Add brute-force exploiters' explanation pages #4269
base: develop
Changes from 9 commits
@@ -0,0 +1,51 @@ | ||
--- | ||
title: "MSSQL Exploiter" | ||
draft: false | ||
description: "Exploits MSSQL by taking advantage of insecure configuration" | ||
tags: ["exploiter", "mssql", "brute force"] | ||
pre: "<i class='fa fa-database'></i> " | ||
--- | ||
|
||
## MSSQL | ||
|
||
[MSSQL (Microsoft SQL Server)]( | ||
https://learn.microsoft.com/en-us/sql/sql-server/what-is-sql-server) is a | ||
relational database management system (RDBMS) developed by Microsoft whose | ||
functions include managing, storing, retrieving, manipulating, and analyzing | ||
data efficiently. | ||
|
||
[`xp_cmdshell`]( | ||
https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql) | ||
is a procedure in MSSQL that allows users to execute Windows shell commands | ||
from within the SQL Server environment. | ||
|
||
## Exploitation | ||
|
||
Machines with MSSQL that have `xp_cmdshell` enabled may be accessible to | ||
attackers if they come across the correct credentials. | ||
|
||
Infection Monkey's MSSQL exploiter uses brute-force to propagate to a victim | ||
by taking advantage of insecure MSSQL configuration. It leverages the | ||
`xp_cmdshell` feature to execute commands on the server. | ||
I feel like these two paragraphs are basically building up to say the same thing. Maybe they can be combined.

I'd prefer keeping them separate. This is how it is in all the exploiter pages. The first paragraph says something about the service's vulnerability and the second explains how it works in Infection Monkey.

Maybe, but most of them aren't paragraphs, they're standalone sentences.

Combining them in all pages
||
|
||
![MSSQL Configuration]( | ||
/images/island/configuration-page/mssql-exploiter-configuration.png | ||
"MSSQL Configuration") | ||
|
||
### Credentials used | ||
|
||
The MSSQL exploiter will use [user-configured credentials]( | ||
/usage/configuration/credentials) as well as credentials collected from other | ||
victims for brute-forcing. All possible combinations of usernames and passwords | ||
are used, prioritizing pairs provided by the user in the configuration. | ||
|
||
## Mitigation | ||
|
||
1. Disable the `xp_cmdshell` option. | ||
|
||
|
||
To learn more about how to disable this feature, read [Microsoft's | ||
documentation]( | ||
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-2017). | ||
|
||
## See also | ||
- [MSSQL exploiter reference documentation](/reference/exploiters/mssql) |
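Review bot: the Mitigation list (`1. Disable the `xp_cmdshell` option.`) covers only one of the two conditions the page itself names: the Exploitation and Credentials used sections say the exploiter needs valid credentials (user-configured or collected from other victims) in addition to `xp_cmdshell`. Add a second item like the one used on the other pages, `1. Change user passwords to complex passwords that are not shared with other computers on the network.`, so the page does not read as though disabling `xp_cmdshell` alone removes the exposure. Also, the `xp_cmdshell` documentation link under Mitigation points at `docs.microsoft.com/...?view=sql-server-2017` while the two links at the top use `learn.microsoft.com`; use the same host for all three.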
@@ -0,0 +1,81 @@ | ||
--- | ||
title: "PowerShell Exploiter" | ||
draft: false | ||
description: "Exploits PowerShell Remoting" | ||
tags: ["exploiter", "powershell", "brute force"] | ||
pre: "<i class='fa fa-terminal'></i> " | ||
--- | ||
|
||
## PowerShell Remoting | ||
|
||
[PowerShell Remoting]( | ||
https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity) | ||
is a PowerShell feature that enables connecting to Windows machines remotely in | ||
order to run arbitrary commands. It is commonly used by administrators to | ||
|
||
manage multiple systems in a network. | ||
|
||
## Exploitation | ||
|
||
Machines with PowerShell Remoting enabled may be accessible to attackers if | ||
they come across the correct credentials. | ||
In general, I'm not sure I like the language, "if they come across the correct credentials." We should maybe come up with something that's a bit more explanatory.
||
|
||
Infection Monkey's PowerShell exploiter uses brute-force to attempt to | ||
propagate to a victim through PowerShell Remoting. | ||
Again, I think these two sentences are closely related enough to be one paragraph.
||
|
||
![PowerShell Configuration]( | ||
/images/island/configuration-page/powershell-exploiter-configuration.png | ||
"PowerShell Configuration") | ||
|
||
### Credentials used | ||
|
||
The PowerShell exploiter can be run from both Linux and Windows attackers. On | ||
Windows attackers, the exploiter has the ability to use the cached username | ||
and/or password from the current user. On both Linux and Windows attackers, the | ||
exploiter uses all combinations of the [user-configured usernames and | ||
passwords](/usage/configuration/credentials), as well as LM or NT hashes that | ||
have been collected. Different combinations of | ||
|
||
credentials are attempted in the following order: | ||
|
||
1. **Cached username and password (Windows attacker only)** - The exploiter | ||
will use the stored credentials of the current user to attempt to log into | ||
the victim machine. | ||
|
||
1. **Brute force usernames with blank passwords** - Windows allows you to | ||
configure a user with a blank/empty password. The exploiter will attempt to | ||
log into the victim machine using each username set in the | ||
[configuration](/usage/configuration/credentials) with a | ||
|
||
blank password. | ||
|
||
In order for the attacker to connect with a blank password, the victim must | ||
have enabled basic authentication, http and no encryption. | ||
|
||
1. **Brute force usernames with cached password (Windows attacker only)** - The | ||
exploiter will attempt to log into the victim machine using each username | ||
set in the [configuration](/usage/configuration/credentials) and the current | ||
user's cached password. | ||
|
||
1. **Brute force usernames and passwords** - The exploiter will attempt to use | ||
all combinations of usernames and passwords that were set in the | ||
[configuration.](/usage/configuration/credentials) | ||
|
||
1. **Brute force usernames and LM hashes** - The exploiter will attempt to use | ||
all combinations of usernames that were set in the | ||
[configuration](/usage/configuration/credentials) and LM hashes that were | ||
collected from any other victims. | ||
|
||
1. **Brute force usernames and NT hashes** - The exploiter will attempt to use | ||
all combinations of usernames that were set in the | ||
[configuration](/usage/configuration/credentials) and NT hashes that were | ||
collected from any other victims. | ||
|
||
|
||
## Mitigation | ||
|
||
1. Restrict PowerShell remote command execution and/or harden the credentials | ||
of relevant users. | ||
|
||
More information about how to remediate security concerns related to PowerShell | ||
Remoting can be found [here]( | ||
https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity). | ||
|
||
## See also | ||
- [PowerShell exploiter reference documentation](/reference/exploiters/powershell) |
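Review bot: the lines `In order for the attacker to connect with a blank password, the victim must` / `have enabled basic authentication, http and no encryption.` are unindented between list items 2 and 3, so Markdown ends the list there and the next `1.` starts a fresh list; indent them under item 2 (and write `HTTP`). That precondition is also the most actionable fact on the page and is absent from Mitigation, which only says `Restrict PowerShell remote command execution and/or harden the credentials of relevant users.`; add an item telling readers to disable Basic authentication and unencrypted HTTP WinRM listeners, since the text states that is what the blank-password path depends on. Minor: `[configuration.](/usage/configuration/credentials)` in item 4 puts the period inside the link text; move it after the closing parenthesis as in the other items.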
@@ -0,0 +1,60 @@ | ||
--- | ||
title: "RDP Exploiter" | ||
draft: false | ||
description: "Exploits RDP" | ||
tags: ["exploiter", "rdp", "brute force"] | ||
pre: "<i class='fa fa-desktop'></i> " | ||
--- | ||
|
||
## RDP | ||
|
||
[RDP (Remote Desktop Protocol)]( | ||
https://learn.microsoft.com/en-us/windows/win32/termserv/remote-desktop-protocol) | ||
is a network communication protocol by Microsoft which enables users to connect | ||
to another computer over a network, providing a remote display and input | ||
capabilities to the user. It is commonly used for remote administration, remote | ||
technical support, and remote work access. | ||
|
||
## Exploitation | ||
|
||
Machines with RDP enabled may be accessible to attackers if | ||
they come across the correct credentials. | ||
|
||
Infection Monkey's RDP exploiter uses brute-force to attempt to | ||
propagate to a victim via RDP. | ||
|
||
![RDP Configuration]( | ||
/images/island/configuration-page/rdp-exploiter-configuration.png | ||
"RDP Configuration") | ||
|
||
### Credentials used | ||
|
||
The RDP exploiter will use [user-configured credentials]( | ||
/usage/configuration/credentials) as well as LM or NT hashes collected from | ||
other victims. Different combinations of credentials are attempted in the | ||
following order: | ||
|
||
1. **Brute force usernames and passwords** - The exploiter will attempt to use | ||
all combinations of usernames and passwords that were set in the | ||
[configuration](/usage/configuration/credentials) or collected from other | ||
victims. | ||
|
||
1. **Brute force usernames and NT hashes** - The exploiter will attempt to use | ||
all combinations of usernames and NT Hashes that were set in the | ||
[configuration](/usage/configuration/credentials) or collected from other | ||
victims. | ||
|
||
This only works on Windows 8.1 and Windows Server 2012 R2. You can read more | ||
[here](https://www.kali.org/blog/passing-hash-remote-desktop/). | ||
|
||
## Mitigation | ||
|
||
1. Change user passwords to complex passwords that are not shared with other | ||
computers on the network. | ||
|
||
For information about remediating RDP-related security risks, see | ||
[Microsoft's | ||
guidance](https://www.microsoft.com/en-us/security/blog/2020/04/16/security-guidance-remote-desktop-adoption/) | ||
|
||
## See also | ||
- [RDP exploiter reference documentation](/reference/exploiters/rdp) |
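Review bot: the note `This only works on Windows 8.1 and Windows Server 2012 R2. You can read more [here](...)` is a separate paragraph, so it is not visibly tied to item 2 (NT hashes); indent it under that item and say what is limited rather than only where, i.e. that it is the pass-the-hash RDP logon the linked Kali post describes. Item 2 also says NT hashes `were set in the configuration or collected from other victims`, while the intro says `LM or NT hashes collected from other victims` and LM hashes are never mentioned again; either drop LM from the intro or add the matching item. In Mitigation, `Change user passwords to complex passwords` does not address item 2 at all: a hash collected from another victim is usable regardless of the password's complexity, and the protective clause is `not shared with other computers`, so spell out that reuse across machines is what makes collected hashes work. The Microsoft guidance link at the end is missing its closing period.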
@@ -0,0 +1,42 @@ | ||
--- | ||
title: "SMB Exploiter" | ||
draft: false | ||
description: "Exploits SMB" | ||
tags: ["exploiter", "smb", "brute force"] | ||
pre: "<i class='fa fa-folder-open'></i> " | ||
--- | ||
|
||
## SMB | ||
|
||
[SMB (Server Message Block)](https://en.wikipedia.org/wiki/Server_Message_Block) | ||
is a network protocol primarily used in Windows for inter-process communication, | ||
and providing shared access to files, printers, and serial ports between nodes | ||
on a network. | ||
|
||
|
||
## Exploitation | ||
|
||
Machines with SMB enabled may be accessible to attackers if | ||
they come across the correct credentials. | ||
|
||
Infection Monkey's SMB exploiter uses brute-force to attempt to | ||
propagate to a victim via SMB. | ||
|
||
![SMB Configuration]( | ||
/images/island/configuration-page/smb-exploiter-configuration.png | ||
"SMB Configuration") | ||
|
||
### Credentials used | ||
|
||
The SMB exploiter will use [user-configured credentials]( | ||
/usage/configuration/credentials) as well as credentials collected from other | ||
victims for brute-forcing. All possible combinations of usernames, passwords, | ||
LM hashes, and NT hashes are used, prioritizing pairs provided by the user in | ||
the configuration. | ||
|
||
## Mitigation | ||
|
||
1. Change user passwords to complex passwords that are not shared with other | ||
computers on the network. | ||
|
||
## See also | ||
- [SMB exploiter reference documentation](/reference/exploiters/smb) |
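Review bot: Mitigation lists only `Change user passwords to complex passwords that are not shared with other computers on the network.`, but Credentials used says the exploiter also tries `LM hashes, and NT hashes` collected from other victims; password complexity does nothing against a reused hash, so the item should say that the `not shared` half is what closes the collected-hash path. Unlike the MSSQL, PowerShell and RDP pages, this one gives no remediation link (the SMB section links only Wikipedia); add vendor hardening guidance so the page has somewhere to send the reader. The phrase `if they come across the correct credentials` is the one queried in the review thread; for SMB there is no second precondition, so `if they are able to authenticate with the service` from that thread fits here.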
@@ -0,0 +1,43 @@ | ||
--- | ||
title: "SSH Exploiter" | ||
draft: false | ||
description: "Exploits SSH" | ||
tags: ["exploiter", "ssh", "brute force"] | ||
pre: "<i class='fa fa-terminal'></i> " | ||
--- | ||
|
||
## SSH | ||
|
||
[SSH (Secure Shell)](https://en.wikipedia.org/wiki/Secure_Shell) is a network | ||
protocol designed for Unix-like operating systems that provides a secure way to | ||
access a remote computer over an unsecured network. | ||
|
||
## Exploitation | ||
|
||
Machines with SSH enabled may be accessible to attackers if | ||
they come across the correct credentials. | ||
|
||
Infection Monkey's SSH exploiter uses brute-force to attempt to | ||
propagate to a victim via SSH. | ||
|
||
![SSH Configuration]( | ||
/images/island/configuration-page/ssh-exploiter-configuration.png | ||
"SSH Configuration") | ||
|
||
### Credentials used | ||
|
||
The SSH exploiter will use [user-configured credentials]( | ||
/usage/configuration/credentials) as well as credentials collected from other | ||
victims for brute-forcing. All possible combinations of usernames, passwords, | ||
and SSH keypairs are used, prioritizing pairs provided by the user in the | ||
configuration. | ||
|
||
## Mitigation | ||
|
||
1. Change user passwords to complex passwords that are not shared with other | ||
computers on the network. | ||
|
||
1. Protect private keys with a pass phrase. | ||
|
||
|
||
## See also | ||
- [SSH exploiter reference documentation](/reference/exploiters/ssh) |
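Review bot: `designed for Unix-like operating systems` in the SSH section is a historical qualifier, not a property of the protocol; SSH servers run on other platforms too, so `commonly used on Unix-like systems` (or dropping the clause) is more accurate. Credentials used says `SSH keypairs` collected from other victims are tried, so Mitigation item 2, `Protect private keys with a pass phrase.` (one word, `passphrase`), should state why: a collected private key is only usable if it is stored unencrypted or its passphrase is also obtained. As with the SMB page, there is no remediation link here while the MSSQL, PowerShell and RDP pages each provide one.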
@@ -0,0 +1,44 @@ | ||
--- | ||
title: "WMI Exploiter" | ||
draft: false | ||
description: "Exploits WMI" | ||
tags: ["exploiter", "wmi", "brute force"] | ||
pre: "<i class='fa fa-toolbox'></i> " | ||
--- | ||
|
||
## WMI | ||
|
||
[WMI (Windows Management Instrumentation)]( | ||
https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page) is a set | ||
of tools and extensions in Windows for managing and querying system information, | ||
configurations, and operations. Administrators use WMI to manage local and | ||
remote environments by monitoring system health, automating administrative | ||
functions, managing network resources, etc. | ||
|
||
|
||
## Exploitation | ||
|
||
Machines with WMI enabled may be accessible to attackers if | ||
they come across the correct credentials. | ||
|
||
Infection Monkey's WMI exploiter uses brute-force to attempt to | ||
propagate to a victim via WMI. | ||
|
||
![WMI Configuration]( | ||
/images/island/configuration-page/wmi-exploiter-configuration.png | ||
"WMI Configuration") | ||
|
||
### Credentials used | ||
|
||
The WMI exploiter will use [user-configured credentials]( | ||
/usage/configuration/credentials) as well as credentials collected from other | ||
victims for brute-forcing. All possible combinations of usernames, passwords, | ||
LM hashes, and NT hashes are used, prioritizing pairs provided by the user in | ||
the configuration. | ||
|
||
## Mitigation | ||
|
||
1. Change user passwords to complex passwords that are not shared with other | ||
computers on the network. | ||
|
||
## See also | ||
- [WMI exploiter reference documentation](/reference/exploiters/wmi) |
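Review bot: `Machines with WMI enabled` reads as though WMI were an optional service, while the WMI section describes it as a built-in Windows management feature; `Machines that accept remote WMI connections` says what is actually required. Mitigation has the same gap as the SMB page: Credentials used includes `LM hashes, and NT hashes` collected from other victims, and only the `not shared with other computers` half of the single item addresses that, so say so explicitly. The WMI section ends with `etc.`; closing the list at `managing network resources` reads better. No remediation link is given here while the MSSQL, PowerShell and RDP pages each have one.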
Maybe:
?

How about this?

It makes it sound so haphazard. We could just say "if they are able to authenticate with the service."

"if they are able to authenticate with the service" suggests they have the right credentials + `xp_cmdshell` was enabled, it feels wrong to say "may be accessible" with that. I'm having trouble thinking of a better sentence.