Merge pull request #444 from guardicore/434/bugfix/plaintext-passwords-logged

Hashing lm+ntlm hashes to make sure we don't log them plaintext
VakarisZ 2019-09-24 08:44:26 +03:00 committed by GitHub
commit 5c680256cd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 50 additions and 28 deletions


@ -68,8 +68,12 @@ class SmbExploiter(HostExploiter):
self._config.smb_download_timeout) self._config.smb_download_timeout)
if remote_full_path is not None: if remote_full_path is not None:
LOG.debug("Successfully logged in %r using SMB (%s : (SHA-512) %s : %s : %s)", LOG.debug("Successfully logged in %r using SMB (%s : (SHA-512) %s : (SHA-512) %s : (SHA-512) %s)",
self.host, user, self._config.hash_sensitive_data(password), lm_hash, ntlm_hash) self.host,
user,
self._config.hash_sensitive_data(password),
self._config.hash_sensitive_data(lm_hash),
self._config.hash_sensitive_data(ntlm_hash))
self.report_login_attempt(True, user, password, lm_hash, ntlm_hash) self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
self.add_vuln_port("%s or %s" % (SmbExploiter.KNOWN_PROTOCOLS['139/SMB'][1], self.add_vuln_port("%s or %s" % (SmbExploiter.KNOWN_PROTOCOLS['139/SMB'][1],
SmbExploiter.KNOWN_PROTOCOLS['445/SMB'][1])) SmbExploiter.KNOWN_PROTOCOLS['445/SMB'][1]))
@ -80,9 +84,15 @@ class SmbExploiter(HostExploiter):
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash) self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
except Exception as exc: except Exception as exc:
LOG.debug("Exception when trying to copy file using SMB to %r with user:" LOG.debug(
" %s, password (SHA-512): '%s', LM hash: %s, NTLM hash: %s: (%s)", self.host, "Exception when trying to copy file using SMB to %r with user:"
user, self._config.hash_sensitive_data(password), lm_hash, ntlm_hash, exc) " %s, password (SHA-512): '%s', LM hash (SHA-512): %s, NTLM hash (SHA-512): %s: (%s)",
self.host,
user,
self._config.hash_sensitive_data(password),
self._config.hash_sensitive_data(lm_hash),
self._config.hash_sensitive_data(ntlm_hash),
exc)
continue continue
if not exploited: if not exploited:
@ -92,7 +102,8 @@ class SmbExploiter(HostExploiter):
# execute the remote dropper in case the path isn't final # execute the remote dropper in case the path isn't final
if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower(): if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path} + \ cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path} + \
build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path_win_32) build_monkey_commandline(self.host, get_monkey_depth() - 1,
self._config.dropper_target_path_win_32)
else: else:
cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {'monkey_path': remote_full_path} + \ cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {'monkey_path': remote_full_path} + \
build_monkey_commandline(self.host, get_monkey_depth() - 1) build_monkey_commandline(self.host, get_monkey_depth() - 1)
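Review bot: The values now written by the two `LOG.debug` calls in this section are labelled as plain SHA-512, and if `hash_sensitive_data` (not shown here) applies no salt or key, anyone who can read the debug log can still test candidate passwords against the digests offline and can see where the same credential was reused across hosts. LM and NTLM hashes are password-equivalent for SMB authentication, so hashing them before logging is right, but the log still needs to be handled as sensitive. I would state that next to the first call, e.g. `# digests are for correlation only; they are unsalted, so keep this log access-controlled`, or log only a short prefix of each digest if the full value is not needed for debugging. The same applies to the calls in the SmbTools and WmiExploiter sections, and the enclosing method starts and ends outside the hunks shown.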


@ -32,8 +32,12 @@ class SmbTools(object):
# skip guest users # skip guest users
if smb.isGuestSession() > 0: if smb.isGuestSession() > 0:
LOG.debug("Connection to %r granted guest privileges with user: %s, password (SHA-512): '%s'," LOG.debug("Connection to %r granted guest privileges with user: %s, password (SHA-512): '%s',"
" LM hash: %s, NTLM hash: %s", " LM hash (SHA-512): %s, NTLM hash (SHA-512): %s",
host, username, Configuration.hash_sensitive_data(password), lm_hash, ntlm_hash) host,
username,
Configuration.hash_sensitive_data(password),
Configuration.hash_sensitive_data(lm_hash),
Configuration.hash_sensitive_data(ntlm_hash))
try: try:
smb.logoff() smb.logoff()
@ -164,9 +168,13 @@ class SmbTools(object):
smb = None smb = None
if not file_uploaded: if not file_uploaded:
LOG.debug("Couldn't find a writable share for exploiting" LOG.debug("Couldn't find a writable share for exploiting victim %r with "
" victim %r with username: %s, password (SHA-512): '%s', LM hash: %s, NTLM hash: %s", "username: %s, password (SHA-512): '%s', LM hash (SHA-512): %s, NTLM hash (SHA-512): %s",
host, username, Configuration.hash_sensitive_data(password), lm_hash, ntlm_hash) host,
username,
Configuration.hash_sensitive_data(password),
Configuration.hash_sensitive_data(lm_hash),
Configuration.hash_sensitive_data(ntlm_hash))
return None return None
return remote_full_path return remote_full_path
@ -195,8 +203,14 @@ class SmbTools(object):
smb.login(username, password, '', lm_hash, ntlm_hash) smb.login(username, password, '', lm_hash, ntlm_hash)
except Exception as exc: except Exception as exc:
LOG.debug( LOG.debug(
"Error while logging into %r using user: %s, password (SHA-512): '%s', LM hash: %s, NTLM hash: %s: %s", "Error while logging into %r using user: %s, password (SHA-512): '%s', "
host, username, Configuration.hash_sensitive_data(password), lm_hash, ntlm_hash, exc) "LM hash (SHA-512): %s, NTLM hash (SHA-512): %s: %s",
host,
username,
Configuration.hash_sensitive_data(password),
Configuration.hash_sensitive_data(lm_hash),
Configuration.hash_sensitive_data(ntlm_hash),
exc)
return None, dialect return None, dialect
smb.setTimeout(timeout) smb.setTimeout(timeout)
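Review bot: The three `LOG.debug` calls in this section, like the two in the SmbExploiter section, each repeat `hash_sensitive_data(...)` by hand for the password, LM hash and NTLM hash, which is the pattern that left the LM/NTLM fields unredacted before this change. One helper, e.g. `def _redact(*secrets): return tuple(Configuration.hash_sensitive_data(s) for s in secrets)`, would give every call site the redacted triple and make a forgotten field harder to write. It is also not visible here what `hash_sensitive_data` returns for an empty or `None` hash (a credential set that carries only a password); if it hashes the empty value, each such line shows a constant digest that reads like a real secret, and a placeholder such as `'<none>'` would be clearer. All three calls sit in functions whose bodies extend beyond the hunks.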


@ -37,9 +37,10 @@ class WmiExploiter(HostExploiter):
for user, password, lm_hash, ntlm_hash in creds: for user, password, lm_hash, ntlm_hash in creds:
password_hashed = self._config.hash_sensitive_data(password) password_hashed = self._config.hash_sensitive_data(password)
LOG.debug("Attempting to connect %r using WMI with " lm_hash_hashed = self._config.hash_sensitive_data(lm_hash)
"user,password (SHA-512),lm hash,ntlm hash: ('%s','%s','%s','%s')", mtlm_hash_hashed = self._config.hash_sensitive_data(ntlm_hash)
self.host, user, password_hashed, lm_hash, ntlm_hash) creds_for_logging = "user, password (SHA-512), lm hash (SHA-512), ntlm hash (SHA-512): ({},{},{},{})".format(user, password_hashed, lm_hash_hashed, mtlm_hash_hashed)
LOG.debug(("Attempting to connect %r using WMI with " % self.host) + creds_for_logging)
wmi_connection = WmiTools.WmiConnection() wmi_connection = WmiTools.WmiConnection()
@ -47,25 +48,21 @@ class WmiExploiter(HostExploiter):
wmi_connection.connect(self.host, user, password, None, lm_hash, ntlm_hash) wmi_connection.connect(self.host, user, password, None, lm_hash, ntlm_hash)
except AccessDeniedException: except AccessDeniedException:
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash) self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
LOG.debug("Failed connecting to %r using WMI with " LOG.debug(("Failed connecting to %r using WMI with " % self.host) + creds_for_logging)
"user,password (SHA-512),lm hash,ntlm hash: ('%s','%s','%s','%s')",
self.host, user, password_hashed, lm_hash, ntlm_hash)
continue continue
except DCERPCException: except DCERPCException:
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash) self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
LOG.debug("Failed connecting to %r using WMI with " LOG.debug(("Failed connecting to %r using WMI with " % self.host) + creds_for_logging)
"user,password (SHA-512),lm hash,ntlm hash: ('%s','%s','%s','%s')",
self.host, user, password_hashed, lm_hash, ntlm_hash)
continue continue
except socket.error: except socket.error:
LOG.debug("Network error in WMI connection to %r with " LOG.debug(("Network error in WMI connection to %r with " % self.host) + creds_for_logging)
"user,password (SHA-512),lm hash,ntlm hash: ('%s','%s','%s','%s')",
self.host, user, password_hashed, lm_hash, ntlm_hash)
return False return False
except Exception as exc: except Exception as exc:
LOG.debug("Unknown WMI connection error to %r with " LOG.debug(
"user,password (SHA-512),lm hash,ntlm hash: ('%s','%s','%s','%s') (%s):\n%s", ("Unknown WMI connection error to %r with " % self.host)
self.host, user, password_hashed, lm_hash, ntlm_hash, exc, traceback.format_exc()) + creds_for_logging
+ (" (%s):\n%s" % (exc, traceback.format_exc()))
)
return False return False
self.report_login_attempt(True, user, password, lm_hash, ntlm_hash) self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
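Review bot: The new local assigned from `hash_sensitive_data(ntlm_hash)` is spelled `mtlm_hash_hashed`; it is used consistently so nothing breaks, but it should be `ntlm_hash_hashed`. The `LOG.debug` calls in this section now build the whole message with `%` and `+` before the logger is called, unlike the SMB files, which pass arguments and let logging format lazily; `LOG.debug("Failed connecting to %r using WMI with %s", self.host, creds_for_logging)` keeps the shared string and the lazy formatting. The `creds_for_logging` line is much longer than the other lines in this commit and drops the quotes the old format put around each value, so a user name containing a comma makes the logged tuple ambiguous. The `for` loop body continues outside the hunks.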