Merge pull request #1489 from guardicore/1462/powershell-re-use
PowerShell re-use credentials and second hop
This commit is contained in:
commit
a5587cd4ad
|
@ -7,13 +7,20 @@ from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemp
|
||||||
class PowerShell(ConfigTemplate):
|
class PowerShell(ConfigTemplate):
|
||||||
config_values = copy(BaseTemplate.config_values)
|
config_values = copy(BaseTemplate.config_values)
|
||||||
|
|
||||||
|
# TODO: Remove .\\ from exploit user list when DC name is added,
|
||||||
|
# for more context see https://github.com/guardicore/monkey/issues/1486
|
||||||
config_values.update(
|
config_values.update(
|
||||||
{
|
{
|
||||||
"basic.exploiters.exploiter_classes": ["PowerShellExploiter"],
|
"basic.exploiters.exploiter_classes": ["PowerShellExploiter"],
|
||||||
"basic_network.scope.subnet_scan_list": ["10.2.3.45", "10.2.3.46", "10.2.3.47"],
|
"basic_network.scope.subnet_scan_list": [
|
||||||
|
"10.2.3.45",
|
||||||
|
"10.2.3.46",
|
||||||
|
"10.2.3.47",
|
||||||
|
"10.2.3.48",
|
||||||
|
],
|
||||||
"basic.credentials.exploit_password_list": ["Passw0rd!"],
|
"basic.credentials.exploit_password_list": ["Passw0rd!"],
|
||||||
"basic_network.scope.depth": 2,
|
"basic_network.scope.depth": 2,
|
||||||
"basic.credentials.exploit_user_list": ["m0nk3y", "m0nk3y-user"],
|
"basic.credentials.exploit_user_list": ["m0nk3y", "m0nk3y-user", ".\\m0nk3y"],
|
||||||
"internal.classes.finger_classes": ["PingScanner"],
|
"internal.classes.finger_classes": ["PingScanner"],
|
||||||
"internal.network.tcp_scanner.HTTP_PORTS": [],
|
"internal.network.tcp_scanner.HTTP_PORTS": [],
|
||||||
"internal.network.tcp_scanner.tcp_target_ports": [],
|
"internal.network.tcp_scanner.tcp_target_ports": [],
|
||||||
|
|
|
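Review bot: The TODO placed above `config_values.update(` explains the `".\\m0nk3y"` entry that only appears nine lines further down in `basic.credentials.exploit_user_list`, so the comment and the value it qualifies are likely to drift apart. Moving it directly above that line, e.g. `# TODO: remove ".\\m0nk3y" once the DC name is added, see https://github.com/guardicore/monkey/issues/1486`, keeps them together. It would also help to say why the `.\\` form is needed next to the plain `"m0nk3y"` that is already in the list, presumably the local-account login on the new 10.2.3.48 host. The `config_values.update(` call closes outside the hunk.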
@ -0,0 +1,21 @@
|
||||||
|
from copy import copy
|
||||||
|
|
||||||
|
from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
|
||||||
|
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
|
||||||
|
|
||||||
|
|
||||||
|
class PowerShellCredentialsReuse(ConfigTemplate):
|
||||||
|
config_values = copy(BaseTemplate.config_values)
|
||||||
|
|
||||||
|
config_values.update(
|
||||||
|
{
|
||||||
|
"basic.exploiters.exploiter_classes": ["PowerShellExploiter"],
|
||||||
|
"basic_network.scope.subnet_scan_list": [
|
||||||
|
"10.2.3.46",
|
||||||
|
],
|
||||||
|
"basic_network.scope.depth": 2,
|
||||||
|
"internal.classes.finger_classes": ["PingScanner"],
|
||||||
|
"internal.network.tcp_scanner.HTTP_PORTS": [],
|
||||||
|
"internal.network.tcp_scanner.tcp_target_ports": [],
|
||||||
|
}
|
||||||
|
)
|
|
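Review bot: PowerShellCredentialsReuse sets no `basic.credentials.exploit_user_list` or `basic.credentials.exploit_password_list`, so whatever BaseTemplate.config_values carries for those keys (not visible here) is inherited; if the base template has any entries, the exploit could succeed with explicit credentials and the test would no longer demonstrate reuse of the running user's credentials. If the test relies on no explicit credentials being available, setting both keys to `[]` in the update makes that intent explicit rather than dependent on the base template. A class docstring would also help, e.g. `"""Config for the credentials-reuse blackbox test: scans only 10.2.3.46 and configures no explicit credentials."""`.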
@ -27,6 +27,12 @@ def pytest_addoption(parser):
|
||||||
default=False,
|
default=False,
|
||||||
help="If enabled performance tests will be run.",
|
help="If enabled performance tests will be run.",
|
||||||
)
|
)
|
||||||
|
parser.addoption(
|
||||||
|
"--skip-powershell-reuse",
|
||||||
|
action="store_true",
|
||||||
|
default=False,
|
||||||
|
help="Use to run PowerShell credentials reuse test.",
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
@pytest.fixture(scope="session")
|
@pytest.fixture(scope="session")
|
||||||
|
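Review bot: The help text of the new `--skip-powershell-reuse` option contradicts its name: it is a `store_true` flag named "skip", but the help says "Use to run PowerShell credentials reuse test." Replace it with `help="If enabled the PowerShell credentials reuse test will be skipped.",` so `pytest --help` describes the actual effect. The enclosing `pytest_addoption` starts outside the hunk.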
@ -51,3 +57,11 @@ def pytest_runtest_setup(item):
|
||||||
pytest.skip(
|
pytest.skip(
|
||||||
"Skipping performance test because " "--run-performance-tests flag isn't specified."
|
"Skipping performance test because " "--run-performance-tests flag isn't specified."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
if "skip_powershell_reuse" in item.keywords and item.config.getoption(
|
||||||
|
"--skip-powershell-reuse"
|
||||||
|
):
|
||||||
|
pytest.skip(
|
||||||
|
"Skipping powershell credentials reuse test because "
|
||||||
|
"--skip-powershell-cached flag isn't specified."
|
||||||
|
)
|
||||||
|
|
|
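Review bot: The skip message names a flag that does not exist and states the opposite condition: the branch runs when `--skip-powershell-reuse` is given, yet the message says `--skip-powershell-cached flag isn't specified`. Change the two string fragments to `"Skipping powershell credentials reuse test because "` and `"--skip-powershell-reuse flag is specified."`. The enclosing `pytest_runtest_setup` starts outside the hunk.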
@ -25,5 +25,6 @@ GCP_TEST_MACHINE_LIST = {
|
||||||
"powershell-3-45",
|
"powershell-3-45",
|
||||||
"powershell-3-46",
|
"powershell-3-46",
|
||||||
"powershell-3-47",
|
"powershell-3-47",
|
||||||
|
"powershell-3-48",
|
||||||
],
|
],
|
||||||
}
|
}
|
||||||
|
|
|
@ -14,6 +14,9 @@ from envs.monkey_zoo.blackbox.config_templates.hadoop import Hadoop
|
||||||
from envs.monkey_zoo.blackbox.config_templates.mssql import Mssql
|
from envs.monkey_zoo.blackbox.config_templates.mssql import Mssql
|
||||||
from envs.monkey_zoo.blackbox.config_templates.performance import Performance
|
from envs.monkey_zoo.blackbox.config_templates.performance import Performance
|
||||||
from envs.monkey_zoo.blackbox.config_templates.powershell import PowerShell
|
from envs.monkey_zoo.blackbox.config_templates.powershell import PowerShell
|
||||||
|
from envs.monkey_zoo.blackbox.config_templates.powershell_credentials_reuse import (
|
||||||
|
PowerShellCredentialsReuse,
|
||||||
|
)
|
||||||
from envs.monkey_zoo.blackbox.config_templates.shellshock import ShellShock
|
from envs.monkey_zoo.blackbox.config_templates.shellshock import ShellShock
|
||||||
from envs.monkey_zoo.blackbox.config_templates.smb_mimikatz import SmbMimikatz
|
from envs.monkey_zoo.blackbox.config_templates.smb_mimikatz import SmbMimikatz
|
||||||
from envs.monkey_zoo.blackbox.config_templates.smb_pth import SmbPth
|
from envs.monkey_zoo.blackbox.config_templates.smb_pth import SmbPth
|
||||||
|
@ -166,6 +169,14 @@ class TestMonkeyBlackbox:
|
||||||
island_client, PowerShell, "PowerShell_Remoting_exploiter"
|
island_client, PowerShell, "PowerShell_Remoting_exploiter"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@pytest.mark.skip_powershell_reuse
|
||||||
|
def test_powershell_exploiter_credentials_reuse(self, island_client):
|
||||||
|
TestMonkeyBlackbox.run_exploitation_test(
|
||||||
|
island_client,
|
||||||
|
PowerShellCredentialsReuse,
|
||||||
|
"PowerShell_Remoting_exploiter_credentials_reuse",
|
||||||
|
)
|
||||||
|
|
||||||
def test_smb_and_mimikatz_exploiters(self, island_client):
|
def test_smb_and_mimikatz_exploiters(self, island_client):
|
||||||
TestMonkeyBlackbox.run_exploitation_test(
|
TestMonkeyBlackbox.run_exploitation_test(
|
||||||
island_client, SmbMimikatz, "SMB_exploiter_mimikatz"
|
island_client, SmbMimikatz, "SMB_exploiter_mimikatz"
|
||||||
|
|
|
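Review bot: `@pytest.mark.skip_powershell_reuse` is a custom marker, and nothing in this change registers it; unless it is declared elsewhere (a `markers` entry in the pytest ini file or `config.addinivalue_line("markers", ...)` in `pytest_configure`), pytest reports it as an unknown mark, and with `--strict-markers` the run fails. A short docstring on `test_powershell_exploiter_credentials_reuse` would also make the gate understandable from the test itself, e.g. `"""Runs the PowerShell exploiter with no explicit credentials; skipped when --skip-powershell-reuse is passed."""`. The enclosing TestMonkeyBlackbox class starts outside the hunk.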
@ -34,8 +34,9 @@ This document describes Infection Monkey’s test network, how to deploy and use
|
||||||
[Nr. 3-45 Powershell](#_Toc536021479)<br>
|
[Nr. 3-45 Powershell](#_Toc536021479)<br>
|
||||||
[Nr. 3-46 Powershell](#_Toc536021480)<br>
|
[Nr. 3-46 Powershell](#_Toc536021480)<br>
|
||||||
[Nr. 3-47 Powershell](#_Toc536021481)<br>
|
[Nr. 3-47 Powershell](#_Toc536021481)<br>
|
||||||
[Nr. 250 MonkeyIsland](#_Toc536021482)<br>
|
[Nr. 3-48 Powershell](#_Toc536021482)<br>
|
||||||
[Nr. 251 MonkeyIsland](#_Toc536021483)<br>
|
[Nr. 250 MonkeyIsland](#_Toc536021483)<br>
|
||||||
|
[Nr. 251 MonkeyIsland](#_Toc536021484)<br>
|
||||||
[Network topography](#network-topography)<br>
|
[Network topography](#network-topography)<br>
|
||||||
|
|
||||||
# Warning\!
|
# Warning\!
|
||||||
|
@ -1171,7 +1172,35 @@ fullTest.conf is a good config to start, because it covers all machines.
|
||||||
<table>
|
<table>
|
||||||
<thead>
|
<thead>
|
||||||
<tr class="header">
|
<tr class="header">
|
||||||
<th><p><span id="_Toc536021482" class="anchor"></span>Nr. <strong>250 MonkeyIsland</strong></p>
|
<th><p><span id="_Toc536021482" class="anchor"></span>Nr. <strong>3-48 Powershell</strong></p>
|
||||||
|
<p>(10.2.3.48)</p></th>
|
||||||
|
<th>(Vulnerable)</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody>
|
||||||
|
<tr class="odd">
|
||||||
|
<td>OS:</td>
|
||||||
|
<td><strong>Windows Server 2019 x64</strong></td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td>Software:</td>
|
||||||
|
<td>WinRM service</td>
|
||||||
|
</tr>
|
||||||
|
<tr class="odd">
|
||||||
|
<td>Default server’s port:</td>
|
||||||
|
<td>-</td>
|
||||||
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td>Notes:</td>
|
||||||
|
<td>User: m0nk3y, Password: Passw0rd!</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
<table>
|
||||||
|
<thead>
|
||||||
|
<tr class="header">
|
||||||
|
<th><p><span id="_Toc536021483" class="anchor"></span>Nr. <strong>250 MonkeyIsland</strong></p>
|
||||||
<p>(10.2.2.250)</p></th>
|
<p>(10.2.2.250)</p></th>
|
||||||
<th></th>
|
<th></th>
|
||||||
</tr>
|
</tr>
|
||||||
|
@ -1203,7 +1232,7 @@ fullTest.conf is a good config to start, because it covers all machines.
|
||||||
<table>
|
<table>
|
||||||
<thead>
|
<thead>
|
||||||
<tr class="header">
|
<tr class="header">
|
||||||
<th><p><span id="_Toc536021483" class="anchor"></span>Nr. <strong>251 MonkeyIsland</strong></p>
|
<th><p><span id="_Toc536021484" class="anchor"></span>Nr. <strong>251 MonkeyIsland</strong></p>
|
||||||
<p>(10.2.2.251)</p></th>
|
<p>(10.2.2.251)</p></th>
|
||||||
<th></th>
|
<th></th>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
|
@ -57,6 +57,10 @@ data "google_compute_image" "mssql-16" {
|
||||||
name = "mssql-16"
|
name = "mssql-16"
|
||||||
project = local.monkeyzoo_project
|
project = local.monkeyzoo_project
|
||||||
}
|
}
|
||||||
|
data "google_compute_image" "powershell-3-48" {
|
||||||
|
name = "powershell-3-48"
|
||||||
|
project = local.monkeyzoo_project
|
||||||
|
}
|
||||||
data "google_compute_image" "powershell-3-47" {
|
data "google_compute_image" "powershell-3-47" {
|
||||||
name = "powershell-3-47"
|
name = "powershell-3-47"
|
||||||
project = local.monkeyzoo_project
|
project = local.monkeyzoo_project
|
||||||
|
|
|
@ -313,6 +313,21 @@ resource "google_compute_instance_from_template" "mssql-16" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "google_compute_instance_from_template" "powershell-3-48" {
|
||||||
|
name = "${local.resource_prefix}powershell-3-48"
|
||||||
|
source_instance_template = local.default_windows
|
||||||
|
boot_disk{
|
||||||
|
initialize_params {
|
||||||
|
image = data.google_compute_image.powershell-3-48.self_link
|
||||||
|
}
|
||||||
|
auto_delete = true
|
||||||
|
}
|
||||||
|
network_interface {
|
||||||
|
subnetwork="${local.resource_prefix}monkeyzoo-main-1"
|
||||||
|
network_ip="10.2.3.48"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
resource "google_compute_instance_from_template" "powershell-3-47" {
|
resource "google_compute_instance_from_template" "powershell-3-47" {
|
||||||
name = "${local.resource_prefix}powershell-3-47"
|
name = "${local.resource_prefix}powershell-3-47"
|
||||||
source_instance_template = local.default_windows
|
source_instance_template = local.default_windows
|
||||||
|
|
|
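Review bot: The new `powershell-3-48` resource is not in canonical HCL layout: `boot_disk{` lacks the space before the brace and `subnetwork=` / `network_ip=` have no spaces around `=`, while the context lines of the surrounding resources use aligned `name = ` and `source_instance_template = `. Running `terraform fmt` on the file would yield `boot_disk {`, `subnetwork = "${local.resource_prefix}monkeyzoo-main-1"` and `network_ip = "10.2.3.48"`. Whether the sibling `powershell-3-47` block has the same issue cannot be seen here, since its body continues outside the hunk.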
@ -36,7 +36,9 @@ def get_credentials(
|
||||||
|
|
||||||
|
|
||||||
# On Windows systems, when username == None and password == None, the current user's credentials
|
# On Windows systems, when username == None and password == None, the current user's credentials
|
||||||
# will be used to attempt to log into the victim.
|
# will be used to attempt to log into the victim only on the first hop, from island
|
||||||
|
# to a machine. Propagating after the first hop is not possible at the moment.
|
||||||
|
# See this: https://security.stackexchange.com/questions/120422/powershell-and-cached-credentials
|
||||||
def _get_empty_credentials(is_windows: bool) -> List[Credentials]:
|
def _get_empty_credentials(is_windows: bool) -> List[Credentials]:
|
||||||
if is_windows:
|
if is_windows:
|
||||||
return [Credentials(username=None, secret=None, secret_type=SecretType.CACHED)]
|
return [Credentials(username=None, secret=None, secret_type=SecretType.CACHED)]
|
||||||
|
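Review bot: The reworded comment block describes a property of the PowerShell exploiter as a whole (current-user credentials only work on the first hop, island to machine) but sits as loose comments above `_get_empty_credentials`, which itself only builds a one-element list. Turning it into the function's docstring, and stating there that the `Credentials(username=None, secret=None, secret_type=SecretType.CACHED)` entry is what triggers the current-user login on Windows, would tie the explanation to the code that relies on it. The rest of `_get_empty_credentials` continues outside the hunk.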
@ -44,7 +46,7 @@ def _get_empty_credentials(is_windows: bool) -> List[Credentials]:
|
||||||
return []
|
return []
|
||||||
|
|
||||||
|
|
||||||
# On Windows systems, when password == None, the current user's password will bu used to attempt to
|
# On Windows systems, when password == None, the current user's password will be used to attempt to
|
||||||
# log into the victim.
|
# log into the victim.
|
||||||
def _get_username_only_credentials(usernames: List[str], is_windows: bool) -> List[Credentials]:
|
def _get_username_only_credentials(usernames: List[str], is_windows: bool) -> List[Credentials]:
|
||||||
credentials = [
|
credentials = [
|
||||||
|
|