From 711cab5f386a105c9796a2f408f54ae0049a913d Mon Sep 17 00:00:00 2001 From: vakarisz Date: Wed, 1 Jun 2022 13:04:57 +0300 Subject: [PATCH] Agent: Separate dropper path from agent binary path --- .../infection_monkey/exploit/tools/helpers.py | 24 +++++++++++-------- monkey/infection_monkey/exploit/web_rce.py | 8 ++++--- monkey/infection_monkey/exploit/wmiexec.py | 8 ++----- monkey/infection_monkey/model/__init__.py | 4 ---- monkey/infection_monkey/utils/commands.py | 5 ++++ .../exploit/test_powershell.py | 5 ++-- .../exploit/tools/test_helpers.py | 10 +++++--- 7 files changed, 35 insertions(+), 29 deletions(-) diff --git a/monkey/infection_monkey/exploit/tools/helpers.py b/monkey/infection_monkey/exploit/tools/helpers.py index 2739da215..17d76607a 100644 --- a/monkey/infection_monkey/exploit/tools/helpers.py +++ b/monkey/infection_monkey/exploit/tools/helpers.py @@ -3,12 +3,25 @@ import random import string from pathlib import PurePath, PurePosixPath, PureWindowsPath -from infection_monkey.model import DROPPER_TARGET_PATH_LINUX, DROPPER_TARGET_PATH_WIN64, VictimHost +from infection_monkey.model import VictimHost logger = logging.getLogger(__name__) RAND_SUFFIX_LEN = 8 +# Where to upload agent binaries on victims +AGENT_BINARY_PATH_LINUX = "/tmp/monkey" +AGENT_BINARY_PATH_WIN64 = r"C:\Windows\temp\monkey64.exe" + + +def get_agent_dest_path(host: VictimHost) -> PurePath: + if host.os["type"] == "windows": + path = PureWindowsPath(AGENT_BINARY_PATH_WIN64) + else: + path = PurePosixPath(AGENT_BINARY_PATH_LINUX) + + return _add_random_suffix(path) + def get_random_file_suffix() -> str: character_set = list(string.ascii_letters + string.digits + "_" + "-") 
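Review bot: In `get_agent_dest_path`, every OS type other than `"windows"` falls through to the POSIX branch, and a host whose `os` dict has no `"type"` key raises `KeyError`. An unidentified target is therefore either treated as Linux or aborts the caller. If callers can reach this with hosts that were not fingerprinted (not visible in this hunk), read the value once with `os_type = host.os.get("type")` and raise `ValueError` for anything other than `"windows"` or `"linux"`. The relocated function also has no docstring; `"""Return the OS-specific upload path for the agent binary, with a random suffix added to the file name."""` would make clear that the `AGENT_BINARY_PATH_*` constants are base names, not the final path. `_add_random_suffix` is defined outside this hunk.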
@@ -17,15 +30,6 @@ def get_random_file_suffix() -> str: return random_string -def get_agent_dest_path(host: VictimHost) -> PurePath: - if host.os["type"] == "windows": - path = PureWindowsPath(DROPPER_TARGET_PATH_WIN64) - else: - path = PurePosixPath(DROPPER_TARGET_PATH_LINUX) - - return _add_random_suffix(path) - - # Turns C:\\monkey.exe into C:\\monkey-.exe # Useful to avoid duplicate file paths def _add_random_suffix(path: PurePath) -> PurePath: diff --git a/monkey/infection_monkey/exploit/web_rce.py b/monkey/infection_monkey/exploit/web_rce.py index 9363f5b32..957ed361d 100644 --- a/monkey/infection_monkey/exploit/web_rce.py +++ b/monkey/infection_monkey/exploit/web_rce.py @@ -12,8 +12,6 @@ from infection_monkey.model import ( CHMOD_MONKEY, DOWNLOAD_TIMEOUT, DROPPER_ARG, - DROPPER_TARGET_PATH_LINUX, - DROPPER_TARGET_PATH_WIN64, ID_STRING, MONKEY_ARG, POWERSHELL_HTTP_UPLOAD, @@ -24,7 +22,11 @@ from infection_monkey.model import ( from infection_monkey.network.tools import tcp_port_to_service from infection_monkey.telemetry.attack.t1197_telem import T1197Telem from infection_monkey.telemetry.attack.t1222_telem import T1222Telem -from infection_monkey.utils.commands import build_monkey_commandline +from infection_monkey.utils.commands import ( + DROPPER_TARGET_PATH_LINUX, + DROPPER_TARGET_PATH_WIN64, + build_monkey_commandline, +) from infection_monkey.utils.threading import interruptible_iter logger = logging.getLogger(__name__) diff --git a/monkey/infection_monkey/exploit/wmiexec.py b/monkey/infection_monkey/exploit/wmiexec.py index a008beee2..50f8deb6b 100644 --- a/monkey/infection_monkey/exploit/wmiexec.py +++ b/monkey/infection_monkey/exploit/wmiexec.py 
@@ -10,16 +10,12 @@ from infection_monkey.exploit.tools.helpers import get_agent_dest_path from infection_monkey.exploit.tools.smb_tools import SmbTools from infection_monkey.exploit.tools.wmi_tools import AccessDeniedException, WmiTools from infection_monkey.i_puppet import ExploiterResultData -from infection_monkey.model import ( - DROPPER_CMDLINE_WINDOWS, - DROPPER_TARGET_PATH_WIN64, - MONKEY_CMDLINE_WINDOWS, -) +from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS from infection_monkey.utils.brute_force import ( generate_brute_force_combinations, get_credential_string, ) -from infection_monkey.utils.commands import build_monkey_commandline +from infection_monkey.utils.commands import DROPPER_TARGET_PATH_WIN64, build_monkey_commandline from infection_monkey.utils.threading import interruptible_iter logger = logging.getLogger(__name__) diff --git a/monkey/infection_monkey/model/__init__.py b/monkey/infection_monkey/model/__init__.py index e81861ee7..138dbf92a 100644 --- a/monkey/infection_monkey/model/__init__.py +++ b/monkey/infection_monkey/model/__init__.py @@ -5,10 +5,6 @@ MONKEY_ARG = "m0nk3y" DROPPER_ARG = "dr0pp3r" ID_STRING = "M0NK3Y3XPL0ITABLE" -# Dropper target paths -DROPPER_TARGET_PATH_LINUX = "/tmp/monkey" -DROPPER_TARGET_PATH_WIN64 = r"C:\Windows\temp\monkey64.exe" - # Username prefix for users created by Infection Monkey USERNAME_PREFIX = "somenewuser" diff --git a/monkey/infection_monkey/utils/commands.py b/monkey/infection_monkey/utils/commands.py index 284729206..ddd07dc8d 100644 --- a/monkey/infection_monkey/utils/commands.py +++ b/monkey/infection_monkey/utils/commands.py 
@@ -1,7 +1,12 @@ from infection_monkey.config import GUID +from infection_monkey.exploit.tools.helpers import AGENT_BINARY_PATH_LINUX, AGENT_BINARY_PATH_WIN64 from infection_monkey.model import CMD_CARRY_OUT, CMD_EXE, MONKEY_ARG from infection_monkey.model.host import VictimHost +# Dropper target paths +DROPPER_TARGET_PATH_LINUX = AGENT_BINARY_PATH_LINUX +DROPPER_TARGET_PATH_WIN64 = AGENT_BINARY_PATH_WIN64 + def build_monkey_commandline(target_host: VictimHost, depth: int, location: str = None) -> str: diff --git a/monkey/tests/unit_tests/infection_monkey/exploit/test_powershell.py b/monkey/tests/unit_tests/infection_monkey/exploit/test_powershell.py index ea211444c..24afebc85 100644 --- a/monkey/tests/unit_tests/infection_monkey/exploit/test_powershell.py +++ b/monkey/tests/unit_tests/infection_monkey/exploit/test_powershell.py @@ -5,8 +5,7 @@ from unittest.mock import MagicMock import pytest from infection_monkey.exploit import powershell -from infection_monkey.exploit.tools.helpers import RAND_SUFFIX_LEN -from infection_monkey.model import DROPPER_TARGET_PATH_WIN64 +from infection_monkey.exploit.tools.helpers import AGENT_BINARY_PATH_WIN64, RAND_SUFFIX_LEN from infection_monkey.model.host import VictimHost # Use the path_win32api_get_user_name fixture for all tests in this module @@ -115,7 +114,7 @@ def test_successful_copy(monkeypatch, powershell_exploiter, powershell_arguments exploit_result = powershell_exploiter.exploit_host(**powershell_arguments) # Check if the copied agent name has randomness of 8 plus dash - assert len(str(DROPPER_TARGET_PATH_WIN64)) + RAND_SUFFIX_LEN + 1 == len( + assert len(str(AGENT_BINARY_PATH_WIN64)) + RAND_SUFFIX_LEN + 1 == len( str(mock_client.return_value.copy_file.call_args[0][1]) ) assert exploit_result.exploitation_success diff --git a/monkey/tests/unit_tests/infection_monkey/exploit/tools/test_helpers.py b/monkey/tests/unit_tests/infection_monkey/exploit/tools/test_helpers.py index 21629f683..68cba4598 100644 
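Review bot: The new import in `utils/commands.py` makes a utility module depend on `infection_monkey.exploit.tools.helpers`, while `web_rce.py` and `wmiexec.py` in this same patch import `DROPPER_TARGET_PATH_*` from `utils.commands`. That is a two-way dependency between `utils` and `exploit`, and it can become a circular import if the `exploit` package's `__init__` ever loads those modules (not visible here). Defining the four path constants in one dependency-free module that both sides import would avoid it. The aliases are also still the same strings, so the separation is in name only; a comment such as `# Same values as the agent binary paths for now; kept as separate names so the dropper destination can change independently` would record that intent.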
--- a/monkey/tests/unit_tests/infection_monkey/exploit/tools/test_helpers.py +++ b/monkey/tests/unit_tests/infection_monkey/exploit/tools/test_helpers.py @@ -2,8 +2,12 @@ from unittest.mock import Mock import pytest -from infection_monkey.exploit.tools.helpers import RAND_SUFFIX_LEN, get_agent_dest_path -from infection_monkey.model import DROPPER_TARGET_PATH_LINUX, DROPPER_TARGET_PATH_WIN64 +from infection_monkey.exploit.tools.helpers import ( + AGENT_BINARY_PATH_LINUX, + AGENT_BINARY_PATH_WIN64, + RAND_SUFFIX_LEN, + get_agent_dest_path, +) def _get_host(os): @@ -13,7 +17,7 @@ def _get_host(os): @pytest.mark.parametrize( - "os, path", [("linux", DROPPER_TARGET_PATH_LINUX), ("windows", DROPPER_TARGET_PATH_WIN64)] + "os, path", [("linux", AGENT_BINARY_PATH_LINUX), ("windows", AGENT_BINARY_PATH_WIN64)] ) def test_get_agent_dest_path(os, path): host = _get_host(os)