix}monkeyzoo-main-1"
|
||||||
network_ip="10.2.3.45"
|
network_ip="10.2.3.45"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_instance_from_template" "powershell-3-45" {
|
resource "google_compute_instance_from_template" "credentials-reuse-14" {
|
||||||
name = "${local.resource_prefix}powershell-3-45"
|
name = "${local.resource_prefix}credentials-reuse-14"
|
||||||
source_instance_template = local.default_windows
|
source_instance_template = local.default_linux
|
||||||
boot_disk{
|
boot_disk{
|
||||||
initialize_params {
|
initialize_params {
|
||||||
image = data.google_compute_image.powershell-3-45.self_link
|
image = data.google_compute_image.credentials-reuse-14.self_link
|
||||||
}
|
}
|
||||||
auto_delete = true
|
auto_delete = true
|
||||||
}
|
}
|
||||||
network_interface {
|
network_interface {
|
||||||
subnetwork="${local.resource_prefix}monkeyzoo-main"
|
subnetwork="${local.resource_prefix}monkeyzoo-main-1"
|
||||||
network_ip="10.2.3.45"
|
network_ip="10.2.3.14"
|
||||||
|
}
|
||||||
|
network_interface {
|
||||||
|
subnetwork="${local.resource_prefix}credential-reuse"
|
||||||
|
network_ip="10.2.4.14"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_compute_instance_from_template" "credentials-reuse-15" {
|
||||||
|
name = "${local.resource_prefix}credentials-reuse-15"
|
||||||
|
source_instance_template = local.default_linux
|
||||||
|
boot_disk{
|
||||||
|
initialize_params {
|
||||||
|
image = data.google_compute_image.credentials-reuse-15.self_link
|
||||||
|
}
|
||||||
|
auto_delete = true
|
||||||
|
}
|
||||||
|
network_interface {
|
||||||
|
subnetwork="${local.resource_prefix}credential-reuse"
|
||||||
|
network_ip="10.2.4.15"
|
||||||
|
}
|
||||||
|
network_interface {
|
||||||
|
subnetwork="${local.resource_prefix}credential-reuse2"
|
||||||
|
network_ip="10.2.5.15"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_compute_instance_from_template" "credentials-reuse-16" {
|
||||||
|
name = "${local.resource_prefix}credentials-reuse-16"
|
||||||
|
source_instance_template = local.default_linux
|
||||||
|
boot_disk{
|
||||||
|
initialize_params {
|
||||||
|
image = data.google_compute_image.credentials-reuse-16.self_link
|
||||||
|
}
|
||||||
|
auto_delete = true
|
||||||
|
}
|
||||||
|
network_interface {
|
||||||
|
subnetwork="${local.resource_prefix}credential-reuse2"
|
||||||
|
network_ip="10.2.5.16"
|
||||||
|
}
|
||||||
|
network_interface {
|
||||||
|
subnetwork="${local.resource_prefix}monkeyzoo-main-1"
|
||||||
|
network_ip="10.2.3.16"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
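Review bot: The two new subnetworks reference `google_compute_network.credential-reuse.self_link` and `google_compute_network.credential-reuse2.self_link`, but no hunk in this commit defines those network resources; unless they live in a file not shown here, `terraform plan` will fail on an unknown resource. The same goes for firewall rules: a custom VPC allows no ingress by default, so tcp/22 between 14→15 in credential-reuse and 15→16 in credential-reuse2 needs explicit `google_compute_firewall` rules, and none are visible. Note also that credentials-reuse-16 gets a second interface on `monkeyzoo-main-1` at `10.2.3.16`, which makes it directly reachable from the Island's network; that is presumably for the agent's callback, but it undermines the "only reachable via the stolen key" premise of the test if that address is ever scanned, so a comment on that network_interface block stating its purpose and that the blackbox config must not target it would protect the test. The `powershell-3-45` subnetwork rename to `monkeyzoo-main-1` in the same hunk should be mentioned in the commit message, since it is unrelated to credential reuse.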