diff --git a/envs/monkey_zoo/blackbox/gcp_test_machine_list.py b/envs/monkey_zoo/blackbox/gcp_test_machine_list.py
index ac25a4f4b..c7b2886c2 100644
--- a/envs/monkey_zoo/blackbox/gcp_test_machine_list.py
+++ b/envs/monkey_zoo/blackbox/gcp_test_machine_list.py
@@ -19,6 +19,9 @@ GCP_TEST_MACHINE_LIST = {
 "powershell-3-46",
 "powershell-3-47",
 "powershell-3-48",
+ "credentials-reuse-14",
+ "credentials-reuse-15",
+ "credentials-reuse-16",
 "log4j-logstash-55",
 "log4j-logstash-56",
 "log4j-solr-49",
@@ -85,6 +88,14 @@ ZEROLOGON = {
 ],
 }

+CREDENTIALS_REUSE_SSH_KEY = {
+ "europe-west1-b": [
+ "credentials-reuse-14",
+ "credentials-reuse-15",
+ "credentials-reuse-16",
+ ],
+}
+
 WMI_AND_MIMIKATZ = {
 "europe-west3-a": [
 "mimikatz-14",
@@ -101,6 +112,7 @@ GCP_SINGLE_TEST_LIST = {
 "test_depth_4_a": DEPTH_4_A,
 "test_powershell_exploiter_credentials_reuse": POWERSHELL_EXPLOITER_REUSE,
 "test_zerologon_exploiter": ZEROLOGON,
+ "test_credentials_reuse_ssh_key": CREDENTIALS_REUSE_SSH_KEY,
 "test_wmi_and_mimikatz_exploiters": WMI_AND_MIMIKATZ,
 "test_smb_pth": SMB_PTH,
 }
diff --git a/envs/monkey_zoo/blackbox/test_blackbox.py b/envs/monkey_zoo/blackbox/test_blackbox.py
index 4e937cf24..f140733ec 100644
--- a/envs/monkey_zoo/blackbox/test_blackbox.py
+++ b/envs/monkey_zoo/blackbox/test_blackbox.py
@@ -10,6 +10,7 @@ from envs.monkey_zoo.blackbox.island_client.monkey_island_client import MonkeyIs
 from envs.monkey_zoo.blackbox.island_client.test_configuration_parser import get_target_ips
 from envs.monkey_zoo.blackbox.log_handlers.test_logs_handler import TestLogsHandler
 from envs.monkey_zoo.blackbox.test_configurations import (
+ credentials_reuse_ssh_key_test_configuration,
 depth_1_a_test_configuration,
 depth_2_a_test_configuration,
 depth_3_a_test_configuration,
@@ -163,6 +164,11 @@ class TestMonkeyBlackbox:
 log_handler=log_handler,
 ).run()

+ def test_credentials_reuse_ssh_key(self, island_client):
+ TestMonkeyBlackbox.run_exploitation_test(
+ island_client, credentials_reuse_ssh_key_test_configuration, "Credentials_Reuse_SSH_Key"
+ )
+
 # Not grouped because conflicts with SMB.
 # Consider grouping when more depth 1 exploiters collide with group depth_1_a
 def test_wmi_and_mimikatz_exploiters(self, island_client):
diff --git a/envs/monkey_zoo/blackbox/test_configurations/__init__.py b/envs/monkey_zoo/blackbox/test_configurations/__init__.py
index 3cf03ef63..ba0beec74 100644
--- a/envs/monkey_zoo/blackbox/test_configurations/__init__.py
+++ b/envs/monkey_zoo/blackbox/test_configurations/__init__.py
@@ -7,3 +7,4 @@ from .powershell_credentials_reuse import powershell_credentials_reuse_test_conf
 from .smb_pth import smb_pth_test_configuration
 from .wmi_mimikatz import wmi_mimikatz_test_configuration
 from .zerologon import zerologon_test_configuration
+from .credentials_reuse_ssh_key import credentials_reuse_ssh_key_test_configuration
diff --git a/envs/monkey_zoo/blackbox/test_configurations/credentials_reuse_ssh_key.py b/envs/monkey_zoo/blackbox/test_configurations/credentials_reuse_ssh_key.py
new file mode 100644
index 000000000..e383e0124
--- /dev/null
+++ b/envs/monkey_zoo/blackbox/test_configurations/credentials_reuse_ssh_key.py
@@ -0,0 +1,71 @@
+import dataclasses
+
+from common.agent_configuration import AgentConfiguration, PluginConfiguration
+from common.credentials import Credentials, Password, Username
+
+from .noop import noop_test_configuration
+from .utils import (
+ add_credential_collectors,
+ add_exploiters,
+ add_subnets,
+ add_tcp_ports,
+ replace_agent_configuration,
+ replace_propagation_credentials,
+ set_keep_tunnel_open_time,
+ set_maximum_depth,
+)
+
+
+# Tests:
+# SSHCollector steals key from machine A(10.2.3.14),
+# then B(10.2.4.15) exploits C(10.2.5.16) with that key
+def _add_exploiters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
+ brute_force = [
+ PluginConfiguration(name="SSHExploiter", options={}),
+ ]
+
+ return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=[])
+
+
+def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration:
+ subnets = ["10.2.3.14", "10.2.4.15", "10.2.5.16"]
+ return add_subnets(agent_configuration, subnets)
+
+
+def _add_credential_collectors(agent_configuration: AgentConfiguration) -> AgentConfiguration:
+ credential_collectors = [
+ PluginConfiguration(name="SSHCollector", options={}),
+ ]
+
+ return add_credential_collectors(
+ agent_configuration, credential_collectors=credential_collectors
+ )
+
+
+def _add_tcp_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
+ ports = [22]
+ return add_tcp_ports(agent_configuration, ports)
+
+
+test_agent_configuration = set_maximum_depth(noop_test_configuration.agent_configuration, 3)
+test_agent_configuration = set_keep_tunnel_open_time(test_agent_configuration, 20)
+test_agent_configuration = _add_exploiters(test_agent_configuration)
+test_agent_configuration = _add_subnets(test_agent_configuration)
+test_agent_configuration = _add_credential_collectors(test_agent_configuration)
+test_agent_configuration = _add_tcp_ports(test_agent_configuration)
+
+CREDENTIALS = (
+ Credentials(identity=Username(username="m0nk3y"), secret=None),
+ Credentials(identity=None, secret=Password(password="u26gbVQe")),
+ Credentials(identity=None, secret=Password(password="5BuYHeVl")),
+)
+
+credentials_reuse_ssh_key_test_configuration = dataclasses.replace(noop_test_configuration)
+replace_agent_configuration(
+ test_configuration=credentials_reuse_ssh_key_test_configuration,
+ agent_configuration=test_agent_configuration,
+)
+replace_propagation_credentials(
+ test_configuration=credentials_reuse_ssh_key_test_configuration,
+ propagation_credentials=CREDENTIALS,
+)
diff --git a/envs/monkey_zoo/docs/fullDocs.md b/envs/monkey_zoo/docs/fullDocs.md
index 73efb2801..5b08146a9 100644
--- a/envs/monkey_zoo/docs/fullDocs.md
+++ b/envs/monkey_zoo/docs/fullDocs.md
@@ -28,6 +28,9 @@ This document describes Infection Monkey’s test network, how to deploy and use
 [Nr. 3-46 Powershell](#_Toc536021480)
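Review bot: The scenario in credentials_reuse_ssh_key.py only proves SSH-key reuse if machine C cannot be reached with a password, and nothing in the file records that: `CREDENTIALS` carries the passwords the docs hunk lists for machines 14 and 15 and omits the one for 16, so a later edit that adds it would let `SSHExploiter` log in by password and the test would still pass. I would state the constraint next to the tuple, e.g. `# Passwords for A and B only; C's password must stay out so C is reachable solely with the key SSHCollector took from A.` The `# Tests:` comment sits directly above `_add_exploiters` and reads as that function's comment, so moving it into a module docstring would make clear it describes the whole configuration. The docs hunk also says the key was stolen from Credentials Reuse 16, while this comment says machine A (10.2.3.14); one of the two should be corrected.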
[Nr. 3-47 Powershell](#_Toc536021481)
[Nr. 3-48 Powershell](#_Toc536021482)
+[Nr. 14 Credentials Reuse](#_Toc536121480)
+[Nr. 15 Credentials Reuse](#_Toc536121481)
+[Nr. 16 Credentials Reuse](#_Toc536121482)
[Nr. 3-49 Log4j Solr](#_Toc536021483)
[Nr. 3-50 Log4j Solr](#_Toc536021484)
[Nr. 3-51 Log4j Tomcat](#_Toc536021485)
@@ -874,6 +877,120 @@ Accessiable only through 3-45 Powershell using credentials reus + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Nr. 14 Credentials Reuse

+

(10.2.3.14, 10.2.4.14)

(Exploitable)
OS:Ubuntu 16.04.05 x64
Software:OpenSSL
Default service’s port:22
Credentials:m0nk3y:u26gbVQe
Server’s config:VPC network that can only access Credentials Reuse 15 and Island.
Notes:Accessible from the Island with password authentication
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Nr. 15 Credentials Reuse

+

(10.2.4.15, 10.2.5.15)

(Exploitable)
OS:Ubuntu 16.04.05 x64
Software:OpenSSL
Default service’s port:22
Credentials:m0nk3y:5BuYHeVl
Server’s config:VPC network that can be only accessed by Credentials Reuse 14 and communicate to
+Credentials Reuse 16. +
Notes:Accessible from the Credentials Reuse 14 with password authentication
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Nr. 16 Credentials Reuse

+

(10.2.3.16, 10.2.5.16)

(Exploitable)
OS:Ubuntu 16.04.05 x64
Software:OpenSSL
Default service’s port:22
Credentials:m0nk3y:lIZl6vTR
Server’s config:VPC network that can be only accessed by Credentials Reuse 15 and communicate to
+the Island. +
Notes:Accessible from the Credentials Reuse 15 with passwordless ssh key authentication.
+We use the ssh key that was stolen from Credentials Reuse 16
+ +
diff --git a/envs/monkey_zoo/terraform/images.tf b/envs/monkey_zoo/terraform/images.tf
index a33953252..767935f61 100644
--- a/envs/monkey_zoo/terraform/images.tf
+++ b/envs/monkey_zoo/terraform/images.tf
@@ -63,6 +63,18 @@ data "google_compute_image" "powershell-3-45" {
 name = "powershell-3-45"
 project = local.monkeyzoo_project
 }
+data "google_compute_image" "credentials-reuse-14" {
+ name = "credentials-reuse-14"
+ project = local.monkeyzoo_project
+}
+data "google_compute_image" "credentials-reuse-15" {
+ name = "credentials-reuse-15"
+ project = local.monkeyzoo_project
+}
+data "google_compute_image" "credentials-reuse-16" {
+ name = "credentials-reuse-16"
+ project = local.monkeyzoo_project
+}
 data "google_compute_image" "log4j-solr-49" {
 name = "log4j-solr-49"
 project = local.monkeyzoo_project
diff --git a/envs/monkey_zoo/terraform/monkey_zoo.tf b/envs/monkey_zoo/terraform/monkey_zoo.tf
index a15e6b9f4..553a85076 100644
--- a/envs/monkey_zoo/terraform/monkey_zoo.tf
+++ b/envs/monkey_zoo/terraform/monkey_zoo.tf
@@ -44,6 +44,18 @@ resource "google_compute_subnetwork" "tunneling2-main" {
 network = google_compute_network.tunneling2.self_link
 }

+resource "google_compute_subnetwork" "credential-reuse" {
+ name = "${local.resource_prefix}credential-reuse"
+ ip_cidr_range = "10.2.4.0/24"
+ network = google_compute_network.credential-reuse.self_link
+}
+
+resource "google_compute_subnetwork" "credential-reuse2" {
+ name = "${local.resource_prefix}credential-reuse2"
+ ip_cidr_range = "10.2.5.0/24"
+ network = google_compute_network.credential-reuse2.self_link
+}
+
 resource "google_compute_instance_from_template" "hadoop-2" {
 name = "${local.resource_prefix}hadoop-2"
 source_instance_template = local.default_ubuntu
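Review bot: Both new subnetworks in monkey_zoo.tf point at `google_compute_network.credential-reuse` and `google_compute_network.credential-reuse2`, and neither network resource is added in the visible hunks; unless they are already declared elsewhere, `terraform plan` will fail on an undeclared resource. The same gap applies to firewall rules: the docs hunk describes these segments as reachable only from specific neighbours, but no `google_compute_firewall` change accompanies the subnets, so the isolation the key-reuse test depends on is presumably left to rules defined outside this diff. Please confirm both, or add the network and firewall resources in this commit.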
@@ -309,23 +321,65 @@ resource "google_compute_instance_from_template" "powershell-3-45" {
 auto_delete = true
 }
 network_interface {
- subnetwork="${local.resource_prefix}monkeyzoo-main"
+ subnetwork="${local.resource_prefix}monkeyzoo-main-1"
 network_ip="10.2.3.45"
 }
 }

-resource "google_compute_instance_from_template" "powershell-3-45" {
- name = "${local.resource_prefix}powershell-3-45"
- source_instance_template = local.default_windows
+resource "google_compute_instance_from_template" "credentials-reuse-14" {
+ name = "${local.resource_prefix}credentials-reuse-14"
+ source_instance_template = local.default_linux
 boot_disk{
 initialize_params {
- image = data.google_compute_image.powershell-3-45.self_link
+ image = data.google_compute_image.credentials-reuse-14.self_link
 }
 auto_delete = true
 }
 network_interface {
- subnetwork="${local.resource_prefix}monkeyzoo-main"
- network_ip="10.2.3.45"
+ subnetwork="${local.resource_prefix}monkeyzoo-main-1"
+ network_ip="10.2.3.14"
+ }
+ network_interface {
+ subnetwork="${local.resource_prefix}credential-reuse"
+ network_ip="10.2.4.14"
+ }
+}
+
+resource "google_compute_instance_from_template" "credentials-reuse-15" {
+ name = "${local.resource_prefix}credentials-reuse-15"
+ source_instance_template = local.default_linux
+ boot_disk{
+ initialize_params {
+ image = data.google_compute_image.credentials-reuse-15.self_link
+ }
+ auto_delete = true
+ }
+ network_interface {
+ subnetwork="${local.resource_prefix}credential-reuse"
+ network_ip="10.2.4.15"
+ }
+ network_interface {
+ subnetwork="${local.resource_prefix}credential-reuse2"
+ network_ip="10.2.5.15"
+ }
+}
+
+resource "google_compute_instance_from_template" "credentials-reuse-16" {
+ name = "${local.resource_prefix}credentials-reuse-16"
+ source_instance_template = local.default_linux
+ boot_disk{
+ initialize_params {
+ image = data.google_compute_image.credentials-reuse-16.self_link
+ }
+ auto_delete = true
+ }
+ network_interface {
+ subnetwork="${local.resource_prefix}credential-reuse2"
+ network_ip="10.2.5.16"
+ }
+ network_interface {
+ subnetwork="${local.resource_prefix}monkeyzoo-main-1"
+ network_ip="10.2.3.16"
 }
 }
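Review bot: `credentials-reuse-16` gets a second interface on `monkeyzoo-main-1` at 10.2.3.16, the same subnet as `credentials-reuse-14` (10.2.3.14), while the docs hunk says this machine can be accessed only by Credentials Reuse 15. If inbound SSH to 10.2.3.16 is not blocked by a firewall rule outside this diff, machine 16 is reachable without passing through 15, and the scenario holds only because the test's scan list names 10.2.5.16. The new interfaces also name their subnetworks by string (`subnetwork="${local.resource_prefix}credential-reuse"`), so Terraform sees no dependency on the subnetworks created in the same file; `subnetwork = google_compute_subnetwork.credential-reuse.self_link` would order creation correctly. The `powershell-3-45` move from `monkeyzoo-main` to `monkeyzoo-main-1` looks unrelated to this feature and deserves a line in the commit message.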