forked from p34709852/monkey
Merge pull request #2359 from guardicore/2318-powershell-bb-fix
2318 powershell bb fix
This commit is contained in:
commit
699f2210f4
|
@ -18,12 +18,6 @@ def pytest_addoption(parser):
|
|||
default=False,
|
||||
help="Use for no interaction with the cloud.",
|
||||
)
|
||||
parser.addoption(
|
||||
"--skip-powershell-reuse",
|
||||
action="store_true",
|
||||
default=False,
|
||||
help="Use to run PowerShell credentials reuse test.",
|
||||
)
|
||||
|
||||
|
||||
@pytest.fixture(scope="session")
|
||||
|
@ -48,13 +42,3 @@ def gcp_machines_to_start(request: pytest.FixtureRequest) -> Mapping[str, Collec
|
|||
machines_to_start.setdefault(zone, set()).update(machines)
|
||||
|
||||
return machines_to_start
|
||||
|
||||
|
||||
def pytest_runtest_setup(item):
|
||||
if "skip_powershell_reuse" in item.keywords and item.config.getoption(
|
||||
"--skip-powershell-reuse"
|
||||
):
|
||||
pytest.skip(
|
||||
"Skipping powershell credentials reuse test because "
|
||||
"--skip-powershell-cached flag isn't specified."
|
||||
)
|
||||
|
|
|
@ -15,6 +15,7 @@ GCP_TEST_MACHINE_LIST = {
|
|||
"zerologon-25",
|
||||
],
|
||||
"europe-west1-b": [
|
||||
"powershell-3-44",
|
||||
"powershell-3-45",
|
||||
"powershell-3-46",
|
||||
"powershell-3-47",
|
||||
|
@ -35,7 +36,11 @@ DEPTH_2_A = {
|
|||
"europe-west3-a": [
|
||||
"sshkeys-11",
|
||||
"sshkeys-12",
|
||||
]
|
||||
],
|
||||
"europe-west1-b": [
|
||||
"powershell-3-46",
|
||||
"powershell-3-44",
|
||||
],
|
||||
}
|
||||
|
||||
|
||||
|
@ -60,7 +65,6 @@ DEPTH_3_A = {
|
|||
],
|
||||
"europe-west1-b": [
|
||||
"powershell-3-45",
|
||||
"powershell-3-46",
|
||||
"powershell-3-47",
|
||||
"powershell-3-48",
|
||||
],
|
||||
|
@ -75,13 +79,6 @@ DEPTH_4_A = {
|
|||
],
|
||||
}
|
||||
|
||||
|
||||
POWERSHELL_EXPLOITER_REUSE = {
|
||||
"europe-west1-b": [
|
||||
"powershell-3-46",
|
||||
]
|
||||
}
|
||||
|
||||
ZEROLOGON = {
|
||||
"europe-west3-a": [
|
||||
"zerologon-25",
|
||||
|
@ -110,7 +107,6 @@ GCP_SINGLE_TEST_LIST = {
|
|||
"test_depth_1_a": DEPTH_1_A,
|
||||
"test_depth_3_a": DEPTH_3_A,
|
||||
"test_depth_4_a": DEPTH_4_A,
|
||||
"test_powershell_exploiter_credentials_reuse": POWERSHELL_EXPLOITER_REUSE,
|
||||
"test_zerologon_exploiter": ZEROLOGON,
|
||||
"test_credentials_reuse_ssh_key": CREDENTIALS_REUSE_SSH_KEY,
|
||||
"test_wmi_and_mimikatz_exploiters": WMI_AND_MIMIKATZ,
|
||||
|
|
|
@ -15,7 +15,6 @@ from envs.monkey_zoo.blackbox.test_configurations import (
|
|||
depth_2_a_test_configuration,
|
||||
depth_3_a_test_configuration,
|
||||
depth_4_a_test_configuration,
|
||||
powershell_credentials_reuse_test_configuration,
|
||||
smb_pth_test_configuration,
|
||||
wmi_mimikatz_test_configuration,
|
||||
zerologon_test_configuration,
|
||||
|
@ -130,15 +129,6 @@ class TestMonkeyBlackbox:
|
|||
island_client, depth_4_a_test_configuration, "Depth4A test suite"
|
||||
)
|
||||
|
||||
# Not grouped because can only be ran on windows
|
||||
@pytest.mark.skip_powershell_reuse
|
||||
def test_powershell_exploiter_credentials_reuse(self, island_client):
|
||||
TestMonkeyBlackbox.run_exploitation_test(
|
||||
island_client,
|
||||
powershell_credentials_reuse_test_configuration,
|
||||
"PowerShell_Remoting_exploiter_credentials_reuse",
|
||||
)
|
||||
|
||||
# Not grouped because it's slow
|
||||
def test_zerologon_exploiter(self, island_client):
|
||||
test_name = "Zerologon_exploiter"
|
||||
|
|
|
@ -3,7 +3,6 @@ from .depth_1_a import depth_1_a_test_configuration
|
|||
from .depth_2_a import depth_2_a_test_configuration
|
||||
from .depth_3_a import depth_3_a_test_configuration
|
||||
from .depth_4_a import depth_4_a_test_configuration
|
||||
from .powershell_credentials_reuse import powershell_credentials_reuse_test_configuration
|
||||
from .smb_pth import smb_pth_test_configuration
|
||||
from .wmi_mimikatz import wmi_mimikatz_test_configuration
|
||||
from .zerologon import zerologon_test_configuration
|
||||
|
|
|
@ -6,6 +6,8 @@ from common.credentials import Credentials, Password, Username
|
|||
from .noop import noop_test_configuration
|
||||
from .utils import (
|
||||
add_exploiters,
|
||||
add_fingerprinters,
|
||||
add_http_ports,
|
||||
add_subnets,
|
||||
add_tcp_ports,
|
||||
replace_agent_configuration,
|
||||
|
@ -16,30 +18,50 @@ from .utils import (
|
|||
|
||||
# Tests:
|
||||
# SSH password and key brute-force, key stealing (10.2.2.11, 10.2.2.12)
|
||||
# Powershell credential reuse (logging in without credentials
|
||||
# to an identical user on another machine)(10.2.3.44, 10.2.3.46)
|
||||
def _add_exploiters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
|
||||
brute_force = [
|
||||
PluginConfiguration(name="SSHExploiter", options={}),
|
||||
PluginConfiguration(name="PowerShellExploiter", options={}),
|
||||
]
|
||||
return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=[])
|
||||
vulnerability = [
|
||||
PluginConfiguration(name="Log4ShellExploiter", options={}),
|
||||
]
|
||||
return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=vulnerability)
|
||||
|
||||
|
||||
def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration:
|
||||
subnets = [
|
||||
"10.2.2.11",
|
||||
"10.2.2.12",
|
||||
"10.2.3.44",
|
||||
"10.2.3.46",
|
||||
]
|
||||
return add_subnets(agent_configuration, subnets)
|
||||
|
||||
|
||||
def _add_fingerprinters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
|
||||
fingerprinters = [PluginConfiguration(name="http", options={})]
|
||||
|
||||
return add_fingerprinters(agent_configuration, fingerprinters)
|
||||
|
||||
|
||||
def _add_tcp_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
|
||||
ports = [22]
|
||||
ports = [22, 5985, 5986, 8080]
|
||||
return add_tcp_ports(agent_configuration, ports)
|
||||
|
||||
|
||||
def _add_http_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
|
||||
return add_http_ports(agent_configuration, [8080])
|
||||
|
||||
|
||||
test_agent_configuration = set_maximum_depth(noop_test_configuration.agent_configuration, 2)
|
||||
test_agent_configuration = _add_exploiters(test_agent_configuration)
|
||||
test_agent_configuration = _add_subnets(test_agent_configuration)
|
||||
test_agent_configuration = _add_fingerprinters(test_agent_configuration)
|
||||
test_agent_configuration = _add_tcp_ports(test_agent_configuration)
|
||||
test_agent_configuration = _add_http_ports(test_agent_configuration)
|
||||
|
||||
CREDENTIALS = (
|
||||
Credentials(identity=Username(username="m0nk3y"), secret=None),
|
||||
|
|
|
@ -34,7 +34,6 @@ def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration:
|
|||
subnets = [
|
||||
"10.2.2.9",
|
||||
"10.2.3.45",
|
||||
"10.2.3.46",
|
||||
"10.2.3.47",
|
||||
"10.2.3.48",
|
||||
"10.2.1.10",
|
||||
|
|
|
@ -1,44 +0,0 @@
|
|||
import dataclasses
|
||||
|
||||
from common.agent_configuration import AgentConfiguration, PluginConfiguration
