From 455cb08fbe403d41e775827206fa02e4a0700ee5 Mon Sep 17 00:00:00 2001 
From: Jason Zeller Date: Wed, 13 Mar 2019 15:25:15 -0500 Subject: [PATCH] Replaced individual list generators with generic that allows future use. Added ncrack vulnerability. --- lib/helpers/constants.rb | 1 + .../jtrpassword.lst | 0 .../ncrackpassword.lst | 0 .../custom_list_password.pp} | 0 .../manifests/.no_puppet | 0 .../secgen_local/local.rb | 35 ++++++++++++ .../secgen_metadata.xml | 14 +++-- .../jtr_list_password/secgen_local/local.rb | 15 ----- .../jtr_list_password/secgen_metadata.xml | 19 ------- .../ncrack_list_password/manifests/.no_puppet | 0 .../ncrack_list_password.pp | 0 .../secgen_local/local.rb | 15 ----- .../secgen_metadata.xml | 6 +- .../ncrack_user_account/manifests/account.pp | 51 +++++++++++++++++ .../ncrack_user_account/manifests/init.pp | 14 +++++ .../ncrack_user_account.pp | 1 + .../ncrack_user_account/secgen_metadata.xml | 55 +++++++++++++++++++ 17 files changed, 172 insertions(+), 54 deletions(-) rename lib/resources/{wordlists => passwordlists}/jtrpassword.lst (100%) rename lib/resources/{wordlists => passwordlists}/ncrackpassword.lst (100%) rename modules/generators/passwords/{jtr_list_password/jtr_list_password.pp => custom_list_password/custom_list_password.pp} (100%) rename modules/generators/passwords/{jtr_list_password => custom_list_password}/manifests/.no_puppet (100%) create mode 100644 modules/generators/passwords/custom_list_password/secgen_local/local.rb rename modules/generators/passwords/{ncrack_list_password => custom_list_password}/secgen_metadata.xml (57%) delete mode 100644 modules/generators/passwords/jtr_list_password/secgen_local/local.rb delete mode 100644 modules/generators/passwords/jtr_list_password/secgen_metadata.xml delete mode 100644 modules/generators/passwords/ncrack_list_password/manifests/.no_puppet delete mode 100644 modules/generators/passwords/ncrack_list_password/ncrack_list_password.pp delete mode 100644 modules/generators/passwords/ncrack_list_password/secgen_local/local.rb create mode 100644 
modules/vulnerabilities/unix/system/ncrack_user_account/manifests/account.pp create mode 100644 modules/vulnerabilities/unix/system/ncrack_user_account/manifests/init.pp create mode 100644 modules/vulnerabilities/unix/system/ncrack_user_account/ncrack_user_account.pp create mode 100644 modules/vulnerabilities/unix/system/ncrack_user_account/secgen_metadata.xml diff --git a/lib/helpers/constants.rb b/lib/helpers/constants.rb index 91a60ad14..5f5fc865d 100644 --- a/lib/helpers/constants.rb +++ b/lib/helpers/constants.rb @@ -44,6 +44,7 @@ WORDLISTS_DIR = "#{ROOT_DIR}/lib/resources/wordlists" LINELISTS_DIR = "#{ROOT_DIR}/lib/resources/linelists" BLACKLISTED_WORDS_FILE = "#{ROOT_DIR}/lib/resources/blacklisted_words/blacklist.txt" IMAGES_DIR = "#{ROOT_DIR}/lib/resources/images" +PASSWORDLISTS_DIR = "#{ROOT_DIR}/lib/resources/passwordlists" # Path to build puppet modules STDLIB_PUPPET_DIR = "#{MODULES_DIR}build/puppet/stdlib" diff --git a/lib/resources/wordlists/jtrpassword.lst b/lib/resources/passwordlists/jtrpassword.lst similarity index 100% rename from lib/resources/wordlists/jtrpassword.lst rename to lib/resources/passwordlists/jtrpassword.lst diff --git a/lib/resources/wordlists/ncrackpassword.lst b/lib/resources/passwordlists/ncrackpassword.lst similarity index 100% rename from lib/resources/wordlists/ncrackpassword.lst rename to lib/resources/passwordlists/ncrackpassword.lst diff --git a/modules/generators/passwords/jtr_list_password/jtr_list_password.pp b/modules/generators/passwords/custom_list_password/custom_list_password.pp similarity index 100% rename from modules/generators/passwords/jtr_list_password/jtr_list_password.pp rename to modules/generators/passwords/custom_list_password/custom_list_password.pp 
diff --git a/modules/generators/passwords/jtr_list_password/manifests/.no_puppet b/modules/generators/passwords/custom_list_password/manifests/.no_puppet
similarity index 100%
rename from modules/generators/passwords/jtr_list_password/manifests/.no_puppet
rename to modules/generators/passwords/custom_list_password/manifests/.no_puppet
diff --git a/modules/generators/passwords/custom_list_password/secgen_local/local.rb b/modules/generators/passwords/custom_list_password/secgen_local/local.rb
new file mode 100644
index 000000000..ad579c7b3
--- /dev/null
+++ b/modules/generators/passwords/custom_list_password/secgen_local/local.rb
@@ -0,0 +1,35 @@
+#!/usr/bin/ruby
+require_relative '../../../../../lib/objects/local_string_generator.rb'
+
+class CustomPasswordGenerator < StringGenerator
+ attr_accessor :list_name
+
+ def initialize
+ super
+ self.module_name = 'Custom List Password Generator'
+ self.list_name = ''
+ end
+
+ def generate
+ self.outputs << File.readlines("#{PASSWORDLISTS_DIR}/#{list_name}").sample.chomp
+ end
+
+ def get_options_array
+ super + [['--list_name', GetoptLong::REQUIRED_ARGUMENT]]
+ end
+
+ def process_options(opt, arg)
+ super
+ case opt
+ when '--list_name'
+ self.list_name << arg;
+ end
+ end
+
+ def encoding_print_string
+ 'list_name: ' + self.list_name.to_s + print_string_padding
+ end
+
+end
+
+CustomPasswordGenerator.new.run
\ No newline at end of file
diff --git a/modules/generators/passwords/ncrack_list_password/secgen_metadata.xml b/modules/generators/passwords/custom_list_password/secgen_metadata.xml
similarity index 57%
rename from modules/generators/passwords/ncrack_list_password/secgen_metadata.xml
rename to modules/generators/passwords/custom_list_password/secgen_metadata.xml
index b735831bb..8b3b4ce5c 100644
--- a/modules/generators/passwords/ncrack_list_password/secgen_metadata.xml
+++ b/modules/generators/passwords/custom_list_password/secgen_metadata.xml
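Review bot: `generate` in the new custom_list_password/secgen_local/local.rb builds its path as `"#{PASSWORDLISTS_DIR}/#{list_name}"` straight from the `--list_name` option, so a value containing `../` reads lines from any file the process can open, and the default `''` points `File.readlines` at the directory itself. An empty list also fails late, because `sample` returns nil and `.chomp` then raises NoMethodError. I would reduce the option to its basename, confirm the file exists under PASSWORDLISTS_DIR, and raise a clear error for a missing or empty list; skipping blank lines also avoids handing an empty password to the account module. In `process_options`, `self.list_name << arg` appends to the `''` literal rather than assigning, and `self.list_name = arg` states the intent and keeps working under frozen string literals.

```ruby
  def generate
    # Keep only the file name so the option cannot leave PASSWORDLISTS_DIR.
    name = File.basename(list_name.to_s)
    path = File.join(PASSWORDLISTS_DIR, name)
    raise ArgumentError, "unknown password list: #{name.inspect}" unless File.file?(path)

    candidates = File.readlines(path, chomp: true).reject(&:empty?)
    raise ArgumentError, "password list is empty: #{name}" if candidates.empty?

    self.outputs << candidates.sample
  end
  # … unchanged: get_options_array, process_options, encoding_print_string …
```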
@@ -2,18 +2,24 @@ - nCrack Password List Generator + Custom List Generator Jason Zeller MIT - Password randomly selected from nCrack default.pwd password file from Kali 2018.3, located at: - /usr/share/ncrack/default.pwd + Allows you to specify custom password list to generate from. + Available password lists are located in: lib/resources/passwordlists password_generator - ncrack_password + custom_list_password linux windows + list_name + + + jtrpassword.lst + + generated_passwords \ No newline at end of file diff --git a/modules/generators/passwords/jtr_list_password/secgen_local/local.rb b/modules/generators/passwords/jtr_list_password/secgen_local/local.rb deleted file mode 100644 index 73bf68516..000000000 --- a/modules/generators/passwords/jtr_list_password/secgen_local/local.rb +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/ruby -require_relative '../../../../../lib/objects/local_string_generator.rb' - -class JtRPasswordGenerator < StringGenerator - def initialize - super - self.module_name = 'JtR Password List Generator' - end - - def generate - self.outputs << File.readlines("#{WORDLISTS_DIR}/jtrpassword.lst").sample.chomp - end -end - -JtRPasswordGenerator.new.run \ No newline at end of file diff --git a/modules/generators/passwords/jtr_list_password/secgen_metadata.xml b/modules/generators/passwords/jtr_list_password/secgen_metadata.xml deleted file mode 100644 index fda5a18db..000000000 --- a/modules/generators/passwords/jtr_list_password/secgen_metadata.xml +++ /dev/null @@ -1,19 +0,0 @@ - - - JtR Password List Generator - Jason Zeller - MIT - Password randomly selected from John the Ripper password file from Kali 2018.3, located at: - /usr/share/john/password.lst - - - password_generator - jtr_password - linux - windows - - generated_passwords - - \ No newline at end of file 
diff --git a/modules/generators/passwords/ncrack_list_password/manifests/.no_puppet b/modules/generators/passwords/ncrack_list_password/manifests/.no_puppet deleted file mode 100644 index e69de29bb..000000000 diff --git a/modules/generators/passwords/ncrack_list_password/ncrack_list_password.pp b/modules/generators/passwords/ncrack_list_password/ncrack_list_password.pp deleted file mode 100644 index e69de29bb..000000000 diff --git a/modules/generators/passwords/ncrack_list_password/secgen_local/local.rb b/modules/generators/passwords/ncrack_list_password/secgen_local/local.rb deleted file mode 100644 index 6537a087c..000000000 --- a/modules/generators/passwords/ncrack_list_password/secgen_local/local.rb +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/ruby -require_relative '../../../../../lib/objects/local_string_generator.rb' - -class NcrackPasswordGenerator < StringGenerator - def initialize - super - self.module_name = 'nCrack Password List Generator' - end - - def generate - self.outputs << File.readlines("#{WORDLISTS_DIR}/ncrackpassword.lst").sample.chomp - end -end - -NcrackPasswordGenerator.new.run \ No newline at end of file diff --git a/modules/vulnerabilities/unix/system/jtr_crackable_user_account/secgen_metadata.xml b/modules/vulnerabilities/unix/system/jtr_crackable_user_account/secgen_metadata.xml index d23b7a542..0ecac7379 100644 --- a/modules/vulnerabilities/unix/system/jtr_crackable_user_account/secgen_metadata.xml +++ b/modules/vulnerabilities/unix/system/jtr_crackable_user_account/secgen_metadata.xml @@ -26,7 +26,11 @@ - + + + jtrpassword.lst + + diff --git a/modules/vulnerabilities/unix/system/ncrack_user_account/manifests/account.pp b/modules/vulnerabilities/unix/system/ncrack_user_account/manifests/account.pp new file mode 100644 index 000000000..d8c847623 --- /dev/null +++ b/modules/vulnerabilities/unix/system/ncrack_user_account/manifests/account.pp 
@@ -0,0 +1,51 @@
+define ncrack_user_account::account($username, $password, $super_user, $strings_to_leak, $leaked_filenames) {
+ # ::accounts::user changes permissions on group, passwd, shadow etc. so needs to run before
+ if defined('writable_groups::config') {
+ include ::writable_groups::config
+ $writable_groups = [File['/etc/group']]
+ } else { $writable_groups = [] }
+
+ if defined('writable_passwd::config') {
+ include ::writable_passwd::config
+ $writable_passwd = [File['/etc/passwd']]
+ } else { $writable_passwd = [] }
+
+ if defined('writable_shadow::config') {
+ include ::writable_shadow::config
+ $writable_shadow = [File['/etc/shadow']]
+ } else { $writable_shadow = [] }
+
+ $misconfigurations = concat($writable_groups, $writable_passwd, $writable_shadow)
+
+ # Add user account
+ ::accounts::user { $username:
+ shell => '/bin/bash',
+ password => pw_hash($password, 'SHA-512', 'mysalt'),
+ managehome => true,
+ before => $misconfigurations,
+ }
+
+ # sort groups if sudo add to conf
+ if $super_user {
+ exec { "add-$username-to-sudoers":
+ path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
+ command => "echo '$username ALL=(ALL) ALL' >> /etc/sudoers",
+ }
+ }
+
+ if $password == '' {
+ exec { "remove_password_from_account_$username":
+ command => "/usr/bin/passwd -d $username",
+ require => Accounts::User[$username],
+ }
+ }
+
+ # Leak strings in a text file in the users home directory
+ ::secgen_functions::leak_files { "$username-file-leak":
+ storage_directory => "/home/$username/",
+ leaked_filenames => $leaked_filenames,
+ strings_to_leak => $strings_to_leak,
+ owner => $username,
+ leaked_from => "accounts_$username",
+ }
+}
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/system/ncrack_user_account/manifests/init.pp b/modules/vulnerabilities/unix/system/ncrack_user_account/manifests/init.pp
new file mode 100644
index 000000000..cc7042977
--- /dev/null
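Review bot: The `add-$username-to-sudoers` exec in account.pp has no `unless`, `onlyif` or `creates` guard, so every Puppet run appends another `$username ALL=(ALL) ALL` line to /etc/sudoers, and the file is edited without a syntax check. Adding `unless => "grep -qxF '$username ALL=(ALL) ALL' /etc/sudoers",` makes the resource idempotent; the `remove_password_from_account_$username` exec below it lacks a guard in the same way. Separately, `pw_hash($password, 'SHA-512', 'mysalt')` uses one constant salt for every generated account, so equal passwords produce equal hashes across builds. If that is deliberate for the cracking exercise, a comment such as `# fixed salt is deliberate for this lab module; do not reuse outside SecGen` would keep the pattern from being copied into a module that is not meant to be weak.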
+++ b/modules/vulnerabilities/unix/system/ncrack_user_account/manifests/init.pp
@@ -0,0 +1,14 @@
+class ncrack_user_account::init {
+ $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+
+ $account = parsejson($secgen_parameters['account'][0])
+ $username = $account['username']
+
+ ::ncrack_user_account::account { "ncrack_user_account_$username":
+ username => $username,
+ password => $secgen_parameters['password'][0],
+ super_user => str2bool($account['super_user']),
+ strings_to_leak => $secgen_parameters['strings_to_leak'],
+ leaked_filenames => $secgen_parameters['leaked_filenames']
+ }
+}
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/system/ncrack_user_account/ncrack_user_account.pp b/modules/vulnerabilities/unix/system/ncrack_user_account/ncrack_user_account.pp
new file mode 100644
index 000000000..e91c120e7
--- /dev/null
+++ b/modules/vulnerabilities/unix/system/ncrack_user_account/ncrack_user_account.pp
@@ -0,0 +1 @@
+require ncrack_user_account::init
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/system/ncrack_user_account/secgen_metadata.xml b/modules/vulnerabilities/unix/system/ncrack_user_account/secgen_metadata.xml
new file mode 100644
index 000000000..897e99f1c
--- /dev/null
+++ b/modules/vulnerabilities/unix/system/ncrack_user_account/secgen_metadata.xml
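Review bot: In init.pp, `$username = $account['username']` comes from the parsed scenario JSON and is passed on with no format check, while account.pp in this same commit interpolates it into shell `command` strings and a home-directory path. A check right after the assignment, for example stdlib's `validate_re($username, '\A[a-z_][a-z0-9_-]*\z')` or an equivalent Pattern type assertion on newer Puppet, would reject quotes, spaces and path separators before they reach those execs. The same spot could fail early with a clear message when `$secgen_parameters['account']` or `$secgen_parameters['password']` is absent; as written, a missing input would presumably only surface later inside `parsejson` or `pw_hash`.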
@@ -0,0 +1,55 @@ + + + + Crackable User Account + Jason Zeller + MIT + Unprivileged user account with a password from nCrack dictionary. + + system + user_rwx + local + linux + + leaked_filenames + strings_to_leak + account + password + flag_password + username + + + + + + + + + ncrackpassword.lst + + + + + + + + + + + + + + + Password is susceptible to cracking. + Use nCrack to crack password. If you don't know the username, try using the /usr/share/ncrack/minimal.usr dictionary. + Use the following command: 'ncrack -v --user username -P /usr/share/ncrack/default.pwd host_ip:22' + + + utilities/unix/system/accounts + + + + + \ No newline at end of file