|
|
|
|
'''
|
|
|
|
|
渗透测试任务管理类 一次任务的闭合性要检查2025-3-10 一次任务后要清理LLM和InstrM的数据
|
|
|
|
|
'''
|
|
|
|
|
from TargetManager import TargetManager # 从模块导入类
|
|
|
|
|
#from LLMManager import LLMManager # 同理修正其他导入
|
|
|
|
|
from mycode.ControlCenter import ControlCenter #控制中心替代LLM--控制中心要实现一定的基础逻辑和渗透测试树的维护。
|
|
|
|
|
from myutils.FileManager import FileManager
|
|
|
|
|
from InstructionManager import InstructionManager
|
|
|
|
|
from mycode.DBManager import DBManager
|
|
|
|
|
from myutils.MyTime import get_local_timestr
|
|
|
|
|
from myutils.MyLogger_logger import LogHandler
|
|
|
|
|
import pickle
|
|
|
|
|
import queue
|
|
|
|
|
import time
|
|
|
|
|
import os
|
|
|
|
|
import threading
|
|
|
|
|
|
|
|
|
|
class TaskManager:
|
|
|
|
|
|
|
|
|
|
def __init__(self):
|
|
|
|
|
self.TargetM = TargetManager()
|
|
|
|
|
self.logger = LogHandler().get_logger("TaskManager")
|
|
|
|
|
# 生成功能对象
|
|
|
|
|
self.DBM = DBManager() #主进程一个DBM
|
|
|
|
|
if not self.DBM.connect():
|
|
|
|
|
self.logger.error("数据库连接失败!终止工作!")
|
|
|
|
|
return
|
|
|
|
|
self.CCM = ControlCenter(self.DBM,self)
|
|
|
|
|
self.InstrM = InstructionManager(self) # 类对象渗透,要约束只读取信息
|
|
|
|
|
# 控制最大并发指令数量
|
|
|
|
|
self.max_thread_num = 6
|
|
|
|
|
self.task_id = 0 #任务id --
|
|
|
|
|
self.workth_list = [] #线程句柄list
|
|
|
|
|
# self.long_instr_num = 0 #耗时指令数量
|
|
|
|
|
# self.long_time_instr = ['nikto'] #耗时操作不计入批量执行的数量,不加不减
|
|
|
|
|
self.node_queue = queue.Queue()
|
|
|
|
|
|
|
|
|
|
self.lock = threading.Lock() #线程锁
|
|
|
|
|
self.node_num = 0 #在处理Node线程的处理
|
|
|
|
|
self.brun = True
|
|
|
|
|
self.cookie = "" #cookie参数
|
|
|
|
|
|
|
|
|
|
def res_in_quere(self,bres,instr,reslut,start_time,end_time,th_DBM,source_result,ext_params,work_node):
|
|
|
|
|
'''
|
|
|
|
|
执行结果入队列
|
|
|
|
|
:param bres:
|
|
|
|
|
:param instr:
|
|
|
|
|
:param reslut:
|
|
|
|
|
:return:
|
|
|
|
|
'''
|
|
|
|
|
#入数据库 -- bres True和False 都入数据库2025-3-10---加node_path(2025-3-18)#?
|
|
|
|
|
if th_DBM.ok:
|
|
|
|
|
work_node.do_sn += 1 # 指令的执行序列是一个任务共用,要线程锁,错误问题也不大
|
|
|
|
|
th_DBM.insetr_result(self.task_id, instr, reslut, work_node.do_sn, start_time, end_time, source_result,
|
|
|
|
|
ext_params, work_node.path)
|
|
|
|
|
else:
|
|
|
|
|
self.logger.error("数据库连接失败!!")
|
|
|
|
|
|
|
|
|
|
#结果入队列---2025-3-18所有的指令均需返回给LLM便于节点状态的更新,所以bres作用要调整。
|
|
|
|
|
res = {'执行指令':instr,'结果':reslut}
|
|
|
|
|
str_res = json.dumps(res,ensure_ascii=False) #直接字符串组合也可以-待验证
|
|
|
|
|
work_node.llm_type = 1
|
|
|
|
|
work_node.add_res(str_res) #入节点结果队列
|
|
|
|
|
|
|
|
|
|
def do_worker_th(self):
|
|
|
|
|
#线程的dbm需要一个线程一个
|
|
|
|
|
th_DBM = DBManager()
|
|
|
|
|
th_DBM.connect()
|
|
|
|
|
while self.brun:
|
|
|
|
|
try:
|
|
|
|
|
work_node = self.node_queue.get(block=False)
|
|
|
|
|
# 测试时使用
|
|
|
|
|
with self.lock:
|
|
|
|
|
self.node_num += 1
|
|
|
|
|
# 开始执行指令
|
|
|
|
|
while work_node.instr_queue:
|
|
|
|
|
#for instruction in work_node.instr_queue: #这里要重新调整#?
