guardicore / monkey

Infection Monkey - An open-source adversary emulation platform
https://www.guardicore.com/infectionmonkey/
GNU General Public License v3.0

Fix impacket hard-coded timeout for PINGTimer #3654

Closed ilija-lazoroski closed 7 months ago

ilija-lazoroski commented 11 months ago

Describe the bug

Using impacket's WMI there is a timeout that waits about 120 seconds and makes the WMI Exploiter look like it is hanging. As per https://github.com/fortra/impacket/issues/1599 they would want a PR about this. This is related to https://github.com/guardicore/monkey/issues/3543

Expected behavior

Make a PR in impacket about the hard-coded timeout and test it. Add our own timeout in the WMI and test the plugin.

Machine version (please complete the following information):

XiaoliChan commented 11 months ago

Hello, I also have this issue: if the firewall rejects the stringbinding port like 'ncacn_ip_tcp:192.168.1.1[49666]', it will hang for a long time.

But different from you, I think this is caused by https://github.com/fortra/impacket/blob/master/impacket/dcerpc/v5/dcomrt.py#L1294

As you can see, it hard-codes 300s after getting the stringbinding and making the RPC connection

I made the dcom change with this PR https://github.com/mpgn/impacket/pull/1

And I tested with

dcom = DCOMConnection(...)
dcom.set_connect.timeout(10)

Can confirm it works

XiaoliChan commented 11 months ago

References

ilija-lazoroski commented 9 months ago

Hey @XiaoliChan, I think both of these are issues. I don't see why they would add a 120-second ping timeout. In https://github.com/fortra/impacket/issues/1599 I am seeing 120s between "hanging", which really says that that is the first issue. I will try to get them a PR about it and check to see if I still get any timeout.

XiaoliChan commented 9 months ago

Hey @XiaoliChan, I think both of these are issues. I don't see why they would add a 120-second ping timeout. In fortra/impacket#1599 I am seeing 120s between "hanging", which really says that that is the first issue. I will try to get them a PR about it and check to see if I still get any timeout.

My solution is to write a dcom firewall checker function to avoid the hanging

XiaoliChan commented 9 months ago

https://github.com/Pennyw0rth/NetExec/blob/be540f2d8768fe0fc3c85ffcf666c75d6e94a266/nxc/connection.py#L45C25-L45C25
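The pre-check idea from the comment above, written out as an added illustration (not the NetExec code linked, and not part of the thread): parse the stringbinding quoted earlier, then try a TCP connect to the dynamic RPC port with a short, bounded timeout before handing the connection to DCOM, so a firewall that silently drops the port fails fast instead of hanging for the hard-coded 300s. The function and regex names are assumptions.

```python
import re
import socket

# Stringbinding shape as quoted in the thread, e.g. "ncacn_ip_tcp:192.168.1.1[49666]".
_BINDING_RE = re.compile(r"^(?P<proto>[a-z_]+):(?P<host>[^\[\]]+)\[(?P<port>\d+)\]$")


def parse_stringbinding(binding: str):
    """Return (protocol, host, port) from a DCE/RPC string binding."""
    m = _BINDING_RE.match(binding.strip())
    if m is None:
        raise ValueError(f"unrecognised string binding: {binding!r}")
    return m.group("proto"), m.group("host"), int(m.group("port"))


def dynamic_port_reachable(binding: str, timeout: float = 3.0) -> bool:
    """Bounded TCP connect to the dynamic RPC endpoint named by the binding.

    A filtered port (SYN dropped by a firewall) returns False after `timeout`
    seconds; a closed port returns False almost immediately (connection
    refused); an open port returns True. Nothing is sent on the socket.
    """
    proto, host, port = parse_stringbinding(binding)
    if proto != "ncacn_ip_tcp":
        raise ValueError(f"only ncacn_ip_tcp bindings are checked, got {proto!r}")
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes socket.timeout and ECONNREFUSED
        return False


def demo_local_check():
    """Constructed demo: a listener on 127.0.0.1 is reachable, then unreachable once closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    binding = f"ncacn_ip_tcp:127.0.0.1[{port}]"
    while_open = dynamic_port_reachable(binding, timeout=1.0)
    srv.close()
    after_close = dynamic_port_reachable(binding, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print(demo_local_check())  # constructed demo, expect (True, False)
```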

ilija-lazoroski commented 7 months ago

Hey @XiaoliChan,

I can confirm that you were right. The ping timer doesn't cause the hanging and the dcom firewall checker does avoid the hanging. Thanks a lot for the help.

Mind if I ask why you haven't submitted a PR to the impacket repo about this? Are you planning to do so, and if not, do you mind if I do it?

XiaoliChan commented 7 months ago

Mind if I ask why you haven't submitted a PR to the impacket repo about this? Are you planning to do so, and if not, do you mind if I do it?

HAHA, because my solution is to add a global variable, since the function in dcomrt.py is freaking hard to trace, but I think it's ugly coding XD

Reference: