From df2be07ffeb173fea7db56e724dfa9207c40dedd Mon Sep 17 00:00:00 2001
From: Jason Zeller <jlzeller@fhsu.edu>
Date: Wed, 13 Mar 2019 16:39:06 -0500
Subject: [PATCH] Renamed ncrack vulnerability to match jtr. Generated an
 example scenario for using crackable_user_accounts.

---
 .../manifests/account.pp                      |   2 +-
 .../manifests/init.pp                         |   4 +-
 .../ncrack_crackable_user_account.pp          |   1 +
 .../secgen_metadata.xml                       |   2 +-
 .../ncrack_user_account.pp                    |   1 -
 .../crackable_user_accounts.xml               | 103 ++++++++++++++++++
 6 files changed, 108 insertions(+), 5 deletions(-)
 rename modules/vulnerabilities/unix/system/{ncrack_user_account => ncrack_crackable_user_account}/manifests/account.pp (93%)
 rename modules/vulnerabilities/unix/system/{ncrack_user_account => ncrack_crackable_user_account}/manifests/init.pp (77%)
 create mode 100644 modules/vulnerabilities/unix/system/ncrack_crackable_user_account/ncrack_crackable_user_account.pp
 rename modules/vulnerabilities/unix/system/{ncrack_user_account => ncrack_crackable_user_account}/secgen_metadata.xml (97%)
 delete mode 100644 modules/vulnerabilities/unix/system/ncrack_user_account/ncrack_user_account.pp
 create mode 100644 scenarios/examples/vulnerability_examples/crackable_user_accounts.xml

diff --git a/modules/vulnerabilities/unix/system/ncrack_user_account/manifests/account.pp b/modules/vulnerabilities/unix/system/ncrack_crackable_user_account/manifests/account.pp
similarity index 93%
rename from modules/vulnerabilities/unix/system/ncrack_user_account/manifests/account.pp
rename to modules/vulnerabilities/unix/system/ncrack_crackable_user_account/manifests/account.pp
index d8c847623..16c69e9b5 100644
--- a/modules/vulnerabilities/unix/system/ncrack_user_account/manifests/account.pp
+++ b/modules/vulnerabilities/unix/system/ncrack_crackable_user_account/manifests/account.pp
@@ -1,4 +1,4 @@
-define ncrack_user_account::account($username, $password, $super_user, $strings_to_leak, $leaked_filenames) {
+define ncrack_crackable_user_account::account($username, $password, $super_user, $strings_to_leak, $leaked_filenames) {
   # ::accounts::user changes permissions on group, passwd, shadow etc. so needs to run before
   if defined('writable_groups::config') {
     include ::writable_groups::config
diff --git a/modules/vulnerabilities/unix/system/ncrack_user_account/manifests/init.pp b/modules/vulnerabilities/unix/system/ncrack_crackable_user_account/manifests/init.pp
similarity index 77%
rename from modules/vulnerabilities/unix/system/ncrack_user_account/manifests/init.pp
rename to modules/vulnerabilities/unix/system/ncrack_crackable_user_account/manifests/init.pp
index cc7042977..534e17f8c 100644
--- a/modules/vulnerabilities/unix/system/ncrack_user_account/manifests/init.pp
+++ b/modules/vulnerabilities/unix/system/ncrack_crackable_user_account/manifests/init.pp
@@ -1,10 +1,10 @@
-class ncrack_user_account::init {
+class ncrack_crackable_user_account::init {
   $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
 
   $account = parsejson($secgen_parameters['account'][0])
   $username = $account['username']
 
