BB: Change powershell credential reuse test to a dedicated machine

Island shouldn't be part of the test, so powershell credential reuse was moved to powershell 46(exploited via log4shell) and powershell 44(exploited via credential reuse from powershell 46)
This commit is contained in:
vakarisz 2022-09-26 12:19:32 +03:00
parent 036a382e95
commit 031a0ab426
8 changed files with 86 additions and 70 deletions

View File

@ -15,6 +15,7 @@ GCP_TEST_MACHINE_LIST = {
"zerologon-25", "zerologon-25",
], ],
"europe-west1-b": [ "europe-west1-b": [
"powershell-3-44",
"powershell-3-45", "powershell-3-45",
"powershell-3-46", "powershell-3-46",
"powershell-3-47", "powershell-3-47",
@ -35,7 +36,12 @@ DEPTH_2_A = {
"europe-west3-a": [ "europe-west3-a": [
"sshkeys-11", "sshkeys-11",
"sshkeys-12", "sshkeys-12",
] ],
"europe-west1-b": [
"powershell-3-46",
"powershell-3-44",
],
} }
@ -75,13 +81,6 @@ DEPTH_4_A = {
], ],
} }
POWERSHELL_EXPLOITER_REUSE = {
"europe-west1-b": [
"powershell-3-46",
]
}
ZEROLOGON = { ZEROLOGON = {
"europe-west3-a": [ "europe-west3-a": [
"zerologon-25", "zerologon-25",
@ -110,7 +109,6 @@ GCP_SINGLE_TEST_LIST = {
"test_depth_1_a": DEPTH_1_A, "test_depth_1_a": DEPTH_1_A,
"test_depth_3_a": DEPTH_3_A, "test_depth_3_a": DEPTH_3_A,
"test_depth_4_a": DEPTH_4_A, "test_depth_4_a": DEPTH_4_A,
"test_powershell_exploiter_credentials_reuse": POWERSHELL_EXPLOITER_REUSE,
"test_zerologon_exploiter": ZEROLOGON, "test_zerologon_exploiter": ZEROLOGON,
"test_credentials_reuse_ssh_key": CREDENTIALS_REUSE_SSH_KEY, "test_credentials_reuse_ssh_key": CREDENTIALS_REUSE_SSH_KEY,
"test_wmi_and_mimikatz_exploiters": WMI_AND_MIMIKATZ, "test_wmi_and_mimikatz_exploiters": WMI_AND_MIMIKATZ,

View File

@ -15,7 +15,6 @@ from envs.monkey_zoo.blackbox.test_configurations import (
depth_2_a_test_configuration, depth_2_a_test_configuration,
depth_3_a_test_configuration, depth_3_a_test_configuration,
depth_4_a_test_configuration, depth_4_a_test_configuration,
powershell_credentials_reuse_test_configuration,
smb_pth_test_configuration, smb_pth_test_configuration,
wmi_mimikatz_test_configuration, wmi_mimikatz_test_configuration,
zerologon_test_configuration, zerologon_test_configuration,
@ -130,15 +129,6 @@ class TestMonkeyBlackbox:
island_client, depth_4_a_test_configuration, "Depth4A test suite" island_client, depth_4_a_test_configuration, "Depth4A test suite"
) )
# Not grouped because can only be ran on windows
@pytest.mark.skip_powershell_reuse
def test_powershell_exploiter_credentials_reuse(self, island_client):
TestMonkeyBlackbox.run_exploitation_test(
island_client,
powershell_credentials_reuse_test_configuration,
"PowerShell_Remoting_exploiter_credentials_reuse",
)
# Not grouped because it's slow # Not grouped because it's slow
def test_zerologon_exploiter(self, island_client): def test_zerologon_exploiter(self, island_client):
test_name = "Zerologon_exploiter" test_name = "Zerologon_exploiter"

