From 4614e2207ddbb99fe4fea9a6562152907b6a0220 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Wed, 23 Mar 2022 15:59:53 +0530
Subject: [PATCH] Agent: Decide if SSL is to be used in auth_options.py

---
 monkey/infection_monkey/exploit/powershell.py | 17 +++++++++--------
 .../exploit/powershell_utils/auth_options.py | 18 ++++++++++++++----
 2 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/monkey/infection_monkey/exploit/powershell.py b/monkey/infection_monkey/exploit/powershell.py
index 8bdf7e571..1a76f4044 100644
--- a/monkey/infection_monkey/exploit/powershell.py
+++ b/monkey/infection_monkey/exploit/powershell.py
@@ -49,13 +49,11 @@ class PowerShellExploiter(HostExploiter):
 self._client = None
 
 def _exploit_host(self):
- try:
- use_ssl = self._is_client_using_https()
- except PowerShellRemotingDisabledError as e:
- logger.info(e)
- self.exploit_result.error_message = (
- "PowerShell Remoting appears to be disabled on the remote host"
- )
+ if not self._is_any_default_port_open():
+ message = "No default PowerShell remoting ports are open."
+ self.exploit_result.error_message = message
+ logger.debug(message)
+
 return self.exploit_result
 
 credentials = get_credentials(
@@ -66,7 +64,7 @@ class PowerShellExploiter(HostExploiter):
 is_windows_os(),
 )
 
- auth_options = [get_auth_options(creds, use_ssl) for creds in credentials]
+ auth_options = [get_auth_options(creds, self.host) for creds in credentials]
 
 self._client = self._authenticate_via_brute_force(credentials, auth_options)
 
@@ -89,6 +87,9 @@ class PowerShellExploiter(HostExploiter):
 
 return self.exploit_result
 
+ def _is_any_default_port_open(self) -> bool:
+ return "tcp-5985" in self.host.services or "tcp-5986" in self.host.services
+
 def _is_client_using_https(self) -> bool:
 try:
 logger.debug("Checking if powershell remoting is enabled over HTTP.")
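Review bot: `_exploit_host` no longer calls `_is_client_using_https`, yet the third hunk shows that method still defined, so unless another caller exists it and the `PowerShellRemotingDisabledError` handling it relied on are now dead code that should go in the same commit. The new guard also replaces an active probe with a lookup in `self.host.services`, so the exploiter is only as accurate as the scan that populated that map; a docstring such as `"""Abort early unless the scanner reported tcp-5985 or tcp-5986 open on this host."""` on `_exploit_host` would make that dependency explicit. `_exploit_host` continues past the end of the hunk.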
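Review bot: `_is_any_default_port_open` hard-codes the service keys `"tcp-5985"` and `"tcp-5986"`, and the same two literals are repeated in `_get_ssl` in auth_options.py, so the two checks can silently diverge if one is ever edited. Define them once, e.g. `WINRM_HTTP_SERVICE = "tcp-5985"` and `WINRM_HTTPS_SERVICE = "tcp-5986"` in auth_options.py, and reference the constants from both places. A one-line docstring, `"""Return True if the scanner reported a default PSRemoting port (HTTP or HTTPS) open."""`, would also state what "default" means here.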
diff --git a/monkey/infection_monkey/exploit/powershell_utils/auth_options.py b/monkey/infection_monkey/exploit/powershell_utils/auth_options.py
index 1f53c1df5..cde316c90 100644
--- a/monkey/infection_monkey/exploit/powershell_utils/auth_options.py
+++ b/monkey/infection_monkey/exploit/powershell_utils/auth_options.py
@@ -1,6 +1,7 @@
 from dataclasses import dataclass
 
 from infection_monkey.exploit.powershell_utils.credentials import Credentials, SecretType
+from infection_monkey.model.host import VictimHost
 
 AUTH_BASIC = "basic"
 AUTH_NEGOTIATE = "negotiate"
@@ -16,17 +17,26 @@ class AuthOptions:
 ssl: bool
 
 
-def get_auth_options(credentials: Credentials, use_ssl: bool) -> AuthOptions:
- ssl = _get_ssl(credentials, use_ssl)
+def get_auth_options(credentials: Credentials, host: VictimHost) -> AuthOptions:
+ ssl = _get_ssl(credentials, host)
 auth_type = _get_auth_type(credentials)
 encryption = _get_encryption(credentials)
 
 return AuthOptions(auth_type, encryption, ssl)
 
 
-def _get_ssl(credentials: Credentials, use_ssl):
+def _get_ssl(credentials: Credentials, host: VictimHost) -> bool:
+ # Check if default PSRemoting ports are open. Prefer with SSL, if both are.
+ if "tcp-5986" in host.services: # Default for HTTPS
+ use_ssl = True
+ elif "tcp-5985" in host.services: # Default for HTTP
+ use_ssl = False
+
 # Passwordless login only works with SSL false, AUTH_BASIC and ENCRYPTION_NEVER
- return False if credentials.secret == "" else use_ssl
+ if credentials.secret == "":
+ use_ssl = False
+
+ return use_ssl
 
 
 def _get_auth_type(credentials: Credentials):
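Review bot: `_get_ssl` leaves `use_ssl` unassigned when neither `"tcp-5986"` nor `"tcp-5985"` is in `host.services`, so a call with a non-empty secret raises `UnboundLocalError`; the only thing preventing that today is the `_is_any_default_port_open` guard in powershell.py, which a public entry point like `get_auth_options` should not silently depend on. Add an explicit branch, `else:` / `raise ValueError("no default PowerShell remoting port found in host.services")`, or at least state the precondition in a docstring on both functions. The function also deserves a docstring noting that when only tcp-5985 is reported the session runs over plain HTTP, and that the passwordless case forces SSL off even when tcp-5986 is open, so whether credentials are protected on the wire then rests on the values chosen by `_get_auth_type` and `_get_encryption` (outside this hunk).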