Merge pull request #2322 from guardicore/2181-credential-reuse-ete

2181 credential reuse ete

envs/monkey_zoo/blackbox/gcp_test_machine_list.py

@@ -19,6 +19,9 @@ GCP_TEST_MACHINE_LIST = {
         "powershell-3-46",
         "powershell-3-47",
         "powershell-3-48",
+        "credentials-reuse-14",
+        "credentials-reuse-15",
+        "credentials-reuse-16",
         "log4j-logstash-55",
         "log4j-logstash-56",
         "log4j-solr-49",
@@ -85,6 +88,14 @@ ZEROLOGON = {
     ],
 }
 
+CREDENTIALS_REUSE_SSH_KEY = {
+    "europe-west1-b": [
+        "credentials-reuse-14",
+        "credentials-reuse-15",
+        "credentials-reuse-16",
+    ],
+}
+
 WMI_AND_MIMIKATZ = {
     "europe-west3-a": [
         "mimikatz-14",
@@ -101,6 +112,7 @@ GCP_SINGLE_TEST_LIST = {
     "test_depth_4_a": DEPTH_4_A,
     "test_powershell_exploiter_credentials_reuse": POWERSHELL_EXPLOITER_REUSE,
     "test_zerologon_exploiter": ZEROLOGON,
+    "test_credentials_reuse_ssh_key": CREDENTIALS_REUSE_SSH_KEY,
     "test_wmi_and_mimikatz_exploiters": WMI_AND_MIMIKATZ,
     "test_smb_pth": SMB_PTH,
 }

envs/monkey_zoo/blackbox/test_blackbox.py

@@ -10,6 +10,7 @@ from envs.monkey_zoo.blackbox.island_client.monkey_island_client import MonkeyIs
 from envs.monkey_zoo.blackbox.island_client.test_configuration_parser import get_target_ips
 from envs.monkey_zoo.blackbox.log_handlers.test_logs_handler import TestLogsHandler
 from envs.monkey_zoo.blackbox.test_configurations import (
+    credentials_reuse_ssh_key_test_configuration,
     depth_1_a_test_configuration,
     depth_2_a_test_configuration,
     depth_3_a_test_configuration,
@@ -163,6 +164,11 @@ class TestMonkeyBlackbox:
             log_handler=log_handler,
         ).run()
 
+    def test_credentials_reuse_ssh_key(self, island_client):
+        TestMonkeyBlackbox.run_exploitation_test(
+            island_client, credentials_reuse_ssh_key_test_configuration, "Credentials_Reuse_SSH_Key"
+        )
+
     # Not grouped because conflicts with SMB.
     # Consider grouping when more depth 1 exploiters collide with group depth_1_a
     def test_wmi_and_mimikatz_exploiters(self, island_client):

envs/monkey_zoo/blackbox/test_configurations/__init__.py

@@ -7,3 +7,4 @@ from .powershell_credentials_reuse import powershell_credentials_reuse_test_conf
 from .smb_pth import smb_pth_test_configuration
 from .wmi_mimikatz import wmi_mimikatz_test_configuration
 from .zerologon import zerologon_test_configuration
+from .credentials_reuse_ssh_key import credentials_reuse_ssh_key_test_configuration

envs/monkey_zoo/blackbox/test_configurations/credentials_reuse_ssh_key.py

@@ -0,0 +1,71 @@
+import dataclasses
+
+from common.agent_configuration import AgentConfiguration, PluginConfiguration
+from common.credentials import Credentials, Password, Username
+
+from .noop import noop_test_configuration
+from .utils import (
+    add_credential_collectors,
+    add_exploiters,
+    add_subnets,
+    add_tcp_ports,
+    replace_agent_configuration,
+    replace_propagation_credentials,
+    set_keep_tunnel_open_time,
+    set_maximum_depth,
+)
+
+
+# Tests:
+#     SSHCollector steals key from machine A(10.2.3.14),
+#     then B(10.2.4.15) exploits C(10.2.5.16) with that key
+def _add_exploiters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
+    brute_force = [
+        PluginConfiguration(name="SSHExploiter", options={}),
+    ]
+
+    return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=[])
+
+
+def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration:
+    subnets = ["10.2.3.14", "10.2.4.15", "10.2.5.16"]
+    return add_subnets(agent_configuration, subnets)
+
+
+def _add_credential_collectors(agent_configuration: AgentConfiguration) -> AgentConfiguration:
+    credential_collectors = [
+        PluginConfiguration(name="SSHCollector", options={}),
+    ]
+
+    return add_credential_collectors(
+        agent_configuration, credential_collectors=credential_collectors
+    )
+
+
+def _add_tcp_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
+    ports = [22]
+    return add_tcp_ports(agent_configuration, ports)
+
+
+test_agent_configuration = set_maximum_depth(noop_test_configuration.agent_configuration, 3)
+test_agent_configuration = set_keep_tunnel_open_time(test_agent_configuration, 20)
+test_agent_configuration = _add_exploiters(test_agent_configuration)
+test_agent_configuration = _add_subnets(test_agent_configuration)
+test_agent_configuration = _add_credential_collectors(test_agent_configuration)
+test_agent_configuration = _add_tcp_ports(test_agent_configuration)
+
+CREDENTIALS = (
+    Credentials(identity=Username(username="m0nk3y"), secret=None),
+    Credentials(identity=None, secret=Password(password="u26gbVQe")),
+    Credentials(identity=None, secret=Password(password="5BuYHeVl")),
+)
+
+credentials_reuse_ssh_key_test_configuration = dataclasses.replace(noop_test_configuration)
+replace_agent_configuration(
+    test_configuration=credentials_reuse_ssh_key_test_configuration,
+    agent_configuration=test_agent_configuration,
+)
+replace_propagation_credentials(
+    test_configuration=credentials_reuse_ssh_key_test_configuration,
+    propagation_credentials=CREDENTIALS,
+)

