forked from p15670423/monkey
Agent: Pass depth to exploiters
This commit is contained in:
parent
41287d458b
commit
7cae4d6dec
|
@ -72,11 +72,13 @@ class HostExploiter:
|
|||
def exploit_host(
|
||||
self,
|
||||
host,
|
||||
current_depth: int,
|
||||
telemetry_messenger: ITelemetryMessenger,
|
||||
agent_repository: IAgentRepository,
|
||||
options: Dict,
|
||||
):
|
||||
self.host = host
|
||||
self.current_depth = current_depth
|
||||
self.telemetry_messenger = telemetry_messenger
|
||||
self.agent_repository = agent_repository
|
||||
self.options = options
|
||||
|
|
|
@ -26,10 +26,10 @@ class ExploiterWrapper:
|
|||
self._telemetry_messenger = telemetry_messenger
|
||||
self._agent_repository = agent_repository
|
||||
|
||||
def exploit_host(self, host: VictimHost, options: Dict):
|
||||
def exploit_host(self, host: VictimHost, current_depth: int, options: Dict):
|
||||
exploiter = self._exploit_class()
|
||||
return exploiter.exploit_host(
|
||||
host, self._telemetry_messenger, self._agent_repository, options
|
||||
host, current_depth, self._telemetry_messenger, self._agent_repository, options
|
||||
)
|
||||
|
||||
def __init__(
|
||||
|
|
|
@ -12,7 +12,6 @@ from random import SystemRandom
|
|||
import requests
|
||||
|
||||
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
|
||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth
|
||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||
from infection_monkey.exploit.web_rce import WebRCE
|
||||
from infection_monkey.model import (
|
||||
|
@ -95,7 +94,7 @@ class HadoopExploiter(WebRCE):
|
|||
|
||||
def _build_command(self, path, http_path):
|
||||
# Build command to execute
|
||||
monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1)
|
||||
monkey_cmd = build_monkey_commandline(self.host, self.current_depth - 1)
|
||||
if "linux" in self.host.os["type"]:
|
||||
base_command = HADOOP_LINUX_COMMAND
|
||||
else:
|
||||
|
|
|
@ -10,7 +10,6 @@ from infection_monkey.exploit.log4shell_utils import (
|
|||
build_exploit_bytecode,
|
||||
get_log4shell_service_exploiters,
|
||||
)
|
||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth
|
||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||
from infection_monkey.exploit.web_rce import WebRCE
|
||||
from infection_monkey.i_puppet.i_puppet import ExploiterResultData
|
||||
|
@ -114,7 +113,7 @@ class Log4ShellExploiter(WebRCE):
|
|||
|
||||
def _build_command(self, path, http_path) -> str:
|
||||
# Build command to execute
|
||||
monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, location=path)
|
||||
monkey_cmd = build_monkey_commandline(self.host, self.current_depth - 1, location=path)
|
||||
if "linux" in self.host.os["type"]:
|
||||
base_command = LOG4SHELL_LINUX_COMMAND
|
||||
else:
|
||||
|
|
|
@ -5,7 +5,7 @@ from typing import List, Tuple
|
|||
|
||||
from common.utils.attack_utils import BITS_UPLOAD_STRING, ScanStatus
|
||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
|
||||
from infection_monkey.exploit.tools.helpers import get_target_monkey
|
||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||
from infection_monkey.model import (
|
||||
BITSADMIN_CMDLINE_HTTP,
|
||||
|
@ -371,14 +371,14 @@ class WebRCE(HostExploiter):
|
|||
default_path = self.get_default_dropper_path()
|
||||
if default_path is False:
|
||||
return False
|
||||
monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, default_path)
|
||||
monkey_cmd = build_monkey_commandline(self.host, self.current_depth - 1, default_path)
|
||||
command = RUN_MONKEY % {
|
||||
"monkey_path": path,
|
||||
"monkey_type": DROPPER_ARG,
|
||||
"parameters": monkey_cmd,
|
||||
}
|
||||
else:
|
||||
monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1)
|
||||
monkey_cmd = build_monkey_commandline(self.host, self.current_depth - 1)
|
||||
command = RUN_MONKEY % {
|
||||
"monkey_path": path,
|
||||
"monkey_type": MONKEY_ARG,
|
||||
|
|
|
@ -114,12 +114,18 @@ class IPuppet(metaclass=abc.ABCMeta):
|
|||
|
||||
@abc.abstractmethod
|
||||
def exploit_host(
|
||||
self, name: str, host: VictimHost, options: Dict, interrupt: threading.Event
|
||||
self,
|
||||
name: str,
|
||||
host: VictimHost,
|
||||
current_depth: int,
|
||||
options: Dict,
|
||||
interrupt: threading.Event,
|
||||
) -> ExploiterResultData:
|
||||
"""
|
||||
Runs an exploiter against a remote host
|
||||
:param str name: The name of the exploiter to run
|
||||
:param VictimHost host: A VictimHost object representing the target to exploit
|
||||
:param int current_depth: The current propagation depth
|
||||
:param Dict options: A dictionary containing options that modify the behavior of the
|
||||
exploiter
|
||||
:param threading.Event interrupt: A threading.Event object that signals the exploit to stop
|
||||
|
|
|
@ -162,8 +162,9 @@ class AutomatedMaster(IMaster):
