Merge pull request #2359 from guardicore/2318-powershell-bb-fix

2318 powershell bb fix
This commit is contained in:
Mike Salvatore 2022-09-27 19:37:46 -04:00 committed by GitHub
commit 699f2210f4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 86 additions and 88 deletions

View File

@ -18,12 +18,6 @@ def pytest_addoption(parser):
default=False, default=False,
help="Use for no interaction with the cloud.", help="Use for no interaction with the cloud.",
) )
parser.addoption(
"--skip-powershell-reuse",
action="store_true",
default=False,
help="Use to run PowerShell credentials reuse test.",
)
@pytest.fixture(scope="session") @pytest.fixture(scope="session")
@ -48,13 +42,3 @@ def gcp_machines_to_start(request: pytest.FixtureRequest) -> Mapping[str, Collec
machines_to_start.setdefault(zone, set()).update(machines) machines_to_start.setdefault(zone, set()).update(machines)
return machines_to_start return machines_to_start
def pytest_runtest_setup(item):
if "skip_powershell_reuse" in item.keywords and item.config.getoption(
"--skip-powershell-reuse"
):
pytest.skip(
"Skipping powershell credentials reuse test because "
"--skip-powershell-cached flag isn't specified."
)

View File

@ -15,6 +15,7 @@ GCP_TEST_MACHINE_LIST = {
"zerologon-25", "zerologon-25",
], ],
"europe-west1-b": [ "europe-west1-b": [
"powershell-3-44",
"powershell-3-45", "powershell-3-45",
"powershell-3-46", "powershell-3-46",
"powershell-3-47", "powershell-3-47",
@ -35,7 +36,11 @@ DEPTH_2_A = {
"europe-west3-a": [ "europe-west3-a": [
"sshkeys-11", "sshkeys-11",
"sshkeys-12", "sshkeys-12",
] ],
"europe-west1-b": [
"powershell-3-46",
"powershell-3-44",
],
} }
@ -60,7 +65,6 @@ DEPTH_3_A = {
], ],
"europe-west1-b": [ "europe-west1-b": [
"powershell-3-45", "powershell-3-45",
"powershell-3-46",
"powershell-3-47", "powershell-3-47",
"powershell-3-48", "powershell-3-48",
], ],
@ -75,13 +79,6 @@ DEPTH_4_A = {
], ],
} }
POWERSHELL_EXPLOITER_REUSE = {
"europe-west1-b": [
"powershell-3-46",
]
}
ZEROLOGON = { ZEROLOGON = {
"europe-west3-a": [ "europe-west3-a": [
"zerologon-25", "zerologon-25",
@ -110,7 +107,6 @@ GCP_SINGLE_TEST_LIST = {
"test_depth_1_a": DEPTH_1_A, "test_depth_1_a": DEPTH_1_A,
"test_depth_3_a": DEPTH_3_A, "test_depth_3_a": DEPTH_3_A,
"test_depth_4_a": DEPTH_4_A, "test_depth_4_a": DEPTH_4_A,
"test_powershell_exploiter_credentials_reuse": POWERSHELL_EXPLOITER_REUSE,
"test_zerologon_exploiter": ZEROLOGON, "test_zerologon_exploiter": ZEROLOGON,
"test_credentials_reuse_ssh_key": CREDENTIALS_REUSE_SSH_KEY, "test_credentials_reuse_ssh_key": CREDENTIALS_REUSE_SSH_KEY,
"test_wmi_and_mimikatz_exploiters": WMI_AND_MIMIKATZ, "test_wmi_and_mimikatz_exploiters": WMI_AND_MIMIKATZ,

View File

@ -15,7 +15,6 @@ from envs.monkey_zoo.blackbox.test_configurations import (
depth_2_a_test_configuration, depth_2_a_test_configuration,
depth_3_a_test_configuration, depth_3_a_test_configuration,
depth_4_a_test_configuration, depth_4_a_test_configuration,
powershell_credentials_reuse_test_configuration,
smb_pth_test_configuration, smb_pth_test_configuration,
wmi_mimikatz_test_configuration, wmi_mimikatz_test_configuration,
zerologon_test_configuration, zerologon_test_configuration,
@ -130,15 +129,6 @@ class TestMonkeyBlackbox:
island_client, depth_4_a_test_configuration, "Depth4A test suite" island_client, depth_4_a_test_configuration, "Depth4A test suite"
) )
# Not grouped because can only be ran on windows
@pytest.mark.skip_powershell_reuse
def test_powershell_exploiter_credentials_reuse(self, island_client):
TestMonkeyBlackbox.run_exploitation_test(
island_client,
powershell_credentials_reuse_test_configuration,
"PowerShell_Remoting_exploiter_credentials_reuse",
)
# Not grouped because it's slow # Not grouped because it's slow
def test_zerologon_exploiter(self, island_client): def test_zerologon_exploiter(self, island_client):
test_name = "Zerologon_exploiter" test_name = "Zerologon_exploiter"

