Merge branch '4213-docs-exploiters-feature-pages_brute-force' into develop

Issue #4213
PR #4269

Author: mssalvatore

docs/content/features/exploiters/log4shell.md

@@ -17,7 +17,8 @@ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).
 logging framework that is used to log messages within software, including
 information like error messages and user inputs in a program. Due to its
 widespread adoption, thousands of software packages and applications use
-Log4j, making them all vulnerable to Log4Shell.
+Log4j, making them all vulnerable to
+[Log4Shell](https://en.wikipedia.org/wiki/Log4Shell).
 
 ## Exploitation
 
@@ -37,7 +38,7 @@ to propagate to a victim machine.
 
 ### Services exploited
 
-Infection Monkey will attempt to exploit the Log4Shell vulnerability in the
+Infection Monkey attempts to exploit the Log4Shell vulnerability in the
 following services:
 
 - Apache Solr

docs/content/features/exploiters/mssql.md

@@ -0,0 +1,48 @@
+---
+title: "MSSQL Exploiter"
+draft: false
+description: "Exploits MSSQL by taking advantage of insecure configuration"
+tags: ["exploiter", "mssql", "brute force"]
+pre: "<i class='fa fa-database'></i> "
+---
+
+## MSSQL
+
+[MSSQL (Microsoft SQL Server)](
+https://learn.microsoft.com/en-us/sql/sql-server/what-is-sql-server) is a
+relational database management system (RDBMS) developed by Microsoft whose
+functions include managing, storing, retrieving, manipulating, and analyzing
+data efficiently. In addition to manipulating data stored within the database,
+the  [`xp_cmdshell`](
+https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql)
+procedure allows users to manipulate the host server by executing Windows shell
+commands from within the SQL Server environment.
+
+## Exploitation
+
+Because of the inherent security risks associated with `xp_cmdshell`, it is
+disabled by default. If `xp_cmdshell` has been enabled on an MSSQL instance,
+attackers who possess valid credentials can leverage MSSQL to run arbitrary commands
+on the server. Infection Monkey's MSSQL exploiter uses brute-force to
+authenticate with a victim's MSSQL server and uses `xp_cmdshell` to propagate
+to the victim server.
+
+![MSSQL Configuration](
+/images/island/configuration-page/mssql-exploiter-configuration.png
+"MSSQL Configuration")
+
+### Credentials used
+
+The MSSQL exploiter uses [user-configured credentials](
+/usage/configuration/credentials), as well as credentials collected from other
+victims for brute-forcing. All possible combinations of usernames and passwords
+are used, prioritizing pairs provided by the user in the configuration.
+
+## Mitigation
+
+The best approach to mitigate this attack is to disable the `xp_cmdshell`
+feature as described in [Microsoft's documentation](
+https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-2017).
+
+## See also
+- [MSSQL exploiter reference documentation](/reference/exploiters/mssql)

docs/content/features/exploiters/powershell.md

@@ -0,0 +1,86 @@
+---
+title: "PowerShell Exploiter"
+draft: false
+description: "Exploits PowerShell Remoting"
+tags: ["exploiter", "powershell", "brute force"]
+pre: "<i class='fa fa-terminal'></i> "
+---
+
+## PowerShell Remoting
+
+[PowerShell Remoting](
+https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity)
+is a PowerShell feature that enables connecting to Windows machines remotely in
+order to execute PowerShell commands on them. It is commonly used by
+administrators to manage multiple systems in a network.
+
+## Exploitation
+
+Attackers that can successfully authenticate via PowerShell Remoting are able
+to execute arbitrary commands on the victim machine. Infection Monkey's
+PowerShell exploiter uses brute-force to attempt to propagate to a victim
+via PowerShell Remoting.
+
+![PowerShell Configuration](
+/images/island/configuration-page/powershell-exploiter-configuration.png
+"PowerShell Configuration")
+
+### Credentials used
+
+The PowerShell exploiter can be run from both Linux and Windows attackers. On
+Windows attackers, the exploiter has the ability to use the cached username
+and/or password from the current user. When attacking from Linux or Windows,
+the exploiter uses all combinations of [user-configured credentials](
+/usage/configuration/credentials), as well as credentials collected from other
+victims. Different combinations of credentials are attempted in the following
+order:
+
+1. **Cached username and password (Windows attacker only)** - The exploiter
+   uses the stored credentials of the current user to attempt to log into
+   the victim machine.
+
+1. **Brute force usernames with blank passwords** - Windows allows you to
+   configure a user with a blank/empty password. The exploiter attempts to
+   log into the victim machine using usernames set in the
+   [configuration](/usage/configuration/credentials) or stolen from other
+   victims, and a blank password.
+
+   In order for the attacker to connect with a blank password, the victim must
+   have enabled basic authentication, http and no encryption.
+
+1. **Brute force usernames with cached password (Windows attacker only)** - The
+   exploiter attempts to log into the victim machine using usernames
+   set in the [configuration](/usage/configuration/credentials) or stolen from
+   other victims, and the current user's cached password.
+
+1. **Brute force usernames and passwords** - The exploiter attempts to use
+   all combinations of usernames and passwords that were set in the
+   [configuration](/usage/configuration/credentials) or stolen from other
+   victims.
+
+1. **Brute force usernames and LM hashes** - The exploiter attempts to use
+   all combinations of usernames and LM hashes that were set in the
+   [configuration](/usage/configuration/credentials) or stolen from other
+   victims.
+
+1. **Brute force usernames and NT hashes** - The exploiter attempts to use
+   all combinations of usernames and NT hashes that were set in the
+   [configuration](/usage/configuration/credentials) or stolen from other
+   victims.
+
+Note that techniques that use cached credentials, are only possible from
+Windows attackers.
+
+## Mitigation
+
+1. Restrict PowerShell remote command execution.
+1. Harden the credentials of relevant users by enforcing strong password
+   policies.
+1. Enable multi-factor authentication.
+
+More information about how to remediate security concerns related to PowerShell
+Remoting can be found [here](
+https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity).
+
+## See also
+- [PowerShell exploiter reference documentation](/reference/exploiters/powershell)