|
|||
# still running.
|
||||
credential_collector_thread.join()
|
||||
|
||||
if self._can_propagate() and config["depth"] > 0:
|
||||
self._propagator.propagate(config["propagation"], self._stop)
|
||||
current_depth = config["depth"]
|
||||
if self._can_propagate() and current_depth > 0:
|
||||
self._propagator.propagate(config["propagation"], current_depth, self._stop)
|
||||
|
||||
payload_thread = create_daemon_thread(
|
||||
target=self._run_plugins,
|
||||
|
|
|
@ -34,6 +34,7 @@ class Exploiter:
|
|||
self,
|
||||
exploiter_config: Dict,
|
||||
hosts_to_exploit: Queue,
|
||||
current_depth: int,
|
||||
results_callback: Callback,
|
||||
scan_completed: Event,
|
||||
stop: Event,
|
||||
|
@ -44,7 +45,14 @@ class Exploiter:
|
|||
f"{', '.join([e['name'] for e in exploiters_to_run])}"
|
||||
)
|
||||
|
||||
exploit_args = (exploiters_to_run, hosts_to_exploit, results_callback, scan_completed, stop)
|
||||
exploit_args = (
|
||||
exploiters_to_run,
|
||||
hosts_to_exploit,
|
||||
current_depth,
|
||||
results_callback,
|
||||
scan_completed,
|
||||
stop,
|
||||
)
|
||||
run_worker_threads(
|
||||
target=self._exploit_hosts_on_queue, args=exploit_args, num_workers=self._num_workers
|
||||
)
|
||||
|
@ -69,6 +77,7 @@ class Exploiter:
|
|||
self,
|
||||
exploiters_to_run: List[Dict],
|
||||
hosts_to_exploit: Queue,
|
||||
current_depth: int,
|
||||
results_callback: Callback,
|
||||
scan_completed: Event,
|
||||
stop: Event,
|
||||
|
@ -78,7 +87,9 @@ class Exploiter:
|
|||
while not stop.is_set():
|
||||
try:
|
||||
victim_host = hosts_to_exploit.get(timeout=QUEUE_TIMEOUT)
|
||||
self._run_all_exploiters(exploiters_to_run, victim_host, results_callback, stop)
|
||||
self._run_all_exploiters(
|
||||
exploiters_to_run, victim_host, current_depth, results_callback, stop
|
||||
)
|
||||
except queue.Empty:
|
||||
if _all_hosts_have_been_processed(scan_completed, hosts_to_exploit):
|
||||
break
|
||||
|
@ -93,6 +104,7 @@ class Exploiter:
|
|||
self,
|
||||
exploiters_to_run: List[Dict],
|
||||
victim_host: VictimHost,
|
||||
current_depth: int,
|
||||
results_callback: Callback,
|
||||
stop: Event,
|
||||
):
|
||||
|
@ -100,7 +112,7 @@ class Exploiter:
|
|||
for exploiter in interruptable_iter(exploiters_to_run, stop):
|
||||
exploiter_name = exploiter["name"]
|
||||
exploiter_results = self._run_exploiter(
|
||||
exploiter_name, exploiter["options"], victim_host, stop
|
||||
exploiter_name, exploiter["options"], victim_host, current_depth, stop
|
||||
)
|
||||
results_callback(exploiter_name, victim_host, exploiter_results)
|
||||
|
||||
|
@ -108,7 +120,12 @@ class Exploiter:
|
|||
break
|
||||
|
||||
def _run_exploiter(
|
||||
self, exploiter_name: str, options: Dict, victim_host: VictimHost, stop: Event
|
||||
self,
|
||||
exploiter_name: str,
|
||||
options: Dict,
|
||||
victim_host: VictimHost,
|
||||
current_depth: int,
|
||||
stop: Event,
|
||||
) -> ExploiterResultData:
|
||||
logger.debug(f"Attempting to use {exploiter_name} on {victim_host.ip_addr}")
|
||||
|
||||
|
@ -116,7 +133,9 @@ class Exploiter:
|
|||
options = {"credentials": credentials, **options}
|
||||
|
||||
try:
|
||||
return self._puppet.exploit_host(exploiter_name, victim_host, options, stop)
|
||||
return self._puppet.exploit_host(
|
||||
exploiter_name, victim_host, current_depth, options, stop
|
||||
)
|
||||
except Exception as ex:
