forked from p15670423/monkey
commit
73a8c14397
|
@ -0,0 +1,13 @@
|
|||
from .attack import (
|
||||
T1003_ATTACK_TECHNIQUE_TAG,
|
||||
T1005_ATTACK_TECHNIQUE_TAG,
|
||||
T1021_ATTACK_TECHNIQUE_TAG,
|
||||
T1098_ATTACK_TECHNIQUE_TAG,
|
||||
T1105_ATTACK_TECHNIQUE_TAG,
|
||||
T1110_ATTACK_TECHNIQUE_TAG,
|
||||
T1145_ATTACK_TECHNIQUE_TAG,
|
||||
T1203_ATTACK_TECHNIQUE_TAG,
|
||||
T1210_ATTACK_TECHNIQUE_TAG,
|
||||
T1222_ATTACK_TECHNIQUE_TAG,
|
||||
T1570_ATTACK_TECHNIQUE_TAG,
|
||||
)
|
|
@ -0,0 +1,11 @@
|
|||
T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
|
||||
T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005"
|
||||
T1021_ATTACK_TECHNIQUE_TAG = "attack-t1021"
|
||||
T1098_ATTACK_TECHNIQUE_TAG = "attack-t1098"
|
||||
T1105_ATTACK_TECHNIQUE_TAG = "attack-t1105"
|
||||
T1110_ATTACK_TECHNIQUE_TAG = "attack-t1110"
|
||||
T1145_ATTACK_TECHNIQUE_TAG = "attack-t1145"
|
||||
T1203_ATTACK_TECHNIQUE_TAG = "attack-t1203"
|
||||
T1210_ATTACK_TECHNIQUE_TAG = "attack-t1210"
|
||||
T1222_ATTACK_TECHNIQUE_TAG = "attack-t1222"
|
||||
T1570_ATTACK_TECHNIQUE_TAG = "attack-t1570"
|
|
@ -4,6 +4,7 @@ from typing import Sequence
|
|||
from common.agent_events import CredentialsStolenEvent
|
||||
from common.credentials import Credentials, LMHash, NTHash, Password, Username
|
||||
from common.event_queue import IAgentEventQueue
|
||||
from common.tags import T1003_ATTACK_TECHNIQUE_TAG, T1005_ATTACK_TECHNIQUE_TAG
|
||||
from infection_monkey.i_puppet import ICredentialCollector
|
||||
from infection_monkey.model import USERNAME_PREFIX
|
||||
from infection_monkey.utils.ids import get_agent_id
|
||||
|
@ -15,8 +16,6 @@ logger = logging.getLogger(__name__)
|
|||
|
||||
|
||||
MIMIKATZ_CREDENTIAL_COLLECTOR_TAG = "mimikatz-credentials-collector"
|
||||
T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
|
||||
T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005"
|
||||
|
||||
MIMIKATZ_EVENT_TAGS = frozenset(
|
||||
(
|
||||
|
@ -28,8 +27,8 @@ MIMIKATZ_EVENT_TAGS = frozenset(
|
|||
|
||||
|
||||
class MimikatzCredentialCollector(ICredentialCollector):
|
||||
def __init__(self, event_queue: IAgentEventQueue):
|
||||
self._event_queue = event_queue
|
||||
def __init__(self, agent_event_queue: IAgentEventQueue):
|
||||
self._agent_event_queue = agent_event_queue
|
||||
|
||||
def collect_credentials(self, options=None) -> Sequence[Credentials]:
|
||||
logger.info("Attempting to collect windows credentials with pypykatz.")