docs/content/features/exploiters/rdp.md

@@ -0,0 +1,63 @@
+---
+title: "RDP Exploiter"
+draft: false
+description: "Exploits RDP"
+tags: ["exploiter", "rdp", "brute force"]
+pre: "<i class='fa fa-desktop'></i> "
+---
+
+## RDP
+
+[RDP (Remote Desktop Protocol)](
+https://learn.microsoft.com/en-us/windows/win32/termserv/remote-desktop-protocol)
+is a network communication protocol by Microsoft that enables users to connect
+to remote computers over a network, providing a remote display and input
+capabilities to the user. It is commonly used for remote administration, remote
+technical support, and remote work access.
+
+## Exploitation
+
+Attackers that can successfully authenticate to a machine via RDP can run
+arbitrary commands on the victim machine. This allows the attacker to perform
+actions such as installing malware, exfiltrating data, or pivoting and moving
+laterally through the network. Infection Monkey's RDP exploiter uses
+brute-force to attempt to propagate to a victim via RDP.
+
+![RDP Configuration](
+/images/island/configuration-page/rdp-exploiter-configuration.png
+"RDP Configuration")
+
+### Credentials used
+
+The RDP exploiter uses [user-configured credentials](
+/usage/configuration/credentials) as well as credentials collected from
+other victims. Different combinations of credentials are attempted in the
+following order:
+
+1. **Brute force usernames and passwords** - The exploiter attempts to use
+   all combinations of usernames and passwords that were set in the
+   [configuration](/usage/configuration/credentials) or stolen from other
+   victims.
+
+1. **Brute force usernames and NT hashes** - The exploiter attempts to use
+   all combinations of usernames and NT hashes that were set in the
+   [configuration](/usage/configuration/credentials) or stolen from other
+   victims.
+
+   This only works on Windows 8.1 and Windows Server 2012 R2. You can read more
+   about this limitation
+   [here](https://www.kali.org/blog/passing-hash-remote-desktop/).
+
+## Mitigation
+
+1. Change user passwords to complex passwords that are not shared with other
+   computers on the network.
+2. [Enable multi-factor authentication for
+   RDP](https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-plan-mfa).
+
+For information about remediating RDP-related security risks, see
+[Microsoft's
+guidance](https://www.microsoft.com/en-us/security/blog/2020/04/16/security-guidance-remote-desktop-adoption/)
+
+## See also
+- [RDP exploiter reference documentation](/reference/exploiters/rdp)