|
|
|
|
|
instruction = work_node.instr_queue.pop(0)
|
|
|
|
|
start_time = get_local_timestr() # 指令执行开始时间
|
|
|
|
|
bres, instr, reslut, source_result, ext_params = self.InstrM.execute_instruction(instruction)
|
|
|
|
|
end_time = get_local_timestr() # 指令执行结束时间
|
|
|
|
|
self.res_in_quere(bres, instr, reslut, start_time, end_time, th_DBM, source_result,
|
|
|
|
|
ext_params, work_node) # 执行结果入队列
|
|
|
|
|
|
|
|
|
|
# #针对一个节点的指令执行完成后,提交LLM规划下一步操作
|
|
|
|
|
#self.CCM.llm_quere.put(work_node)
|
|
|
|
|
|
|
|
|
|
# 保存记录--测试时使用--后期增加人为停止测试时可以使用
|
|
|
|
|
with self.lock:
|
|
|
|
|
self.node_num -= 1
|
|
|
|
|
if self.node_num == 0 and self.node_queue.empty(): #
|
|
|
|
|
self.logger.debug("此批次指令执行完成!")
|
|
|
|
|
with open("attack_tree", 'wb') as f:
|
|
|
|
|
pickle.dump(self.CCM.attack_tree, f)
|
|
|
|
|
|
|
|
|
|
except queue.Empty:
|
|
|
|
|
self.logger.debug("暂无需要执行指令的节点!")
|
|
|
|
|
time.sleep(20)
|
|
|
|
|
|
|
|
|
|
def start_task(self,target_name,target_in):
|
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
:param target_name: 任务目标名字
|
|
|
|
|
:param target_in: 任务目标访问地址
|
|
|
|
|
:return:
|
|
|
|
|
'''
|
|
|
|
|
#判断目标合法性
|
|
|
|
|
bok,target,type = self.TargetM.validate_and_extract(target_in)
|
|
|
|
|
if bok:
|
|
|
|
|
self.target = target
|
|
|
|
|
self.type = type #1-IP,2-domain
|
|
|
|
|
self.task_id = self.DBM.start_task(target_name,target_in) #数据库新增任务记录
|
|
|
|
|
#获取基本信息: 读取数据库或预生成指令,获取基本的已知信息
|
|
|
|
|
know_info = "无" #?
|
|
|
|
|
#启动--初始化指令
|
|
|
|
|
self.CCM.start_do(target,self.task_id)
|
|
|
|
|
|
|
|
|
|
#创建工作线程----2025-3-18调整为一个节点一个线程,
|
|
|
|
|
for i in range(self.max_thread_num):
|
|
|
|
|
w_th = threading.Thread(target=self.do_worker_th)
|
|
|
|
|
w_th.start()
|
|
|
|
|
self.workth_list.append(w_th)
|
|
|
|
|
|
|
|
|
|
#等待线程结束--执行生成报告
|
|
|
|
|
for t in self.workth_list:
|
|
|
|
|
t.join()
|
|
|
|
|
#生成报告
|
|
|
|
|
pass
|
|
|
|
|
else:
|
|
|
|
|
return False,"{target}检测目标不合规,请检查!"
|
|
|
|
|
|
|
|
|
|
def stop_task(self):
|
|
|
|
|
self.brun = False
|
|
|
|
|
self.CCM.stop_do() #清空一些全局变量
|
|
|
|
|
self.InstrM.init_data()
|
|
|
|
|
#结束任务需要收尾处理#?