-  ::ncrack_user_account::account { "ncrack_user_account_$username":
+  ::ncrack_crackable_user_account::account { "ncrack_crackable_user_account_$username":
     username        => $username,
     password        => $secgen_parameters['password'][0],
     super_user      => str2bool($account['super_user']),
diff --git a/modules/vulnerabilities/unix/system/ncrack_crackable_user_account/ncrack_crackable_user_account.pp b/modules/vulnerabilities/unix/system/ncrack_crackable_user_account/ncrack_crackable_user_account.pp
new file mode 100644
index 000000000..61d041be5
--- /dev/null
+++ b/modules/vulnerabilities/unix/system/ncrack_crackable_user_account/ncrack_crackable_user_account.pp
@@ -0,0 +1 @@
+require ncrack_crackable_user_account::init
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/system/ncrack_user_account/secgen_metadata.xml b/modules/vulnerabilities/unix/system/ncrack_crackable_user_account/secgen_metadata.xml
similarity index 97%
rename from modules/vulnerabilities/unix/system/ncrack_user_account/secgen_metadata.xml
rename to modules/vulnerabilities/unix/system/ncrack_crackable_user_account/secgen_metadata.xml
index 897e99f1c..4d168c772 100644
--- a/modules/vulnerabilities/unix/system/ncrack_user_account/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/system/ncrack_crackable_user_account/secgen_metadata.xml
@@ -3,7 +3,7 @@
 <vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
-  <name>Crackable User Account</name>
+  <name>NCRACK Crackable User Account</name>
   <author>Jason Zeller</author>
   <module_license>MIT</module_license>
   <description>Unprivileged user account with a password from nCrack dictionary.</description>
diff --git a/modules/vulnerabilities/unix/system/ncrack_user_account/ncrack_user_account.pp b/modules/vulnerabilities/unix/system/ncrack_user_account/ncrack_user_account.pp
deleted file mode 100644
index e91c120e7..000000000
--- a/modules/vulnerabilities/unix/system/ncrack_user_account/ncrack_user_account.pp
+++ /dev/null
@@ -1 +0,0 @@
-require ncrack_user_account::init
\ No newline at end of file
diff --git a/scenarios/examples/vulnerability_examples/crackable_user_accounts.xml b/scenarios/examples/vulnerability_examples/crackable_user_accounts.xml
new file mode 100644
index 000000000..7878bd1a3
--- /dev/null
+++ b/scenarios/examples/vulnerability_examples/crackable_user_accounts.xml
@@ -0,0 +1,103 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+	   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	   xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+	<name>Crackable User Accounts Example</name>
+	<author>Jason Zeller</author>
+
+	<description>
+		This scenario gives examples of crackable user accounts based on certain passwords.
+	</description>
+
+	<type>ctf</type>
+	<difficulty>easy</difficulty>
+
+	<system>
+		<system_name>server</system_name>
+		<base platform="linux" type="server"/>
+
+    <!-- Generate ncrack_and jtr passwords for use with their respective vulnerability below -->
+    <input into_datastore="passwords">
+      <!-- The custom_list_password generator will take any filename from: lib/resources/passwordlists/ -->
+      <generator type="custom_list_password">
+        <input into="list_name">
+          <value>ncrackpassword.lst</value>
+        </input>
+      </generator>
+      <generator type="custom_list_password">
+        <input into="list_name">
+          <value>jtrpassword.lst</value>
+        </input>
+      </generator>
+    </input>
+
+    <!-- Generate a basic crackable user account using the random_weak_password generator -->
+    <!-- Generated password is not released as a flag -->
+    <vulnerability name="Crackable User Account"/>
+
+    <!-- Use ncrack_crackable_user_account vulnerability to add a user account to system -->
+    <!-- This vulnerability is designed for a hacker to use the 'ncrack' utility in Kali with a default password list-->
+    <!-- Hints for using this utility are available -->
+    <!-- See ncrack_crackable_user_account vulnerability for more information -->
+    <!-- This creates a flag that is the generated password from selected list: flag{password} -->
+    <vulnerability module_path=".*ncrack_crackable_user_account.*">
+      <input into="password">
+        <datastore access="0">passwords</datastore>
+      </input>
+      <input into="flag_password">
+        <generator type="concat_flag_generator">
+          <input into="strings_to_join">
+            <datastore access="0">passwords</datastore>
+          </input>
+        </generator>
+      </input>
+      <input into="leaked_filenames">
+        <value>flag_here</value>
+      </input>
+      <input into="strings_to_leak">
+        <value>So, you think you are an expert huh? I wonder if you can figure out my password.</value>
+        <value>This account password is also a flag. For example, if the password is "123456" the flag is: flag{123456}</value>
+        <value>Here is a flag for finding this message:</value>
+        <generator type="flag_generator"/>
+      </input>
+      <input into="account">
+        <generator type="account">
+          <input into="username">
+            <value>guest</value>
+          </input>
+        </generator>
+      </input>
+    </vulnerability>
+
+    <!-- Use jtr_crackable_user_account vulnerability to add a user account to system -->
+    <!-- This vulnerability is designed for a hacker to use the 'john' utility in Kali with a default password list -->
+    <!-- Hints for using this utility are available -->
+    <!-- See jtr_crackable_user_account vulnerability for more information -->
+    <!-- This creates a flag that is the generated password from selected list: flag{password} -->
+    <vulnerability module_path=".*jtr_crackable_user_account.*">
+      <input into="password">
+        <datastore access="1">passwords</datastore>
+      </input>
+      <input into="flag_password">
+        <generator type="concat_flag_generator">
+          <input into="strings_to_join">
+            <datastore access="1">passwords</datastore>
+          </input>
+        </generator>
+      </input>
+      <input into="leaked_filenames">
+        <value>flag_here</value>
+      </input>
+      <input into="strings_to_leak">
+        <value>So, you think you are an expert huh? I wonder if you can figure out my password.</value>
+        <value>This account password is also a flag. For example, if the password is "123456" the flag is: flag{123456}</value>
+        <value>Here is a flag for finding this message:</value>
+        <generator type="flag_generator"/>
+      </input>
+    </vulnerability>
+
+  </system>
+
+</scenario>