Added the_commander to KP server plugins #41
base: master
Conversation
server/the_commander.py
return | ||
username = username.split('\\')[-1] | ||
|
||
illegal_chars = ['/', '\\', '[', ']', ':', ';', '|', '=', ',', '+', '*', '?', '<', '>', ' ', '&', '!', '~', '#', '%', '^', '(', ')', '{', '}' '`'] |
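Review bot: the illegal_chars list on this line is missing a comma between the '}' entry and the '`' entry, so Python's implicit string concatenation joins them into the single two-character string "}`" and neither a lone '}' nor a lone backtick is ever matched by the check; add the comma. More generally, a character blocklist in front of a shell command is fragile (it also rejects legitimate passwords containing a space or '!'); if the command is built as a list of arguments and run without a shell, the username that this hunk strips the domain prefix from can be passed through unchanged with no escaping at all.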
Instead of escaping, it might be better to use the shlex.quote function to escape the username, password, and mfa-token values. I think the downside to this approach would be that it'd break options --like=this where the value is not exactly one token. It would be worth testing that though.
Initially I was using shlex.quote but it ended up not working out well. Just running shlex.quote on the user input led to stack traces in instances where the user's password contained a single or double quote.

Reproduce
- Try changing out the re.escape with shlex.quote
- Put a single quote somewhere in your password.
- Let the rage flow through you while troubleshooting the ValueError: No closing quotation exception from shlex
I'm unable to reproduce this. StackOverflow might be a questionable source, but per this answer it looks like it's the correct way to go.

```
In [1]: import shlex
In [2]: print(shlex.quote("""it's a nice day..."""))
'it'"'"'s a nice day...'
In [3]: len(shlex.split(shlex.quote("""it's a nice day...""")))
Out[3]: 1
```
That's not quite what's taking place in the code.

```python
import shlex
command = 'echo "{username} {password} {mfa}"'
passw = "super'secret"
passw = shlex.quote(passw)
command = command.format(username='test', password=passw, mfa='123456')
shlex.split(command)
```

It's all dependent on what the user enters as a command. You can follow the same steps above without double quotes in command and be all set.
…aracter check. This fixes that.
Alright, I've given this a lot of thought and I think the best way to move forward with this is to separate out the command and parsing logic a bit more. As it is now, it's a bit over-fitted for your particular use case which, as awesome as it is, I think there's a lot more potential here to use this for executing something the user specifies. To that end, what I'd like to see is this reworked to take more configuration around the I'm thinking the command would be like:

```
command:
  - /path/to/your/script.sh
  - {username}
  - {password}
  - someOtherArg
```

Then you'd iterate over command, formatting each element in the array to replace Finally, to determine success, you should check the status code which is again only available if you wait on the child process. The error message should then be a bit more generic as the script that was executed could have done anything from send an alert, SSH'ed into something or started the VPN.
Added the_commander.py to help operators perform phishing engagements against targets with MFA. This plugin can be used to automatically execute arbitrary commands from the KP server after the target enters credentials. I've included two example commands in the description to help users get started. One command executes openconnect from the KP server and the second command establishes an SSH tunnel to another resource before executing openconnect.

See the description for more details.

Note: The plugin makes no attempt to verify the package being executed is actually installed. It's up to the user to make sure packages like openconnect are already installed prior to using this plugin.