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
|
import json
|
|
|
|
|
TM = TaskManager()
|
|
|
|
|
FM = FileManager()
|
|
|
|
|
current_path = os.path.dirname(os.path.realpath(__file__))
|
|
|
|
|
strMsg = FM.read_file("test",1)
|
|
|
|
|
|
|
|
|
|
test_type = 1
|
|
|
|
|
instr_index = 19
|
|
|
|
|
iput_index = -1 # 0是根节点
|
|
|
|
|
indexs = []
|
|
|
|
|
if test_type == 0: #新目标测试
|
|
|
|
|
# 启动--初始化指令
|
|
|
|
|
node_list = TM.CCM.start_do("192.168.204.137", 0)
|
|
|
|
|
#异步处理,需要等待线程结束了
|
|
|
|
|
for th in TM.CCM.llmth_list:
|
|
|
|
|
th.join()
|
|
|
|
|
elif test_type == 1:
|
|
|
|
|
#测试执行指令
|
|
|
|
|
with open("attack_tree", "rb") as f:
|
|
|
|
|
TM.CCM.attack_tree = pickle.load(f)
|
|
|
|
|
# 遍历node,查看有instr的ndoe
|
|
|
|
|
nodes = TM.CCM.attack_tree.traverse_dfs()
|
|
|
|
|
if indexs:
|
|
|
|
|
for index in indexs:
|
|
|
|
|
node = nodes[index]
|
|
|
|
|
if node.instr_queue: # list
|
|
|
|
|
TM.node_queue.put(node)
|
|
|
|
|
else:
|
|
|
|
|
for node in nodes:
|
|
|
|
|
if node.instr_queue:
|
|
|
|
|
TM.node_queue.put(node)
|
|
|
|
|
|
|
|
|
|
#创建线程执行指令
|
|
|
|
|
for i in range(TM.max_thread_num):
|
|
|
|
|
w_th = threading.Thread(target=TM.do_worker_th)
|
|
|
|
|
w_th.start()
|
|
|
|
|
TM.workth_list.append(w_th)
|
|
|
|
|
# 等待线程结束--执行生成报告
|
|
|
|
|
for t in TM.workth_list:
|
|
|
|
|
t.join()
|
|
|
|
|
elif test_type ==2:
|
|
|
|
|
#测试LLM返回下一步指令
|
|
|
|
|
with open("attack_tree", "rb") as f:
|
|
|
|
|
TM.CCM.attack_tree = pickle.load(f)
|
|
|
|
|
#遍历node,查看有res的数据
|
|
|
|
|
iput_max_num = 0
|
|
|
|
|
iput_num = 0
|
|
|
|
|
nodes = TM.CCM.attack_tree.traverse_dfs()
|
|
|
|
|
if indexs:
|
|
|
|
|
for index in indexs:
|
|
|
|
|
node = nodes[index]
|
|
|
|
|
if node.res_quere:
|
|
|
|
|
TM.CCM.llm_quere.put(node)
|
|
|
|
|
else:
|
|
|
|
|
for node in nodes:
|
|
|
|
|
if node.res_quere:
|
|
|
|
|
TM.CCM.llm_quere.put(node)
|
|
|
|
|
|
|
|
|
|
#创建llm工作线程
|
|
|
|
|
TM.CCM.brun = True
|
|
|
|
|
for i in range(TM.CCM.max_thread_num):
|
|
|
|
|
l_th = threading.Thread(target=TM.CCM.th_llm_worker())
|
|
|
|
|
l_th.start()
|
|
|
|
|
TM.CCM.llmth_list.append(l_th)
|
|
|
|
|
# 等待线程结束
|
|
|
|
|
for t in TM.CCM.llmth_list:
|
|
|
|
|
t.join()
|
|
|
|
|
elif test_type ==3: #执行指定指令
|
|
|
|
|
with open("attack_tree", "rb") as f:
|
|
|
|
|
TM.CCM.attack_tree = pickle.load(f)
|
|
|
|
|
# 遍历node,查看有instr的ndoe
|
|
|
|
|
nodes = TM.CCM.attack_tree.traverse_dfs()
|
|
|
|
|
instrlist = nodes[instr_index].instr_queue
|
|
|
|
|
# instrlist = ['''
|
|
|
|
|
# ''']
|
|
|
|
|
for instr in instrlist:
|
|
|
|
|
start_time = get_local_timestr() # 指令执行开始时间
|
|
|
|
|
bres, instr, reslut, source_result, ext_params = TM.InstrM.execute_instruction(instr)
|
|
|
|
|
end_time = get_local_timestr() # 指令执行结束时间
|
|
|
|
|
|
|
|
|
|
res = {'执行结果': reslut}
|
|
|
|
|
str_res = json.dumps(res,ensure_ascii=False) # 直接字符串组合也可以-待验证
|
|
|
|
|
print(str_res)
|
|
|
|
|
elif test_type == 4: #修改Message
|
|
|
|
|
with open("attack_tree", "rb") as f:
|
|
|
|
|
TM.CCM.attack_tree = pickle.load(f)
|
|
|
|
|
#创建一个新的节点
|
|
|
|
|
from mycode.AttackMap import TreeNode
|
|
|
|
|