View File

@ -3,7 +3,6 @@ from .depth_1_a import depth_1_a_test_configuration
from .depth_2_a import depth_2_a_test_configuration from .depth_2_a import depth_2_a_test_configuration
from .depth_3_a import depth_3_a_test_configuration from .depth_3_a import depth_3_a_test_configuration
from .depth_4_a import depth_4_a_test_configuration from .depth_4_a import depth_4_a_test_configuration
from .powershell_credentials_reuse import powershell_credentials_reuse_test_configuration
from .smb_pth import smb_pth_test_configuration from .smb_pth import smb_pth_test_configuration
from .wmi_mimikatz import wmi_mimikatz_test_configuration from .wmi_mimikatz import wmi_mimikatz_test_configuration
from .zerologon import zerologon_test_configuration from .zerologon import zerologon_test_configuration

View File

@ -6,6 +6,8 @@ from common.credentials import Credentials, Password, Username
from .noop import noop_test_configuration from .noop import noop_test_configuration
from .utils import ( from .utils import (
add_exploiters, add_exploiters,
add_fingerprinters,
add_http_ports,
add_subnets, add_subnets,
add_tcp_ports, add_tcp_ports,
replace_agent_configuration, replace_agent_configuration,
@ -16,30 +18,50 @@ from .utils import (
# Tests: # Tests:
# SSH password and key brute-force, key stealing (10.2.2.11, 10.2.2.12) # SSH password and key brute-force, key stealing (10.2.2.11, 10.2.2.12)
# Powershell credential reuse (logging in without credentials
# to an identical user on another machine)(10.2.3.44, 10.2.3.46)
def _add_exploiters(agent_configuration: AgentConfiguration) -> AgentConfiguration: def _add_exploiters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
brute_force = [ brute_force = [
PluginConfiguration(name="SSHExploiter", options={}), PluginConfiguration(name="SSHExploiter", options={}),
PluginConfiguration(name="PowerShellExploiter", options={}),
] ]
return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=[]) vulnerability = [
PluginConfiguration(name="Log4ShellExploiter", options={}),
]
return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=vulnerability)
def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration: def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration:
subnets = [ subnets = [
"10.2.2.11", "10.2.2.11",
"10.2.2.12", "10.2.2.12",
"10.2.3.44",
"10.2.3.46",
] ]
return add_subnets(agent_configuration, subnets) return add_subnets(agent_configuration, subnets)
def _add_fingerprinters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
fingerprinters = [PluginConfiguration(name="http", options={})]
return add_fingerprinters(agent_configuration, fingerprinters)
def _add_tcp_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration: def _add_tcp_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
ports = [22] ports = [22, 5985, 5986, 8080]
return add_tcp_ports(agent_configuration, ports) return add_tcp_ports(agent_configuration, ports)
def _add_http_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
return add_http_ports(agent_configuration, [8080])
test_agent_configuration = set_maximum_depth(noop_test_configuration.agent_configuration, 2) test_agent_configuration = set_maximum_depth(noop_test_configuration.agent_configuration, 2)
test_agent_configuration = _add_exploiters(test_agent_configuration) test_agent_configuration = _add_exploiters(test_agent_configuration)
test_agent_configuration = _add_subnets(test_agent_configuration) test_agent_configuration = _add_subnets(test_agent_configuration)
test_agent_configuration = _add_fingerprinters(test_agent_configuration)
test_agent_configuration = _add_tcp_ports(test_agent_configuration) test_agent_configuration = _add_tcp_ports(test_agent_configuration)
test_agent_configuration = _add_http_ports(test_agent_configuration)
CREDENTIALS = ( CREDENTIALS = (
Credentials(identity=Username(username="m0nk3y"), secret=None), Credentials(identity=Username(username="m0nk3y"), secret=None),

