shadowbrokers-exploits/windows/Resources/Ops/PyScripts/scansweep/monitorengine/netconnections.py


import ops
import os.path
import imp
import re
import glob
import os
import sys
from xml.etree.ElementTree import ElementTree
import dsz
import ops.cmd
from monitorengine import monitor
DSZ_NS = '{urn:mca:db00db84-8b5b-2141-a632b5980175d3c6}'
COMMANDDATA_TAG = ('%sCommandData' % DSZ_NS)
NETCONNECTION_PATTERN = 'Data/*netconnections*xml'
CONNECTIONS_TAG = ('%sConnections' % DSZ_NS)
CONNECTION_TAG = ('%sConnection' % DSZ_NS)
REMOTE_IP_TAG = ('%sRemoteAddress' % DSZ_NS)
LOCAL_IP_TAG = ('%sLocalAddress' % DSZ_NS)
LOCAL_PORT_TAG = ('%sLocalPort' % DSZ_NS)
REMOTE_PORT_TAG = ('%sRemotePort' % DSZ_NS)
STARTED_TAG = ('%sStarted' % DSZ_NS)
PID_TAG = ('%sPid' % DSZ_NS)
IPV4_TAG = ('%sIPv4Address' % DSZ_NS)
IPV6_TAG = ('%sIPv6Address' % DSZ_NS)

def _whats_your_job():
    return 'netconnections'

def _whats_your_name():
    return 'netconnections'

class netconnectionObj(object, ):

    def __init__(self):
        self.localaddress = ''
        self.remoteaddress = ''
        self.localport = 0
        self.remoteport = 0
        self.pid = 0
        self.state = ''
        self.valid = False
        self.type = ''
        self.iptype = ''

class netconnections(monitor, ):

    def __init__(self, job):
        monitor.__init__(self, job, NETCONNECTION_PATTERN)

    def parse_data(self, file_to_read):
        if (not file_to_read):
            return
        data_path = '/'.join([COMMANDDATA_TAG, CONNECTIONS_TAG, STARTED_TAG, CONNECTION_TAG])
        tree = ElementTree()
        try:
            tree.parse(file_to_read)
        except:
            dsz.ui.Echo(("Couldn't parse XML file: %s" % file_to_read), dsz.WARNING)
            return (False, None)
        connections = tree.findall(data_path)
        netconnections_list = []
        for connection in connections:
            this_connection = netconnectionObj()
            this_connection.state = connection.get('state').strip()
            this_connection.valid = bool(connection.get('valid'))
            this_connection.type = connection.get('type').strip()
            remote_ip_tag = connection.find('/'.join([REMOTE_IP_TAG, IPV4_TAG]))
            local_ip_tag = connection.find('/'.join([LOCAL_IP_TAG, IPV4_TAG]))
            this_connection.iptype = 'ipv4'
            if (local_ip_tag is None):
                remote_ip_tag = connection.find('/'.join([REMOTE_IP_TAG, IPV6_TAG]))
                local_ip_tag = connection.find('/'.join([LOCAL_IP_TAG, IPV6_TAG]))
                this_connection.iptype = 'ipv6'
            if (local_ip_tag is None):
                continue
            this_connection.localaddress = local_ip_tag.text.strip().split('%')[0]
            this_connection.remoteaddress = remote_ip_tag.text.strip().split('%')[0]
            if (this_connection.localaddress == '127.0.0.1'):
                continue
            local_port_tag = connection.find(LOCAL_PORT_TAG)
            remote_port_tag = connection.find(REMOTE_PORT_TAG)
            this_connection.localport = int(local_port_tag.text.strip())
            this_connection.remoteport = int(remote_port_tag.text.strip())
            pid_tag = connection.find('/'.join([PID_TAG]))
            this_connection.pid = int(pid_tag.text.strip())
            this_connection.target = this_connection.remoteaddress
            netconnections_list.append(this_connection)
        return (True, netconnections_list)

    def check_escalation(self, escalation_rule, connection):
        netconnections = connection
        try:
            if eval(escalation_rule):
                return True
            else:
                return False
        except:
            return False

