forked from p15670423/monkey
Merge pull request #1427 from guardicore/1246/powershell-documentation
Documentation for PowerShell exploiter
This commit is contained in:
commit
13b1904cf7
|
@ -0,0 +1,55 @@
|
|||
---
|
||||
title: "PowerShell"
|
||||
date: 2021-08-24T12:19:21+03:00
|
||||
draft: false
|
||||
tags: ["exploit", "windows"]
|
||||
---
|
||||
|
||||
### Description
|
||||
|
||||
This exploiter uses brute-force to propagate to a victim through PowerShell
|
||||
Remoting using Windows Remote Management (WinRM).
|
||||
|
||||
See Microsoft's documentation for more on [PowerShell Remoting
|
||||
Protocol](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1)
|
||||
and [Windows Remote
|
||||
Management](https://docs.microsoft.com/en-us/windows/win32/winrm/portal).
|
||||
|
||||
|
||||
##### Credentials used
|
||||
|
||||
The PowerShell exploiter can be run from both Linux and Windows attackers. On
|
||||
Windows attackers, the exploiter has the ability to use the cached username
|
||||
and/or password from the current user. On both Linux and Windows attackers, the
|
||||
exploiter uses all combinations of the [user-configured usernames and
|
||||
passwords]({{< ref "/usage/configuration/basic-credentials" >}}). Different
|
||||
combinations of credentials are attempted in the following order:
|
||||
|
||||
1. **Cached username and password (Windows attacker only)** - The exploiter will
|
||||
use the stored credentials of the current user to attempt to log into the
|
||||
victim machine.
|
||||
|
||||
1. **Brute force usernames with blank passwords** - Windows allows you to
|
||||
configure a user with a blank/empty password. The exploiter will attempt to
|
||||
log into the victim machine using each username set in the
|
||||
[configuration]({{< ref "/usage/configuration/basic-credentials" >}}) with a
|
||||
blank password.
|
||||
|
||||
In order for the attacker to connect with a blank password, the victim must
|
||||
have enabled basic authentication, http and no encryption.
|
||||
|
||||
1. **Brute force usernames with cached password (Windows attacker only)** - The
|
||||
exploiter will attempt to log into the victim machine using each username
|
||||
set in the [configuration]({{< ref "/usage/configuration/basic-credentials"
|
||||
>}}) and the current user's cached password.
|
||||
|
||||
1. **Brute force usernames and passwords** - The exploiter will attempt to use
|
||||
all combinations of usernames and passwords that were set in the
|
||||
[configuration.]({{< ref "/usage/configuration/basic-credentials" >}})
|
||||
|
||||
|
||||
#### Securing PowerShell Remoting
|
||||
|
||||
Information about how to remediate security concerns related to PowerShell
|
||||
Remoting can be found
|
||||
[here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).
|
|
@ -30,8 +30,11 @@ This document describes Infection Monkey’s test network, how to deploy and use
|
|||
[Nr. 22 Scan](#_Toc526517197)<br>
|
||||
[Nr. 23 Struts2](#_Toc536021476)<br>
|
||||
[Nr. 24 Struts2](#_Toc536021477)<br>
|
||||
[Nr. 250 MonkeyIsland](#_Toc536021478)<br>
|
||||
[Nr. 251 MonkeyIsland](#_Toc536021479)<br>
|
||||
[Nr. 25 Zerologon](#_Toc536021478)<br>
|
||||
[Nr. 3-45 Powershell](#_Toc536021479)<br>
|
||||
[Nr. 3-46 Powershell](#_Toc536021480)<br>
|
||||
[Nr. 250 MonkeyIsland](#_Toc536021481)<br>
|
||||
[Nr. 251 MonkeyIsland](#_Toc536021482)<br>
|
||||
[Network topography](#network-topography)<br>
|
||||
|
||||
# Warning\!
|
||||
|
@ -117,7 +120,7 @@ To deploy the network run:<br>
|
|||
|
||||
# Using islands:
|
||||
|
||||
###How to get into the islands:
|
||||
### How to get into the islands:
|
||||
|
||||
**island-linux-250:** SSH from GCP
|
||||
|
||||
|
@ -125,9 +128,9 @@ To deploy the network run:<br>
|
|||
island-windows-251. Set password for your account and then RDP into
|
||||
the island.
|
||||
|
||||
###These are most common steps on monkey islands:
|
||||
### These are most common steps on monkey islands:
|
||||
|
||||
####island-linux-250:
|
||||
#### island-linux-250:
|
||||
|
||||
To run monkey island:<br>
|
||||
`sudo /usr/run\_island.sh`<br>
|
||||
|
@ -142,7 +145,7 @@ Update all requirements using deployment script:<br>
|
|||
1\. `cd /usr/infection_monkey/deployment_scripts`<br>
|
||||
2\. `./deploy_linux.sh "/usr/infection_monkey" "develop"`<br>
|
||||
|
||||
####island-windows-251:
|
||||
#### island-windows-251:
|
||||
|
||||
To run monkey island:<br>
|
||||
Execute C:\\run\_monkey\_island.bat as administrator
|
||||
|
@ -156,8 +159,8 @@ To update repository:<br>
|
|||
3\. `git pull` (updates develop branch)<br>
|
||||
|
||||
Update all requirements using deployment script:<br>
|
||||
1. `cd C:\infection_monkey\deployment_scripts`<br>
|
||||
2. `./run_script.bat "C:\infection_monkey" "develop"`
|
||||
1\. `cd C:\infection_monkey\deployment_scripts`<br>
|
||||
2\. `./run_script.bat "C:\infection_monkey" "develop"`<br>
|
||||
|
||||
# Running tests:
|
||||
|
||||
|
@ -276,10 +279,6 @@ fullTest.conf is a good config to start, because it covers all machines.
