Fixed CR

2017-08-20 19:32:18 +03:00 · 2017-08-20 19:32:18 +03:00 · 26df64fb87
parent 6530dd063e
commit 26df64fb87
7 changed files with 22 additions and 26 deletions
--- a/README.md
+++ b/README.md
@ -188,4 +188,4 @@ Dependency | License | Notes
 winbind | GPL-3 
 pyinstaller | GPL 
 Celery | BSD 
- mimikatz | CC BY 4.0 | We use an altered version of mimikatz. Original: https://github.com/gentilkiwi/mimikatz
+ mimikatz | CC BY 4.0 | We use an altered version of mimikatz: https://github.com/guardicore/mimikatz
--- a/chaos_monkey/config.py
+++ b/chaos_monkey/config.py
@ -4,6 +4,7 @@ from network.range import FixedRange, RelativeRange, ClassCRange
 from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter, SSHExploiter, ShellShockExploiter
 from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger
 from abc import ABCMeta
+from itertools import product
 import uuid
 import types

@ -13,7 +14,6 @@ GUID = str(uuid.getnode())

 EXTERNAL_CONFIG_FILE = os.path.join(os.path.abspath(os.path.dirname(sys.argv[0])), 'monkey.bin')

-
 def _cast_by_example(value, example):
    """
    a method that casts a value to the type of the parameter given as example
@ -208,8 +208,13 @@ class Configuration(object):
    rdp_use_vbs_download = True

    # User and password dictionaries for exploits.
-    exploit_user_list = []
-    exploit_password_list = []
+
+    @property
+    def exploit_user_password_pairs(self):
+        return product(self.exploit_user_list, self.exploit_password_list)
+
+    exploit_user_list = ['Administrator', 'root', 'user']
+    exploit_password_list = ["Password1!", "1234", "password", "12345678"]

    # smb/wmi exploiter
    smb_download_timeout = 300 # timeout in seconds
--- a/chaos_monkey/exploit/smbexec.py
+++ b/chaos_monkey/exploit/smbexec.py
@ -64,12 +64,7 @@ class SmbExploiter(HostExploiter):
            LOG.info("Can't find suitable monkey executable for host %r", host)
            return False

-        config_users = self._config.exploit_user_list
-        config_passwords = self._config.exploit_password_list
-        user_password_pairs = []
-        for user in config_users:
-            for password in config_passwords:
-                user_password_pairs.append((user, password))
+        user_password_pairs = self._config.exploit_user_password_pairs

        exploited = False
        for user, password in user_password_pairs:
--- a/chaos_monkey/exploit/sshexec.py
+++ b/chaos_monkey/exploit/sshexec.py
@ -42,14 +42,12 @@ class SSHExploiter(HostExploiter):
        is_open, _ = check_port_tcp(host.ip_addr, port)
        if not is_open:
            LOG.info("SSH port is closed on %r, skipping", host)
-            return False                
+            return False

-        passwords = list(self._config.exploit_password_list[:])
-        users = list(self._config.exploit_user_list)
-        user_pass = product(users,passwords)
+            user_password_pairs = self._config.exploit_user_password_pairs

        exploited = False
-        for user, curpass in user_pass:
+        for user, curpass in user_password_pairs:
            try:
                ssh.connect(host.ip_addr,
                            username=user,
--- a/chaos_monkey/exploit/win_ms08_067.py
+++ b/chaos_monkey/exploit/win_ms08_067.py
@ -233,7 +233,6 @@ class Ms08_067_Exploiter(HostExploiter):
                                              src_path,
                                              self._config.dropper_target_path)

-        # TODO: why are we doing this? Isn't that smbexec's job?
        if not remote_full_path:
            # try other passwords for administrator
            for password in self._config.exploit_password_list:
--- a/chaos_monkey/exploit/wmiexec.py
+++ b/chaos_monkey/exploit/wmiexec.py
@ -29,12 +29,7 @@ class WmiExploiter(HostExploiter):
            LOG.info("Can't find suitable monkey executable for host %r", host)
            return False

-        config_users = self._config.exploit_user_list
-        config_passwords = self._config.exploit_password_list
-        user_password_pairs = []
-        for user in config_users:
-            for password in config_passwords:
-                user_password_pairs.append((user, password))
+            user_password_pairs = self._config.exploit_user_password_pairs

        for user, password in user_password_pairs:
            LOG.debug("Attempting to connect %r using WMI with password '%s'",
--- a/chaos_monkey/system_info/mimikatz_collector.py
+++ b/chaos_monkey/system_info/mimikatz_collector.py
@ -69,10 +69,14 @@ class MimikatzCollector:
        """
        Logon data structure returned from mimikatz.
        """
+
+        WINDOWS_MAX_USERNAME_PASS_LENGTH = 257
+        LM_NTLM_HASH_LENGTH = 16
+
        _fields_ = \
            [
-                ("username",    ctypes.c_wchar * 257),
-                ("password",    ctypes.c_wchar * 257),
-                ("lm_hash",     ctypes.c_byte * 16),
-                ("ntlm_hash",   ctypes.c_byte * 16)
+                ("username",    ctypes.c_wchar * WINDOWS_MAX_USERNAME_PASS_LENGTH),
+                ("password",    ctypes.c_wchar * WINDOWS_MAX_USERNAME_PASS_LENGTH),
+                ("lm_hash",     ctypes.c_byte * LM_NTLM_HASH_LENGTH),
+                ("ntlm_hash",   ctypes.c_byte * LM_NTLM_HASH_LENGTH)
            ]