    def verify_escalation(self, escalation_rule):
        netconnections = netconnectionObj()
        try:
            eval_res = eval(escalation_rule)
            if ((eval_res == True) or (eval_res == False)):
                return True
            else:
                return False
        except:
            return False
Inital commit of Shadowbrokers 'Lost in Translation' release 2017-04-14 09:45:07 +00:00
			`import ops`
			`import os.path`
			`import imp`
			`import re`
			`import glob`
			`import os`
			`import sys`
			`from xml.etree.ElementTree import ElementTree`
			`import dsz`
			`import ops.cmd`
			`from monitorengine import monitor`
			`DSZ_NS = '{urn:mca:db00db84-8b5b-2141-a632b5980175d3c6}'`
			`COMMANDDATA_TAG = ('%sCommandData' % DSZ_NS)`
			`NETCONNECTION_PATTERN = 'Data/netconnectionsxml'`
			`CONNECTIONS_TAG = ('%sConnections' % DSZ_NS)`
			`CONNECTION_TAG = ('%sConnection' % DSZ_NS)`
			`REMOTE_IP_TAG = ('%sRemoteAddress' % DSZ_NS)`
			`LOCAL_IP_TAG = ('%sLocalAddress' % DSZ_NS)`
			`LOCAL_PORT_TAG = ('%sLocalPort' % DSZ_NS)`
			`REMOTE_PORT_TAG = ('%sRemotePort' % DSZ_NS)`
			`STARTED_TAG = ('%sStarted' % DSZ_NS)`
			`PID_TAG = ('%sPid' % DSZ_NS)`
			`IPV4_TAG = ('%sIPv4Address' % DSZ_NS)`
			`IPV6_TAG = ('%sIPv6Address' % DSZ_NS)`

			`def _whats_your_job():`
			`return 'netconnections'`

			`def _whats_your_name():`
			`return 'netconnections'`

			`class netconnectionObj(object, ):`

			`def __init__(self):`
			`self.localaddress = ''`
			`self.remoteaddress = ''`
			`self.localport = 0`
			`self.remoteport = 0`
			`self.pid = 0`
			`self.state = ''`
			`self.valid = False`
			`self.type = ''`
			`self.iptype = ''`

			`class netconnections(monitor, ):`

			`def __init__(self, job):`
			`monitor.__init__(self, job, NETCONNECTION_PATTERN)`

			`def parse_data(self, file_to_read):`
			`if (not file_to_read):`
			`return`
			`data_path = '/'.join([COMMANDDATA_TAG, CONNECTIONS_TAG, STARTED_TAG, CONNECTION_TAG])`
			`tree = ElementTree()`
			`try:`
			`tree.parse(file_to_read)`
			`except:`
			`dsz.ui.Echo(("Couldn't parse XML file: %s" % file_to_read), dsz.WARNING)`
			`return (False, None)`
			`connections = tree.findall(data_path)`
			`netconnections_list = []`
			`for connection in connections:`
			`this_connection = netconnectionObj()`
			`this_connection.state = connection.get('state').strip()`
			`this_connection.valid = bool(connection.get('valid'))`
			`this_connection.type = connection.get('type').strip()`
			`remote_ip_tag = connection.find('/'.join([REMOTE_IP_TAG, IPV4_TAG]))`
			`local_ip_tag = connection.find('/'.join([LOCAL_IP_TAG, IPV4_TAG]))`
			`this_connection.iptype = 'ipv4'`
			`if (local_ip_tag is None):`
			`remote_ip_tag = connection.find('/'.join([REMOTE_IP_TAG, IPV6_TAG]))`
			`local_ip_tag = connection.find('/'.join([LOCAL_IP_TAG, IPV6_TAG]))`
			`this_connection.iptype = 'ipv6'`
			`if (local_ip_tag is None):`
			`continue`
			`this_connection.localaddress = local_ip_tag.text.strip().split('%')[0]`
			`this_connection.remoteaddress = remote_ip_tag.text.strip().split('%')[0]`
			`if (this_connection.localaddress == '127.0.0.1'):`
			`continue`
			`local_port_tag = connection.find(LOCAL_PORT_TAG)`
			`remote_port_tag = connection.find(REMOTE_PORT_TAG)`
			`this_connection.localport = int(local_port_tag.text.strip())`
			`this_connection.remoteport = int(remote_port_tag.text.strip())`
			`pid_tag = connection.find('/'.join([PID_TAG]))`
			`this_connection.pid = int(pid_tag.text.strip())`
			`this_connection.target = this_connection.remoteaddress`
			`netconnections_list.append(this_connection)`
			`return (True, netconnections_list)`

			`def check_escalation(self, escalation_rule, connection):`
			`netconnections = connection`
			`try:`
			`if eval(escalation_rule):`
			`return True`
			`else:`
			`return False`
			`except:`
			`return False`

			`def verify_escalation(self, escalation_rule):`
			`netconnections = netconnectionObj()`
			`try:`
			`eval_res = eval(escalation_rule)`
			`if ((eval_res == True) or (eval_res == False)):`
			`return True`
			`else:`
			`return False`
			`except:`
			`return False`