p20319658
/
monkey
forked from p34709852/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Extract nested function

This commit is contained in:
Shreya 2020-11-03 16:42:33 +05:30
parent 8b0dd91c18
commit 62a1520c50
1 changed files with 52 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
monkey/infection_monkey/network/windowsserver_fingerprint.py
View File

@ -20,11 +20,50 @@ class WindowsServerFinger(HostFinger):
MAX_ATTEMPTS = 2000 MAX_ATTEMPTS = 2000
_SCANNED_SERVICE = "NTLM (NT LAN Manager)" _SCANNED_SERVICE = "NTLM (NT LAN Manager)"
def get_host_fingerprint(self, host):
"""
Checks if the Windows Server is vulnerable to Zerologon.
"""
DC_IP = host.ip_addr
DC_NAME = self.get_dc_name(DC_IP)
DC_HANDLE = '\\\\' + DC_NAME
if DC_NAME: # if it is a Windows DC
# Keep authenticating until successful.
# Expected average number of attempts needed: 256.
# Approximate time taken by 2000 attempts: 40 seconds.
LOG.info('Performing Zerologon authentication attempts...')
rpc_con = None
for _ in range(0, self.MAX_ATTEMPTS):
try:
rpc_con = self.try_zero_authenticate(DC_HANDLE, DC_IP, DC_NAME)
if rpc_con is not None:
break
except Exception as ex:
LOG.info(ex)
break
self.init_service(host.services, self._SCANNED_SERVICE, '')
if rpc_con:
LOG.info('Success: Domain Controller can be fully compromised by a Zerologon attack.')
host.services[self._SCANNED_SERVICE]['is_vulnerable'] = True
return True
else:
LOG.info('Failure: Target is either patched or an unexpected error was encountered.')
host.services[self._SCANNED_SERVICE]['is_vulnerable'] = False
return False
else:
LOG.info('Error encountered; most likely not a Windows Domain Controller.')
return False
def get_dc_name(self, DC_IP): def get_dc_name(self, DC_IP):
""" """
Gets NetBIOS name of the Domain Controller (DC). Gets NetBIOS name of the Domain Controller (DC).
""" """
name = ''
try: try:
nb = nmb.NetBIOS.NetBIOS() nb = nmb.NetBIOS.NetBIOS()
name = nb.queryIPForName(ip=DC_IP) # returns either a list of NetBIOS names or None name = nb.queryIPForName(ip=DC_IP) # returns either a list of NetBIOS names or None
@ -32,12 +71,7 @@ class WindowsServerFinger(HostFinger):
except BaseException as ex: except BaseException as ex:
LOG.info(f'Exception: {ex}') LOG.info(f'Exception: {ex}')
def get_host_fingerprint(self, host): def try_zero_authenticate(self, DC_HANDLE, DC_IP, DC_NAME):
"""
Checks if the Windows Server is vulnerable to Zerologon.
"""
def try_zero_authenticate(DC_HANDLE, DC_IP, DC_NAME):
# Connect to the DC's Netlogon service. # Connect to the DC's Netlogon service.
binding = epm.hept_map(DC_IP, nrpc.MSRPC_UUID_NRPC, binding = epm.hept_map(DC_IP, nrpc.MSRPC_UUID_NRPC,
protocol='ncacn_ip_tcp') protocol='ncacn_ip_tcp')
@ -75,37 +109,3 @@ class WindowsServerFinger(HostFinger):
except BaseException as ex: except BaseException as ex:
raise Exception(f'Unexpected error: {ex}.') raise Exception(f'Unexpected error: {ex}.')
DC_IP = host.ip_addr
DC_NAME = self.get_dc_name(DC_IP)
DC_HANDLE = '\\\\' + DC_NAME
if DC_NAME: # if it is a Windows DC
# Keep authenticating until successful.
# Expected average number of attempts needed: 256.
# Approximate time taken by 2000 attempts: 40 seconds.
LOG.info('Performing Zerologon authentication attempts...')
rpc_con = None
for _ in range(0, self.MAX_ATTEMPTS):
try:
rpc_con = try_zero_authenticate(DC_HANDLE, DC_IP, DC_NAME)
if rpc_con is not None:
break
except Exception as ex:
LOG.info(ex)
break
self.init_service(host.services, self._SCANNED_SERVICE, '')
if rpc_con:
LOG.info('Success: Domain Controller can be fully compromised by a Zerologon attack.')
host.services[self._SCANNED_SERVICE]['is_vulnerable'] = True
return True
else:
LOG.info('Failure: Target is either patched or an unexpected error was encountered.')
host.services[self._SCANNED_SERVICE]['is_vulnerable'] = False
return False
else:
LOG.info('Error encountered; most likely not a Windows Domain Controller.')
return False