|
|||
<td>Notes:</td>
|
||||
<td><a href="https://www.elastic.co/guide/en/elasticsearch/reference/1.4/_index_and_query_a_document.html">Quick</a> tutorial on how to add entries (was useful when setting up).</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
@ -357,10 +356,6 @@ fullTest.conf is a good config to start, because it covers all machines.
|
|||
<td>Notes:</td>
|
||||
<td></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
@ -433,10 +428,6 @@ fullTest.conf is a good config to start, because it covers all machines.
|
|||
<td>Notes:</td>
|
||||
<td>Vulnerable app is under /cgi-bin/test.cgi</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
@ -613,10 +604,6 @@ fullTest.conf is a good config to start, because it covers all machines.
|
|||
<td>Notes:</td>
|
||||
<td></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
@ -653,10 +640,6 @@ fullTest.conf is a good config to start, because it covers all machines.
|
|||
<td>Notes:</td>
|
||||
<td>Don’t add this machine’s credentials to exploit configuration.</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
@ -695,10 +678,6 @@ fullTest.conf is a good config to start, because it covers all machines.
|
|||
<td>Notes:</td>
|
||||
<td></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
@ -765,10 +744,6 @@ fullTest.conf is a good config to start, because it covers all machines.
|
|||
<td>Notes:</td>
|
||||
<td>If you change this machine’s IP it won’t get exploited.</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
@ -839,10 +814,6 @@ fullTest.conf is a good config to start, because it covers all machines.
|
|||
<td>Notes:</td>
|
||||
<td></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
@ -985,10 +956,6 @@ fullTest.conf is a good config to start, because it covers all machines.
|
|||
<td>Notes:</td>
|
||||
<td>Used to scan a machine that has no vulnerabilities (to evaluate scanning speed for e.g.)</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
@ -1093,17 +1060,13 @@ fullTest.conf is a good config to start, because it covers all machines.
|
|||
<td>Notes:</td>
|
||||
<td></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th><p>Nr. <strong>25</strong> ZeroLogon</p>
|
||||
<th><p><span id="_Toc536021478" class="anchor"></span>Nr. <strong>25</strong> ZeroLogon </p>
|
||||
<p>(10.2.2.25)</p></th>
|
||||
<th>(Vulnerable)</th>
|
||||
</tr>
|
||||
|
@ -1123,7 +1086,63 @@ fullTest.conf is a good config to start, because it covers all machines.
|
|||
<table>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th><p><span id="_Toc536021478" class="anchor"></span>Nr. <strong>250 MonkeyIsland</strong></p>
|
||||
<th><p><span id="_Toc536021479" class="anchor"></span>Nr. <strong>3-45 Powershell</strong></p>
|
||||
<p>(10.2.3.45)</p></th>
|
||||
<th>(Vulnerable)</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td>OS:</td>
|
||||
<td><strong>Windows Server 2016 x64</strong></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td>Software:</td>
|
||||
<td>WinRM service</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td>Default server’s port:</td>
|
||||
<td>-</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td>Notes:</td>
|
||||
<td>User: m0nk3y, Password: Passw0rd!<br>User: m0nk3y-user, No Password.</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th><p><span id="_Toc536021480" class="anchor"></span>Nr. <strong>3-46 Powershell</strong></p>
|
||||
<p>(10.2.3.46)</p></th>
|
||||
<th>(Vulnerable)</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td>OS:</td>
|
||||
<td><strong>Windows Server 2016 x64</strong></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td>Software:</td>
|
||||
<td>WinRM service</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td>Default server’s port:</td>
|
||||
<td>-</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td>Notes:</td>
|
||||
<td>User: m0nk3y, Password: Passw0rd!</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th><p><span id="_Toc536021481" class="anchor"></span>Nr. <strong>250 MonkeyIsland</strong></p>
|
||||
<p>(10.2.2.250)</p></th>
|
||||
<th></th>
|
||||
</tr>
|
||||
|
@ -1149,20 +1168,18 @@ fullTest.conf is a good config to start, because it covers all machines.
|
|||
<td>Notes:</td>
|
||||
<td>Only accessible trough GCP</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th><p><span id="_Toc536021478" class="anchor"></span>Nr. <strong>251 MonkeyIsland</strong></p>
|
||||
<th><p><span id="_Toc536021482" class="anchor"></span>Nr. <strong>251 MonkeyIsland</strong></p>
|
||||
<p>(10.2.2.251)</p></th>
|
||||
<th></th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td>OS:</td>
|
||||
<td><strong>Windows Server 2016 x64</strong></td>
|
||||
|
@ -1183,13 +1200,9 @@ fullTest.conf is a good config to start, because it covers all machines.
|
|||
<td>Notes:</td>
|
||||
<td>Only accessible trough GCP</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
# Network topography:
|
||||
|
||||
<img src="/envs/monkey_zoo/docs/images/networkTopography.jpeg" >
|
||||
<img src="/envs/monkey_zoo/docs/images/networkTopography.jpg" >
|
||||
|
|
Loading…
Reference in New Issue