forked from p15670423/monkey
Zerologon's success on a machine shouldn't prevent other exploit attempts on the machine
(ZL gathers credentials for other exploits)
This commit is contained in:
parent
9c0fc7e435
commit
290385a8a0
|
@ -35,6 +35,13 @@ class HostExploiter(Plugin):
|
||||||
# Usual values are 'vulnerability' or 'brute_force'
|
# Usual values are 'vulnerability' or 'brute_force'
|
||||||
EXPLOIT_TYPE = ExploitType.VULNERABILITY
|
EXPLOIT_TYPE = ExploitType.VULNERABILITY
|
||||||
|
|
||||||
|
# Specifies whether a machine, on which the exploit was successful, should be added to the set of exploited
|
||||||
|
# machines. This would then prevent any other exploits from being attempted on it.
|
||||||
|
# Sample use case - Zerologon exploiter:
|
||||||
|
# Exploited machine gives us useful credentials which can be used, but machine isn't compromised by Zerologon
|
||||||
|
# on its own. Some other exploit using PTH needs to be exploit it.
|
||||||
|
SHOULD_ADD_MACHINE_TO_EXPLOITED_SET = True
|
||||||
|
|
||||||
@property
|
@property
|
||||||
@abstractmethod
|
@abstractmethod
|
||||||
def _EXPLOITED_SERVICE(self):
|
def _EXPLOITED_SERVICE(self):
|
||||||
|
|
|
@ -65,6 +65,7 @@ class ZerologonExploiter(HostExploiter):
|
||||||
_TARGET_OS_TYPE = ['windows']
|
_TARGET_OS_TYPE = ['windows']
|
||||||
_EXPLOITED_SERVICE = 'Netlogon'
|
_EXPLOITED_SERVICE = 'Netlogon'
|
||||||
EXPLOIT_TYPE = ExploitType.VULNERABILITY
|
EXPLOIT_TYPE = ExploitType.VULNERABILITY
|
||||||
|
SHOULD_ADD_MACHINE_TO_EXPLOITED_SET = False
|
||||||
MAX_ATTEMPTS = 2000
|
MAX_ATTEMPTS = 2000
|
||||||
OPTIONS_FOR_SECRETSDUMP =\
|
OPTIONS_FOR_SECRETSDUMP =\
|
||||||
{
|
{
|
||||||
|
@ -227,6 +228,7 @@ class ZerologonExploiter(HostExploiter):
|
||||||
if user in secret:
|
if user in secret:
|
||||||
hashes = secret.split(':')[2:4] # format of secret - "domain\uid:rid:lmhash:nthash:::"
|
hashes = secret.split(':')[2:4] # format of secret - "domain\uid:rid:lmhash:nthash:::"
|
||||||
self.add_extracted_creds_to_exploit_info(user, hashes[0], hashes[1])
|
self.add_extracted_creds_to_exploit_info(user, hashes[0], hashes[1])
|
||||||
|
self.add_extracted_creds_to_monkey_config(user, hashes[0], hashes[1])
|
||||||
return ':'.join(hashes) # format - "lmhash:nthash"
|
return ':'.join(hashes) # format - "lmhash:nthash"
|
||||||
|
|
||||||
def add_extracted_creds_to_exploit_info(self, user, lmhash, nthash):
|
def add_extracted_creds_to_exploit_info(self, user, lmhash, nthash):
|
||||||
|
@ -239,6 +241,16 @@ class ZerologonExploiter(HostExploiter):
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
|
def add_extracted_creds_to_monkey_config(self, user, lmhash, nthash): # so other exploiters can use these creds
|
||||||
|
if user not in self._config.exploit_user_list:
|
||||||
|
self._config.exploit_user_list.append(user)
|
||||||
|
|
||||||
|
if lmhash not in self._config.exploit_lm_hash_list:
|
||||||
|
self._config.exploit_lm_hash_list.append(lmhash)
|
||||||
|
|
||||||
|
if nthash not in self._config.exploit_ntlm_hash_list:
|
||||||
|
self._config.exploit_ntlm_hash_list.append(nthash)
|
||||||
|
|
||||||
def get_original_pwd_nthash(self, DC_IP, admin_pwd_hashes):
|
def get_original_pwd_nthash(self, DC_IP, admin_pwd_hashes):
|
||||||
if not self.save_HKLM_keys_locally(DC_IP, admin_pwd_hashes):
|
if not self.save_HKLM_keys_locally(DC_IP, admin_pwd_hashes):
|
||||||
return
|
return
|
||||||
|
|
|
@ -208,7 +208,8 @@ class InfectionMonkey(object):
|
||||||
if self.try_exploiting(machine, exploiter):
|
if self.try_exploiting(machine, exploiter):
|
||||||
host_exploited = True
|
host_exploited = True
|
||||||
VictimHostTelem('T1210', ScanStatus.USED, machine=machine).send()
|
VictimHostTelem('T1210', ScanStatus.USED, machine=machine).send()
|
||||||
break
|
if exploiter.SHOULD_ADD_MACHINE_TO_EXPLOITED_SET:
|
||||||
|
break # if adding machine to exploited, won't try other exploits on it
|
||||||
if not host_exploited:
|
if not host_exploited:
|
||||||
self._fail_exploitation_machines.add(machine)
|
self._fail_exploitation_machines.add(machine)
|
||||||
VictimHostTelem('T1210', ScanStatus.SCANNED, machine=machine).send()
|
VictimHostTelem('T1210', ScanStatus.SCANNED, machine=machine).send()
|
||||||
|
@ -351,7 +352,8 @@ class InfectionMonkey(object):
|
||||||
try:
|
try:
|
||||||
result = exploiter.exploit_host()
|
result = exploiter.exploit_host()
|
||||||
if result:
|
if result:
|
||||||
self.successfully_exploited(machine, exploiter)
|
self.successfully_exploited(machine, exploiter) if exploiter.SHOULD_ADD_MACHINE_TO_EXPLOITED_SET else\
|
||||||
|
self.successfully_exploited(machine, exploiter, False)
|
||||||
return True
|
return True
|
||||||
else:
|
else:
|
||||||
LOG.info("Failed exploiting %r with exploiter %s", machine, exploiter.__class__.__name__)
|
LOG.info("Failed exploiting %r with exploiter %s", machine, exploiter.__class__.__name__)
|
||||||
|
@ -369,12 +371,13 @@ class InfectionMonkey(object):
|
||||||
exploiter.send_exploit_telemetry(result)
|
exploiter.send_exploit_telemetry(result)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def successfully_exploited(self, machine, exploiter):
|
def successfully_exploited(self, machine, exploiter, should_add_machine_to_exploited_set=True):
|
||||||
"""
|
"""
|
||||||
Workflow of registering successfully exploited machine
|
Workflow of registering successfully exploited machine
|
||||||
:param machine: machine that was exploited
|
:param machine: machine that was exploited
|
||||||
:param exploiter: exploiter that succeeded
|
:param exploiter: exploiter that succeeded
|
||||||
"""
|
"""
|
||||||
|
if should_add_machine_to_exploited_set:
|
||||||
self._exploited_machines.add(machine)
|
self._exploited_machines.add(machine)
|
||||||
|
|
||||||
LOG.info("Successfully propagated to %s using %s",
|
LOG.info("Successfully propagated to %s using %s",
|
||||||
|
|
Loading…
Reference in New Issue