From 8dc72b2aae15e08aafb7c6679109ae5bf67d561b Mon Sep 17 00:00:00 2001 From: Shreya Date: Mon, 17 May 2021 18:53:32 +0530 Subject: [PATCH 1/8] Swimm: update exercise Add a simple Post Breach action (id: tbxb2cGgUiJQ8Btma0fp). --- .swm/tbxb2cGgUiJQ8Btma0fp.swm | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.swm/tbxb2cGgUiJQ8Btma0fp.swm b/.swm/tbxb2cGgUiJQ8Btma0fp.swm index d6a1b742bcd..ce4eed6efd8 100644 --- a/.swm/tbxb2cGgUiJQ8Btma0fp.swm +++ b/.swm/tbxb2cGgUiJQ8Btma0fp.swm @@ -38,18 +38,20 @@ "*from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER", "*from infection_monkey.config import WormConfiguration", "*from infection_monkey.post_breach.pba import PBA", + "*from infection_monkey.utils.random_password_generator import get_random_password", "*from infection_monkey.utils.users import get_commands_to_add_user", "*", "*", "*class BackdoorUser(PBA):", "* def __init__(self):", + "* remote_user_pwd = get_random_password()", + "*", "* linux_cmds, windows_cmds = get_commands_to_add_user(", - "* WormConfiguration.user_to_add, WormConfiguration.remote_user_pass", + "* WormConfiguration.user_to_add, remote_user_pwd", "* )", "* super(BackdoorUser, self).__init__(", "* POST_BREACH_BACKDOOR_USER, linux_cmd=\" \".join(linux_cmds), windows_cmd=windows_cmds", - "* )", - "*" + "* )" ] }, { @@ -108,7 +110,7 @@ "symbols": {}, "file_version": "2.0.1", "meta": { - "app_version": "0.4.1-1", + "app_version": "0.4.4-0", "file_blobs": { "monkey/common/common_consts/post_breach_consts.py": "25e6679cb1623aae1a732deb05cc011a452743e3", "monkey/infection_monkey/post_breach/actions/add_user.py": "cae5a2428fa01b333a2e70365c9da1e189e31bc4", From 51b996ce1874589f741a78cf25703f4f572cf60b Mon Sep 17 00:00:00 2001 
From: Shreya Date: Mon, 17 May 2021 18:54:45 +0530 Subject: [PATCH 2/8] Generate password randomly when creating a new user for Create User PBA and exploit MS08_67 using https://docs.python.org/3.7/library/secrets.html#secrets.token_urlsafe --- monkey/infection_monkey/config.py | 1 - monkey/infection_monkey/example.conf | 1 - monkey/infection_monkey/exploit/win_ms08_067.py | 6 ++++-- monkey/infection_monkey/post_breach/actions/add_user.py | 6 +++++- monkey/infection_monkey/utils/random_password_generator.py | 6 ++++++ monkey/monkey_island/cc/services/config_schema/internal.py | 6 ------ 6 files changed, 15 insertions(+), 11 deletions(-) create mode 100644 monkey/infection_monkey/utils/random_password_generator.py diff --git a/monkey/infection_monkey/config.py b/monkey/infection_monkey/config.py index ad37bf837a9..d00d5581457 100644 --- a/monkey/infection_monkey/config.py +++ b/monkey/infection_monkey/config.py @@ -192,7 +192,6 @@ def as_dict(self): ms08_067_exploit_attempts = 5 user_to_add = "Monkey_IUSER_SUPPORT" - remote_user_pass = "Password1!" # User and password dictionaries for exploits. diff --git a/monkey/infection_monkey/example.conf b/monkey/infection_monkey/example.conf index b27f2f3cca1..774d69aedd7 100644 --- a/monkey/infection_monkey/example.conf +++ b/monkey/infection_monkey/example.conf @@ -61,7 +61,6 @@ "send_log_to_server": true, "ms08_067_exploit_attempts": 5, "user_to_add": "Monkey_IUSER_SUPPORT", - "remote_user_pass": "Password1!", "ping_scan_timeout": 10000, "smb_download_timeout": 300, "smb_service_name": "InfectionMonkey", diff --git a/monkey/infection_monkey/exploit/win_ms08_067.py b/monkey/infection_monkey/exploit/win_ms08_067.py index 16b971cd80a..8e6daa8f4b0 100644 --- a/monkey/infection_monkey/exploit/win_ms08_067.py +++ b/monkey/infection_monkey/exploit/win_ms08_067.py 
@@ -25,6 +25,7 @@ from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS from infection_monkey.network.smbfinger import SMBFinger from infection_monkey.network.tools import check_tcp_port +from infection_monkey.utils.random_password_generator import get_random_password LOG = getLogger(__name__) @@ -230,6 +231,7 @@ def _exploit_host(self): ) exploited = False + remote_user_pwd = get_random_password() for _ in range(self._config.ms08_067_exploit_attempts): exploit = SRVSVC_Exploit(target_addr=self.host.ip_addr, os_version=os_version) @@ -240,7 +242,7 @@ def _exploit_host(self): "cmd /c (net user {} {} /add) &&" " (net localgroup administrators {} /add)\r\n".format( self._config.user_to_add, - self._config.remote_user_pass, + remote_user_pwd, self._config.user_to_add, ).encode() ) @@ -264,7 +266,7 @@ def _exploit_host(self): src_path, self._config.dropper_target_path_win_32, self._config.user_to_add, - self._config.remote_user_pass, + remote_user_pwd, ) if not remote_full_path: diff --git a/monkey/infection_monkey/post_breach/actions/add_user.py b/monkey/infection_monkey/post_breach/actions/add_user.py index cae5a2428fa..7e92eaf84bb 100644 --- a/monkey/infection_monkey/post_breach/actions/add_user.py +++ b/monkey/infection_monkey/post_breach/actions/add_user.py 
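Review bot: In the `@@ -240,7 +242,7 @@` hunk of win_ms08_067.py the generated password is formatted unquoted into the `cmd /c (net user {} {} /add)` string, so the command is only well-formed while `get_random_password()` returns text with no whitespace or shell metacharacters. `secrets.token_urlsafe` guarantees that today (letters, digits, `-` and `_`), but nothing at the call site records the dependency. A comment such as `# must stay free of whitespace and cmd metacharacters (token_urlsafe alphabet)` above `remote_user_pwd = get_random_password()` in the `@@ -230,6 +231,7 @@` hunk would stop a later change to the generator from silently breaking this line. The same value is passed on in the `@@ -264,7 +266,7 @@` hunk; whether the buffer that carries it is ever logged is not visible here and is worth checking. `_exploit_host` starts and ends outside these hunks.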
@@ -1,14 +1,18 @@ from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER from infection_monkey.config import WormConfiguration from infection_monkey.post_breach.pba import PBA +from infection_monkey.utils.random_password_generator import get_random_password from infection_monkey.utils.users import get_commands_to_add_user class BackdoorUser(PBA): def __init__(self): + remote_user_pwd = get_random_password() + linux_cmds, windows_cmds = get_commands_to_add_user( - WormConfiguration.user_to_add, WormConfiguration.remote_user_pass + WormConfiguration.user_to_add, remote_user_pwd ) + super(BackdoorUser, self).__init__( POST_BREACH_BACKDOOR_USER, linux_cmd=" ".join(linux_cmds), windows_cmd=windows_cmds ) diff --git a/monkey/infection_monkey/utils/random_password_generator.py b/monkey/infection_monkey/utils/random_password_generator.py new file mode 100644 index 00000000000..d205a9a018b --- /dev/null +++ b/monkey/infection_monkey/utils/random_password_generator.py @@ -0,0 +1,6 @@ +import secrets + + +def get_random_password(length: int = 12) -> str: + password = secrets.token_urlsafe(length) + return password diff --git a/monkey/monkey_island/cc/services/config_schema/internal.py b/monkey/monkey_island/cc/services/config_schema/internal.py index c42992d1b73..1ce1c864b1d 100644 --- a/monkey/monkey_island/cc/services/config_schema/internal.py +++ b/monkey/monkey_island/cc/services/config_schema/internal.py @@ -397,12 +397,6 @@ "default": "Monkey_IUSER_SUPPORT", "description": "Username to add on successful exploit", }, - "remote_user_pass": { - "title": "Remote user password", - "type": "string", - "default": "Password1!", - "description": "Password to use for created user", - }, }, }, "sambacry": { From 6e0c5eb8281e45ec8316a7c56af3bfa07501cdac Mon Sep 17 00:00:00 2001 
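Review bot: In add_user.py (`@@ -1,14 +1,18 @@`) the new password ends up inside the `linux_cmd` and `windows_cmd` strings handed to `PBA.__init__`, and whether the base class logs or reports those strings is not visible in this hunk. If it does, a per-run secret for a newly created account reaches logs or telemetry in clear text, so the places in `PBA` that print the command should mask it. `remote_user_pwd` is otherwise a local that is dropped when `__init__` returns, which looks intentional and deserves a comment such as `# Generated per run and not stored anywhere.`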
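Review bot: `get_random_password(length: int = 12)` in the new random_password_generator.py passes `length` straight to `secrets.token_urlsafe`, which takes a number of random bytes rather than characters, so the default returns a 16-character string, not a 12-character one. The function has no docstring to say so; I would add `"""Return a URL-safe random password built from length random bytes (about 1.3 characters per byte)."""`. PATCH 5/8 later names the default `SECRET_BYTE_LENGTH` but keeps the parameter called `length`, so the same docstring is needed there.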
From: Shreya Date: Mon, 17 May 2021 19:11:42 +0530 Subject: [PATCH 3/8] Swimm: update exercise Add a simple Post Breach action (id: tbxb2cGgUiJQ8Btma0fp). --- .swm/tbxb2cGgUiJQ8Btma0fp.swm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.swm/tbxb2cGgUiJQ8Btma0fp.swm b/.swm/tbxb2cGgUiJQ8Btma0fp.swm index ce4eed6efd8..4416742d47a 100644 --- a/.swm/tbxb2cGgUiJQ8Btma0fp.swm +++ b/.swm/tbxb2cGgUiJQ8Btma0fp.swm @@ -49,6 +49,7 @@ "* linux_cmds, windows_cmds = get_commands_to_add_user(", "* WormConfiguration.user_to_add, remote_user_pwd", "* )", + "*", "* super(BackdoorUser, self).__init__(", "* POST_BREACH_BACKDOOR_USER, linux_cmd=\" \".join(linux_cmds), windows_cmd=windows_cmds", "* )" @@ -113,7 +114,7 @@ "app_version": "0.4.4-0", "file_blobs": { "monkey/common/common_consts/post_breach_consts.py": "25e6679cb1623aae1a732deb05cc011a452743e3", - "monkey/infection_monkey/post_breach/actions/add_user.py": "cae5a2428fa01b333a2e70365c9da1e189e31bc4", + "monkey/infection_monkey/post_breach/actions/add_user.py": "7e92eaf84bb507b51c17fe4f448e47a5ea1dd9e2", "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py": "dfc5945a362b88c1135f4476526c6c82977b02ee", "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "086dc85693ae02ddfa106099245c0f155139805c" } From 1d544d162a4eb98365373c14574e2b9e74b6c707 Mon Sep 17 00:00:00 2001 From: Shreya Date: Mon, 17 May 2021 19:17:45 +0530 Subject: [PATCH 4/8] Update CHANGELOG (generate random pwds) --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90ab8a7d876..bf105794e12 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -41,3 +41,4 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ### Security - Address minor issues discovered by Dlint. #1075 +- Generate random passwords when creating a new user (create user PBA, ms08_67 exploit). #1174 
From 636a201d19a6e95f8bfd28560a61c112cd248204 Mon Sep 17 00:00:00 2001 From: Shreya Date: Mon, 17 May 2021 22:48:01 +0530 Subject: [PATCH 5/8] Set default password length to 32 in `get_random_password()` --- monkey/infection_monkey/utils/random_password_generator.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/monkey/infection_monkey/utils/random_password_generator.py b/monkey/infection_monkey/utils/random_password_generator.py index d205a9a018b..273343c2237 100644 --- a/monkey/infection_monkey/utils/random_password_generator.py +++ b/monkey/infection_monkey/utils/random_password_generator.py @@ -1,6 +1,8 @@ import secrets +SECRET_BYTE_LENGTH = 32 -def get_random_password(length: int = 12) -> str: + +def get_random_password(length: int = SECRET_BYTE_LENGTH) -> str: password = secrets.token_urlsafe(length) return password From fc82b2a9dcec0cee0284f41977701382305be2e5 Mon Sep 17 00:00:00 2001 From: Shreya Date: Mon, 17 May 2021 22:51:14 +0530 Subject: [PATCH 6/8] Replace "remote_user_pwd" with "random_password" --- monkey/infection_monkey/exploit/win_ms08_067.py | 6 +++--- monkey/infection_monkey/post_breach/actions/add_user.py | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/monkey/infection_monkey/exploit/win_ms08_067.py b/monkey/infection_monkey/exploit/win_ms08_067.py index 8e6daa8f4b0..2d005e5430e 100644 --- a/monkey/infection_monkey/exploit/win_ms08_067.py +++ b/monkey/infection_monkey/exploit/win_ms08_067.py @@ -231,7 +231,7 @@ def _exploit_host(self): ) exploited = False - remote_user_pwd = get_random_password() + random_password = get_random_password() for _ in range(self._config.ms08_067_exploit_attempts): exploit = SRVSVC_Exploit(target_addr=self.host.ip_addr, os_version=os_version) 
@@ -242,7 +242,7 @@ def _exploit_host(self): "cmd /c (net user {} {} /add) &&" " (net localgroup administrators {} /add)\r\n".format( self._config.user_to_add, - remote_user_pwd, + random_password, self._config.user_to_add, ).encode() ) @@ -266,7 +266,7 @@ def _exploit_host(self): src_path, self._config.dropper_target_path_win_32, self._config.user_to_add, - remote_user_pwd, + random_password, ) if not remote_full_path: diff --git a/monkey/infection_monkey/post_breach/actions/add_user.py b/monkey/infection_monkey/post_breach/actions/add_user.py index 7e92eaf84bb..26b048a492f 100644 --- a/monkey/infection_monkey/post_breach/actions/add_user.py +++ b/monkey/infection_monkey/post_breach/actions/add_user.py @@ -7,10 +7,10 @@ class BackdoorUser(PBA): def __init__(self): - remote_user_pwd = get_random_password() + random_password = get_random_password() linux_cmds, windows_cmds = get_commands_to_add_user( - WormConfiguration.user_to_add, remote_user_pwd + WormConfiguration.user_to_add, random_password ) super(BackdoorUser, self).__init__( From c77965585c09dcc1fd6c02199eeda18aaa84cb84 Mon Sep 17 00:00:00 2001 From: Shreya Date: Mon, 17 May 2021 22:54:19 +0530 Subject: [PATCH 7/8] Swimm: update exercise Add a simple Post Breach action (id: tbxb2cGgUiJQ8Btma0fp). --- .swm/tbxb2cGgUiJQ8Btma0fp.swm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.swm/tbxb2cGgUiJQ8Btma0fp.swm b/.swm/tbxb2cGgUiJQ8Btma0fp.swm index 4416742d47a..50ad35ca08c 100644 --- a/.swm/tbxb2cGgUiJQ8Btma0fp.swm +++ b/.swm/tbxb2cGgUiJQ8Btma0fp.swm @@ -44,10 +44,10 @@ "*", "*class BackdoorUser(PBA):", "* def __init__(self):", - "* remote_user_pwd = get_random_password()", + "* random_password = get_random_password()", "*", "* linux_cmds, windows_cmds = get_commands_to_add_user(", - "* WormConfiguration.user_to_add, remote_user_pwd", + "* WormConfiguration.user_to_add, random_password", "* )", "*", "* super(BackdoorUser, self).__init__(", 
@@ -114,7 +114,7 @@ "app_version": "0.4.4-0", "file_blobs": { "monkey/common/common_consts/post_breach_consts.py": "25e6679cb1623aae1a732deb05cc011a452743e3", - "monkey/infection_monkey/post_breach/actions/add_user.py": "7e92eaf84bb507b51c17fe4f448e47a5ea1dd9e2", + "monkey/infection_monkey/post_breach/actions/add_user.py": "26b048a492fcb6d319fc0c01d2f4a0bd302ecbc8", "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py": "dfc5945a362b88c1135f4476526c6c82977b02ee", "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "086dc85693ae02ddfa106099245c0f155139805c" } From 58b04ecb918562f1a06330aa58ae93d28db8fa75 Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Tue, 18 May 2021 10:03:59 +0300 Subject: [PATCH 8/8] Added unit test of random password generator --- .../utils/test_random_password_generator.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 monkey/tests/infection_monkey/utils/test_random_password_generator.py diff --git a/monkey/tests/infection_monkey/utils/test_random_password_generator.py b/monkey/tests/infection_monkey/utils/test_random_password_generator.py new file mode 100644 index 00000000000..bdd97cdfd85 --- /dev/null +++ b/monkey/tests/infection_monkey/utils/test_random_password_generator.py @@ -0,0 +1,13 @@ +from infection_monkey.utils.random_password_generator import get_random_password + + +def test_get_random_password__length(): + password_byte_length = len(get_random_password().encode()) + # 32 is the recommended secure byte length for secrets + assert password_byte_length >= 32 + + +def test_get_random_password__randomness(): + random_password1 = get_random_password() + random_password2 = get_random_password() + assert not random_password1 == random_password2
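Review bot: In the new test_random_password_generator.py (PATCH 8/8), `test_get_random_password__length` compares the character count of the base64 text with 32 while its comment calls 32 a byte length. `secrets.token_urlsafe(32)` returns 43 characters, so `>= 32` would still pass if the default dropped to 24 bytes. Asserting `len(get_random_password()) >= 43`, or decoding the token and comparing the result with `SECRET_BYTE_LENGTH`, would pin the intended entropy. In `test_get_random_password__randomness`, `assert random_password1 != random_password2` reads more directly than `assert not random_password1 == random_password2`.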