View File

@ -3,7 +3,6 @@ from .depth_1_a import depth_1_a_test_configuration
from .depth_2_a import depth_2_a_test_configuration from .depth_2_a import depth_2_a_test_configuration
from .depth_3_a import depth_3_a_test_configuration from .depth_3_a import depth_3_a_test_configuration
from .depth_4_a import depth_4_a_test_configuration from .depth_4_a import depth_4_a_test_configuration
from .powershell_credentials_reuse import powershell_credentials_reuse_test_configuration
from .smb_pth import smb_pth_test_configuration from .smb_pth import smb_pth_test_configuration
from .wmi_mimikatz import wmi_mimikatz_test_configuration from .wmi_mimikatz import wmi_mimikatz_test_configuration
from .zerologon import zerologon_test_configuration from .zerologon import zerologon_test_configuration

View File

@ -6,6 +6,8 @@ from common.credentials import Credentials, Password, Username
from .noop import noop_test_configuration from .noop import noop_test_configuration
from .utils import ( from .utils import (
add_exploiters, add_exploiters,
add_fingerprinters,
add_http_ports,
add_subnets, add_subnets,
add_tcp_ports, add_tcp_ports,
replace_agent_configuration, replace_agent_configuration,
@ -16,30 +18,50 @@ from .utils import (
# Tests: # Tests:
# SSH password and key brute-force, key stealing (10.2.2.11, 10.2.2.12) # SSH password and key brute-force, key stealing (10.2.2.11, 10.2.2.12)
# Powershell credential reuse (logging in without credentials
# to an identical user on another machine)(10.2.3.44, 10.2.3.46)
def _add_exploiters(agent_configuration: AgentConfiguration) -> AgentConfiguration: def _add_exploiters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
brute_force = [ brute_force = [
PluginConfiguration(name="SSHExploiter", options={}), PluginConfiguration(name="SSHExploiter", options={}),
PluginConfiguration(name="PowerShellExploiter", options={}),
] ]
return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=[]) vulnerability = [
PluginConfiguration(name="Log4ShellExploiter", options={}),
]
return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=vulnerability)
def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration: def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration:
subnets = [ subnets = [
"10.2.2.11", "10.2.2.11",
"10.2.2.12", "10.2.2.12",
"10.2.3.44",
"10.2.3.46",
] ]
return add_subnets(agent_configuration, subnets) return add_subnets(agent_configuration, subnets)
def _add_fingerprinters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
fingerprinters = [PluginConfiguration(name="http", options={})]
return add_fingerprinters(agent_configuration, fingerprinters)
def _add_tcp_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration: def _add_tcp_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
ports = [22] ports = [22, 5985, 5986, 8080]
return add_tcp_ports(agent_configuration, ports) return add_tcp_ports(agent_configuration, ports)
def _add_http_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
return add_http_ports(agent_configuration, [8080])
test_agent_configuration = set_maximum_depth(noop_test_configuration.agent_configuration, 2) test_agent_configuration = set_maximum_depth(noop_test_configuration.agent_configuration, 2)
test_agent_configuration = _add_exploiters(test_agent_configuration) test_agent_configuration = _add_exploiters(test_agent_configuration)
test_agent_configuration = _add_subnets(test_agent_configuration) test_agent_configuration = _add_subnets(test_agent_configuration)
test_agent_configuration = _add_fingerprinters(test_agent_configuration)
test_agent_configuration = _add_tcp_ports(test_agent_configuration) test_agent_configuration = _add_tcp_ports(test_agent_configuration)
test_agent_configuration = _add_http_ports(test_agent_configuration)
CREDENTIALS = ( CREDENTIALS = (
Credentials(identity=Username(username="m0nk3y"), secret=None), Credentials(identity=Username(username="m0nk3y"), secret=None),

