Zerologon's success on a machine shouldn't prevent other exploit attempts on the machine

(Zerologon gathers credentials that other exploiters can then use against the same machine)
This commit is contained in:
Shreya 2021-01-31 19:38:36 +05:30
parent 9c0fc7e435
commit 290385a8a0
3 changed files with 26 additions and 4 deletions


@ -35,6 +35,13 @@ class HostExploiter(Plugin):
# Usual values are 'vulnerability' or 'brute_force' # Usual values are 'vulnerability' or 'brute_force'
EXPLOIT_TYPE = ExploitType.VULNERABILITY EXPLOIT_TYPE = ExploitType.VULNERABILITY
# Specifies whether a machine, on which the exploit was successful, should be added to the set of exploited
# machines. This would then prevent any other exploits from being attempted on it.
# Sample use case - Zerologon exploiter:
# Exploited machine gives us useful credentials which can be used, but machine isn't compromised by Zerologon
# on its own. Some other exploit using PTH needs to be exploit it.
SHOULD_ADD_MACHINE_TO_EXPLOITED_SET = True
@property @property
@abstractmethod @abstractmethod
def _EXPLOITED_SERVICE(self): def _EXPLOITED_SERVICE(self):
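Review bot: The new comment block above `SHOULD_ADD_MACHINE_TO_EXPLOITED_SET` is hard to read where it matters most — "Some other exploit using PTH needs to be exploit it." is not a sentence, and the two states of the flag are never spelled out. Since this flag now decides whether the propagation loop stops after a success, the comment should state both outcomes explicitly, e.g. `# True (default): a successful run marks the host exploited and no further exploiters are tried on it.` / `# False: the host is NOT marked exploited, so later exploiters still run against it (Zerologon only` / `#   dumps credentials; a pass-the-hash exploiter still has to compromise the machine).`. The class body continues outside this hunk, so subclasses that must override the flag are not visible here.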


@ -65,6 +65,7 @@ class ZerologonExploiter(HostExploiter):
_TARGET_OS_TYPE = ['windows'] _TARGET_OS_TYPE = ['windows']
_EXPLOITED_SERVICE = 'Netlogon' _EXPLOITED_SERVICE = 'Netlogon'
EXPLOIT_TYPE = ExploitType.VULNERABILITY EXPLOIT_TYPE = ExploitType.VULNERABILITY
SHOULD_ADD_MACHINE_TO_EXPLOITED_SET = False
MAX_ATTEMPTS = 2000 MAX_ATTEMPTS = 2000
OPTIONS_FOR_SECRETSDUMP =\ OPTIONS_FOR_SECRETSDUMP =\
{ {
@ -227,6 +228,7 @@ class ZerologonExploiter(HostExploiter):
if user in secret: if user in secret:
hashes = secret.split(':')[2:4] # format of secret - "domain\uid:rid:lmhash:nthash:::" hashes = secret.split(':')[2:4] # format of secret - "domain\uid:rid:lmhash:nthash:::"
self.add_extracted_creds_to_exploit_info(user, hashes[0], hashes[1]) self.add_extracted_creds_to_exploit_info(user, hashes[0], hashes[1])
self.add_extracted_creds_to_monkey_config(user, hashes[0], hashes[1])
return ':'.join(hashes) # format - "lmhash:nthash" return ':'.join(hashes) # format - "lmhash:nthash"
def add_extracted_creds_to_exploit_info(self, user, lmhash, nthash): def add_extracted_creds_to_exploit_info(self, user, lmhash, nthash):
@ -239,6 +241,16 @@ class ZerologonExploiter(HostExploiter):
} }
}) })
def add_extracted_creds_to_monkey_config(self, user, lmhash, nthash): # so other exploiters can use these creds
if user not in self._config.exploit_user_list:
self._config.exploit_user_list.append(user)
if lmhash not in self._config.exploit_lm_hash_list:
self._config.exploit_lm_hash_list.append(lmhash)
if nthash not in self._config.exploit_ntlm_hash_list:
self._config.exploit_ntlm_hash_list.append(nthash)
def get_original_pwd_nthash(self, DC_IP, admin_pwd_hashes): def get_original_pwd_nthash(self, DC_IP, admin_pwd_hashes):
if not self.save_HKLM_keys_locally(DC_IP, admin_pwd_hashes): if not self.save_HKLM_keys_locally(DC_IP, admin_pwd_hashes):
return return
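Review bot: `add_extracted_creds_to_monkey_config` appends the user, LM hash and NT hash to three independent lists, so the user↔hash pairing is discarded and, if the rest of the config is consumed the way `exploit_user_list` usually is, every later exploiter will try the cross product of users and both hash lists rather than the one credential that was dumped. That may be acceptable given the config's model, but it is not obvious from the code, and the trailing `# so other exploiters can use these creds` on the `def` line should become a docstring that says so, e.g. `"""Add the dumped user/LM/NT hash to the running config so pass-the-hash exploiters can reuse them; lists are deduplicated per field, so pairing is not preserved."""`. Because these lists persist for the rest of the run, a hash pulled from the DC (the `admin_pwd_hashes` naming suggests a privileged account) is replayed against every subsequent target and will appear wherever the config is serialized or logged — worth confirming nothing dumps `self._config` at INFO level after this point. The `user in secret` match on the line before the new call is a substring test, so an unrelated account name containing `user` would also feed its hashes into the config; a split on the `domain\uid` field would be safer.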


@ -208,7 +208,8 @@ class InfectionMonkey(object):
if self.try_exploiting(machine, exploiter): if self.try_exploiting(machine, exploiter):
host_exploited = True host_exploited = True
VictimHostTelem('T1210', ScanStatus.USED, machine=machine).send() VictimHostTelem('T1210', ScanStatus.USED, machine=machine).send()
break if exploiter.SHOULD_ADD_MACHINE_TO_EXPLOITED_SET:
break # if adding machine to exploited, won't try other exploits on it
if not host_exploited: if not host_exploited:
self._fail_exploitation_machines.add(machine) self._fail_exploitation_machines.add(machine)
VictimHostTelem('T1210', ScanStatus.SCANNED, machine=machine).send() VictimHostTelem('T1210', ScanStatus.SCANNED, machine=machine).send()
@ -351,7 +352,8 @@ class InfectionMonkey(object):
try: try:
result = exploiter.exploit_host() result = exploiter.exploit_host()
if result: if result:
self.successfully_exploited(machine, exploiter) self.successfully_exploited(machine, exploiter) if exploiter.SHOULD_ADD_MACHINE_TO_EXPLOITED_SET else\
self.successfully_exploited(machine, exploiter, False)
return True return True
else: else:
LOG.info("Failed exploiting %r with exploiter %s", machine, exploiter.__class__.__name__) LOG.info("Failed exploiting %r with exploiter %s", machine, exploiter.__class__.__name__)
@ -369,12 +371,13 @@ class InfectionMonkey(object):
exploiter.send_exploit_telemetry(result) exploiter.send_exploit_telemetry(result)
return False return False
def successfully_exploited(self, machine, exploiter): def successfully_exploited(self, machine, exploiter, should_add_machine_to_exploited_set=True):
""" """
Workflow of registering successfully exploited machine Workflow of registering successfully exploited machine
:param machine: machine that was exploited :param machine: machine that was exploited
:param exploiter: exploiter that succeeded :param exploiter: exploiter that succeeded
""" """
if should_add_machine_to_exploited_set:
self._exploited_machines.add(machine) self._exploited_machines.add(machine)
LOG.info("Successfully propagated to %s using %s", LOG.info("Successfully propagated to %s using %s",