|
||||
msg = (
|
||||
f"An unexpected error occurred while exploiting {victim_host.ip_addr} with "
|
||||
|
|
|
@ -101,13 +101,13 @@ class MockMaster(IMaster):
|
|||
|
||||
def _exploit(self):
|
||||
logger.info("Exploiting victims")
|
||||
result = self._puppet.exploit_host("PowerShellExploiter", "10.0.0.1", {}, None)
|
||||
result = self._puppet.exploit_host("PowerShellExploiter", "10.0.0.1", 0, {}, None)
|
||||
logger.info(f"Attempts for exploiting {result.attempts}")
|
||||
self._telemetry_messenger.send_telemetry(
|
||||
ExploitTelem("PowerShellExploiter", self._hosts["10.0.0.1"], result)
|
||||
)
|
||||
|
||||
result = self._puppet.exploit_host("SSHExploiter", "10.0.0.3", {}, None)
|
||||
result = self._puppet.exploit_host("SSHExploiter", "10.0.0.3", 0, {}, None)
|
||||
logger.info(f"Attempts for exploiting {result.attempts}")
|
||||
self._telemetry_messenger.send_telemetry(
|
||||
ExploitTelem("SSHExploiter", self._hosts["10.0.0.3"], result)
|
||||
|
|
|
@ -39,7 +39,7 @@ class Propagator:
|
|||
self._local_network_interfaces = local_network_interfaces
|
||||
self._hosts_to_exploit = None
|
||||
|
||||
def propagate(self, propagation_config: Dict, stop: Event):
|
||||
def propagate(self, propagation_config: Dict, current_depth: int, stop: Event):
|
||||
logger.info("Attempting to propagate")
|
||||
|
||||
network_scan_completed = Event()
|
||||
|
@ -50,7 +50,7 @@ class Propagator:
|
|||
)
|
||||
exploit_thread = create_daemon_thread(
|
||||
target=self._exploit_hosts,
|
||||
args=(propagation_config, network_scan_completed, stop),
|
||||
args=(propagation_config, current_depth, network_scan_completed, stop),
|
||||
)
|
||||
|
||||
scan_thread.start()
|
||||
|
@ -134,6 +134,7 @@ class Propagator:
|
|||
def _exploit_hosts(
|
||||
self,
|
||||
propagation_config: Dict,
|
||||
current_depth: int,
|
||||
network_scan_completed: Event,
|
||||
stop: Event,
|
||||
):
|
||||
|
@ -143,6 +144,7 @@ class Propagator:
|
|||
self._exploiter.exploit_hosts(
|
||||
exploiter_config,
|
||||
self._hosts_to_exploit,
|
||||
current_depth,
|
||||
self._process_exploit_attempts,
|
||||
network_scan_completed,
|
||||
stop,
|
||||
|
|
|
@ -137,7 +137,12 @@ class MockPuppet(IPuppet):
|
|||
|
||||
# TODO: host should be VictimHost, at the moment it can't because of circular dependency
|
||||
def exploit_host(
|
||||
self, name: str, host: VictimHost, options: Dict, interrupt: threading.Event
|
||||
self,
|
||||
name: str,
|
||||
host: VictimHost,
|
||||
current_depth: int,
|
||||
options: Dict,
|
||||
interrupt: threading.Event,
|
||||
) -> ExploiterResultData:
|
||||
logger.debug(f"exploit_hosts({name}, {host}, {options})")
|
||||
attempts = [
|
||||
|
|
|
@ -58,10 +58,15 @@ class Puppet(IPuppet):
|
|||
return fingerprinter.get_host_fingerprint(host, ping_scan_data, port_scan_data, options)
|
||||
|
||||
def exploit_host(
|
||||
self, name: str, host: VictimHost, options: Dict, interrupt: threading.Event
|
||||
self,
|
||||
name: str,
|
||||
host: VictimHost,
|
||||
current_depth: int,
|
||||
options: Dict,
|
||||
interrupt: threading.Event,
|
||||
) -> ExploiterResultData:
|
||||
exploiter = self._plugin_registry.get_plugin(name, PluginType.EXPLOITER)
|
||||
return exploiter.exploit_host(host, options)
|
||||
return exploiter.exploit_host(host, current_depth, options)
|
||||
|
||||
def run_payload(self, name: str, options: Dict, interrupt: threading.Event):
