Create new user with a random password

.swm/tbxb2cGgUiJQ8Btma0fp.swm

@@ -38,18 +38,21 @@
                 "*from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER",
                 "*from infection_monkey.config import WormConfiguration",
                 "*from infection_monkey.post_breach.pba import PBA",
+                "*from infection_monkey.utils.random_password_generator import get_random_password",
                 "*from infection_monkey.utils.users import get_commands_to_add_user",
                 "*",
                 "*",
                 "*class BackdoorUser(PBA):",
                 "*    def __init__(self):",
+                "*        remote_user_pwd = get_random_password()",
+                "*",
                 "*        linux_cmds, windows_cmds = get_commands_to_add_user(",
-                "*            WormConfiguration.user_to_add, WormConfiguration.remote_user_pass",
+                "*            WormConfiguration.user_to_add, remote_user_pwd",
                 "*        )",
+                "*",
                 "*        super(BackdoorUser, self).__init__(",
                 "*            POST_BREACH_BACKDOOR_USER, linux_cmd=\" \".join(linux_cmds), windows_cmd=windows_cmds",
-                "*        )",
-                "*"
+                "*        )"
             ]
         },
         {
@@ -108,10 +111,10 @@
     "symbols": {},
     "file_version": "2.0.1",
     "meta": {
-        "app_version": "0.4.1-1",
+        "app_version": "0.4.4-0",
         "file_blobs": {
             "monkey/common/common_consts/post_breach_consts.py": "25e6679cb1623aae1a732deb05cc011a452743e3",
-            "monkey/infection_monkey/post_breach/actions/add_user.py": "cae5a2428fa01b333a2e70365c9da1e189e31bc4",
+            "monkey/infection_monkey/post_breach/actions/add_user.py": "7e92eaf84bb507b51c17fe4f448e47a5ea1dd9e2",
             "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py": "dfc5945a362b88c1135f4476526c6c82977b02ee",
             "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "086dc85693ae02ddfa106099245c0f155139805c"
         }

CHANGELOG.md

@@ -41,3 +41,4 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Security
 - Address minor issues discovered by Dlint. #1075
+- Generate random passwords when creating a new user (create user PBA, ms08_67 exploit). #1174

monkey/infection_monkey/config.py

@@ -192,7 +192,6 @@ def as_dict(self):
 
     ms08_067_exploit_attempts = 5
     user_to_add = "Monkey_IUSER_SUPPORT"
-    remote_user_pass = "Password1!"
 
     # User and password dictionaries for exploits.
 

monkey/infection_monkey/example.conf

@@ -61,7 +61,6 @@
   "send_log_to_server": true,
   "ms08_067_exploit_attempts": 5,
   "user_to_add": "Monkey_IUSER_SUPPORT",
-  "remote_user_pass": "Password1!",
   "ping_scan_timeout": 10000,
   "smb_download_timeout": 300,
   "smb_service_name": "InfectionMonkey",

monkey/infection_monkey/exploit/win_ms08_067.py

@@ -25,6 +25,7 @@
 from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
 from infection_monkey.network.smbfinger import SMBFinger
 from infection_monkey.network.tools import check_tcp_port
+from infection_monkey.utils.random_password_generator import get_random_password
 
 LOG = getLogger(__name__)
 
@@ -230,6 +231,7 @@ def _exploit_host(self):
         )
 
         exploited = False
+        remote_user_pwd = get_random_password()
         for _ in range(self._config.ms08_067_exploit_attempts):
             exploit = SRVSVC_Exploit(target_addr=self.host.ip_addr, os_version=os_version)
 
@@ -240,7 +242,7 @@ def _exploit_host(self):
                     "cmd /c (net user {} {} /add) &&"
                     " (net localgroup administrators {} /add)\r\n".format(
                         self._config.user_to_add,
-                        self._config.remote_user_pass,
+                        remote_user_pwd,
                         self._config.user_to_add,
                     ).encode()
                 )
@@ -264,7 +266,7 @@ def _exploit_host(self):
             src_path,
             self._config.dropper_target_path_win_32,
             self._config.user_to_add,
-            self._config.remote_user_pass,
+            remote_user_pwd,
         )
 
         if not remote_full_path:

monkey/infection_monkey/post_breach/actions/add_user.py

@@ -1,14 +1,18 @@
 from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER
 from infection_monkey.config import WormConfiguration
 from infection_monkey.post_breach.pba import PBA
+from infection_monkey.utils.random_password_generator import get_random_password
 from infection_monkey.utils.users import get_commands_to_add_user
 
 
 class BackdoorUser(PBA):
     def __init__(self):
+        remote_user_pwd = get_random_password()
+
         linux_cmds, windows_cmds = get_commands_to_add_user(
-            WormConfiguration.user_to_add, WormConfiguration.remote_user_pass
+            WormConfiguration.user_to_add, remote_user_pwd
         )
+
         super(BackdoorUser, self).__init__(
             POST_BREACH_BACKDOOR_USER, linux_cmd=" ".join(linux_cmds), windows_cmd=windows_cmds
         )

monkey/infection_monkey/utils/random_password_generator.py

@@ -0,0 +1,6 @@
+import secrets
+
+
+def get_random_password(length: int = 12) -> str:
+    password = secrets.token_urlsafe(length)
+    return password

monkey/monkey_island/cc/services/config_schema/internal.py

@@ -397,12 +397,6 @@
                             "default": "Monkey_IUSER_SUPPORT",
                             "description": "Username to add on successful exploit",
                         },
-                        "remote_user_pass": {
-                            "title": "Remote user password",
-                            "type": "string",
-                            "default": "Password1!",
-                            "description": "Password to use for created user",
-                        },
                     },
                 },
                 "sambacry": {