p17860254
/
monkey
forked from p15670423/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Testing is important

This commit is contained in:
Shreya 2020-10-21 01:08:01 +05:30
parent 0a8d1f2afe
commit 08d3801120
2 changed files with 36 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
monkey/infection_monkey/network/windowsserver_fingerprint.py
View File

@ -18,6 +18,22 @@ class WindowsServerFinger(HostFinger):
def __init__(self): def __init__(self):
self._config = infection_monkey.config.WormConfiguration self._config = infection_monkey.config.WormConfiguration
def get_dc_name(self, DC_IP):
"""
Gets NetBIOS name of the DC.
"""
name = ''
try:
if is_windows_os():
cmd = f'nbtstat -A {DC_IP} | findstr "<00>"'
name = subprocess.check_output(cmd, shell=True).decode().split('\n')[0].strip(' ').split(' ')[0]
else:
cmd = f'nmblookup -A {DC_IP} | grep "<00>"'
name = subprocess.check_output(cmd, shell=True).decode().split('\n')[0].strip('\t').strip(' ').split(' ')[0]
except BaseException as ex:
LOG.info(f'Exception: {ex} Most likely not a Windows DC.')
return name
def get_host_fingerprint(self, host): def get_host_fingerprint(self, host):
""" """
Checks if the Windows Server is vulnerable to Zerologon. Checks if the Windows Server is vulnerable to Zerologon.
@ -71,33 +87,26 @@ class WindowsServerFinger(HostFinger):
DC_NAME = self.get_dc_name(DC_IP) DC_NAME = self.get_dc_name(DC_IP)
DC_HANDLE = '\\\\' + DC_NAME DC_HANDLE = '\\\\' + DC_NAME
# Keep authenticating until successful. Expected average number of attempts needed: 256. if DC_NAME: # if it is a Windows DC
LOG.info('Performing Zerologon authentication attempts...') # Keep authenticating until successful. Expected average number of attempts needed: 256.
rpc_con = None LOG.info('Performing Zerologon authentication attempts...')
for attempt in range(0, self.MAX_ATTEMPTS): rpc_con = None
rpc_con = try_zero_authenticate(DC_HANDLE, DC_IP, DC_NAME) for attempt in range(0, self.MAX_ATTEMPTS):
if (rpc_con is not None) or (unexpected_error_encountered): rpc_con = try_zero_authenticate(DC_HANDLE, DC_IP, DC_NAME)
break if (rpc_con is not None) or (unexpected_error_encountered):
break
self.init_service(host.services, self._SCANNED_SERVICE, None) self.init_service(host.services, self._SCANNED_SERVICE, '')
if rpc_con:
LOG.info('Success: DC can be fully compromised by a Zerologon attack.')
host.services[self._SCANNED_SERVICE]['is_vulnerable'] = True
return True
else:
LOG.info('Failure: Target is either patched or an unexpected error was encountered.')
host.services[self._SCANNED_SERVICE]['is_vulnerable'] = False
return False
if rpc_con:
LOG.info('Success: DC can be fully compromised by a Zerologon attack.')
host.services[self._SCANNED_SERVICE]['is_vulnerable'] = True
return True
else: else:
LOG.info('Failure: Target is either patched or an unexpected error was encountered.') LOG.info('Error encountered; most likely not a Windows DC.')
host.services[self._SCANNED_SERVICE]['is_vulnerable'] = False
return False return False
def get_dc_name(self, DC_IP):
"""
Gets NetBIOS name of the DC.
"""
if is_windows_os():
cmd = f'nbtstat -A {DC_IP} | findstr "<00>"'
name = subprocess.check_output(cmd, shell=True).decode().split('\n')[0].strip(' ').split(' ')[0]
else:
cmd = f'nmblookup -A {DC_IP} | grep "<00>"'
name = subprocess.check_output(cmd, shell=True).decode().split('\n')[0].strip('\t').strip(' ').split(' ')[0]
return name

2
monkey/monkey_island/cc/services/config_schema/internal.py
View File

@ -222,7 +222,7 @@ INTERNAL = {
"HTTPFinger", "HTTPFinger",
"MySQLFinger", "MySQLFinger",
"MSSQLFinger", "MSSQLFinger",
"ElasticFinger" "ElasticFinger",
"WindowsServerFinger" "WindowsServerFinger"
] ]
} }