|
||||
|
@ -82,4 +81,4 @@ class MimikatzCredentialCollector(ICredentialCollector):
|
|||
stolen_credentials=collected_credentials,
|
||||
)
|
||||
|
||||
self._event_queue.publish(credentials_stolen_event)
|
||||
self._agent_event_queue.publish(credentials_stolen_event)
|
||||
|
|
|
@ -15,13 +15,15 @@ class SSHCredentialCollector(ICredentialCollector):
|
|||
SSH keys credential collector
|
||||
"""
|
||||
|
||||
def __init__(self, telemetry_messenger: ITelemetryMessenger, event_queue: IAgentEventQueue):
|
||||
def __init__(
|
||||
self, telemetry_messenger: ITelemetryMessenger, agent_event_queue: IAgentEventQueue
|
||||
):
|
||||
self._telemetry_messenger = telemetry_messenger
|
||||
self._event_queue = event_queue
|
||||
self._agent_event_queue = agent_event_queue
|
||||
|
||||
def collect_credentials(self, _options=None) -> Sequence[Credentials]:
|
||||
logger.info("Started scanning for SSH credentials")
|
||||
ssh_info = ssh_handler.get_ssh_info(self._telemetry_messenger, self._event_queue)
|
||||
ssh_info = ssh_handler.get_ssh_info(self._telemetry_messenger, self._agent_event_queue)
|
||||
logger.info("Finished scanning for SSH credentials")
|
||||
|
||||
return ssh_handler.to_credentials(ssh_info)
|
||||
|
|
|
@ -6,6 +6,11 @@ from typing import Dict, Iterable, Sequence
|
|||
from common.agent_events import CredentialsStolenEvent
|
||||
from common.credentials import Credentials, SSHKeypair, Username
|
||||
from common.event_queue import IAgentEventQueue
|
||||
from common.tags import (
|
||||
T1003_ATTACK_TECHNIQUE_TAG,
|
||||
T1005_ATTACK_TECHNIQUE_TAG,
|
||||
T1145_ATTACK_TECHNIQUE_TAG,
|
||||
)
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from infection_monkey.telemetry.attack.t1005_telem import T1005Telem
|
||||
from infection_monkey.telemetry.attack.t1145_telem import T1145Telem
|
||||
|
@ -17,9 +22,6 @@ logger = logging.getLogger(__name__)
|
|||
|
||||
DEFAULT_DIRS = ["/.ssh/", "/"]
|
||||
SSH_CREDENTIAL_COLLECTOR_TAG = "ssh-credentials-collector"
|
||||
T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
|
||||
T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005"
|
||||
T1145_ATTACK_TECHNIQUE_TAG = "attack-t1145"
|
||||
|
||||
SSH_COLLECTOR_EVENT_TAGS = frozenset(
|
||||
(
|
||||
|
@ -32,7 +34,7 @@ SSH_COLLECTOR_EVENT_TAGS = frozenset(
|
|||
|
||||
|
||||
def get_ssh_info(
|
||||
telemetry_messenger: ITelemetryMessenger, event_queue: IAgentEventQueue
|
||||
telemetry_messenger: ITelemetryMessenger, agent_event_queue: IAgentEventQueue
|
||||
) -> Iterable[Dict]:
|
||||
# TODO: Remove this check when this is turned into a plugin.
|
||||
if is_windows_os():
|
||||
|
@ -42,7 +44,7 @@ def get_ssh_info(
|
|||
return []
|
||||
|
||||
home_dirs = _get_home_dirs()
|
||||
ssh_info = _get_ssh_files(home_dirs, telemetry_messenger, event_queue)
|
||||
ssh_info = _get_ssh_files(home_dirs, telemetry_messenger, agent_event_queue)
|
||||
|
||||
return ssh_info
|
||||
|
||||
|
@ -83,7 +85,7 @@ def _get_ssh_struct(name: str, home_dir: str) -> Dict:
|
|||
def _get_ssh_files(
|
||||
user_info: Iterable[Dict],
|
||||
telemetry_messenger: ITelemetryMessenger,
|
||||
event_queue: IAgentEventQueue,
|
||||
agent_event_queue: IAgentEventQueue,
|
||||
) -> Iterable[Dict]:
|
||||
for info in user_info:
|
||||
path = info["home_dir"]
|
||||
|
@ -125,7 +127,7 @@ def _get_ssh_files(
|
|||
|
||||
collected_credentials = to_credentials([info])
|
||||
_publish_credentials_stolen_event(
|
||||
collected_credentials, event_queue
|
||||
collected_credentials, agent_event_queue
|
||||
)
|
||||
else:
|
||||
continue
|
||||
|
@ -170,7 +172,7 @@ def to_credentials(ssh_info: Iterable[Dict]) -> Sequence[Credentials]:
|
|||
|
||||