View File

@ -34,7 +34,6 @@ def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration:
subnets = [ subnets = [
"10.2.2.9", "10.2.2.9",
"10.2.3.45", "10.2.3.45",
"10.2.3.46",
"10.2.3.47", "10.2.3.47",
"10.2.3.48", "10.2.3.48",
"10.2.1.10", "10.2.1.10",

View File

@ -1,44 +0,0 @@
import dataclasses
from common.agent_configuration import AgentConfiguration, PluginConfiguration
from .noop import noop_test_configuration
from .utils import (
add_exploiters,
add_subnets,
add_tcp_ports,
replace_agent_configuration,
set_maximum_depth,
)
def _add_exploiters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
brute_force = [
PluginConfiguration(name="PowerShellExploiter", options={}),
]
return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=[])
def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration:
subnets = [
"10.2.3.46",
]
return add_subnets(agent_configuration, subnets)
def _add_tcp_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
ports = [5985, 5986]
return add_tcp_ports(agent_configuration, ports)
test_agent_configuration = set_maximum_depth(noop_test_configuration.agent_configuration, 1)
test_agent_configuration = _add_exploiters(test_agent_configuration)
test_agent_configuration = _add_subnets(test_agent_configuration)
test_agent_configuration = _add_tcp_ports(test_agent_configuration)
powershell_credentials_reuse_test_configuration = dataclasses.replace(noop_test_configuration)
replace_agent_configuration(
test_configuration=powershell_credentials_reuse_test_configuration,
agent_configuration=test_agent_configuration,
)

View File

@ -759,6 +759,38 @@ This prevents ssh exploitation, but allows tunneling.</td>
</tbody> </tbody>
</table> </table>
<table>
<thead>
<tr class="header">
<th><p><span id="_Toc536021479" class="anchor"></span>Nr. <strong>3-44 Powershell</strong></p>
<p>(10.2.3.44)</p></th>
<th>(Vulnerable)</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>OS:</td>
<td><strong>Windows Server 2016 x64</strong></td>
</tr>
<tr class="even">
<td>Software:</td>
<td>WinRM service</td>
</tr>
<tr class="odd">
<td>Default servers port: 5985, 5986</td>
<td>-</td>
</tr>
<tr class="even">
<td>Notes:</td>
<td>User: m0nk3y, Password: nPj8rbc3<br>
Accessible using the same m0nk3y user from powershell-3-46,
in other words powershell exploiter can exploit
this machine without credentials as long as the user running the agent has
the same credentials on both machines</td>
</tr>
</tbody>
</table>
<table> <table>
<thead> <thead>
<tr class="header"> <tr class="header">
@ -804,17 +836,17 @@ Accessibale through Island using m0nk3y-user.</td>
<tr class="even"> <tr class="even">
<td>Software:</td> <td>Software:</td>
<td>WinRM service</td> <td>WinRM service</td>
<td>Tomcat 8.0.36</td>
</tr> </tr>
<tr class="odd"> <tr class="odd">
<td>Default servers port:</td> <td>Default servers port:8080</td>
<td>-</td> <td>-</td>
</tr> </tr>
<tr class="even"> <tr class="even">
<td>Notes:</td> <td>Notes:</td>
<td>User: m0nk3y, Password: nPj8rbc3<br> <td>User: m0nk3y, Password: nPj8rbc3<br>
Accessible using the same m0nk3y user from island, in other words powershell exploiter can exploit Exploited from island via log4shell(tomcat). Then uses cached powershell credentials to
this machine without credentials as long as the user running the agent is the same on both propagate to powershell-3-44</td>
machines</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>

Binary file not shown.

