Agent: Decide if SSL is to be used in auth_options.py

2022-03-23 15:59:53 +05:30 · 2022-03-23 15:59:53 +05:30 · 4614e2207d
parent 6d9e18fdc9
commit 4614e2207d
2 changed files with 23 additions and 12 deletions
--- a/monkey/infection_monkey/exploit/powershell.py
+++ b/monkey/infection_monkey/exploit/powershell.py
@ -49,13 +49,11 @@ class PowerShellExploiter(HostExploiter):
        self._client = None

    def _exploit_host(self):
-        try:
-            use_ssl = self._is_client_using_https()
-        except PowerShellRemotingDisabledError as e:
-            logger.info(e)
-            self.exploit_result.error_message = (
-                "PowerShell Remoting appears to be disabled on the remote host"
-            )
+        if not self._is_any_default_port_open():
+            message = "No default PowerShell remoting ports are open."
+            self.exploit_result.error_message = message
+            logger.debug(message)
+
            return self.exploit_result

        credentials = get_credentials(
@ -66,7 +64,7 @@ class PowerShellExploiter(HostExploiter):
            is_windows_os(),
        )

-        auth_options = [get_auth_options(creds, use_ssl) for creds in credentials]
+        auth_options = [get_auth_options(creds, self.host) for creds in credentials]

        self._client = self._authenticate_via_brute_force(credentials, auth_options)

@ -89,6 +87,9 @@ class PowerShellExploiter(HostExploiter):

        return self.exploit_result

+    def _is_any_default_port_open(self) -> bool:
+        return "tcp-5985" in self.host.services or "tcp-5986" in self.host.services
+
    def _is_client_using_https(self) -> bool:
        try:
            logger.debug("Checking if powershell remoting is enabled over HTTP.")
--- a/monkey/infection_monkey/exploit/powershell_utils/auth_options.py
+++ b/monkey/infection_monkey/exploit/powershell_utils/auth_options.py
@ -1,6 +1,7 @@
 from dataclasses import dataclass

 from infection_monkey.exploit.powershell_utils.credentials import Credentials, SecretType
+from infection_monkey.model.host import VictimHost

 AUTH_BASIC = "basic"
 AUTH_NEGOTIATE = "negotiate"
@ -16,17 +17,26 @@ class AuthOptions:
    ssl: bool


-def get_auth_options(credentials: Credentials, use_ssl: bool) -> AuthOptions:
-    ssl = _get_ssl(credentials, use_ssl)
+def get_auth_options(credentials: Credentials, host: VictimHost) -> AuthOptions:
+    ssl = _get_ssl(credentials, host)
    auth_type = _get_auth_type(credentials)
    encryption = _get_encryption(credentials)

    return AuthOptions(auth_type, encryption, ssl)


-def _get_ssl(credentials: Credentials, use_ssl):
+def _get_ssl(credentials: Credentials, host: VictimHost) -> bool:
+    # Check if default PSRemoting ports are open. Prefer with SSL, if both are.
+    if "tcp-5986" in host.services:  # Default for HTTPS
+        use_ssl = True
+    elif "tcp-5985" in host.services:  # Default for HTTP
+        use_ssl = False
+
    # Passwordless login only works with SSL false, AUTH_BASIC and ENCRYPTION_NEVER
-    return False if credentials.secret == "" else use_ssl
+    if credentials.secret == "":
+        use_ssl = False
+
+    return use_ssl


 def _get_auth_type(credentials: Credentials):