envs/monkey_zoo/docs/fullDocs.md

@@ -28,6 +28,9 @@ This document describes Infection Monkey’s test network, how to deploy and use
 [Nr. 3-46 Powershell](#_Toc536021480)<br>
 [Nr. 3-47 Powershell](#_Toc536021481)<br>
 [Nr. 3-48 Powershell](#_Toc536021482)<br>
+[Nr. 14 Credentials Reuse](#_Toc536121480)<br>
+[Nr. 15 Credentials Reuse](#_Toc536121481)<br>
+[Nr. 16 Credentials Reuse](#_Toc536121482)<br>
 [Nr. 3-49 Log4j Solr](#_Toc536021483)<br>
 [Nr. 3-50 Log4j Solr](#_Toc536021484)<br>
 [Nr. 3-51 Log4j Tomcat](#_Toc536021485)<br>
@@ -874,6 +877,120 @@ Accessiable only through <strong>3-45 Powershell</strong> using credentials reus
 </tbody>
 </table>
 
+<table>
+<thead>
+<tr class="header">
+<th><p><span id="_Toc536121480" class="anchor"></span>Nr. <strong>14</strong> Credentials Reuse</p>
+<p>(10.2.3.14, 10.2.4.14)</p></th>
+<th>(Exploitable)</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td>OS:</td>
+<td><strong>Ubuntu 16.04.05 x64</strong></td>
+</tr>
+<tr class="even">
+<td>Software:</td>
+<td>OpenSSL</td>
+</tr>
+<tr class="odd">
+<td>Default service’s port:</td>
+<td>22</td>
+</tr>
+<tr class="even">
+<td>Credentials:</td>
+<td>m0nk3y:u26gbVQe</td>
+</tr>
+<tr class="odd">
+<td>Server’s config:</td>
+<td>VPC network that can only access Credentials Reuse 15 and Island.</td>
+</tr>
+<tr class="even">
+<td>Notes:</td>
+<td>Accessible from the Island with password authentication</td>
+</tr>
+</tbody>
+</table>
+
+<table>
+<thead>
+<tr class="header">
+<th><p><span id="_Toc536121481" class="anchor"></span>Nr. <strong>15</strong> Credentials Reuse</p>
+<p>(10.2.4.15, 10.2.5.15)</p></th>
+<th>(Exploitable)</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td>OS:</td>
+<td><strong>Ubuntu 16.04.05 x64</strong></td>
+</tr>
+<tr class="even">
+<td>Software:</td>
+<td>OpenSSL</td>
+</tr>
+<tr class="odd">
+<td>Default service’s port:</td>
+<td>22</td>
+</tr>
+<tr class="even">
+<td>Credentials:</td>
+<td>m0nk3y:5BuYHeVl</td>
+</tr>
+<tr class="odd">
+<td>Server’s config:</td>
+<td>VPC network that can be only accessed by Credentials Reuse 14 and communicate to<br>
+Credentials Reuse 16.
+</td>
+</tr>
+<tr class="even">
+<td>Notes:</td>
+<td>Accessible from the Credentials Reuse 14 with password authentication</td>
+</tr>
+</tbody>
+</table>
+
+<table>
+<thead>
+<tr class="header">
+<th><p><span id="_Toc536121482" class="anchor"></span>Nr. <strong>16</strong> Credentials Reuse</p>
+<p>(10.2.3.16, 10.2.5.16)</p></th>
+<th>(Exploitable)</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td>OS:</td>
+<td><strong>Ubuntu 16.04.05 x64</strong></td>
+</tr>
+<tr class="even">
+<td>Software:</td>
+<td>OpenSSL</td>
+</tr>
+<tr class="odd">
+<td>Default service’s port:</td>
+<td>22</td>
+</tr>
+<tr class="even">
+<td>Credentials:</td>
+<td>m0nk3y:lIZl6vTR</td>
+</tr>
+<tr class="odd">
+<td>Server’s config:</td>
+<td>VPC network that can be only accessed by Credentials Reuse 15 and communicate to<br>
+the Island.
+</td>
+</tr>
+<tr class="even">
+<td>Notes:</td>
+<td>Accessible from the Credentials Reuse 15 with passwordless ssh key authentication.<br>
+We use the ssh key that was stolen from Credentials Reuse 16</td>
+</tr>
+</tbody>
+</table>
+
+
 <table>
 <thead>
 <tr class="header">