|
||||
|
||||
from .noop import noop_test_configuration
|
||||
from .utils import (
|
||||
add_exploiters,
|
||||
add_subnets,
|
||||
add_tcp_ports,
|
||||
replace_agent_configuration,
|
||||
set_maximum_depth,
|
||||
)
|
||||
|
||||
|
||||
def _add_exploiters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
|
||||
brute_force = [
|
||||
PluginConfiguration(name="PowerShellExploiter", options={}),
|
||||
]
|
||||
|
||||
return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=[])
|
||||
|
||||
|
||||
def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration:
|
||||
subnets = [
|
||||
"10.2.3.46",
|
||||
]
|
||||
return add_subnets(agent_configuration, subnets)
|
||||
|
||||
|
||||
def _add_tcp_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
|
||||
ports = [5985, 5986]
|
||||
return add_tcp_ports(agent_configuration, ports)
|
||||
|
||||
|
||||
test_agent_configuration = set_maximum_depth(noop_test_configuration.agent_configuration, 1)
|
||||
test_agent_configuration = _add_exploiters(test_agent_configuration)
|
||||
test_agent_configuration = _add_subnets(test_agent_configuration)
|
||||
test_agent_configuration = _add_tcp_ports(test_agent_configuration)
|
||||
|
||||
powershell_credentials_reuse_test_configuration = dataclasses.replace(noop_test_configuration)
|
||||
replace_agent_configuration(
|
||||
test_configuration=powershell_credentials_reuse_test_configuration,
|
||||
agent_configuration=test_agent_configuration,
|
||||
)
|
|
@ -759,6 +759,38 @@ This prevents ssh exploitation, but allows tunneling.</td>
|
|||
</tbody>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th><p><span id="_Toc536021479" class="anchor"></span>Nr. <strong>3-44 Powershell</strong></p>
|
||||
<p>(10.2.3.44)</p></th>
|
||||
<th>(Vulnerable)</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td>OS:</td>
|
||||
<td><strong>Windows Server 2016 x64</strong></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td>Software:</td>
|
||||
<td>WinRM service</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td>Default server’s port: 5985, 5986</td>
|
||||
<td>-</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td>Notes:</td>
|
||||
<td>User: m0nk3y, Password: nPj8rbc3<br>
|
||||
Accessible using the same m0nk3y user from powershell-3-46,
|
||||
in other words powershell exploiter can exploit
|
||||
this machine without credentials as long as the user running the agent has
|
||||
the same credentials on both machines</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
|
@ -804,17 +836,17 @@ Accessibale through Island using m0nk3y-user.</td>
|
|||
<tr class="even">
|
||||
<td>Software:</td>
|
||||
<td>WinRM service</td>
|
||||
<td>Tomcat 8.0.36</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td>Default server’s port:</td>
|
||||
<td>Default server’s port:8080</td>
|
||||
<td>-</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td>Notes:</td>
|
||||
<td>User: m0nk3y, Password: nPj8rbc3<br>
|
||||
Accessible using the same m0nk3y user from island, in other words powershell exploiter can exploit
|
||||
this machine without credentials as long as the user running the agent is the same on both
|
||||
machines</td>
|
||||
Exploited from island via log4shell(tomcat). Then uses cached powershell credentials to
|
||||
propagate to powershell-3-44</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
|
Binary file not shown.
