Merge branch '3577-smb-packer-scripts' into develop

Issue #3577 PR #3581
guardicore · Aug 11, 2023 · 7ae50cc · 7ae50cc
2 parents 610f807 + d46f426
commit 7ae50cc
Show file tree

Hide file tree

Showing 3 changed files with 128 additions and 3 deletions.
diff --git a/envs/monkey_zoo/packer/setup_mimikatz_15.yml b/envs/monkey_zoo/packer/setup_mimikatz_15.yml
@@ -0,0 +1,48 @@
+---
+- name: Create a mimikatz-15 machine image
+  hosts: all
+  vars:
+    ansible_remote_tmp: C:\Windows\Temp
+  tasks:
+    - name: Create user
+      win_user:
+        name: m0nk3y
+        password: pAJfG56JX><
+        password_never_expires: yes
+        state: present
+        update_password: on_create
+        groups_action: add
+        groups:
+          - Administrators
+          - "Remote Desktop Users"
+
+    - name: Enable SMBv1
+      ansible.windows.win_optional_feature:
+        name: SMB1Protocol
+        state: present
+
+    - name: Disable SMBv2 using win_regedit
+      ansible.windows.win_regedit:
+        path: HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters
+        name: SMB2
+        data: 0
+        type: dword
+        state: present
+
+    - name: Allow port 445 SMB
+      win_command:
+        cmd: netsh advfirewall firewall add rule name="Allow Port 445" dir=in action=allow protocol=TCP localport=445
+
+    - name: Change the hostname to mimikatz-15
+      ansible.windows.win_hostname:
+        name: mimikatz-15
+      register: res
+
+    - name: Reboot
+      ansible.windows.win_reboot:
+      when: res.reboot_required
+
+    - name: Delete packer_user
+      win_user:
+        name: packer_user
+        state: absent
diff --git a/envs/monkey_zoo/packer/smb.pkr.hcl b/envs/monkey_zoo/packer/smb.pkr.hcl
@@ -0,0 +1,77 @@
+packer {
+  required_plugins {
+    googlecompute = {
+      source  = "github.com/hashicorp/googlecompute"
+      version = "~> 1"
+    }
+    ansible = {
+      source  = "github.com/hashicorp/ansible"
+      version = "~> 1"
+    }
+  }
+}
+
+variable "project_id" {
+    type = string
+}
+variable "zone" {
+    type = string
+    default = "europe-west3-a"
+}
+variable "machine_type" {
+    type = string
+    default = "e2-standard-4"
+}
+variable "source_image" {
+    type = string
+    default = "windows-server-2016-dc-v20211216"
+}
+variable "account_file" {
+    type = string
+}
+variable "packer_username" {
+    type = string
+    default = "packer_user"
+}
+variable "packer_user_password" {
+    type = string
+    default = "Passw0rd"
+}
+
+
+
+source "googlecompute" "mimikatz-15" {
+    image_name = "mimikatz-15"
+    project_id = "${var.project_id}"
+    source_image = "${var.source_image}"
+    zone = "${var.zone}"
+    disk_size = 50
+    machine_type = "${var.machine_type}"
+    account_file = "${var.account_file}"
+    communicator = "winrm"
+    winrm_username = "${var.packer_username}"
+    winrm_password = "${var.packer_user_password}"
+    winrm_insecure = true
+    winrm_use_ssl = true
+    metadata = {
+      sysprep-specialize-script-cmd = "winrm quickconfig -quiet & net user packer_user Passw0rd /add & net localgroup administrators packer_user /add & winrm set winrm/config/service/auth @{Basic=\"true\"}"
+    }
+}
+
+build {
+    sources = [
+        "source.googlecompute.mimikatz-15",
+    ]
+    provisioner "ansible" {
+        only = ["googlecompute.mimikatz-15"]
+        use_proxy = false
+        user = "${var.packer_username}"
+        playbook_file = "./packer/setup_mimikatz_15.yml"
+        ansible_env_vars = ["ANSIBLE_HOST_KEY_CHECKING=False"]
+        extra_arguments = [
+                "-e", "ansible_winrm_transport=ntlm ansible_winrm_server_cert_validation=ignore",
+                "-e", "ansible_password=${var.packer_user_password}",
+                "-vvv"
+        ]
+    }
+}
diff --git a/envs/monkey_zoo/terraform/firewalls.tf b/envs/monkey_zoo/terraform/firewalls.tf
@@ -323,9 +323,9 @@ resource "google_compute_firewall" "deny-rdp64-rdp65-to-others" {
   source_tags = ["rdp-64", "rdp-65"]
 }
 
-// We are disabling PowerShell because we want only RDP to run on these machines
+// We are disabling PowerShell because we want only RDP\SMB to run on these machines
 // and we can't do it via Packer because it uses WinRM to configure the instances
-resource "google_compute_firewall" "deny-powershell-on-rdp" {
+resource "google_compute_firewall" "deny-powershell-on-rdp-and-smb" {
  name    = "deny-powershell-on-rdp"
  network = google_compute_network.monkeyzoo.name
 
@@ -337,5 +337,5 @@ resource "google_compute_firewall" "deny-powershell-on-rdp" {
  priority = "998"
 
  source_ranges = ["0.0.0.0/0"]
- target_tags   = ["rdp-64", "rdp-65"]
+ target_tags   = ["rdp-64", "rdp-65", "mimikatz-14", "mimikatz-15"]
 }