After

Width:  |  Height:  |  Size: 13 KiB

View File

@ -0,0 +1 @@
<mxfile host="app.diagrams.net" modified="2022-09-23T15:01:54.105Z" agent="5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" etag="spZrDzUM2aBFwquXRZY8" version="20.3.0" type="device"><diagram id="YCekmHjAy1LVhBsJn630" name="Page-1">7VjbjpswEP2aSO1DEGBIyOPmst1WqZRqpV6eVg444K3B1Di3/fraYC4OyXajJKKqKuWBGXuM58zxGZMemMS7Dwym0WcaINKzzWDXA9OebVuObffkzwz2hWc4cgpHyHCgJtWOR/yClNNU3jUOUKZN5JQSjlPd6dMkQT7XfJAxutWnrSjR35rCELUcjz4kbe83HPCo8HquWfsfEA6j8s2WqUZiWE5WjiyCAd02XGDWAxNGKS+e4t0EEQleiUsRd39itNoYQwl/S4CN5unz0yd7/JBEwfPw69MX8KuvVsn4vkwYBSJ/ZVLGIxrSBJJZ7R0zuk4CJFc1hVXPmVOaCqclnM+I870qJlxzKlwRj4kaFRtm++8qPjd+SMOw3dKe7pqj072yVpiQCSWU5VsFK89Hvi/8GWf0J2qMLD3XcWVEkZ7M6SRqJQR0zXz0ClSKyByyEPHXIHWq4opTgWiMRAoikCECOd7oG4GKnmE1T4XeMQb3jQkpxQnPGisvpENMUCfNBopm6pzZgwM2nDdfPBQ7OBE9PIh2R8ZIz6jAScVpCzdQqV05Wc8gbqkrG0jWCtI5DZ3HSMS+4zT2IX9/lNtzuBQSpfEREhwm4tkXnECCQeMNYhwLDbhTAzEOgoL6KMMvcJmvJ+mlqiIWd8c9d1oRTi6AdlqllUCp4FoWmlQ8fUTbdFKr98WxsSxPq8agsM4j3BGGaIv2HX0Bulpl6DalbVX2Y0ZgErTKqQvRNsIcPaYwP8Rb0Y30Ip8sTEsLTmI9OiC9U5F+W7eGqgFEjbbgmafR1+A7FyvQiX7vMM/l2zBLsxBwz1Vmrd/S2DeMBWJYpC6P2fTKAm05b1RouwuBBgNLYw+wLhFcYLYEt8DndoLrdntVMNzmZcH6m28KbyciuJCJF2lH2ScaQrugW8SyqAj2GQpE7hiSfEvrDP0bDbVg8kmVNw1rqHc+cFk/vX3HLAnXqGRaVbIP+o6o9IAITMZLJp5CnuN66LHEVcIAhjPovNGCwWGnNTvus2UODYRbKFUfeBKkAArwS8Qa6OgClNAEtdVqdu/d23IykUdrQTPMMT16nuYHE5aUi7vvkQPHpd62zyVdc4ITsZ3y41nuVuSRypTiXSi/6Y0NQjA24uxpi5Mg/6C+Ro0d57CjtWvsHCkxGBnerYo87KLFXbHxlFf2m9+ALoMZ/EGtnHPUyulcrSrV2eus7U6s2u3gv1hdtSFZtxQrYdb/ChZXhPq/VTD7DQ==</diagram></mxfile>

View File

@ -59,6 +59,10 @@ data "google_compute_image" "powershell-3-46" {
name = "powershell-3-46" name = "powershell-3-46"
project = local.monkeyzoo_project project = local.monkeyzoo_project
} }
data "google_compute_image" "powershell-3-44" {
name = "powershell-3-44"
project = local.monkeyzoo_project
}
data "google_compute_image" "powershell-3-45" { data "google_compute_image" "powershell-3-45" {
name = "powershell-3-45" name = "powershell-3-45"
project = local.monkeyzoo_project project = local.monkeyzoo_project

View File

@ -311,6 +311,21 @@ resource "google_compute_instance_from_template" "powershell-3-46" {
} }
} }
resource "google_compute_instance_from_template" "powershell-3-44" {
name = "${local.resource_prefix}powershell-3-44"
source_instance_template = local.default_windows
boot_disk{
initialize_params {
image = data.google_compute_image.powershell-3-44.self_link
}
auto_delete = true
}
network_interface {
subnetwork="${local.resource_prefix}monkeyzoo-main-1"
network_ip="10.2.3.44"
}
}
resource "google_compute_instance_from_template" "powershell-3-45" { resource "google_compute_instance_from_template" "powershell-3-45" {
name = "${local.resource_prefix}powershell-3-45" name = "${local.resource_prefix}powershell-3-45"
source_instance_template = local.default_windows source_instance_template = local.default_windows