|
||||
payload = self._plugin_registry.get_plugin(name, PluginType.PAYLOAD)
|
||||
|
|
|
@ -74,7 +74,7 @@ def run_exploiters(exploiter_config, hosts_to_exploit, callback, scan_completed,
|
|||
scan_completed.set()
|
||||
|
||||
e = Exploiter(puppet, num_workers, get_credentials_for_propagation)
|
||||
e.exploit_hosts(exploiter_config, hosts_to_exploit, callback, scan_completed, stop)
|
||||
e.exploit_hosts(exploiter_config, hosts_to_exploit, 1, callback, scan_completed, stop)
|
||||
|
||||
return inner
|
||||
|
||||
|
@ -102,7 +102,7 @@ def test_credentials_passed_to_exploiter(run_exploiters):
|
|||
run_exploiters(mock_puppet, 1)
|
||||
|
||||
for call_args in mock_puppet.exploit_host.call_args_list:
|
||||
assert call_args[0][2].get("credentials") == CREDENTIALS_FOR_PROPAGATION
|
||||
assert call_args[0][3].get("credentials") == CREDENTIALS_FOR_PROPAGATION
|
||||
|
||||
|
||||
def test_stop_after_callback(exploiter_config, callback, scan_completed, stop, hosts_to_exploit):
|
||||
|
@ -121,7 +121,7 @@ def test_stop_after_callback(exploiter_config, callback, scan_completed, stop, h
|
|||
# Intentionally NOT setting scan_completed.set(); _callback() will set stop
|
||||
|
||||
e = Exploiter(MockPuppet(), callback_barrier_count + 2, get_credentials_for_propagation)
|
||||
e.exploit_hosts(exploiter_config, hosts_to_exploit, stoppable_callback, scan_completed, stop)
|
||||
e.exploit_hosts(exploiter_config, hosts_to_exploit, 1, stoppable_callback, scan_completed, stop)
|
||||
|
||||
assert stoppable_callback.call_count == 2
|
||||
|
||||
|
|
|
@ -124,7 +124,13 @@ def mock_ip_scanner():
|
|||
|
||||
class StubExploiter:
|
||||
def exploit_hosts(
|
||||
self, hosts_to_exploit, exploiter_config, results_callback, scan_completed, stop
|
||||
self,
|
||||
exploiters_to_run,
|
||||
hosts_to_exploit,
|
||||
current_depth,
|
||||
results_callback,
|
||||
scan_completed,
|
||||
stop,
|
||||
):
|
||||
pass
|
||||
|
||||
|
@ -144,6 +150,7 @@ def test_scan_result_processing(telemetry_messenger_spy, mock_ip_scanner, mock_v
|
|||
"network_scan": {}, # This is empty since MockIPscanner ignores it
|
||||
"exploiters": {}, # This is empty since StubExploiter ignores it
|
||||
},
|
||||
1,
|
||||
Event(),
|
||||
)
|
||||
|
||||
|
@ -174,7 +181,13 @@ def test_scan_result_processing(telemetry_messenger_spy, mock_ip_scanner, mock_v
|
|||
|
||||
class MockExploiter:
|
||||
def exploit_hosts(
|
||||
self, exploiter_config, hosts_to_exploit, results_callback, scan_completed, stop
|
||||
self,
|
||||
exploiters_to_run,
|
||||
hosts_to_exploit,
|
||||
current_depth,
|
||||
results_callback,
|
||||
scan_completed,
|
||||
stop,
|
||||
):
|
||||
scan_completed.wait()
|
||||
hte = []
|
||||
|
@ -240,6 +253,7 @@ def test_exploiter_result_processing(
|
|||
"network_scan": {}, # This is empty since MockIPscanner ignores it
|
||||
"exploiters": {}, # This is empty since MockExploiter ignores it
|
||||
},
|
||||
1,
|
||||
Event(),
|
||||
)
|
||||
|
||||
|
@ -284,6 +298,7 @@ def test_scan_target_generation(telemetry_messenger_spy, mock_ip_scanner, mock_v
|
|||
"network_scan": {}, # This is empty since MockIPscanner ignores it
|
||||
"exploiters": {}, # This is empty since MockExploiter ignores it
|
||||
},
|
||||
1,
|
||||
Event(),
|
||||
)
|
||||
expected_ip_scan_list = [
|
||||
|
|
Loading…
Reference in New Issue