View File

@ -1,44 +0,0 @@
import dataclasses
from common.agent_configuration import AgentConfiguration, PluginConfiguration
from .noop import noop_test_configuration
from .utils import (
add_exploiters,
add_subnets,
add_tcp_ports,
replace_agent_configuration,
set_maximum_depth,
)
def _add_exploiters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
brute_force = [
PluginConfiguration(name="PowerShellExploiter", options={}),
]
return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=[])
def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration:
subnets = [
"10.2.3.46",
]
return add_subnets(agent_configuration, subnets)
def _add_tcp_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
ports = [5985, 5986]
return add_tcp_ports(agent_configuration, ports)
test_agent_configuration = set_maximum_depth(noop_test_configuration.agent_configuration, 1)
test_agent_configuration = _add_exploiters(test_agent_configuration)
test_agent_configuration = _add_subnets(test_agent_configuration)
test_agent_configuration = _add_tcp_ports(test_agent_configuration)
powershell_credentials_reuse_test_configuration = dataclasses.replace(noop_test_configuration)
replace_agent_configuration(
test_configuration=powershell_credentials_reuse_test_configuration,
agent_configuration=test_agent_configuration,
)

View File

@ -759,6 +759,38 @@ This prevents ssh exploitation, but allows tunneling.</td>
</tbody> </tbody>
</table> </table>
<table>
<thead>
<tr class="header">
<th><p><span id="_Toc536021479" class="anchor"></span>Nr. <strong>3-44 Powershell</strong></p>
<p>(10.2.3.44)</p></th>
<th>(Vulnerable)</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>OS:</td>
<td><strong>Windows Server 2016 x64</strong></td>
</tr>
<tr class="even">
<td>Software:</td>
<td>WinRM service</td>
</tr>
<tr class="odd">
<td>Default servers port: 5985, 5986</td>
<td>-</td>
</tr>
<tr class="even">
<td>Notes:</td>
<td>User: m0nk3y, Password: nPj8rbc3<br>
Accessible using the same m0nk3y user from powershell-3-46,
in other words powershell exploiter can exploit
this machine without credentials as long as the user running the agent has
the same credentials on both machines</td>
</tr>
</tbody>
</table>
<table> <table>
<thead> <thead>
<tr class="header"> <tr class="header">
@ -804,17 +836,17 @@ Accessibale through Island using m0nk3y-user.</td>
<tr class="even"> <tr class="even">
<td>Software:</td> <td>Software:</td>
<td>WinRM service</td> <td>WinRM service</td>
<td>Tomcat 8.0.36</td>
</tr> </tr>
<tr class="odd"> <tr class="odd">
<td>Default servers port:</td> <td>Default servers port:8080</td>
<td>-</td> <td>-</td>
</tr> </tr>
<tr class="even"> <tr class="even">
<td>Notes:</td> <td>Notes:</td>
<td>User: m0nk3y, Password: nPj8rbc3<br> <td>User: m0nk3y, Password: nPj8rbc3<br>
Accessible using the same m0nk3y user from island, in other words powershell exploiter can exploit Exploited from island via log4shell(tomcat). Then uses cached powershell credentials to
this machine without credentials as long as the user running the agent is the same on both propagate to powershell-3-44</td>
machines</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>

View File

@ -59,6 +59,10 @@ data "google_compute_image" "powershell-3-46" {
name = "powershell-3-46" name = "powershell-3-46"
project = local.monkeyzoo_project project = local.monkeyzoo_project
} }
data "google_compute_image" "powershell-3-44" {
name = "powershell-3-44"
project = local.monkeyzoo_project
}
data "google_compute_image" "powershell-3-45" { data "google_compute_image" "powershell-3-45" {
name = "powershell-3-45" name = "powershell-3-45"
project = local.monkeyzoo_project project = local.monkeyzoo_project

View File

@ -311,6 +311,21 @@ resource "google_compute_instance_from_template" "powershell-3-46" {
} }
} }
resource "google_compute_instance_from_template" "powershell-3-44" {
name = "${local.resource_prefix}powershell-3-44"
source_instance_template = local.default_windows
boot_disk{
initialize_params {
image = data.google_compute_image.powershell-3-44.self_link
}
auto_delete = true
}
network_interface {
subnetwork="${local.resource_prefix}monkeyzoo-main-1"
network_ip="10.2.3.44"
}
}
resource "google_compute_instance_from_template" "powershell-3-45" { resource "google_compute_instance_from_template" "powershell-3-45" {
name = "${local.resource_prefix}powershell-3-45" name = "${local.resource_prefix}powershell-3-45"
source_instance_template = local.default_windows source_instance_template = local.default_windows