Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SMB vulnerable port fix #664

Merged
merged 3 commits into from
May 26, 2020
Merged

SMB vulnerable port fix #664

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9864720
Get node label performance improvement and small BB test changes
VakarisZ May 22, 2020
1ed49c6
Fixed smb exploiter bug where vulnerable port was not passed
VakarisZ May 26, 2020
8cf9c9f
Explicitly set vulnerable port to None
VakarisZ May 26, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 8 additions & 3 deletions monkey/infection_monkey/exploit/smbexec.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.helpers import get_target_monkey, get_monkey_depth, build_monkey_commandline
from infection_monkey.exploit.tools.smb_tools import SmbTools
from infection_monkey.model import MONKEY_CMDLINE_DETACHED_WINDOWS, DROPPER_CMDLINE_DETACHED_WINDOWS
from infection_monkey.model import MONKEY_CMDLINE_DETACHED_WINDOWS, DROPPER_CMDLINE_DETACHED_WINDOWS, VictimHost
from infection_monkey.network.smbfinger import SMBFinger
from infection_monkey.network.tools import check_tcp_port
from common.utils.exploit_enum import ExploitType
Expand Down Expand Up @@ -37,13 +37,11 @@ def is_os_supported(self):
if not self.host.os.get('type'):
is_smb_open, _ = check_tcp_port(self.host.ip_addr, 445)
if is_smb_open:
self.vulnerable_port = 445
smb_finger = SMBFinger()
smb_finger.get_host_fingerprint(self.host)
else:
is_nb_open, _ = check_tcp_port(self.host.ip_addr, 139)
if is_nb_open:
self.vulnerable_port = 139
self.host.os['type'] = 'windows'
return self.host.os.get('type') in self._TARGET_OS_TYPE
return False
Expand Down Expand Up @@ -102,6 +100,7 @@ def _exploit_host(self):
LOG.debug("Exploiter SmbExec is giving up...")
return False

self.set_vulnerable_port(self.host)
# execute the remote dropper in case the path isn't final
if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path} + \
Expand Down Expand Up @@ -164,3 +163,9 @@ def _exploit_host(self):
self.add_vuln_port("%s or %s" % (SmbExploiter.KNOWN_PROTOCOLS['139/SMB'][1],
SmbExploiter.KNOWN_PROTOCOLS['445/SMB'][1]))
return True

def set_vulnerable_port(self, host: VictimHost):
if 'tcp-445' in self.host.services:
self.vulnerable_port = "445"
elif 'tcp-139' in self.host.services:
self.vulnerable_port = "139"
Comment on lines +166 to +171
Copy link
Contributor

@ShayNehmad ShayNehmad May 26, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a hidden temporal coupling here. What if none of these services are in the list?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

vulnerable port remains none, which is fine