forked from p34709852/monkey
Add elasticsearch fingerprinting.
This commit is contained in:
parent
cb7bb56588
commit
86d6cdfba3
|
@ -1,13 +1,14 @@
|
||||||
import os
|
import os
|
||||||
import sys
|
import sys
|
||||||
from network.range import FixedRange, RelativeRange, ClassCRange
|
import types
|
||||||
from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter, SSHExploiter, ShellShockExploiter,\
|
import uuid
|
||||||
SambaCryExploiter
|
|
||||||
from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger
|
|
||||||
from abc import ABCMeta
|
from abc import ABCMeta
|
||||||
from itertools import product
|
from itertools import product
|
||||||
import uuid
|
|
||||||
import types
|
from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter, SSHExploiter, ShellShockExploiter, \
|
||||||
|
SambaCryExploiter
|
||||||
|
from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger, ElasticFinger
|
||||||
|
from network.range import FixedRange
|
||||||
|
|
||||||
__author__ = 'itamar'
|
__author__ = 'itamar'
|
||||||
|
|
||||||
|
@ -15,6 +16,7 @@ GUID = str(uuid.getnode())
|
||||||
|
|
||||||
EXTERNAL_CONFIG_FILE = os.path.join(os.path.abspath(os.path.dirname(sys.argv[0])), 'monkey.bin')
|
EXTERNAL_CONFIG_FILE = os.path.join(os.path.abspath(os.path.dirname(sys.argv[0])), 'monkey.bin')
|
||||||
|
|
||||||
|
|
||||||
def _cast_by_example(value, example):
|
def _cast_by_example(value, example):
|
||||||
"""
|
"""
|
||||||
a method that casts a value to the type of the parameter given as example
|
a method that casts a value to the type of the parameter given as example
|
||||||
|
@ -142,7 +144,8 @@ class Configuration(object):
|
||||||
scanner_class = TcpScanner
|
scanner_class = TcpScanner
|
||||||
finger_classes = [SMBFinger, SSHFinger, PingScanner, HTTPFinger]
|
finger_classes = [SMBFinger, SSHFinger, PingScanner, HTTPFinger]
|
||||||
exploiter_classes = [SmbExploiter, WmiExploiter, RdpExploiter, Ms08_067_Exploiter, # Windows exploits
|
exploiter_classes = [SmbExploiter, WmiExploiter, RdpExploiter, Ms08_067_Exploiter, # Windows exploits
|
||||||
SSHExploiter, ShellShockExploiter, SambaCryExploiter # Linux
|
SSHExploiter, ShellShockExploiter, SambaCryExploiter, # Linux
|
||||||
|
ElasticFinger,
|
||||||
]
|
]
|
||||||
|
|
||||||
# how many victims to look for in a single scan iteration
|
# how many victims to look for in a single scan iteration
|
||||||
|
@ -178,7 +181,7 @@ class Configuration(object):
|
||||||
|
|
||||||
range_class = FixedRange
|
range_class = FixedRange
|
||||||
range_size = 1
|
range_size = 1
|
||||||
range_fixed = ['',]
|
range_fixed = ['', ]
|
||||||
|
|
||||||
blocked_ips = ['', ]
|
blocked_ips = ['', ]
|
||||||
|
|
||||||
|
@ -186,7 +189,15 @@ class Configuration(object):
|
||||||
HTTP_PORTS = [80, 8080, 443,
|
HTTP_PORTS = [80, 8080, 443,
|
||||||
8008, # HTTP alternate
|
8008, # HTTP alternate
|
||||||
]
|
]
|
||||||
tcp_target_ports = [22, 2222, 445, 135, 3389]
|
tcp_target_ports = [22,
|
||||||
|
445,
|
||||||
|
135,
|
||||||
|
3389,
|
||||||
|
80,
|
||||||
|
8080,
|
||||||
|
443,
|
||||||
|
8008,
|
||||||
|
9200]
|
||||||
tcp_target_ports.extend(HTTP_PORTS)
|
tcp_target_ports.extend(HTTP_PORTS)
|
||||||
tcp_scan_timeout = 3000 # 3000 Milliseconds
|
tcp_scan_timeout = 3000 # 3000 Milliseconds
|
||||||
tcp_scan_interval = 200
|
tcp_scan_interval = 200
|
||||||
|
@ -211,6 +222,10 @@ class Configuration(object):
