p15693087
/
monkey
forked from p15670423/monkey
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

Still need to test linux

This commit is contained in:
Shay Nehmad 2019-09-03 22:35:18 +03:00
parent c371bf8ac5
commit 3469ec6996
2 changed files with 23 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
monkey/infection_monkey/post_breach/actions/communicate_as_new_user.py
View File

@ -4,7 +4,6 @@ import random
import string
import subprocess
import win32api
import win32con
import win32process
import win32security
@ -15,6 +14,9 @@ from infection_monkey.post_breach.pba import PBA
from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
from infection_monkey.utils import is_windows_os
CREATED_PROCESS_AS_USER_WINDOWS_FORMAT = "Created process '{}' as user '{}'."
CREATED_PROCESS_AS_USER_LINUX_FORMAT = "Created process '{}' as user '{}'. Some of the output was '{}'."
USERNAME = "somenewuser"
PASSWORD = "N3WPa55W0rD!1"
@ -60,12 +62,11 @@ class CommunicateAsNewUser(PBA):
try:
# Open process as that user:
# https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera
return_value_create_process = win32process.CreateProcessAsUser(
commandline = "{} {}".format(ping_app_path, "google.com")
_ = win32process.CreateProcessAsUser(
new_user_logon_token_handle, # A handle to the primary token that represents a user.
# If both lpApplicationName and lpCommandLine are non-NULL, *lpApplicationName specifies the module
# to execute, and *lpCommandLine specifies the command line.
ping_app_path, # The name of the module to be executed.
"google.com", # The command line to be executed.
None, # The name of the module to be executed.
commandline, # The command line to be executed.
None, # Process attributes
None, # Thread attributes
True, # Should inherit handles
@ -77,18 +78,27 @@ class CommunicateAsNewUser(PBA):
win32process.STARTUPINFO() # STARTUPINFO structure.
# https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfoa
)
PostBreachTelem(self, (
CREATED_PROCESS_AS_USER_WINDOWS_FORMAT.format(commandline, username), True)).send()
return
except Exception as e:
# TODO: if failed on 1314, try to add elevate the rights of the current user with the "Replace a
# process level token" right, using Local Security Policy editing (need to find how to do this using
# python...
# TODO: if failed on 1314, we can try to add elevate the rights of the current user with the "Replace a
# process level token" right, using Local Security Policy editing. Worked, but only after reboot. So:
# 1. need to decide if worth it, and then
# 2. need to find how to do this using python...
PostBreachTelem(self, (
"Failed to open process as user {}. Error: {}".format(username, str(e)), False)).send()
return
else:
try:
linux_cmds = BackdoorUser.get_linux_commands_to_add_user(username)
linux_cmds.extend([";", "sudo", "-", username, "-c", "'ping -c 2 google.com'"])
subprocess.check_output(linux_cmds, stderr=subprocess.STDOUT, shell=True)
commandline = "'ping -c 2 google.com'"
linux_cmds.extend([";", "sudo", "-", username, "-c", commandline])
output = subprocess.check_output(linux_cmds, stderr=subprocess.STDOUT, shell=True)
PostBreachTelem(self, (
CREATED_PROCESS_AS_USER_LINUX_FORMAT.format(commandline, username, output[:50]), True)).send()
return
except subprocess.CalledProcessError as e:
PostBreachTelem(self, (e.output, False)).send()
return

2
monkey/infection_monkey/post_breach/post_breach_handler.py
View File

@ -46,7 +46,9 @@ class PostBreach(object):
if ((m[1].__module__ == module.__name__) and issubclass(m[1], PBA))]
# Get post breach action object from class
for pba_class in pba_classes:
LOG.debug("Checking if should run PBA {}".format(pba_class.__name__))
if pba_class.should_run(pba_class.__name__):
pba = pba_class()
pba_list.append(pba)
LOG.debug("Added PBA {} to PBA list".format(pba_class.__name__))
return pba_list