Fixed CR
parent
6530dd063e
commit
26df64fb87
|
@ -188,4 +188,4 @@ Dependency | License | Notes
|
||||||
winbind | GPL-3
|
winbind | GPL-3
|
||||||
pyinstaller | GPL
|
pyinstaller | GPL
|
||||||
Celery | BSD
|
Celery | BSD
|
||||||
mimikatz | CC BY 4.0 | We use an altered version of mimikatz. Original: https://github.com/gentilkiwi/mimikatz
|
mimikatz | CC BY 4.0 | We use an altered version of mimikatz: https://github.com/guardicore/mimikatz
|
||||||
|
|
|
@ -4,6 +4,7 @@ from network.range import FixedRange, RelativeRange, ClassCRange
|
||||||
from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter, SSHExploiter, ShellShockExploiter
|
from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter, SSHExploiter, ShellShockExploiter
|
||||||
from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger
|
from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger
|
||||||
from abc import ABCMeta
|
from abc import ABCMeta
|
||||||
|
from itertools import product
|
||||||
import uuid
|
import uuid
|
||||||
import types
|
import types
|
||||||
|
|
||||||
|
@ -13,7 +14,6 @@ GUID = str(uuid.getnode())
|
||||||
|
|
||||||
EXTERNAL_CONFIG_FILE = os.path.join(os.path.abspath(os.path.dirname(sys.argv[0])), 'monkey.bin')
|
EXTERNAL_CONFIG_FILE = os.path.join(os.path.abspath(os.path.dirname(sys.argv[0])), 'monkey.bin')
|
||||||
|
|
||||||
|
|
||||||
def _cast_by_example(value, example):
|
def _cast_by_example(value, example):
|
||||||
"""
|
"""
|
||||||
a method that casts a value to the type of the parameter given as example
|
a method that casts a value to the type of the parameter given as example
|
||||||
|
@ -208,8 +208,13 @@ class Configuration(object):
|
||||||
rdp_use_vbs_download = True
|
rdp_use_vbs_download = True
|
||||||
|
|
||||||
# User and password dictionaries for exploits.
|
# User and password dictionaries for exploits.
|
||||||
exploit_user_list = []
|
|
||||||
exploit_password_list = []
|
@property
|
||||||
|
def exploit_user_password_pairs(self):
|
||||||
|
return product(self.exploit_user_list, self.exploit_password_list)
|
||||||
|
|
||||||
|
exploit_user_list = ['Administrator', 'root', 'user']
|
||||||
|
exploit_password_list = ["Password1!", "1234", "password", "12345678"]
|
||||||
|
|
||||||
# smb/wmi exploiter
|
# smb/wmi exploiter
|
||||||
smb_download_timeout = 300 # timeout in seconds
|
smb_download_timeout = 300 # timeout in seconds
|
||||||
|
|
|
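Review bot: The new `exploit_user_password_pairs` property has no docstring, and its return value is easy to misuse. `itertools.product` yields a single-pass iterator, so a caller that iterates it twice, takes `len()` or tests it for truthiness will not get what the removed list-building code gave it. I would add a docstring such as `"""Return a fresh single-pass iterator over every (user, password) combination of the configured lists."""`. The property also sits among plain class attributes of `Configuration`; if the configuration is serialised or loaded by walking class attributes (that code is outside this hunk), confirm the property is skipped there rather than treated as a setting.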
@ -64,12 +64,7 @@ class SmbExploiter(HostExploiter):
|
||||||
LOG.info("Can't find suitable monkey executable for host %r", host)
|
LOG.info("Can't find suitable monkey executable for host %r", host)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
config_users = self._config.exploit_user_list
|
user_password_pairs = self._config.exploit_user_password_pairs
|
||||||
config_passwords = self._config.exploit_password_list
|
|
||||||
user_password_pairs = []
|
|
||||||
for user in config_users:
|
|
||||||
for password in config_passwords:
|
|
||||||
user_password_pairs.append((user, password))
|
|
||||||
|
|
||||||
exploited = False
|
exploited = False
|
||||||
for user, password in user_password_pairs:
|
for user, password in user_password_pairs:
|
||||||
|
|
|
@ -42,14 +42,12 @@ class SSHExploiter(HostExploiter):
|
||||||
is_open, _ = check_port_tcp(host.ip_addr, port)
|
is_open, _ = check_port_tcp(host.ip_addr, port)
|
||||||
if not is_open:
|
if not is_open:
|
||||||
LOG.info("SSH port is closed on %r, skipping", host)
|
LOG.info("SSH port is closed on %r, skipping", host)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
passwords = list(self._config.exploit_password_list[:])
|
user_password_pairs = self._config.exploit_user_password_pairs
|
||||||
users = list(self._config.exploit_user_list)
|
|
||||||
user_pass = product(users,passwords)
|
|
||||||
|
|
||||||
exploited = False
|
exploited = False
|
||||||
for user, curpass in user_pass:
|
for user, curpass in user_password_pairs:
|
||||||
try:
|
try:
|
||||||
ssh.connect(host.ip_addr,
|
ssh.connect(host.ip_addr,
|
||||||
username=user,
|
username=user,
|
||||||
|
|
|
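Review bot: The loop variable is still called `curpass` here, while the SMB and WMI exploiters unpack the same pairs as `user, password`. Renaming it to `for user, password in user_password_pairs:` would keep the three call sites parallel, provided the loop body (which continues outside the hunk) is updated with it. The removed lines were the only visible use of `product` in this file, so if `from itertools import product` is still imported at the top it is presumably unused now and can be dropped.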
@ -233,7 +233,6 @@ class Ms08_067_Exploiter(HostExploiter):
|
||||||
src_path,
|
src_path,
|
||||||
self._config.dropper_target_path)
|
self._config.dropper_target_path)
|
||||||
|
|
||||||
# TODO: why are we doing this? Isn't that smbexec's job?
|
|
||||||
if not remote_full_path:
|
if not remote_full_path:
|
||||||
# try other passwords for administrator
|
# try other passwords for administrator
|
||||||
for password in self._config.exploit_password_list:
|
for password in self._config.exploit_password_list:
|
||||||
|
|
|
@ -29,12 +29,7 @@ class WmiExploiter(HostExploiter):
|
||||||
LOG.info("Can't find suitable monkey executable for host %r", host)
|
LOG.info("Can't find suitable monkey executable for host %r", host)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
config_users = self._config.exploit_user_list
|
user_password_pairs = self._config.exploit_user_password_pairs
|
||||||
config_passwords = self._config.exploit_password_list
|
|
||||||
user_password_pairs = []
|
|
||||||
for user in config_users:
|
|
||||||
for password in config_passwords:
|
|
||||||
user_password_pairs.append((user, password))
|
|
||||||
|
|
||||||
for user, password in user_password_pairs:
|
for user, password in user_password_pairs:
|
||||||
LOG.debug("Attempting to connect %r using WMI with password '%s'",
|
LOG.debug("Attempting to connect %r using WMI with password '%s'",
|
||||||
|
|
|
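Review bot: The `LOG.debug` call at the end of this hunk writes each attempted password into the log in clear text (`... using WMI with password '%s'`), and it now does so for every pair produced by the shared configuration property. Those lists may hold real credentials from the environment under test, so the debug log needs the same protection as a credential store. I would log the username and leave the password out, or mask it. The call's arguments continue outside the hunk, so the exact change depends on them.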
@ -69,10 +69,14 @@ class MimikatzCollector:
|
||||||
"""
|
"""
|
||||||
Logon data structure returned from mimikatz.
|
Logon data structure returned from mimikatz.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
WINDOWS_MAX_USERNAME_PASS_LENGTH = 257
|
||||||
|
LM_NTLM_HASH_LENGTH = 16
|
||||||
|
|
||||||
_fields_ = \
|
_fields_ = \
|
||||||
[
|
[
|
||||||
("username", ctypes.c_wchar * 257),
|
("username", ctypes.c_wchar * WINDOWS_MAX_USERNAME_PASS_LENGTH),
|
||||||
("password", ctypes.c_wchar * 257),
|
("password", ctypes.c_wchar * WINDOWS_MAX_USERNAME_PASS_LENGTH),
|
||||||
("lm_hash", ctypes.c_byte * 16),
|
("lm_hash", ctypes.c_byte * LM_NTLM_HASH_LENGTH),
|
||||||
("ntlm_hash", ctypes.c_byte * 16)
|
("ntlm_hash", ctypes.c_byte * LM_NTLM_HASH_LENGTH)
|
||||||
]
|
]
|
||||||
|
|
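Review bot: The two new constants name the sizes but do not say where the values come from. Since `_fields_` has to match the layout of the structure the native mimikatz library returns, a comment above them would help, for example `# Sizes must match the logon struct returned by the bundled mimikatz library; changing them misaligns every field read.` It would also be worth stating the units: 257 is a count of `c_wchar` elements (presumably including the terminator) and 16 is a count of bytes.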