Agent: Add tags to SSHExploiter

This commit is contained in:
Ilija Lazoroski 2022-10-04 15:59:58 +02:00
parent ddaada1f09
commit 5948537d4a
1 changed files with 49 additions and 28 deletions

View File

@ -30,6 +30,11 @@ SSH_EXEC_TIMEOUT = LONG_REQUEST_TIMEOUT
SSH_CHANNEL_TIMEOUT = MEDIUM_REQUEST_TIMEOUT
TRANSFER_UPDATE_RATE = 15
SSH_EXPLOITER_TAG = "ssh-exploiter"
T1105_ATTACK_TECHNIQUE_TAG = "attack-t1105"
T1110_ATTACK_TECHNIQUE_TAG = "attack-t1110"
T1222_ATTACK_TECHNIQUE_TAG = "attack-t1222"
T1021_ATTACK_TECHNIQUE_TAG = "attack-t1021"
class SSHExploiter(HostExploiter):
@ -86,12 +91,28 @@ class SSHExploiter(HostExploiter):
)
self.add_vuln_port(port)
self.exploit_result.exploitation_success = True
self._publish_exploitation_event(
target=self.host.ip_addr,
exploitation_success=True,
tags=(
SSH_EXPLOITER_TAG,
T1110_ATTACK_TECHNIQUE_TAG,
T1021_ATTACK_TECHNIQUE_TAG,
),
)
self.report_login_attempt(True, user, ssh_key=ssh_string)
return ssh
except paramiko.AuthenticationException as err:
ssh.close()
logger.info(
f"Failed logging into victim {self.host} with {ssh_string} private key: {err}",
error_message = (
f"Failed logging into victim {self.host} with {ssh_string} private key: {err}"
)
logger.info(error_message)
self._publish_exploitation_event(
target=self.host.ip_addr,
exploitation_success=False,
error_message=error_message,
tags=(SSH_EXPLOITER_TAG,),
)
self.report_login_attempt(False, user, ssh_key=ssh_string)
continue
@ -131,15 +152,26 @@ class SSHExploiter(HostExploiter):
logger.debug("Successfully logged in %r using SSH. User: %s", self.host, user)
self.add_vuln_port(port)
self.exploit_result.exploitation_success = True
self._publish_exploitation_event(
target=self.host.ip_addr,
exploitation_success=True,
tags=(
SSH_EXPLOITER_TAG,
T1110_ATTACK_TECHNIQUE_TAG,
T1021_ATTACK_TECHNIQUE_TAG,
),
)
self.report_login_attempt(True, user, current_password)
return ssh
except paramiko.AuthenticationException as err:
logger.debug(
"Failed logging into victim %r with user" " %s: (%s)",
self.host,
user,
err,
error_message = f"Failed logging into victim {self.host} with user: {user}: {err}"
logger.debug(error_message)
self._publish_exploitation_event(
target=self.host.ip_addr,
exploitation_success=False,
error_message=error_message,
tags=(SSH_EXPLOITER_TAG,),
)
self.report_login_attempt(False, user, current_password)
ssh.close()
@ -159,7 +191,12 @@ class SSHExploiter(HostExploiter):
is_open, _ = check_tcp_port(self.host.ip_addr, port)
if not is_open:
self.exploit_result.error_message = f"SSH port is closed on {self.host}, skipping"
self._publish_exploitation_event(
target=self.host.ip_addr,
exploitation_success=False,
error_message=self.exploit_result.error_message,
tags=(SSH_EXPLOITER_TAG,),
)
logger.info(self.exploit_result.error_message)
return self.exploit_result
@ -188,23 +225,12 @@ class SSHExploiter(HostExploiter):
self.exploit_result.error_message = f"SSH Skipping unknown os: {uname_os}"
if not uname_os:
self._publish_propagation_event(
target=self.host.ip_addr,
propagation_success=False,
error_message=self.exploit_result.error_message,
)
logger.error(self.exploit_result.error_message)
return self.exploit_result
except Exception as exc:
self.exploit_result.error_message = (
f"Error running uname os command on victim {self.host}: ({exc})"
)
self._publish_propagation_event(
target=self.host.ip_addr,
propagation_success=False,
error_message=self.exploit_result.error_message,
)
logger.error(self.exploit_result.error_message)
return self.exploit_result
@ -222,6 +248,7 @@ class SSHExploiter(HostExploiter):
target=self.host.ip_addr,
propagation_success=False,
error_message=self.exploit_result.error_message,
tags=(SSH_EXPLOITER_TAG,),
)
logger.error(self.exploit_result.error_message)
@ -265,7 +292,7 @@ class SSHExploiter(HostExploiter):
target=self.host.ip_addr,
propagation_success=False,
error_message=self.exploit_result.error_message,
tags=frozenset((T1105_ATTACK_TECHNIQUE_TAG,)),
tags=(SSH_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG, T1222_ATTACK_TECHNIQUE_TAG),
)
return self.exploit_result
@ -287,7 +314,7 @@ class SSHExploiter(HostExploiter):
self._publish_propagation_event(
target=self.host.ip_addr,
propagation_success=True,
tags=frozenset((T1105_ATTACK_TECHNIQUE_TAG,)),
tags=(SSH_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG, T1222_ATTACK_TECHNIQUE_TAG),
)
ssh.close()
@ -303,7 +330,7 @@ class SSHExploiter(HostExploiter):
target=self.host.ip_addr,
propagation_success=False,
error_message=self.exploit_result.error_message,
tags=frozenset((T1105_ATTACK_TECHNIQUE_TAG,)),
tags=(SSH_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG, T1222_ATTACK_TECHNIQUE_TAG),
)
logger.error(self.exploit_result.error_message)
@ -320,9 +347,3 @@ class SSHExploiter(HostExploiter):
self.host,
)
)
self._publish_propagation_event(
target=self.host.ip_addr,
propagation_success=False,
tags=frozenset((T1222_ATTACK_TECHNIQUE_TAG,)),
)