diff --git a/.swm/tbxb2cGgUiJQ8Btma0fp.swm b/.swm/tbxb2cGgUiJQ8Btma0fp.swm
index d6a1b742b..50ad35ca0 100644
--- a/.swm/tbxb2cGgUiJQ8Btma0fp.swm
+++ b/.swm/tbxb2cGgUiJQ8Btma0fp.swm
@@ -38,18 +38,21 @@
 "*from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER",
 "*from infection_monkey.config import WormConfiguration",
 "*from infection_monkey.post_breach.pba import PBA",
+ "*from infection_monkey.utils.random_password_generator import get_random_password",
 "*from infection_monkey.utils.users import get_commands_to_add_user",
 "*",
 "*",
 "*class BackdoorUser(PBA):",
 "* def __init__(self):",
+ "* random_password = get_random_password()",
+ "*",
 "* linux_cmds, windows_cmds = get_commands_to_add_user(",
- "* WormConfiguration.user_to_add, WormConfiguration.remote_user_pass",
+ "* WormConfiguration.user_to_add, random_password",
 "* )",
+ "*",
 "* super(BackdoorUser, self).__init__(",
 "* POST_BREACH_BACKDOOR_USER, linux_cmd=\" \".join(linux_cmds), windows_cmd=windows_cmds",
- "* )",
- "*"
+ "* )"
 ]
 },
 {
@@ -108,10 +111,10 @@
 "symbols": {},
 "file_version": "2.0.1",
 "meta": {
- "app_version": "0.4.1-1",
+ "app_version": "0.4.4-0",
 "file_blobs": {
 "monkey/common/common_consts/post_breach_consts.py": "25e6679cb1623aae1a732deb05cc011a452743e3",
- "monkey/infection_monkey/post_breach/actions/add_user.py": "cae5a2428fa01b333a2e70365c9da1e189e31bc4",
+ "monkey/infection_monkey/post_breach/actions/add_user.py": "26b048a492fcb6d319fc0c01d2f4a0bd302ecbc8",
 "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py": "dfc5945a362b88c1135f4476526c6c82977b02ee",
 "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "086dc85693ae02ddfa106099245c0f155139805c"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 90ab8a7d8..bf105794e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -41,3 +41,4 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Security
 - Address minor issues discovered by Dlint. #1075
+- Generate random passwords when creating a new user (create user PBA, ms08_67 exploit). #1174
diff --git a/monkey/infection_monkey/config.py b/monkey/infection_monkey/config.py
index ad37bf837..d00d55814 100644
--- a/monkey/infection_monkey/config.py
+++ b/monkey/infection_monkey/config.py
@@ -192,7 +192,6 @@ class Configuration(object):
 ms08_067_exploit_attempts = 5
 user_to_add = "Monkey_IUSER_SUPPORT"
- remote_user_pass = "Password1!"
 # User and password dictionaries for exploits.
diff --git a/monkey/infection_monkey/example.conf b/monkey/infection_monkey/example.conf
index b27f2f3cc..774d69aed 100644
--- a/monkey/infection_monkey/example.conf
+++ b/monkey/infection_monkey/example.conf
@@ -61,7 +61,6 @@
 "send_log_to_server": true,
 "ms08_067_exploit_attempts": 5,
 "user_to_add": "Monkey_IUSER_SUPPORT",
- "remote_user_pass": "Password1!",
 "ping_scan_timeout": 10000,
 "smb_download_timeout": 300,
 "smb_service_name": "InfectionMonkey",
diff --git a/monkey/infection_monkey/exploit/win_ms08_067.py b/monkey/infection_monkey/exploit/win_ms08_067.py
index 16b971cd8..2d005e543 100644
--- a/monkey/infection_monkey/exploit/win_ms08_067.py
+++ b/monkey/infection_monkey/exploit/win_ms08_067.py
@@ -25,6 +25,7 @@ from infection_monkey.exploit.tools.smb_tools import SmbTools
 from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
 from infection_monkey.network.smbfinger import SMBFinger
 from infection_monkey.network.tools import check_tcp_port
+from infection_monkey.utils.random_password_generator import get_random_password
 LOG = getLogger(__name__)
@@ -230,6 +231,7 @@ class Ms08_067_Exploiter(HostExploiter):
 )
 exploited = False
+ random_password = get_random_password()
 for _ in range(self._config.ms08_067_exploit_attempts):
 exploit = SRVSVC_Exploit(target_addr=self.host.ip_addr, os_version=os_version)
@@ -240,7 +242,7 @@ class Ms08_067_Exploiter(HostExploiter):
 "cmd /c (net user {} {} /add) &&"
 " (net localgroup administrators {} /add)\r\n".format(
 self._config.user_to_add,
- self._config.remote_user_pass,
+ random_password,
 self._config.user_to_add,
 ).encode()
 )
@@ -264,7 +266,7 @@ class Ms08_067_Exploiter(HostExploiter):
 src_path,
 self._config.dropper_target_path_win_32,
 self._config.user_to_add,
- self._config.remote_user_pass,
+ random_password,
 )
 if not remote_full_path:
diff --git a/monkey/infection_monkey/post_breach/actions/add_user.py b/monkey/infection_monkey/post_breach/actions/add_user.py
index cae5a2428..26b048a49 100644
--- a/monkey/infection_monkey/post_breach/actions/add_user.py
+++ b/monkey/infection_monkey/post_breach/actions/add_user.py
@@ -1,14 +1,18 @@
 from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER
 from infection_monkey.config import WormConfiguration
 from infection_monkey.post_breach.pba import PBA
+from infection_monkey.utils.random_password_generator import get_random_password
 from infection_monkey.utils.users import get_commands_to_add_user
 class BackdoorUser(PBA):
 def __init__(self):
+ random_password = get_random_password()
+
 linux_cmds, windows_cmds = get_commands_to_add_user(
- WormConfiguration.user_to_add, WormConfiguration.remote_user_pass
+ WormConfiguration.user_to_add, random_password
 )
+
 super(BackdoorUser, self).__init__(
 POST_BREACH_BACKDOOR_USER, linux_cmd=" ".join(linux_cmds), windows_cmd=windows_cmds
 )
diff --git a/monkey/infection_monkey/utils/random_password_generator.py b/monkey/infection_monkey/utils/random_password_generator.py
new file mode 100644
index 000000000..273343c22
--- /dev/null
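Review bot: In the `@@ -240` hunk `random_password` is interpolated unquoted into the `cmd /c (net user {} {} /add)` format string; that is only safe because `secrets.token_urlsafe` draws from `[A-Za-z0-9_-]`, characters cmd.exe does not treat specially, and the dependency is implicit. A comment at the new `random_password = get_random_password()` line would make it explicit: `# URL-safe alphabet ([A-Za-z0-9_-]): safe to embed unquoted in the net user command below`. The same implicit contract exists in add_user.py, where the password is joined into `linux_cmd` and passed through to `windows_cmd`. The enclosing method starts and ends outside these hunks.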
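Review bot: In add_user.py `random_password` is generated inside `__init__`, used only to build the commands, and then dropped; nothing in the hunk retains or reports it, so after the PBA runs the new account's credential survives only inside the command strings handed to the base class. If that is intended (a throwaway credential nobody can later use), a comment should say so: `# Throwaway credential: not stored or reported, so the created account is not reusable`; if the Island or a cleanup step needs it, it has to be kept on the instance. Whether `get_commands_to_add_user` also removes or disables the account is not visible here.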
+++ b/monkey/infection_monkey/utils/random_password_generator.py
@@ -0,0 +1,8 @@
+import secrets
+
+SECRET_BYTE_LENGTH = 32
+
+
+def get_random_password(length: int = SECRET_BYTE_LENGTH) -> str:
+ password = secrets.token_urlsafe(length)
+ return password
diff --git a/monkey/monkey_island/cc/services/config_schema/internal.py b/monkey/monkey_island/cc/services/config_schema/internal.py
index c42992d1b..1ce1c864b 100644
--- a/monkey/monkey_island/cc/services/config_schema/internal.py
+++ b/monkey/monkey_island/cc/services/config_schema/internal.py
@@ -397,12 +397,6 @@ INTERNAL = {
 "default": "Monkey_IUSER_SUPPORT",
 "description": "Username to add on successful exploit",
 },
- "remote_user_pass": {
- "title": "Remote user password",
- "type": "string",
- "default": "Password1!",
- "description": "Password to use for created user",
- },
 },
 },
 "sambacry": {
diff --git a/monkey/tests/infection_monkey/utils/test_random_password_generator.py b/monkey/tests/infection_monkey/utils/test_random_password_generator.py
new file mode 100644
index 000000000..bdd97cdfd
--- /dev/null
+++ b/monkey/tests/infection_monkey/utils/test_random_password_generator.py
@@ -0,0 +1,13 @@
+from infection_monkey.utils.random_password_generator import get_random_password
+
+
+def test_get_random_password__length():
+ password_byte_length = len(get_random_password().encode())
+ # 32 is the recommended secure byte length for secrets
+ assert password_byte_length >= 32
+
+
+def test_get_random_password__randomness():
+ random_password1 = get_random_password()
+ random_password2 = get_random_password()
+ assert not random_password1 == random_password2
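Review bot: `length` in `get_random_password(length: int = SECRET_BYTE_LENGTH)` is the number of random bytes handed to `secrets.token_urlsafe`, not the length of the returned string, which is about 4/3 as long (43 characters for 32 bytes); the name suggests the opposite and the function has no docstring. Document that and drop the redundant local: a docstring `"""Return a URL-safe random password built from ``length`` random bytes (~1.33 chars per byte)."""` followed by `return secrets.token_urlsafe(length)`.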
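Review bot: `assert not random_password1 == random_password2` in the new test file should be `assert random_password1 != random_password2`. The length test checks that the encoded string is at least 32 bytes, but `token_urlsafe(32)` always yields 43 characters, so the comment about a 32-byte secret is not what is measured; decoding the token pins the actual entropy: `padded = pw + "=" * (-len(pw) % 4)` and `assert len(base64.urlsafe_b64decode(padded)) == 32`.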