docs/content/features/exploiters/smb.md

@@ -0,0 +1,44 @@
+---
+title: "SMB Exploiter"
+draft: false
+description: "Exploits SMB"
+tags: ["exploiter", "smb", "brute force"]
+pre: "<i class='fa fa-folder-open'></i> "
+---
+
+## SMB
+
+[SMB (Server Message Block)](https://en.wikipedia.org/wiki/Server_Message_Block)
+is a network protocol primarily used in Windows for sharing and communication
+between computers on a network. Besides resource sharing, SMB supports remote
+procedure calls (RPC), which allows executing arbitrary commands on remote
+systems using command line utilities such as `psexec` and `smbexec`. This is
+generally used for administrative tasks and remote management.
+
+## Exploitation
+
+Attackers that can successfully authenticate to a machine via the SMB service
+can run arbitrary commands on the victim machine. This allows the attacker to
+perform actions such as installing malware, exfiltrating data, or pivoting and
+moving laterally through the network. Infection Monkey's SMB exploiter uses
+brute-force to attempt to propagate to a victim via SMB.
+
+![SMB Configuration](
+/images/island/configuration-page/smb-exploiter-configuration.png
+"SMB Configuration")
+
+### Credentials used
+
+The SMB exploiter uses [user-configured credentials](
+/usage/configuration/credentials) as well as credentials collected from other
+victims for brute-forcing. All possible combinations of usernames, passwords,
+LM hashes, and NT hashes are used, prioritizing pairs provided by the user in
+the configuration.
+
+## Mitigation
+
+1. Change user passwords to complex passwords that are not shared with other
+   computers on the network.
+
+## See also
+- [SMB exploiter reference documentation](/reference/exploiters/smb)

docs/content/features/exploiters/ssh.md

@@ -0,0 +1,48 @@
+---
+title: "SSH Exploiter"
+draft: false
+description: "Exploits SSH"
+tags: ["exploiter", "ssh", "brute force"]
+pre: "<i class='fa fa-terminal'></i> "
+---
+
+## SSH
+
+[SSH (Secure Shell)](https://en.wikipedia.org/wiki/Secure_Shell) is a network
+protocol designed for Unix-like operating systems that provides a secure way to
+access a remote computer over an unsecured network. After establishing an
+encrypted connection to a remote machine, it can be used to execute arbitrary
+commands directly through the SSH terminal or by specifying commands in the SSH
+client. This allows for secure remote administration and automation of tasks on
+the target system.
+
+## Exploitation
+
+Attackers that can successfully authenticate to a machine via SSH can run
+arbitrary commands on the victim machine. This allows the attacker to perform
+actions such as installing malware, exfiltrating data, or pivoting and moving
+laterally through the network. Infection Monkey's SSH exploiter uses
+brute-force to attempt to propagate to a victim via SSH.
+
+![SSH Configuration](
+/images/island/configuration-page/ssh-exploiter-configuration.png
+"SSH Configuration")
+
+### Credentials used
+
+The SSH exploiter uses [user-configured credentials](
+/usage/configuration/credentials) as well as credentials collected from other
+victims for brute-forcing. All possible combinations of usernames, passwords,
+and SSH keypairs are used, prioritizing pairs provided by the user in the
+configuration.
+
+## Mitigation
+
+1. Change user passwords to complex passwords that are not shared with other
+computers on the network.
+
+1. [Store private keys securely.](
+https://www.ssldragon.com/blog/best-practices-to-store-the-private-key/)
+
+## See also
+- [SSH exploiter reference documentation](/reference/exploiters/ssh)

docs/content/features/exploiters/wmi.md

@@ -0,0 +1,45 @@
+---
+title: "WMI Exploiter"
+draft: false
+description: "Exploits WMI"
+tags: ["exploiter", "wmi", "brute force"]
+pre: "<i class='fa fa-toolbox'></i> "
+---
+
+## WMI
+
+[WMI (Windows Management Instrumentation)](
+https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page) is a set
+of tools and extensions in Windows for managing and querying system information,
+configurations, and operations. WMI's command line utilities and scripting
+capabilities are used by administrators to run arbitrary commands on local and
+remote environments for monitoring system health, automating administrative
+functions, managing network resources, etc.
+
+## Exploitation
+
+Attackers that can successfully authenticate to a machine via WMI can run
+arbitrary commands on the victim machine. This allows the attacker to perform
+actions such as installing malware, exfiltrating data, or pivoting and moving
+laterally through the network. Infection Monkey's WMI exploiter uses
+brute-force to attempt to propagate to a victim via WMI.
+
+![WMI Configuration](
+/images/island/configuration-page/wmi-exploiter-configuration.png
+"WMI Configuration")
+
+### Credentials used
+
+The WMI exploiter uses [user-configured credentials](
+/usage/configuration/credentials) as well as credentials collected from other
+victims for brute-forcing. All possible combinations of usernames, passwords,
+LM hashes, and NT hashes are used, prioritizing pairs provided by the user in
+the configuration.
+
+## Mitigation
+
+Change user passwords to complex passwords that are not shared with other
+computers on the network.
+
+## See also
+- [WMI exploiter reference documentation](/reference/exploiters/wmi)