forked from p15670423/monkey
Merge pull request #444 from guardicore/434/bugfix/plaintext-passwords-logged
Hashing lm+ntlm hashes to make sure we don't log them plaintext
commit
5c680256cd
|
@ -68,8 +68,12 @@ class SmbExploiter(HostExploiter):
|
||||||
self._config.smb_download_timeout)
|
self._config.smb_download_timeout)
|
||||||
|
|
||||||
if remote_full_path is not None:
|
if remote_full_path is not None:
|
||||||
LOG.debug("Successfully logged in %r using SMB (%s : (SHA-512) %s : %s : %s)",
|
LOG.debug("Successfully logged in %r using SMB (%s : (SHA-512) %s : (SHA-512) %s : (SHA-512) %s)",
|
||||||
self.host, user, self._config.hash_sensitive_data(password), lm_hash, ntlm_hash)
|
self.host,
|
||||||
|
user,
|
||||||
|
self._config.hash_sensitive_data(password),
|
||||||
|
self._config.hash_sensitive_data(lm_hash),
|
||||||
|
self._config.hash_sensitive_data(ntlm_hash))
|
||||||
self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
|
self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
|
||||||
self.add_vuln_port("%s or %s" % (SmbExploiter.KNOWN_PROTOCOLS['139/SMB'][1],
|
self.add_vuln_port("%s or %s" % (SmbExploiter.KNOWN_PROTOCOLS['139/SMB'][1],
|
||||||
SmbExploiter.KNOWN_PROTOCOLS['445/SMB'][1]))
|
SmbExploiter.KNOWN_PROTOCOLS['445/SMB'][1]))
|
||||||
|
@ -80,9 +84,15 @@ class SmbExploiter(HostExploiter):
|
||||||
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
|
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
|
||||||
|
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
LOG.debug("Exception when trying to copy file using SMB to %r with user:"
|
LOG.debug(
|
||||||
" %s, password (SHA-512): '%s', LM hash: %s, NTLM hash: %s: (%s)", self.host,
|
"Exception when trying to copy file using SMB to %r with user:"
|
||||||
user, self._config.hash_sensitive_data(password), lm_hash, ntlm_hash, exc)
|
" %s, password (SHA-512): '%s', LM hash (SHA-512): %s, NTLM hash (SHA-512): %s: (%s)",
|
||||||
|
self.host,
|
||||||
|
user,
|
||||||
|
self._config.hash_sensitive_data(password),
|
||||||
|
self._config.hash_sensitive_data(lm_hash),
|
||||||
|
self._config.hash_sensitive_data(ntlm_hash),
|
||||||
|
exc)
|
||||||
continue
|
continue
|
||||||
|
|
||||||
if not exploited:
|
if not exploited:
|
||||||
|
@ -92,7 +102,8 @@ class SmbExploiter(HostExploiter):
|
||||||
# execute the remote dropper in case the path isn't final
|
# execute the remote dropper in case the path isn't final
|
||||||
if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
|
if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
|
||||||
cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path} + \
|
cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path} + \
|
||||||
build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path_win_32)
|
build_monkey_commandline(self.host, get_monkey_depth() - 1,
|
||||||
|
self._config.dropper_target_path_win_32)
|
||||||
else:
|
else:
|
||||||
cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {'monkey_path': remote_full_path} + \
|
cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {'monkey_path': remote_full_path} + \
|
||||||
build_monkey_commandline(self.host, get_monkey_depth() - 1)
|
build_monkey_commandline(self.host, get_monkey_depth() - 1)
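Review bot: The LM and NTLM values logged in the success message and in the `except Exception` handler are labelled "(SHA-512)", but `hash_sensitive_data` is not shown on this page, so whether it salts or keys the digest cannot be confirmed here. An unkeyed digest is deterministic: the same credential yields the same string in every log, and anyone holding the log can test candidate values against it, which matters because an NTLM hash authenticates on its own. If the helper is unkeyed, consider a per-run keyed digest such as `hmac.new(run_key, value, hashlib.sha512).hexdigest()` (`run_key` being a placeholder for a random per-run secret), or log only a short prefix of the digest. The same applies to the SmbTools and WmiExploiter call sites changed by this commit. The enclosing method starts and ends outside these hunks.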
|
||||||
|
|
|
@ -32,8 +32,12 @@ class SmbTools(object):
|
||||||
# skip guest users
|
# skip guest users
|
||||||
if smb.isGuestSession() > 0:
|
if smb.isGuestSession() > 0:
|
||||||
LOG.debug("Connection to %r granted guest privileges with user: %s, password (SHA-512): '%s',"
|
LOG.debug("Connection to %r granted guest privileges with user: %s, password (SHA-512): '%s',"
|
||||||
" LM hash: %s, NTLM hash: %s",
|
" LM hash (SHA-512): %s, NTLM hash (SHA-512): %s",
|
||||||
host, username, Configuration.hash_sensitive_data(password), lm_hash, ntlm_hash)
|
host,
|
||||||
|
username,
|
||||||
|
Configuration.hash_sensitive_data(password),
|
||||||
|
Configuration.hash_sensitive_data(lm_hash),
|
||||||
|
Configuration.hash_sensitive_data(ntlm_hash))
|
||||||
|
|
||||||
try:
|
try:
|
||||||
smb.logoff()
|
smb.logoff()
|
||||||
|
@ -164,9 +168,13 @@ class SmbTools(object):
|
||||||
smb = None
|
smb = None
|
||||||
|
|
||||||
if not file_uploaded:
|
if not file_uploaded:
|
||||||
LOG.debug("Couldn't find a writable share for exploiting"
|
LOG.debug("Couldn't find a writable share for exploiting victim %r with "
|
||||||
" victim %r with username: %s, password (SHA-512): '%s', LM hash: %s, NTLM hash: %s",
|
"username: %s, password (SHA-512): '%s', LM hash (SHA-512): %s, NTLM hash (SHA-512): %s",
|
||||||
host, username, Configuration.hash_sensitive_data(password), lm_hash, ntlm_hash)
|
host,
|
||||||
|
username,
|
||||||
|
Configuration.hash_sensitive_data(password),
|
||||||
|
Configuration.hash_sensitive_data(lm_hash),
|
||||||
|
Configuration.hash_sensitive_data(ntlm_hash))
|
||||||
return None
|
return None
|
||||||
|
|
||||||
return remote_full_path
|
return remote_full_path
|
||||||
|
@ -195,8 +203,14 @@ class SmbTools(object):
|
||||||
smb.login(username, password, '', lm_hash, ntlm_hash)
|
smb.login(username, password, '', lm_hash, ntlm_hash)
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
LOG.debug(
|
LOG.debug(
|
||||||
"Error while logging into %r using user: %s, password (SHA-512): '%s', LM hash: %s, NTLM hash: %s: %s",
|
"Error while logging into %r using user: %s, password (SHA-512): '%s', "
|
||||||
host, username, Configuration.hash_sensitive_data(password), lm_hash, ntlm_hash, exc)
|
"LM hash (SHA-512): %s, NTLM hash (SHA-512): %s: %s",
|
||||||
|
host,
|
||||||
|
username,
|
||||||
|
Configuration.hash_sensitive_data(password),
|
||||||
|
Configuration.hash_sensitive_data(lm_hash),
|
||||||
|
Configuration.hash_sensitive_data(ntlm_hash),
|
||||||
|
exc)
|
||||||
return None, dialect
|
return None, dialect
|
||||||
|
|
||||||
smb.setTimeout(timeout)
|
smb.setTimeout(timeout)
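Review bot: When a credential tuple carries only a password, `lm_hash` and `ntlm_hash` are presumably empty, so the three debug calls changed here (guest session, no writable share, login error) would print the digest of an empty value, which is identical on every line and reads like a real credential. Whether `Configuration.hash_sensitive_data` special-cases empty input is not visible on this page; if it does not, guard at the call site, e.g. `Configuration.hash_sensitive_data(lm_hash) if lm_hash else '<none>'`. The same redaction of password, LM hash and NTLM hash is now repeated at every call site, so a small helper returning the redacted values would keep a future log line from missing a field. The enclosing functions extend beyond the hunks.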
|
||||||
|
|
|
@ -37,9 +37,10 @@ class WmiExploiter(HostExploiter):
|
||||||
|
|
||||||
for user, password, lm_hash, ntlm_hash in creds:
|
for user, password, lm_hash, ntlm_hash in creds:
|
||||||
password_hashed = self._config.hash_sensitive_data(password)
|
password_hashed = self._config.hash_sensitive_data(password)
|
||||||
LOG.debug("Attempting to connect %r using WMI with "
|
lm_hash_hashed = self._config.hash_sensitive_data(lm_hash)
|
||||||
"user,password (SHA-512),lm hash,ntlm hash: ('%s','%s','%s','%s')",
|
mtlm_hash_hashed = self._config.hash_sensitive_data(ntlm_hash)
|
||||||
self.host, user, password_hashed, lm_hash, ntlm_hash)
|
creds_for_logging = "user, password (SHA-512), lm hash (SHA-512), ntlm hash (SHA-512): ({},{},{},{})".format(user, password_hashed, lm_hash_hashed, mtlm_hash_hashed)
|
||||||
|
LOG.debug(("Attempting to connect %r using WMI with " % self.host) + creds_for_logging)
|
||||||
|
|
||||||
wmi_connection = WmiTools.WmiConnection()
|
wmi_connection = WmiTools.WmiConnection()
|
||||||
|
|
||||||
|
@ -47,25 +48,21 @@ class WmiExploiter(HostExploiter):
|
||||||
wmi_connection.connect(self.host, user, password, None, lm_hash, ntlm_hash)
|
wmi_connection.connect(self.host, user, password, None, lm_hash, ntlm_hash)
|
||||||
except AccessDeniedException:
|
except AccessDeniedException:
|
||||||
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
|
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
|
||||||
LOG.debug("Failed connecting to %r using WMI with "
|
LOG.debug(("Failed connecting to %r using WMI with " % self.host) + creds_for_logging)
|
||||||
"user,password (SHA-512),lm hash,ntlm hash: ('%s','%s','%s','%s')",
|
|
||||||
self.host, user, password_hashed, lm_hash, ntlm_hash)
|
|
||||||
continue
|
continue
|
||||||
except DCERPCException:
|
except DCERPCException:
|
||||||
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
|
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
|
||||||
LOG.debug("Failed connecting to %r using WMI with "
|
LOG.debug(("Failed connecting to %r using WMI with " % self.host) + creds_for_logging)
|
||||||
"user,password (SHA-512),lm hash,ntlm hash: ('%s','%s','%s','%s')",
|
|
||||||
self.host, user, password_hashed, lm_hash, ntlm_hash)
|
|
||||||
continue
|
continue
|
||||||
except socket.error:
|
except socket.error:
|
||||||
LOG.debug("Network error in WMI connection to %r with "
|
LOG.debug(("Network error in WMI connection to %r with " % self.host) + creds_for_logging)
|
||||||
"user,password (SHA-512),lm hash,ntlm hash: ('%s','%s','%s','%s')",
|
|
||||||
self.host, user, password_hashed, lm_hash, ntlm_hash)
|
|
||||||
return False
|
return False
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
LOG.debug("Unknown WMI connection error to %r with "
|
LOG.debug(
|
||||||
"user,password (SHA-512),lm hash,ntlm hash: ('%s','%s','%s','%s') (%s):\n%s",
|
("Unknown WMI connection error to %r with " % self.host)
|
||||||
self.host, user, password_hashed, lm_hash, ntlm_hash, exc, traceback.format_exc())
|
+ creds_for_logging
|
||||||
|
+ (" (%s):\n%s" % (exc, traceback.format_exc()))
|
||||||
|
)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
|
self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
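Review bot: `mtlm_hash_hashed` in the credential loop is a typo for `ntlm_hash_hashed`; it is used consistently, so the code runs, but the name should be corrected. The new messages are built eagerly with `%` and `.format` and handed to `LOG.debug` as a finished string, so the formatting runs for every credential even when debug logging is disabled. Passing arguments keeps it lazy: `LOG.debug("Attempting to connect %r using WMI with %s", self.host, creds_for_logging)`. `creds_for_logging` also drops the quotes the old format placed around each value, so a username containing a comma makes the fields ambiguous. The loop body continues outside both hunks.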
|
||||||
|
|