From 8807e68177b8f59d31dc52074d93bc311859efde Mon Sep 17 00:00:00 2001
From: Oran Nadler
Date: Sat, 10 Mar 2018 23:18:53 -0800
Subject: [PATCH] add posssible attacks per sid
---
 monkey_island/cc/resources/pthmap.py | 36 +++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/monkey_island/cc/resources/pthmap.py b/monkey_island/cc/resources/pthmap.py
index 46e49ad6d..6caad92fc 100644
--- a/monkey_island/cc/resources/pthmap.py
+++ b/monkey_island/cc/resources/pthmap.py
@@ -405,6 +405,30 @@ class PassTheHashMap(object):
 print map(lambda x: Machine(x).GetIp(), self.vertices)
 print map(lambda x: (Machine(x[0]).GetIp(), Machine(x[1]).GetIp()), self.edges)
+ def GetPossibleAttackCountBySid(self, sid):
+ return len(self.GetPossibleAttacksBySid(sid))
+
+ def GetPossibleAttacksBySid(self, sid):
+ attacks = set()
+
+ for attacker in self.vertices:
+ cached_creds = set(Machine(attacker).GetCachedCreds().items())
+
+ for victim in self.vertices:
+ if attacker == victim:
+ continue
+
+ admin_creds = set(Machine(victim).GetLocalAdminCreds().items())
+
+ if len(cached_creds & admin_creds) > 0:
+ curr_attacks = dict(cached_creds & admin_creds)
+
+ for username, secret in curr_attacks.iteritems():
+ if Machine(victim).GetSidByUsername(username) == sid:
+ attacks.add((attacker, victim))
+
+ return attacks
+
 def GetSecretBySid(self, sid):
 for m in self.machines:
 for user, user_secret in m.GetLocalSecrets().iteritems():
@@ -582,7 +606,7 @@ def main():
 print """"""
 print "
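Review bot: `GetPossibleAttacksBySid` rebuilds `Machine(victim)` and its local-admin credential set inside the attacker loop, so each machine's credentials are reloaded once per attacker, and the report code in the last hunk then calls this method once per SID. Assuming the `Machine` getters are plain reads, loading both credential sets once per vertex before the loops yields the same pairs; the unused `secret` variable and the `dict(...)` round-trip can go at the same time. Both new methods also lack a docstring; one sentence stating that the result is the set of (attacker, victim) vertex pairs whose shared credential resolves to `sid` on the victim would make the report column easier to interpret.

```python
def GetPossibleAttacksBySid(self, sid):
    attacks = set()
    # Load each machine's credential sets once, not once per attacker/victim pair.
    cached = dict((m, set(Machine(m).GetCachedCreds().items())) for m in self.vertices)
    admins = dict((m, set(Machine(m).GetLocalAdminCreds().items())) for m in self.vertices)

    for attacker in self.vertices:
        for victim in self.vertices:
            if attacker == victim:
                continue

            shared = cached[attacker] & admins[victim]

            if any(Machine(victim).GetSidByUsername(username) == sid for username, _ in shared):
                attacks.add((attacker, victim))

    return attacks
```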

User's Creds

" - print "

To how many machines each user is able to connect with admin rights?

" + print "

To how many machines each user is able to connect with admin rights

" attackable_counts = dict(map(lambda x: (x, pth.GetVictimCountBySid(x)), pth.GetAllSids())) print """""" @@ -591,6 +615,16 @@ def main(): print """""".format(sid=sid, username=pth.GetUsernameBySid(sid), count=count) print """
{sid}{username}{count}
""" + print "

Actual Possible Attacks By SID

" + print "

How many attacks possible using each SID (aka len(attacker->victim pairs))

" + possible_attacks_by_sid = dict(map(lambda x: (x, pth.GetPossibleAttackCountBySid(x)), pth.GetAllSids())) + + print """""" + print """""" + for sid, count in sorted(possible_attacks_by_sid.iteritems(), key=lambda (k,v): (v,k), reverse=True): + print """""".format(sid=sid, username=pth.GetUsernameBySid(sid), count=count) + print """
SIDUsernameMachine Count
{sid}{username}{count}
""" + print "

Machine's Creds

" print "

To how many machines each machine is able to directly connect with admin rights?

" attackable_counts = dict(map(lambda m: (m, pth.GetVictimCountByMachine(m)), pth.machines))
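Review bot: The added row `print` interpolates `username=pth.GetUsernameBySid(sid)` into the output template with no escaping. The markup is stripped on this page, but the table and heading layout suggests these prints build an HTML report; if usernames come from data collected off scanned machines, an account name containing markup would be rendered as-is in the viewer's browser. Escaping at output would close that, e.g. `username=cgi.escape(pth.GetUsernameBySid(sid) or "")` (with `import cgi` if the file does not already have it), and the existing row in the context lines above has the same pattern. Separately, the new table's header still reads "Machine Count" although the column holds the number of attacker->victim pairs. `main()` starts and continues outside this hunk.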