|
||||
def _publish_credentials_stolen_event(
|
||||
collected_credentials: Credentials, event_queue: IAgentEventQueue
|
||||
collected_credentials: Sequence[Credentials], agent_event_queue: IAgentEventQueue
|
||||
):
|
||||
credentials_stolen_event = CredentialsStolenEvent(
|
||||
source=get_agent_id(),
|
||||
|
@ -178,4 +180,4 @@ def _publish_credentials_stolen_event(
|
|||
stolen_credentials=collected_credentials,
|
||||
)
|
||||
|
||||
event_queue.publish(credentials_stolen_event)
|
||||
agent_event_queue.publish(credentials_stolen_event)
|
||||
|
|
|
@ -18,6 +18,7 @@ from impacket.dcerpc.v5.dtypes import NULL
|
|||
from common.agent_events import CredentialsStolenEvent
|
||||
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
|
||||
from common.credentials import Credentials, LMHash, NTHash, Username
|
||||
from common.tags import T1003_ATTACK_TECHNIQUE_TAG, T1098_ATTACK_TECHNIQUE_TAG
|
||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||
from infection_monkey.exploit.tools.wmi_tools import WmiTools
|
||||
from infection_monkey.exploit.zerologon_utils.dump_secrets import DumpSecrets
|
||||
|
@ -32,9 +33,6 @@ from infection_monkey.utils.threading import interruptible_iter
|
|||
logger = logging.getLogger(__name__)
|
||||
|
||||
ZEROLOGON_EXPLOITER_TAG = "zerologon-exploiter"
|
||||
T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
|
||||
T1098_ATTACK_TECHNIQUE_TAG = "attack-t1098"
|
||||
|
||||
|
||||
ZEROLOGON_EVENT_TAGS = frozenset(
|
||||
{
|
||||
|
@ -315,7 +313,7 @@ class ZerologonExploiter(HostExploiter):
|
|||
tags=ZEROLOGON_EVENT_TAGS,
|
||||
stolen_credentials=extracted_credentials,
|
||||
)
|
||||
self.event_queue.publish(credentials_stolen_event)
|
||||
self.agent_event_queue.publish(credentials_stolen_event)
|
||||
|
||||
def get_original_pwd_nthash(self, username: str, user_pwd_hashes: List[str]) -> Optional[str]:
|
||||
if not self.save_HKLM_keys_locally(username, user_pwd_hashes):
|
||||
|
|
|
@ -9,11 +9,17 @@ from common.agent_configuration.agent_sub_configurations import (
|
|||
)
|
||||
from common.agent_events import ExploitationEvent, PingScanEvent, PropagationEvent, TCPScanEvent
|
||||
from common.credentials import Credentials, LMHash, NTHash
|
||||
from infection_monkey.exploit.HostExploiter.HostExploiter import (
|
||||
_publish_exploitation_event,
|
||||
_publish_propagation_event,
|
||||
from common.tags import (
|
||||
T1021_ATTACK_TECHNIQUE_TAG,
|
||||
T1105_ATTACK_TECHNIQUE_TAG,
|
||||
T1110_ATTACK_TECHNIQUE_TAG,
|
||||
T1203_ATTACK_TECHNIQUE_TAG,
|
||||
T1210_ATTACK_TECHNIQUE_TAG,
|
||||
T1222_ATTACK_TECHNIQUE_TAG,
|
||||
T1570_ATTACK_TECHNIQUE_TAG,
|
||||
)
|
||||
from common.types import NetworkPort, NetworkService
|
||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||
from infection_monkey.exploit.log4shell_utils.ldap_server import LDAPServerFactory
|
||||
from monkey_island.cc.models import Machine, Node, Report
|
||||
from monkey_island.cc.models.networkmap import Arc, NetworkMap
|
||||
|
@ -319,8 +325,17 @@ TCPScanEvent
|
|||
TCPScanEvent.port_status
|
||||
|
||||
# TODO: Remove once #2269 is close
|
||||
_publish_exploitation_event,
|
||||
_publish_propagation_event,
|
||||
PropagationEvent
|
||||
ExploitationEvent
|
||||
T1021_ATTACK_TECHNIQUE_TAG
|
||||
T1105_ATTACK_TECHNIQUE_TAG
|
||||
T1110_ATTACK_TECHNIQUE_TAG
|
||||
T1203_ATTACK_TECHNIQUE_TAG
|
||||
T1210_ATTACK_TECHNIQUE_TAG
|
||||
T1222_ATTACK_TECHNIQUE_TAG
|
||||
T1570_ATTACK_TECHNIQUE_TAG
|
||||
HostExploiter._publish_propagation_event
|
||||
HostExploiter._publish_exploitation_event
|
||||
|
||||
# pydantic base models
|
||||
underscore_attrs_are_private
|
||||
|
|
Loading…
Reference in New Issue