envs/monkey_zoo/terraform/images.tf

@@ -63,6 +63,18 @@ data "google_compute_image" "powershell-3-45" {
   name = "powershell-3-45"
   project = local.monkeyzoo_project
 }
+data "google_compute_image" "credentials-reuse-14" {
+  name = "credentials-reuse-14"
+  project = local.monkeyzoo_project
+}
+data "google_compute_image" "credentials-reuse-15" {
+  name = "credentials-reuse-15"
+  project = local.monkeyzoo_project
+}
+data "google_compute_image" "credentials-reuse-16" {
+  name = "credentials-reuse-16"
+  project = local.monkeyzoo_project
+}
 data "google_compute_image" "log4j-solr-49" {
   name = "log4j-solr-49"
   project = local.monkeyzoo_project

envs/monkey_zoo/terraform/monkey_zoo.tf

@@ -44,6 +44,18 @@ resource "google_compute_subnetwork" "tunneling2-main" {
   network         = google_compute_network.tunneling2.self_link
 }
 
+resource "google_compute_subnetwork" "credential-reuse" {
+  name = "${local.resource_prefix}credential-reuse"
+  ip_cidr_range   = "10.2.4.0/24"
+  network         = google_compute_network.credential-reuse.self_link
+}
+
+resource "google_compute_subnetwork" "credential-reuse2" {
+  name = "${local.resource_prefix}credential-reuse2"
+  ip_cidr_range   = "10.2.5.0/24"
+  network         = google_compute_network.credential-reuse2.self_link
+}
+
 resource "google_compute_instance_from_template" "hadoop-2" {
   name = "${local.resource_prefix}hadoop-2"
   source_instance_template = local.default_ubuntu
@@ -309,23 +321,65 @@ resource "google_compute_instance_from_template" "powershell-3-45" {
     auto_delete = true
   }
   network_interface {
-    subnetwork="${local.resource_prefix}monkeyzoo-main"
+    subnetwork="${local.resource_prefix}monkeyzoo-main-1"
     network_ip="10.2.3.45"
   }
 }
 
-resource "google_compute_instance_from_template" "powershell-3-45" {
-  name = "${local.resource_prefix}powershell-3-45"
-  source_instance_template = local.default_windows
+resource "google_compute_instance_from_template" "credentials-reuse-14" {
+  name = "${local.resource_prefix}credentials-reuse-14"
+  source_instance_template = local.default_linux
   boot_disk{
     initialize_params {
-      image = data.google_compute_image.powershell-3-45.self_link
+      image = data.google_compute_image.credentials-reuse-14.self_link
     }
     auto_delete = true
   }
   network_interface {
-    subnetwork="${local.resource_prefix}monkeyzoo-main"
-    network_ip="10.2.3.45"
+    subnetwork="${local.resource_prefix}monkeyzoo-main-1"
+    network_ip="10.2.3.14"
+  }
+  network_interface {
+    subnetwork="${local.resource_prefix}credential-reuse"
+    network_ip="10.2.4.14"
+  }
+}
+
+resource "google_compute_instance_from_template" "credentials-reuse-15" {
+  name = "${local.resource_prefix}credentials-reuse-15"
+  source_instance_template = local.default_linux
+  boot_disk{
+    initialize_params {
+      image = data.google_compute_image.credentials-reuse-15.self_link
+    }
+    auto_delete = true
+  }
+  network_interface {
+    subnetwork="${local.resource_prefix}credential-reuse"
+    network_ip="10.2.4.15"
+  }
+  network_interface {
+    subnetwork="${local.resource_prefix}credential-reuse2"
+    network_ip="10.2.5.15"
+  }
+}
+
+resource "google_compute_instance_from_template" "credentials-reuse-16" {
+  name = "${local.resource_prefix}credentials-reuse-16"
+  source_instance_template = local.default_linux
+  boot_disk{
+    initialize_params {
+      image = data.google_compute_image.credentials-reuse-16.self_link
+    }
+    auto_delete = true
+  }
+  network_interface {
+    subnetwork="${local.resource_prefix}credential-reuse2"
+    network_ip="10.2.5.16"
+  }
+  network_interface {
+    subnetwork="${local.resource_prefix}monkeyzoo-main-1"
+    network_ip="10.2.3.16"
   }
 }