forked from p15670423/monkey
Agent: Modify Zerologon to publish CredentialsStolenEvent
This commit is contained in:
parent
f171e548f3
commit
76bbe62c3b
|
@ -9,7 +9,8 @@ import os
|
||||||
import re
|
import re
|
||||||
import tempfile
|
import tempfile
|
||||||
from binascii import unhexlify
|
from binascii import unhexlify
|
||||||
from typing import Dict, List, Optional, Tuple
|
from time import time
|
||||||
|
from typing import Dict, List, Optional, Sequence, Tuple
|
||||||
|
|
||||||
import impacket
|
import impacket
|
||||||
from impacket.dcerpc.v5 import epm, nrpc, rpcrt, transport
|
from impacket.dcerpc.v5 import epm, nrpc, rpcrt, transport
|
||||||
|
@ -17,6 +18,8 @@ from impacket.dcerpc.v5.dtypes import NULL
|
||||||
|
|
||||||
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
|
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
|
||||||
from common.credentials import Credentials, LMHash, NTHash, Username
|
from common.credentials import Credentials, LMHash, NTHash, Username
|
||||||
|
from common.events import CredentialsStolenEvent
|
||||||
|
from infection_monkey.config import IGUID
|
||||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||||
from infection_monkey.exploit.tools.wmi_tools import WmiTools
|
from infection_monkey.exploit.tools.wmi_tools import WmiTools
|
||||||
from infection_monkey.exploit.zerologon_utils.dump_secrets import DumpSecrets
|
from infection_monkey.exploit.zerologon_utils.dump_secrets import DumpSecrets
|
||||||
|
@ -284,14 +287,23 @@ class ZerologonExploiter(HostExploiter):
|
||||||
def send_extracted_creds_as_credential_telemetry(
|
def send_extracted_creds_as_credential_telemetry(
|
||||||
self, user: str, lmhash: str, nthash: str
|
self, user: str, lmhash: str, nthash: str
|
||||||
) -> None:
|
) -> None:
|
||||||
self.telemetry_messenger.send_telemetry(
|
extracted_credentials = [
|
||||||
CredentialsTelem(
|
|
||||||
[
|
|
||||||
Credentials(Username(user), LMHash(lmhash)),
|
Credentials(Username(user), LMHash(lmhash)),
|
||||||
Credentials(Username(user), NTHash(nthash)),
|
Credentials(Username(user), NTHash(nthash)),
|
||||||
]
|
]
|
||||||
|
|
||||||
|
self.telemetry_messenger.send_telemetry(CredentialsTelem(extracted_credentials))
|
||||||
|
self._publish_credentials_stolen_event(extracted_credentials)
|
||||||
|
|
||||||
|
def _publish_credentials_stolen_event(self, extracted_credentials: Sequence[Credentials]):
|
||||||
|
credentials_stolen_event = CredentialsStolenEvent(
|
||||||
|
source=IGUID,
|
||||||
|
target=None,
|
||||||
|
timestamp=time(),
|
||||||
|
tags=({"ZerologonCredentialsStolen"}),
|
||||||
|
stolen_credentials=extracted_credentials,
|
||||||
)
|
)
|
||||||
)
|
self.event_queue.publish(credentials_stolen_event)
|
||||||
|
|
||||||
def get_original_pwd_nthash(self, username: str, user_pwd_hashes: List[str]) -> str:
|
def get_original_pwd_nthash(self, username: str, user_pwd_hashes: List[str]) -> str:
|
||||||
if not self.save_HKLM_keys_locally(username, user_pwd_hashes):
|
if not self.save_HKLM_keys_locally(username, user_pwd_hashes):
|
||||||
|
|
Loading…
Reference in New Issue