This commit is contained in:
Itay Mizeretz 2017-08-20 19:32:18 +03:00
parent 6530dd063e
commit 26df64fb87
7 changed files with 22 additions and 26 deletions

View File

@ -188,4 +188,4 @@ Dependency | License | Notes
winbind | GPL-3
pyinstaller | GPL
Celery | BSD
mimikatz | CC BY 4.0 | We use an altered version of mimikatz. Original: https://github.com/gentilkiwi/mimikatz
mimikatz | CC BY 4.0 | We use an altered version of mimikatz: https://github.com/guardicore/mimikatz

View File

@ -4,6 +4,7 @@ from network.range import FixedRange, RelativeRange, ClassCRange
from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter, SSHExploiter, ShellShockExploiter
from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger
from abc import ABCMeta
from itertools import product
import uuid
import types
@ -13,7 +14,6 @@ GUID = str(uuid.getnode())
EXTERNAL_CONFIG_FILE = os.path.join(os.path.abspath(os.path.dirname(sys.argv[0])), 'monkey.bin')
def _cast_by_example(value, example):
"""
a method that casts a value to the type of the parameter given as example
@ -208,8 +208,13 @@ class Configuration(object):
rdp_use_vbs_download = True
# User and password dictionaries for exploits.
exploit_user_list = []
exploit_password_list = []
@property
def exploit_user_password_pairs(self):
return product(self.exploit_user_list, self.exploit_password_list)
exploit_user_list = ['Administrator', 'root', 'user']
exploit_password_list = ["Password1!", "1234", "password", "12345678"]
# smb/wmi exploiter
smb_download_timeout = 300 # timeout in seconds

View File

@ -64,12 +64,7 @@ class SmbExploiter(HostExploiter):
LOG.info("Can't find suitable monkey executable for host %r", host)
return False
config_users = self._config.exploit_user_list
config_passwords = self._config.exploit_password_list
user_password_pairs = []
for user in config_users:
for password in config_passwords:
user_password_pairs.append((user, password))
user_password_pairs = self._config.exploit_user_password_pairs
exploited = False
for user, password in user_password_pairs:

View File

@ -44,12 +44,10 @@ class SSHExploiter(HostExploiter):
LOG.info("SSH port is closed on %r, skipping", host)
return False
passwords = list(self._config.exploit_password_list[:])
users = list(self._config.exploit_user_list)
user_pass = product(users,passwords)
user_password_pairs = self._config.exploit_user_password_pairs
exploited = False
for user, curpass in user_pass:
for user, curpass in user_password_pairs:
try:
ssh.connect(host.ip_addr,
username=user,

View File

@ -233,7 +233,6 @@ class Ms08_067_Exploiter(HostExploiter):
src_path,
self._config.dropper_target_path)
# TODO: why are we doing this? Isn't that smbexec's job?
if not remote_full_path:
# try other passwords for administrator
for password in self._config.exploit_password_list:

View File

@ -29,12 +29,7 @@ class WmiExploiter(HostExploiter):
LOG.info("Can't find suitable monkey executable for host %r", host)
return False
config_users = self._config.exploit_user_list
config_passwords = self._config.exploit_password_list
user_password_pairs = []
for user in config_users:
for password in config_passwords:
user_password_pairs.append((user, password))
user_password_pairs = self._config.exploit_user_password_pairs
for user, password in user_password_pairs:
LOG.debug("Attempting to connect %r using WMI with password '%s'",

View File

@ -69,10 +69,14 @@ class MimikatzCollector:
"""
Logon data structure returned from mimikatz.
"""
WINDOWS_MAX_USERNAME_PASS_LENGTH = 257
LM_NTLM_HASH_LENGTH = 16
_fields_ = \
[
("username", ctypes.c_wchar * 257),
("password", ctypes.c_wchar * 257),
("lm_hash", ctypes.c_byte * 16),
("ntlm_hash", ctypes.c_byte * 16)
("username", ctypes.c_wchar * WINDOWS_MAX_USERNAME_PASS_LENGTH),
("password", ctypes.c_wchar * WINDOWS_MAX_USERNAME_PASS_LENGTH),
("lm_hash", ctypes.c_byte * LM_NTLM_HASH_LENGTH),
("ntlm_hash", ctypes.c_byte * LM_NTLM_HASH_LENGTH)
]