|
||||||
# User and password dictionaries for exploits.
|
# User and password dictionaries for exploits.
|
||||||
|
|
||||||
def get_exploit_user_password_pairs(self):
|
def get_exploit_user_password_pairs(self):
|
||||||
|
"""
|
||||||
|
Returns all combinations of the configurations users and passwords
|
||||||
|
:return:
|
||||||
|
"""
|
||||||
return product(self.exploit_user_list, self.exploit_password_list)
|
return product(self.exploit_user_list, self.exploit_password_list)
|
||||||
|
|
||||||
exploit_user_list = ['Administrator', 'root', 'user']
|
exploit_user_list = ['Administrator', 'root', 'user']
|
||||||
|
@ -243,7 +258,6 @@ class Configuration(object):
|
||||||
# Monkey copy filename on share (64 bit)
|
# Monkey copy filename on share (64 bit)
|
||||||
sambacry_monkey_copy_filename_64 = "monkey64_2"
|
sambacry_monkey_copy_filename_64 = "monkey64_2"
|
||||||
|
|
||||||
|
|
||||||
# system info collection
|
# system info collection
|
||||||
collect_system_info = True
|
collect_system_info = True
|
||||||
|
|
||||||
|
@ -253,4 +267,5 @@ class Configuration(object):
|
||||||
|
|
||||||
mimikatz_dll_name = "mk.dll"
|
mimikatz_dll_name = "mk.dll"
|
||||||
|
|
||||||
|
|
||||||
WormConfiguration = Configuration()
|
WormConfiguration = Configuration()
|
||||||
|
|
|
@ -39,6 +39,7 @@
|
||||||
"SSHFinger",
|
"SSHFinger",
|
||||||
"PingScanner",
|
"PingScanner",
|
||||||
"HTTPFinger",
|
"HTTPFinger",
|
||||||
|
"ElasticFinger",
|
||||||
"SMBFinger"
|
"SMBFinger"
|
||||||
],
|
],
|
||||||
"max_iterations": 3,
|
"max_iterations": 3,
|
||||||
|
@ -83,7 +84,8 @@
|
||||||
80,
|
80,
|
||||||
8080,
|
8080,
|
||||||
443,
|
443,
|
||||||
8008
|
8008,
|
||||||
|
9200
|
||||||
],
|
],
|
||||||
"timeout_between_iterations": 10,
|
"timeout_between_iterations": 10,
|
||||||
"use_file_logging": true,
|
"use_file_logging": true,
|
||||||
|
|
|
@ -23,5 +23,6 @@ from tcp_scanner import TcpScanner
|
||||||
from smbfinger import SMBFinger
|
from smbfinger import SMBFinger
|
||||||
from sshfinger import SSHFinger
|
from sshfinger import SSHFinger
|
||||||
from httpfinger import HTTPFinger
|
from httpfinger import HTTPFinger
|
||||||
|
from elasticfinger import ElasticFinger
|
||||||
from info import local_ips
|
from info import local_ips
|
||||||
from info import get_free_tcp_port
|
from info import get_free_tcp_port
|
||||||
|
|
|
@ -0,0 +1,48 @@
|
||||||
|
import json
|
||||||
|
import logging
|
||||||
|
from contextlib import closing
|
||||||
|
|
||||||
|
import requests
|
||||||
|
from requests.exceptions import Timeout, ConnectionError
|
||||||
|
|
||||||
|
from model.host import VictimHost
|
||||||
|
from network import HostFinger
|
||||||
|
|
||||||
|
ES_PORT = 9200
|
||||||
|
ES_SERVICE = 'es-3306'
|
||||||
|
|
||||||
|
LOG = logging.getLogger(__name__)
|
||||||
|
__author__ = 'danielg'
|
||||||
|
|
||||||
|
|
||||||
|
class ElasticFinger(HostFinger):
|
||||||
|
"""
|
||||||
|
Fingerprints mysql databases, only on port 3306
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __init__(self):
|
||||||
|
self._config = __import__('config').WormConfiguration
|
||||||
|
|
||||||
|
def get_host_fingerprint(self, host):
|
||||||
|
"""
|
||||||
|
Returns elasticsearch metadata
|
||||||
|
:param host:
|
||||||
|
:return: Success/failure, data is saved in the host struct
|
||||||
|
"""
|
||||||
|
assert isinstance(host, VictimHost)
|
||||||
|
try:
|
||||||
|
url = 'http://%s:%s/' % (host.ip_addr, ES_PORT)
|
||||||
|
with closing(requests.get(url, timeout=1)) as req:
|
||||||
|
data = json.loads(req.text)
|
||||||
|
host.services[ES_SERVICE] = {}
|
||||||
|
host.services[ES_SERVICE]['name'] = 'ElasticSearch'
|
||||||
|
host.services[ES_SERVICE]['cluster_name'] = data['name']
|
||||||
|
host.services[ES_SERVICE]['version'] = data['version']['number']
|
||||||
|
return True
|
||||||
|
except Timeout:
|
||||||
|
LOG.debug("Got timeout while trying to read header information")
|
||||||
|
except ConnectionError: # Someone doesn't like us
|
||||||
|
LOG.debug("Unknown connection error")
|
||||||
|
except KeyError:
|
||||||
|
LOG.debug("Failed parsing the ElasticSearch JSOn response")
|
||||||
|
return False
|
Loading…
Reference in New Issue