After Width: | Height: | Size: 13 KiB |
|
@ -0,0 +1 @@
|
|||
<mxfile host="app.diagrams.net" modified="2022-09-23T15:01:54.105Z" agent="5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" etag="spZrDzUM2aBFwquXRZY8" version="20.3.0" type="device"><diagram id="YCekmHjAy1LVhBsJn630" name="Page-1">7VjbjpswEP2aSO1DEGBIyOPmst1WqZRqpV6eVg444K3B1Di3/fraYC4OyXajJKKqKuWBGXuM58zxGZMemMS7Dwym0WcaINKzzWDXA9OebVuObffkzwz2hWc4cgpHyHCgJtWOR/yClNNU3jUOUKZN5JQSjlPd6dMkQT7XfJAxutWnrSjR35rCELUcjz4kbe83HPCo8HquWfsfEA6j8s2WqUZiWE5WjiyCAd02XGDWAxNGKS+e4t0EEQleiUsRd39itNoYQwl/S4CN5unz0yd7/JBEwfPw69MX8KuvVsn4vkwYBSJ/ZVLGIxrSBJJZ7R0zuk4CJFc1hVXPmVOaCqclnM+I870qJlxzKlwRj4kaFRtm++8qPjd+SMOw3dKe7pqj072yVpiQCSWU5VsFK89Hvi/8GWf0J2qMLD3XcWVEkZ7M6SRqJQR0zXz0ClSKyByyEPHXIHWq4opTgWiMRAoikCECOd7oG4GKnmE1T4XeMQb3jQkpxQnPGisvpENMUCfNBopm6pzZgwM2nDdfPBQ7OBE9PIh2R8ZIz6jAScVpCzdQqV05Wc8gbqkrG0jWCtI5DZ3HSMS+4zT2IX9/lNtzuBQSpfEREhwm4tkXnECCQeMNYhwLDbhTAzEOgoL6KMMvcJmvJ+mlqiIWd8c9d1oRTi6AdlqllUCp4FoWmlQ8fUTbdFKr98WxsSxPq8agsM4j3BGGaIv2HX0Bulpl6DalbVX2Y0ZgErTKqQvRNsIcPaYwP8Rb0Y30Ip8sTEsLTmI9OiC9U5F+W7eGqgFEjbbgmafR1+A7FyvQiX7vMM/l2zBLsxBwz1Vmrd/S2DeMBWJYpC6P2fTKAm05b1RouwuBBgNLYw+wLhFcYLYEt8DndoLrdntVMNzmZcH6m28KbyciuJCJF2lH2ScaQrugW8SyqAj2GQpE7hiSfEvrDP0bDbVg8kmVNw1rqHc+cFk/vX3HLAnXqGRaVbIP+o6o9IAITMZLJp5CnuN66LHEVcIAhjPovNGCwWGnNTvus2UODYRbKFUfeBKkAArwS8Qa6OgClNAEtdVqdu/d23IykUdrQTPMMT16nuYHE5aUi7vvkQPHpd62zyVdc4ITsZ3y41nuVuSRypTiXSi/6Y0NQjA24uxpi5Mg/6C+Ro0d57CjtWvsHCkxGBnerYo87KLFXbHxlFf2m9+ALoMZ/EGtnHPUyulcrSrV2eus7U6s2u3gv1hdtSFZtxQrYdb/ChZXhPq/VTD7DQ==</diagram></mxfile>
|
|
@ -59,6 +59,10 @@ data "google_compute_image" "powershell-3-46" {
|
|||
name = "powershell-3-46"
|
||||
project = local.monkeyzoo_project
|
||||
}
|
||||
data "google_compute_image" "powershell-3-44" {
|
||||
name = "powershell-3-44"
|
||||
project = local.monkeyzoo_project
|
||||
}
|
||||
data "google_compute_image" "powershell-3-45" {
|
||||
name = "powershell-3-45"
|
||||
project = local.monkeyzoo_project
|
||||
|
|
|
@ -311,6 +311,21 @@ resource "google_compute_instance_from_template" "powershell-3-46" {
|
|||
}
|
||||
}
|
||||
|
||||
resource "google_compute_instance_from_template" "powershell-3-44" {
|
||||
name = "${local.resource_prefix}powershell-3-44"
|
||||
source_instance_template = local.default_windows
|
||||
boot_disk{
|
||||
initialize_params {
|
||||
image = data.google_compute_image.powershell-3-44.self_link
|
||||
}
|
||||
auto_delete = true
|
||||
}
|
||||
network_interface {
|
||||
subnetwork="${local.resource_prefix}monkeyzoo-main-1"
|
||||
network_ip="10.2.3.44"
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_instance_from_template" "powershell-3-45" {
|
||||
name = "${local.resource_prefix}powershell-3-45"
|
||||
source_instance_template = local.default_windows
|
||||
|
|
Loading…
Reference in New Issue