Merge pull request #1973 from guardicore/1961-decouple-dropper-and-wormconfig
1961 decouple dropper and wormconfig
0baacf3027
|
@ -61,14 +61,6 @@ class Configuration(object):
|
||||||
|
|
||||||
return result
|
return result
|
||||||
|
|
||||||
###########################
|
|
||||||
# dropper config
|
|
||||||
###########################
|
|
||||||
|
|
||||||
dropper_set_date = True
|
|
||||||
dropper_date_reference_path_windows = r"%windir%\system32\kernel32.dll"
|
|
||||||
dropper_date_reference_path_linux = "/bin/sh"
|
|
||||||
|
|
||||||
###########################
|
###########################
|
||||||
# monkey config
|
# monkey config
|
||||||
###########################
|
###########################
|
||||||
|
|
|
@ -7,10 +7,9 @@ import shutil
|
||||||
import subprocess
|
import subprocess
|
||||||
import sys
|
import sys
|
||||||
import time
|
import time
|
||||||
from pathlib import WindowsPath
|
from pathlib import PosixPath, WindowsPath
|
||||||
|
|
||||||
from common.utils.attack_utils import UsageEnum
|
from common.utils.attack_utils import UsageEnum
|
||||||
from infection_monkey.config import WormConfiguration
|
|
||||||
from infection_monkey.utils.commands import (
|
from infection_monkey.utils.commands import (
|
||||||
build_monkey_commandline_explicitly,
|
build_monkey_commandline_explicitly,
|
||||||
get_monkey_commandline_linux,
|
get_monkey_commandline_linux,
|
||||||
|
@ -21,8 +20,11 @@ from infection_monkey.utils.file_utils import mark_file_for_deletion_on_windows
|
||||||
|
|
||||||
if "win32" == sys.platform:
|
if "win32" == sys.platform:
|
||||||
from win32process import DETACHED_PROCESS
|
from win32process import DETACHED_PROCESS
|
||||||
|
|
||||||
|
DATE_REFERENCE_PATH_WINDOWS = os.path.expandvars(WindowsPath(r"%windir%\system32\kernel32.dll"))
|
||||||
else:
|
else:
|
||||||
DETACHED_PROCESS = 0
|
DETACHED_PROCESS = 0
|
||||||
|
DATE_REFERENCE_PATH_LINUX = PosixPath("/bin/sh")
|
||||||
|
|
||||||
# Linux doesn't have WindowsError
|
# Linux doesn't have WindowsError
|
||||||
try:
|
try:
|
||||||
|
@ -109,27 +111,23 @@ class MonkeyDrops(object):
|
||||||
|
|
||||||
return False
|
return False
|
||||||
|
|
||||||
if WormConfiguration.dropper_set_date:
|
if sys.platform == "win32":
|
||||||
if sys.platform == "win32":
|
dropper_date_reference_path = DATE_REFERENCE_PATH_WINDOWS
|
||||||
dropper_date_reference_path = os.path.expandvars(
|
else:
|
||||||
WormConfiguration.dropper_date_reference_path_windows
|
dropper_date_reference_path = DATE_REFERENCE_PATH_LINUX
|
||||||
)
|
|
||||||
else:
|
try:
|
||||||
dropper_date_reference_path = WormConfiguration.dropper_date_reference_path_linux
|
ref_stat = os.stat(dropper_date_reference_path)
|
||||||
|
except OSError:
|
||||||
|
logger.warning(
|
||||||
|
"Cannot set reference date using '%s', file not found",
|
||||||
|
dropper_date_reference_path,
|
||||||
|
)
|
||||||
|
else:
|
||||||
try:
|
try:
|
||||||
ref_stat = os.stat(dropper_date_reference_path)
|
os.utime(self._config["destination_path"], (ref_stat.st_atime, ref_stat.st_mtime))
|
||||||
except OSError:
|
except OSError:
|
||||||
logger.warning(
|
logger.warning("Cannot set reference date to destination file")
|
||||||
"Cannot set reference date using '%s', file not found",
|
|
||||||
dropper_date_reference_path,
|
|
||||||
)
|
|
||||||
else:
|
|
||||||
try:
|
|
||||||
os.utime(
|
|
||||||
self._config["destination_path"], (ref_stat.st_atime, ref_stat.st_mtime)
|
|
||||||
)
|
|
||||||
except OSError:
|
|
||||||
logger.warning("Cannot set reference date to destination file")
|
|
||||||
|
|
||||||
monkey_options = build_monkey_commandline_explicitly(
|
monkey_options = build_monkey_commandline_explicitly(
|
||||||
parent=self.opts.parent,
|
parent=self.opts.parent,
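Review bot: The two reference-path constants this block picks between have different types — `DATE_REFERENCE_PATH_WINDOWS` is the `str` that `os.path.expandvars` returns (see the earlier hunk in this file), while `DATE_REFERENCE_PATH_LINUX` is a `PosixPath`; `os.stat` accepts both, but defining the Windows one as `DATE_REFERENCE_PATH_WINDOWS = WindowsPath(os.path.expandvars(r"%windir%\system32\kernel32.dll"))` keeps the pair symmetric. The timestamp copy is now unconditional because the `dropper_set_date` switch is removed by this commit, and nothing in the code says so; a one-line comment above `if sys.platform == "win32":` such as `# Always mirror a system file's atime/mtime onto the dropped agent (the old dropper_set_date opt-out was removed)` would save the next reader a search for the toggle. The warning text "file not found" is emitted for any `OSError`, including permission errors, which is carried over from the old code. The enclosing method starts before the hunk.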
|
||||||
|
|
|
@ -12,7 +12,7 @@ import string
|
||||||
import requests
|
import requests
|
||||||
|
|
||||||
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
|
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
|
||||||
from infection_monkey.exploit.tools.helpers import get_agent_dest_path
|
from infection_monkey.exploit.tools.helpers import get_agent_dst_path
|
||||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||||
from infection_monkey.exploit.web_rce import WebRCE
|
from infection_monkey.exploit.web_rce import WebRCE
|
||||||
from infection_monkey.model import (
|
from infection_monkey.model import (
|
||||||
|
@ -43,7 +43,7 @@ class HadoopExploiter(WebRCE):
|
||||||
return self.exploit_result
|
return self.exploit_result
|
||||||
|
|
||||||
try:
|
try:
|
||||||
monkey_path_on_victim = get_agent_dest_path(self.host, self.options)
|
monkey_path_on_victim = get_agent_dst_path(self.host)
|
||||||
except KeyError:
|
except KeyError:
|
||||||
return self.exploit_result
|
return self.exploit_result
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ from infection_monkey.exploit.log4shell_utils import (
|
||||||
build_exploit_bytecode,
|
build_exploit_bytecode,
|
||||||
get_log4shell_service_exploiters,
|
get_log4shell_service_exploiters,
|
||||||
)
|
)
|
||||||
from infection_monkey.exploit.tools.helpers import get_agent_dest_path
|
from infection_monkey.exploit.tools.helpers import get_agent_dst_path
|
||||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||||
from infection_monkey.exploit.web_rce import WebRCE
|
from infection_monkey.exploit.web_rce import WebRCE
|
||||||
from infection_monkey.i_puppet.i_puppet import ExploiterResultData
|
from infection_monkey.i_puppet.i_puppet import ExploiterResultData
|
||||||
|
@ -61,7 +61,7 @@ class Log4ShellExploiter(WebRCE):
|
||||||
self._agent_http_server_thread = None
|
self._agent_http_server_thread = None
|
||||||
|
|
||||||
def _start_servers(self):
|
def _start_servers(self):
|
||||||
target_path = get_agent_dest_path(self.host, self.options)
|
target_path = get_agent_dst_path(self.host)
|
||||||
|
|
||||||
# Start http server, to serve agent to victims
|
# Start http server, to serve agent to victims
|
||||||
agent_http_path = self._start_agent_http_server(target_path)
|
agent_http_path = self._start_agent_http_server(target_path)
|
||||||
|
|
|
@ -8,7 +8,7 @@ import pymssql
|
||||||
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
|
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
|
||||||
from common.utils.exceptions import FailedExploitationError
|
from common.utils.exceptions import FailedExploitationError
|
||||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||||
from infection_monkey.exploit.tools.helpers import get_agent_dest_path
|
from infection_monkey.exploit.tools.helpers import get_agent_dst_path
|
||||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||||
from infection_monkey.exploit.tools.payload_parsing import LimitedSizePayload
|
from infection_monkey.exploit.tools.payload_parsing import LimitedSizePayload
|
||||||
from infection_monkey.i_puppet import ExploiterResultData
|
from infection_monkey.i_puppet import ExploiterResultData
|
||||||
|
@ -59,7 +59,7 @@ class MSSQLExploiter(HostExploiter):
|
||||||
Also, don't forget to start_monkey_server() before self.upload_monkey() and
|
Also, don't forget to start_monkey_server() before self.upload_monkey() and
|
||||||
self.stop_monkey_server() after
|
self.stop_monkey_server() after
|
||||||
"""
|
"""
|
||||||
monkey_path_on_victim = get_agent_dest_path(self.host, self.options)
|
monkey_path_on_victim = get_agent_dst_path(self.host)
|
||||||
|
|
||||||
# Brute force to get connection
|
# Brute force to get connection
|
||||||
creds = generate_identity_secret_pairs(
|
creds = generate_identity_secret_pairs(
|
||||||
|
|
|
@ -13,7 +13,7 @@ from infection_monkey.exploit.powershell_utils.powershell_client import (
|
||||||
IPowerShellClient,
|
IPowerShellClient,
|
||||||
PowerShellClient,
|
PowerShellClient,
|
||||||
)
|
)
|
||||||
from infection_monkey.exploit.tools.helpers import get_agent_dest_path, get_random_file_suffix
|
from infection_monkey.exploit.tools.helpers import get_agent_dst_path, get_random_file_suffix
|
||||||
from infection_monkey.model import DROPPER_ARG, RUN_MONKEY, VictimHost
|
from infection_monkey.model import DROPPER_ARG, RUN_MONKEY, VictimHost
|
||||||
from infection_monkey.utils.commands import build_monkey_commandline
|
from infection_monkey.utils.commands import build_monkey_commandline
|
||||||
from infection_monkey.utils.environment import is_windows_os
|
from infection_monkey.utils.environment import is_windows_os
|
||||||
|
@ -134,7 +134,7 @@ class PowerShellExploiter(HostExploiter):
|
||||||
raise ValueError(f"Unknown secret type {credentials.secret_type}")
|
raise ValueError(f"Unknown secret type {credentials.secret_type}")
|
||||||
|
|
||||||
def _execute_monkey_agent_on_victim(self):
|
def _execute_monkey_agent_on_victim(self):
|
||||||
monkey_path_on_victim = get_agent_dest_path(self.host, self.options)
|
monkey_path_on_victim = get_agent_dst_path(self.host)
|
||||||
|
|
||||||
self._copy_monkey_binary_to_victim(monkey_path_on_victim)
|
self._copy_monkey_binary_to_victim(monkey_path_on_victim)
|
||||||
logger.info("Successfully copied the monkey binary to the victim.")
|
logger.info("Successfully copied the monkey binary to the victim.")
|
||||||
|
|
|
@ -6,7 +6,7 @@ from impacket.dcerpc.v5.scmr import DCERPCSessionError
|
||||||
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
|
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
|
||||||
from common.utils.attack_utils import ScanStatus, UsageEnum
|
from common.utils.attack_utils import ScanStatus, UsageEnum
|
||||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||||
from infection_monkey.exploit.tools.helpers import get_agent_dest_path
|
from infection_monkey.exploit.tools.helpers import get_agent_dst_path
|
||||||
from infection_monkey.exploit.tools.smb_tools import SmbTools
|
from infection_monkey.exploit.tools.smb_tools import SmbTools
|
||||||
from infection_monkey.model import DROPPER_CMDLINE_DETACHED_WINDOWS, MONKEY_CMDLINE_DETACHED_WINDOWS
|
from infection_monkey.model import DROPPER_CMDLINE_DETACHED_WINDOWS, MONKEY_CMDLINE_DETACHED_WINDOWS
|
||||||
from infection_monkey.telemetry.attack.t1035_telem import T1035Telem
|
from infection_monkey.telemetry.attack.t1035_telem import T1035Telem
|
||||||
|
@ -31,7 +31,7 @@ class SMBExploiter(HostExploiter):
|
||||||
|
|
||||||
def _exploit_host(self):
|
def _exploit_host(self):
|
||||||
agent_binary = self.agent_repository.get_agent_binary(self.host.os["type"])
|
agent_binary = self.agent_repository.get_agent_binary(self.host.os["type"])
|
||||||
dest_path = get_agent_dest_path(self.host, self.options)
|
dest_path = get_agent_dst_path(self.host)
|
||||||
creds = generate_brute_force_combinations(self.options["credentials"])
|
creds = generate_brute_force_combinations(self.options["credentials"])
|
||||||
|
|
||||||
for user, password, lm_hash, ntlm_hash in interruptible_iter(creds, self.interrupt):
|
for user, password, lm_hash, ntlm_hash in interruptible_iter(creds, self.interrupt):
|
||||||
|
|
|
@ -9,7 +9,7 @@ from common.utils import Timer
|
||||||
from common.utils.attack_utils import ScanStatus
|
from common.utils.attack_utils import ScanStatus
|
||||||
from common.utils.exceptions import FailedExploitationError
|
from common.utils.exceptions import FailedExploitationError
|
||||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||||
from infection_monkey.exploit.tools.helpers import get_agent_dest_path
|
from infection_monkey.exploit.tools.helpers import get_agent_dst_path
|
||||||
from infection_monkey.i_puppet import ExploiterResultData
|
from infection_monkey.i_puppet import ExploiterResultData
|
||||||
from infection_monkey.model import MONKEY_ARG
|
from infection_monkey.model import MONKEY_ARG
|
||||||
from infection_monkey.network.tools import check_tcp_port, get_interface_to_target
|
from infection_monkey.network.tools import check_tcp_port, get_interface_to_target
|
||||||
|
@ -209,7 +209,7 @@ class SSHExploiter(HostExploiter):
|
||||||
self._set_interrupted()
|
self._set_interrupted()
|
||||||
return self.exploit_result
|
return self.exploit_result
|
||||||
|
|
||||||
monkey_path_on_victim = get_agent_dest_path(self.host, self.options)
|
monkey_path_on_victim = get_agent_dst_path(self.host)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
with ssh.open_sftp() as ftp:
|
with ssh.open_sftp() as ftp:
|
||||||
|
|
|
@ -2,7 +2,6 @@ import logging
|
||||||
import random
|
import random
|
||||||
import string
|
import string
|
||||||
from pathlib import PurePath, PurePosixPath, PureWindowsPath
|
from pathlib import PurePath, PurePosixPath, PureWindowsPath
|
||||||
from typing import Any, Mapping
|
|
||||||
|
|
||||||
from infection_monkey.model import VictimHost
|
from infection_monkey.model import VictimHost
|
||||||
|
|
||||||
|
@ -10,6 +9,19 @@ logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
RAND_SUFFIX_LEN = 8
|
RAND_SUFFIX_LEN = 8
|
||||||
|
|
||||||
|
# Where to upload agent binaries on victims
|
||||||
|
AGENT_BINARY_PATH_LINUX = PurePosixPath("/tmp/monkey")
|
||||||
|
AGENT_BINARY_PATH_WIN64 = PureWindowsPath(r"C:\Windows\temp\monkey64.exe")
|
||||||
|
|
||||||
|
|
||||||
|
def get_agent_dst_path(host: VictimHost) -> PurePath:
|
||||||
|
if host.os["type"] == "windows":
|
||||||
|
path = PureWindowsPath(AGENT_BINARY_PATH_WIN64)
|
||||||
|
else:
|
||||||
|
path = PurePosixPath(AGENT_BINARY_PATH_LINUX)
|
||||||
|
|
||||||
|
return _add_random_suffix(path)
|
||||||
|
|
||||||
|
|
||||||
def get_random_file_suffix() -> str:
|
def get_random_file_suffix() -> str:
|
||||||
character_set = list(string.ascii_letters + string.digits + "_" + "-")
|
character_set = list(string.ascii_letters + string.digits + "_" + "-")
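Review bot: `get_agent_dst_path` has no docstring, and both branches re-wrap constants that already have the right type — `PureWindowsPath(AGENT_BINARY_PATH_WIN64)` copies a `PureWindowsPath` and `PurePosixPath(AGENT_BINARY_PATH_LINUX)` a `PurePosixPath`; since pure paths are immutable, `path = AGENT_BINARY_PATH_WIN64 if host.os["type"] == "windows" else AGENT_BINARY_PATH_LINUX` is equivalent. A docstring along the lines of `"""Return the fixed per-OS drop location for *host* with a random suffix appended (see _add_random_suffix); any OS type other than "windows" gets the Linux path. Raises KeyError if host.os has no "type"."""` records the fallback the `else` branch implements silently and the exception that hadoop.py catches around this call while smb.py's `_exploit_host` does not.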
|
||||||
|
@ -18,15 +30,6 @@ def get_random_file_suffix() -> str:
|
||||||
return random_string
|
return random_string
|
||||||
|
|
||||||
|
|
||||||
def get_agent_dest_path(host: VictimHost, options: Mapping[str, Any]) -> PurePath:
|
|
||||||
if host.os["type"] == "windows":
|
|
||||||
path = PureWindowsPath(options["dropper_target_path_win_64"])
|
|
||||||
else:
|
|
||||||
path = PurePosixPath(options["dropper_target_path_linux"])
|
|
||||||
|
|
||||||
return _add_random_suffix(path)
|
|
||||||
|
|
||||||
|
|
||||||
# Turns C:\\monkey.exe into C:\\monkey-<random_string>.exe
|
# Turns C:\\monkey.exe into C:\\monkey-<random_string>.exe
|
||||||
# Useful to avoid duplicate file paths
|
# Useful to avoid duplicate file paths
|
||||||
def _add_random_suffix(path: PurePath) -> PurePath:
|
def _add_random_suffix(path: PurePath) -> PurePath:
|
||||||
|
|
|
@ -22,7 +22,11 @@ from infection_monkey.model import (
|
||||||
from infection_monkey.network.tools import tcp_port_to_service
|
from infection_monkey.network.tools import tcp_port_to_service
|
||||||
from infection_monkey.telemetry.attack.t1197_telem import T1197Telem
|
from infection_monkey.telemetry.attack.t1197_telem import T1197Telem
|
||||||
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
|
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
|
||||||
from infection_monkey.utils.commands import build_monkey_commandline
|
from infection_monkey.utils.commands import (
|
||||||
|
DROPPER_TARGET_PATH_LINUX,
|
||||||
|
DROPPER_TARGET_PATH_WIN64,
|
||||||
|
build_monkey_commandline,
|
||||||
|
)
|
||||||
from infection_monkey.utils.threading import interruptible_iter
|
from infection_monkey.utils.threading import interruptible_iter
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
@ -109,8 +113,8 @@ class WebRCE(HostExploiter):
|
||||||
def pre_exploit(self):
|
def pre_exploit(self):
|
||||||
if not self.monkey_target_paths:
|
if not self.monkey_target_paths:
|
||||||
self.monkey_target_paths = {
|
self.monkey_target_paths = {
|
||||||
"linux": self.options["dropper_target_path_linux"],
|
"linux": DROPPER_TARGET_PATH_LINUX,
|
||||||
"windows": self.options["dropper_target_path_win_64"],
|
"windows": DROPPER_TARGET_PATH_WIN64,
|
||||||
}
|
}
|
||||||
self.HTTP = [str(port) for port in self.options["http_ports"]]
|
self.HTTP = [str(port) for port in self.options["http_ports"]]
|
||||||
super().pre_exploit()
|
super().pre_exploit()
|
||||||
|
@ -405,7 +409,6 @@ class WebRCE(HostExploiter):
|
||||||
"""
|
"""
|
||||||
Gets default dropper path for the host.
|
Gets default dropper path for the host.
|
||||||
:return: Default monkey's destination path for corresponding host or False if failed.
|
:return: Default monkey's destination path for corresponding host or False if failed.
|
||||||
E.g. config.dropper_target_path_linux(/tmp/monkey.sh) for linux host
|
|
||||||
"""
|
"""
|
||||||
if not self.host.os.get("type") or (
|
if not self.host.os.get("type") or (
|
||||||
self.host.os["type"] != "linux" and self.host.os["type"] != "windows"
|
self.host.os["type"] != "linux" and self.host.os["type"] != "windows"
|
||||||
|
@ -413,9 +416,9 @@ class WebRCE(HostExploiter):
|
||||||
logger.error("Target's OS was either unidentified or not supported. Aborting")
|
logger.error("Target's OS was either unidentified or not supported. Aborting")
|
||||||
return False
|
return False
|
||||||
if self.host.os["type"] == "linux":
|
if self.host.os["type"] == "linux":
|
||||||
return self.options["dropper_target_path_linux"]
|
return DROPPER_TARGET_PATH_LINUX
|
||||||
if self.host.os["type"] == "windows":
|
if self.host.os["type"] == "windows":
|
||||||
return self.options["dropper_target_path_win_64"]
|
return DROPPER_TARGET_PATH_WIN64
|
||||||
|
|
||||||
def get_target_url(self):
|
def get_target_url(self):
|
||||||
"""
|
"""
|
||||||
|
|
|
@ -6,7 +6,7 @@ import traceback
|
||||||
from impacket.dcerpc.v5.rpcrt import DCERPCException
|
from impacket.dcerpc.v5.rpcrt import DCERPCException
|
||||||
|
|
||||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||||
from infection_monkey.exploit.tools.helpers import get_agent_dest_path
|
from infection_monkey.exploit.tools.helpers import get_agent_dst_path
|
||||||
from infection_monkey.exploit.tools.smb_tools import SmbTools
|
from infection_monkey.exploit.tools.smb_tools import SmbTools
|
||||||
from infection_monkey.exploit.tools.wmi_tools import AccessDeniedException, WmiTools
|
from infection_monkey.exploit.tools.wmi_tools import AccessDeniedException, WmiTools
|
||||||
from infection_monkey.i_puppet import ExploiterResultData
|
from infection_monkey.i_puppet import ExploiterResultData
|
||||||
|
@ -15,7 +15,7 @@ from infection_monkey.utils.brute_force import (
|
||||||
generate_brute_force_combinations,
|
generate_brute_force_combinations,
|
||||||
get_credential_string,
|
get_credential_string,
|
||||||
)
|
)
|
||||||
from infection_monkey.utils.commands import build_monkey_commandline
|
from infection_monkey.utils.commands import DROPPER_TARGET_PATH_WIN64, build_monkey_commandline
|
||||||
from infection_monkey.utils.threading import interruptible_iter
|
from infection_monkey.utils.threading import interruptible_iter
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
@ -74,7 +74,7 @@ class WmiExploiter(HostExploiter):
|
||||||
self._set_interrupted()
|
self._set_interrupted()
|
||||||
return self.exploit_result
|
return self.exploit_result
|
||||||
|
|
||||||
target_path = get_agent_dest_path(self.host, self.options)
|
target_path = get_agent_dst_path(self.host)
|
||||||
|
|
||||||
remote_full_path = SmbTools.copy_file(
|
remote_full_path = SmbTools.copy_file(
|
||||||
self.host,
|
self.host,
|
||||||
|
@ -91,13 +91,13 @@ class WmiExploiter(HostExploiter):
|
||||||
wmi_connection.close()
|
wmi_connection.close()
|
||||||
return self.exploit_result
|
return self.exploit_result
|
||||||
# execute the remote dropper in case the path isn't final
|
# execute the remote dropper in case the path isn't final
|
||||||
elif remote_full_path.lower() != self.options["dropper_target_path_win_64"]:
|
elif remote_full_path.lower() != DROPPER_TARGET_PATH_WIN64:
|
||||||
cmdline = DROPPER_CMDLINE_WINDOWS % {
|
cmdline = DROPPER_CMDLINE_WINDOWS % {
|
||||||
"dropper_path": remote_full_path
|
"dropper_path": remote_full_path
|
||||||
} + build_monkey_commandline(
|
} + build_monkey_commandline(
|
||||||
self.host,
|
self.host,
|
||||||
self.current_depth - 1,
|
self.current_depth - 1,
|
||||||
self.options["dropper_target_path_win_64"],
|
DROPPER_TARGET_PATH_WIN64,
|
||||||
)
|
)
|
||||||
else:
|
else:
|
||||||
cmdline = MONKEY_CMDLINE_WINDOWS % {
|
cmdline = MONKEY_CMDLINE_WINDOWS % {
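Review bot: `remote_full_path.lower() != DROPPER_TARGET_PATH_WIN64` compares a `str` with a `PureWindowsPath`; `PureWindowsPath.__eq__` returns `NotImplemented` for a `str`, so the inequality is always true and the "execute the remote dropper" branch is always taken. The old string comparison was effectively always true as well whenever the configured value contained capitals (the default `C:\Windows\temp\monkey64.exe` does), so this is a carried-over defect rather than a new one, but the new form makes it unconditional. Comparing as paths fixes both, because `PureWindowsPath` equality is case-insensitive: `elif PureWindowsPath(remote_full_path) != DROPPER_TARGET_PATH_WIN64:` with `from pathlib import PureWindowsPath` added to this file's imports. `remote_full_path` is assumed to be a `str` since `.lower()` is called on it; `SmbTools.copy_file` is not in the hunk.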
|
||||||
|
|
|
@ -1,7 +1,12 @@
|
||||||
from infection_monkey.config import GUID
|
from infection_monkey.config import GUID
|
||||||
|
from infection_monkey.exploit.tools.helpers import AGENT_BINARY_PATH_LINUX, AGENT_BINARY_PATH_WIN64
|
||||||
from infection_monkey.model import CMD_CARRY_OUT, CMD_EXE, MONKEY_ARG
|
from infection_monkey.model import CMD_CARRY_OUT, CMD_EXE, MONKEY_ARG
|
||||||
from infection_monkey.model.host import VictimHost
|
from infection_monkey.model.host import VictimHost
|
||||||
|
|
||||||
|
# Dropper target paths
|
||||||
|
DROPPER_TARGET_PATH_LINUX = AGENT_BINARY_PATH_LINUX
|
||||||
|
DROPPER_TARGET_PATH_WIN64 = AGENT_BINARY_PATH_WIN64
|
||||||
|
|
||||||
|
|
||||||
def build_monkey_commandline(target_host: VictimHost, depth: int, location: str = None) -> str:
|
def build_monkey_commandline(target_host: VictimHost, depth: int, location: str = None) -> str:
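Review bot: `DROPPER_TARGET_PATH_LINUX` and `DROPPER_TARGET_PATH_WIN64` are now `PurePath` objects, yet `build_monkey_commandline` still annotates `location: str = None`, and wmi.py in this same commit passes `DROPPER_TARGET_PATH_WIN64` as that argument. If the body (outside the hunk) only interpolates `location` into a string this works at runtime, but the annotation no longer states the accepted types; `location: Optional[Union[str, PurePath]] = None` with `from pathlib import PurePath` and `from typing import Optional, Union` would make the contract explicit. The two aliases presumably exist so exploiters can keep importing the drop location from `utils.commands`; a comment such as `# Same objects as the helpers constants, re-exported for callers that import from here` would say so.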
|
||||||
|
|
||||||
|
|
|
@ -617,12 +617,6 @@ class ConfigService:
|
||||||
|
|
||||||
exploit_options = {}
|
exploit_options = {}
|
||||||
|
|
||||||
for dropper_target in [
|
|
||||||
"dropper_target_path_linux",
|
|
||||||
"dropper_target_path_win_64",
|
|
||||||
]:
|
|
||||||
exploit_options[dropper_target] = config.get(dropper_target, "")
|
|
||||||
|
|
||||||
exploit_options["http_ports"] = sorted(config["HTTP_PORTS"])
|
exploit_options["http_ports"] = sorted(config["HTTP_PORTS"])
|
||||||
|
|
||||||
formatted_exploiters_config = {
|
formatted_exploiters_config = {
|
||||||
|
|
|
@ -135,51 +135,6 @@ INTERNAL = {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"dropper": {
|
|
||||||
"title": "Dropper",
|
|
||||||
"type": "object",
|
|
||||||
"properties": {
|
|
||||||
"dropper_set_date": {
|
|
||||||
"title": "Dropper sets date",
|
|
||||||
"type": "boolean",
|
|
||||||
"default": True,
|
|
||||||
"description": "Determines whether the dropper should set the monkey's file "
|
|
||||||
"date to be the same as"
|
|
||||||
" another file",
|
|
||||||
},
|
|
||||||
"dropper_date_reference_path_windows": {
|
|
||||||
"title": "Dropper date reference path (Windows)",
|
|
||||||
"type": "string",
|
|
||||||
"default": "%windir%\\system32\\kernel32.dll",
|
|
||||||
"description": "Determines which file the dropper should copy the date from if "
|
|
||||||
"it's configured to do"
|
|
||||||
" so on Windows (use fullpath)",
|
|
||||||
},
|
|
||||||
"dropper_date_reference_path_linux": {
|
|
||||||
"title": "Dropper date reference path (Linux)",
|
|
||||||
"type": "string",
|
|
||||||
"default": "/bin/sh",
|
|
||||||
"description": "Determines which file the dropper should copy the date from if "
|
|
||||||
"it's configured to do"
|
|
||||||
" so on Linux (use fullpath)",
|
|
||||||
},
|
|
||||||
"dropper_target_path_linux": {
|
|
||||||
"title": "Dropper target path on Linux",
|
|
||||||
"type": "string",
|
|
||||||
"default": "/tmp/monkey",
|
|
||||||
"description": "Determines where should the dropper place the monkey on a "
|
|
||||||
"Linux machine",
|
|
||||||
},
|
|
||||||
"dropper_target_path_win_64": {
|
|
||||||
"title": "Dropper target path on Windows (64bit)",
|
|
||||||
"type": "string",
|
|
||||||
"default": "C:\\Windows\\temp\\monkey64.exe",
|
|
||||||
"description": "Determines where should the dropper place the monkey on a "
|
|
||||||
"Windows machine "
|
|
||||||
"(64 bit)",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
"exploits": {
|
"exploits": {
|
||||||
"title": "Exploits",
|
"title": "Exploits",
|
||||||
"type": "object",
|
"type": "object",
|
||||||
|
|
|
@ -69,7 +69,6 @@
|
||||||
"windows_command": ""
|
"windows_command": ""
|
||||||
},
|
},
|
||||||
"depth": 2,
|
"depth": 2,
|
||||||
"dropper_set_date": true,
|
|
||||||
"exploit_lm_hash_list": ["DEADBEEF", "FACADE"],
|
"exploit_lm_hash_list": ["DEADBEEF", "FACADE"],
|
||||||
"exploit_ntlm_hash_list": ["BEADED", "ACCEDE", "DECADE"],
|
"exploit_ntlm_hash_list": ["BEADED", "ACCEDE", "DECADE"],
|
||||||
"exploit_password_list": ["p1", "p2", "p3"],
|
"exploit_password_list": ["p1", "p2", "p3"],
|
||||||
|
|
|
@ -21,11 +21,6 @@
|
||||||
"custom_PBA_linux_cmd": "bash test.sh",
|
"custom_PBA_linux_cmd": "bash test.sh",
|
||||||
"custom_PBA_windows_cmd": "powershell test.ps1",
|
"custom_PBA_windows_cmd": "powershell test.ps1",
|
||||||
"depth": 2,
|
"depth": 2,
|
||||||
"dropper_date_reference_path_linux": "/bin/sh",
|
|
||||||
"dropper_date_reference_path_windows": "%windir%\\system32\\kernel32.dll",
|
|
||||||
"dropper_set_date": true,
|
|
||||||
"dropper_target_path_linux": "/tmp/monkey",
|
|
||||||
"dropper_target_path_win_64": "C:\\Windows\\temp\\monkey64.exe",
|
|
||||||
"exploit_lm_hash_list": ["lm_hash_1", "lm_hash_2"],
|
"exploit_lm_hash_list": ["lm_hash_1", "lm_hash_2"],
|
||||||
"exploit_ntlm_hash_list": ["nt_hash_1", "nt_hash_2", "nt_hash_3"],
|
"exploit_ntlm_hash_list": ["nt_hash_1", "nt_hash_2", "nt_hash_3"],
|
||||||
"exploit_password_list": [
|
"exploit_password_list": [
|
||||||
|
|
|
@ -96,13 +96,6 @@
|
||||||
"ElasticFinger"
|
"ElasticFinger"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"dropper": {
|
|
||||||
"dropper_set_date": true,
|
|
||||||
"dropper_date_reference_path_windows": "%windir%\\system32\\kernel32.dll",
|
|
||||||
"dropper_date_reference_path_linux": "/bin/sh",
|
|
||||||
"dropper_target_path_linux": "/tmp/monkey",
|
|
||||||
"dropper_target_path_win_64": "C:\\Windows\\temp\\monkey64.exe"
|
|
||||||
},
|
|
||||||
"exploits": {
|
"exploits": {
|
||||||
"exploit_lm_hash_list": [],
|
"exploit_lm_hash_list": [],
|
||||||
"exploit_ntlm_hash_list": [],
|
"exploit_ntlm_hash_list": [],
|
||||||
|
|
|
@ -5,6 +5,7 @@ from unittest.mock import MagicMock
|
||||||
import pytest
|
import pytest
|
||||||
|
|
||||||
from infection_monkey.exploit import powershell
|
from infection_monkey.exploit import powershell
|
||||||
|
from infection_monkey.exploit.tools.helpers import AGENT_BINARY_PATH_WIN64
|
||||||
from infection_monkey.model.host import VictimHost
|
from infection_monkey.model.host import VictimHost
|
||||||
|
|
||||||
# Use the path_win32api_get_user_name fixture for all tests in this module
|
# Use the path_win32api_get_user_name fixture for all tests in this module
|
||||||
|
@ -14,7 +15,6 @@ USER_LIST = ["user1", "user2"]
|
||||||
PASSWORD_LIST = ["pass1", "pass2"]
|
PASSWORD_LIST = ["pass1", "pass2"]
|
||||||
LM_HASH_LIST = ["bogo_lm_1"]
|
LM_HASH_LIST = ["bogo_lm_1"]
|
||||||
NT_HASH_LIST = ["bogo_nt_1", "bogo_nt_2"]
|
NT_HASH_LIST = ["bogo_nt_1", "bogo_nt_2"]
|
||||||
DROPPER_TARGET_PATH_64 = "C:\\agent64"
|
|
||||||
|
|
||||||
|
|
||||||
mock_agent_repository = MagicMock()
|
mock_agent_repository = MagicMock()
|
||||||
|
@ -24,7 +24,6 @@ mock_agent_repository.get_agent_binary.return_value = BytesIO(b"BINARY_EXECUTABL
|
||||||
@pytest.fixture
|
@pytest.fixture
|
||||||
def powershell_arguments(http_and_https_both_enabled_host):
|
def powershell_arguments(http_and_https_both_enabled_host):
|
||||||
options = {
|
options = {
|
||||||
"dropper_target_path_win_64": DROPPER_TARGET_PATH_64,
|
|
||||||
"credentials": {
|
"credentials": {
|
||||||
"exploit_user_list": USER_LIST,
|
"exploit_user_list": USER_LIST,
|
||||||
"exploit_password_list": PASSWORD_LIST,
|
"exploit_password_list": PASSWORD_LIST,
|
||||||
|
@ -114,7 +113,7 @@ def test_successful_copy(monkeypatch, powershell_exploiter, powershell_arguments
|
||||||
|
|
||||||
exploit_result = powershell_exploiter.exploit_host(**powershell_arguments)
|
exploit_result = powershell_exploiter.exploit_host(**powershell_arguments)
|
||||||
|
|
||||||
assert DROPPER_TARGET_PATH_64 in str(mock_client.return_value.copy_file.call_args[0][1])
|
assert AGENT_BINARY_PATH_WIN64.stem in str(mock_client.return_value.copy_file.call_args[0][1])
|
||||||
assert exploit_result.exploitation_success
|
assert exploit_result.exploitation_success
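Review bot: The new assertion `AGENT_BINARY_PATH_WIN64.stem in str(...)` only checks that `monkey64` appears somewhere in the copy destination, which is weaker than the full-path check it replaces and would pass for an unrelated path containing that word. Assuming the copy target is the random-suffixed path produced by `get_agent_dst_path`, `assert str(mock_client.return_value.copy_file.call_args[0][1]).startswith(str(AGENT_BINARY_PATH_WIN64.with_suffix("")))` checks the directory and base name while still tolerating the suffix.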
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -2,39 +2,44 @@ from unittest.mock import Mock
|
||||||
|
|
||||||
import pytest
|
import pytest
|
||||||
|
|
||||||
from infection_monkey.exploit.tools.helpers import RAND_SUFFIX_LEN, get_agent_dest_path
|
from infection_monkey.exploit.tools.helpers import (
|
||||||
|
AGENT_BINARY_PATH_LINUX,
|
||||||
|
AGENT_BINARY_PATH_WIN64,
|
||||||
|
RAND_SUFFIX_LEN,
|
||||||
|
get_agent_dst_path,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
def _get_host_and_options(os, path):
|
def _get_host(os):
|
||||||
host = Mock()
|
host = Mock()
|
||||||
host.os = {"type": os}
|
host.os = {"type": os}
|
||||||
options = {"dropper_target_path_win_64": path, "dropper_target_path_linux": path}
|
return host
|
||||||
return host, options
|
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.parametrize("os", ["windows", "linux"])
|
@pytest.mark.parametrize(
|
||||||
@pytest.mark.parametrize("path", ["C:\\monkey.exe", "/tmp/monkey-linux-64", "mon.key.exe"])
|
"os, path", [("linux", AGENT_BINARY_PATH_LINUX), ("windows", AGENT_BINARY_PATH_WIN64)]
|
||||||
def test_get_agent_dest_path(os, path):
|
)
|
||||||
host, options = _get_host_and_options(os, path)
|
def test_get_agent_dst_path(os, path):
|
||||||
rand_path = get_agent_dest_path(host, options)
|
host = _get_host(os)
|
||||||
|
rand_path = get_agent_dst_path(host)
|
||||||
|
|
||||||
# Assert that filename got longer by RAND_SUFFIX_LEN and one dash
|
# Assert that filename got longer by RAND_SUFFIX_LEN and one dash
|
||||||
assert len(str(rand_path)) == (len(str(path)) + RAND_SUFFIX_LEN + 1)
|
assert len(str(rand_path)) == (len(str(path)) + RAND_SUFFIX_LEN + 1)
|
||||||
|
|
||||||
|
|
||||||
def test_get_agent_dest_path_randomness():
|
def test_get_agent_dst_path_randomness():
|
||||||
host, options = _get_host_and_options("windows", "monkey.exe")
|
host = _get_host("windows")
|
||||||
|
|
||||||
path1 = get_agent_dest_path(host, options)
|
path1 = get_agent_dst_path(host)
|
||||||
path2 = get_agent_dest_path(host, options)
|
path2 = get_agent_dst_path(host)
|
||||||
|
|
||||||
assert path1 != path2
|
assert path1 != path2
|
||||||
|
|
||||||
|
|
||||||
def test_get_agent_dest_path_str_place():
|
def test_get_agent_dst_path_str_place():
|
||||||
host, options = _get_host_and_options("windows", "C:\\abc\\monkey.exe")
|
host = _get_host("windows")
|
||||||
|
|
||||||
rand_path = get_agent_dest_path(host, options)
|
rand_path = get_agent_dst_path(host)
|
||||||
|
|
||||||
assert str(rand_path).startswith("C:\\abc\\monkey-")
|
assert str(rand_path).startswith(r"C:\Windows\temp\monkey")
|
||||||
assert str(rand_path).endswith(".exe")
|
assert str(rand_path).endswith(".exe")
|
||||||
|
|
|
@ -179,8 +179,6 @@ def test_format_config_for_agent__network_scan(flat_monkey_config):
|
||||||
def test_format_config_for_agent__exploiters(flat_monkey_config):
|
def test_format_config_for_agent__exploiters(flat_monkey_config):
|
||||||
expected_exploiters_config = {
|
expected_exploiters_config = {
|
||||||
"options": {
|
"options": {
|
||||||
"dropper_target_path_linux": "/tmp/monkey",
|
|
||||||
"dropper_target_path_win_64": r"C:\Windows\temp\monkey64.exe",
|
|
||||||
"http_ports": [80, 443, 7001, 8008, 8080, 9200],
|
"http_ports": [80, 443, 7001, 8008, 8080, 9200],
|
||||||
},
|
},
|
||||||
"brute_force": [
|
"brute_force": [
|
||||||
|
|