testnode = TreeNode("test",0,0)
|
|
|
|
|
TM.CCM.LLM.build_initial_prompt(testnode)#新的Message
|
|
|
|
|
systems = testnode.messages[0]["content"]
|
|
|
|
|
#print(systems)
|
|
|
|
|
# 遍历node,查看有instr的ndoe
|
|
|
|
|
nodes = TM.CCM.attack_tree.traverse_bfs()
|
|
|
|
|
for node in nodes:
|
|
|
|
|
node.messages[0]["content"] = systems
|
|
|
|
|
with open("attack_tree", 'wb') as f:
|
|
|
|
|
pickle.dump(TM.CCM.attack_tree, f)
|
|
|
|
|
elif test_type ==5: #显示指令和结果list
|
|
|
|
|
with open("attack_tree", "rb") as f:
|
|
|
|
|
TM.CCM.attack_tree = pickle.load(f)
|
|
|
|
|
nodes = TM.CCM.attack_tree.traverse_dfs()
|
|
|
|
|
if iput_index == -1:
|
|
|
|
|
for node in nodes:
|
|
|
|
|
print(f"----{node.path}-{node.status}----\n****instr_quere")
|
|
|
|
|
print(f"{','.join(node.instr_queue)}\n****res_quere")
|
|
|
|
|
try:
|
|
|
|
|
print(f"{','.join(node.res_quere)}")
|
|
|
|
|
except:
|
|
|
|
|
print(f"{json.dumps(node.res_quere)}")
|
|
|
|
|
elif iput_index == -2:#只输出有instruction的数据
|
|
|
|
|
index = 0
|
|
|
|
|
for node in nodes:
|
|
|
|
|
if node.instr_queue:
|
|
|
|
|
print(f"----{index}--{node.path}--{node.status}----")
|
|
|
|
|
print(f"{','.join(node.instr_queue)}")
|
|
|
|
|
index += 1
|
|
|
|
|
else:
|
|
|
|
|
print(f"********\n{','.join(nodes[iput_index].instr_queue)}\n********")
|
|
|
|
|
print(f"&&&&&&&&\n{','.join(nodes[iput_index].res_quere)}\n&&&&&&&&")
|
|
|
|
|
elif test_type == 6: #给指定节点添加测试指令
|
|
|
|
|
with open("attack_tree", "rb") as f:
|
|
|
|
|
TM.CCM.attack_tree = pickle.load(f)
|
|
|
|
|
nodes = TM.CCM.attack_tree.traverse_dfs()
|
|
|
|
|
str_instr = "nmap -sV -p- 192.168.204.137 -T4 -oN nmap_full_scan.txt"
|
|
|
|
|
index = 9
|
|
|
|
|
nodes[index].instr_queue.append(str_instr)
|
|
|
|
|
nodes[index].res_quere = []
|
|
|
|
|
with open("attack_tree", 'wb') as f:
|
|
|
|
|
pickle.dump(TM.CCM.attack_tree, f)
|
|
|
|
|
elif test_type == 7: #给指定节点修改指令的执行结果
|
|
|
|
|
with open("attack_tree", "rb") as f:
|
|
|
|
|
TM.CCM.attack_tree = pickle.load(f)
|
|
|
|
|
nodes = TM.CCM.attack_tree.traverse_dfs()
|
|
|
|
|
str_instr = "psql -h 192.168.204.137 -U postgres -c '\l'"
|
|
|
|
|
start_time = get_local_timestr() # 指令执行开始时间
|
|
|
|
|
bres, instr, reslut, source_result, ext_params = TM.InstrM.execute_instruction(str_instr)
|
|
|
|
|
end_time = get_local_timestr() # 指令执行结束时间
|
|
|
|
|
# 入数据库 -- bres True和False 都入数据库2025-3-10---加node_path(2025-3-18)#?
|
|
|
|
|
if TM.DBM.ok:
|
|
|
|
|
TM.DBM.insetr_result(0, instr, reslut, 0, start_time, end_time, source_result,
|
|
|
|
|
ext_params, "独立命令执行")
|
|
|
|
|
index = 9
|
|
|
|
|
nodes[index].res_quere.clear()
|
|
|
|
|
nodes[index].res_quere.append(reslut)
|
|
|
|
|
|
|
|
|
|
with open("attack_tree", 'wb') as f:
|
|
|
|
|
pickle.dump(TM.CCM.attack_tree, f)
|
|
|
|
|
elif test_type == 9: #处理自定义llm回复内容
|
|
|
|
|
with open("attack_tree", "rb") as f:
|
|
|
|
|
TM.CCM.attack_tree = pickle.load(f)
|
|
|
|
|
nodes = TM.CCM.attack_tree.traverse_dfs()
|
|
|
|
|
node = nodes[5]
|
|
|
|
|
strconent = '''
|
|
|
|
|
{'role': 'assistant', 'content': '{"action":"update_status", "node": "25端口", "status": "已完成", "vulnerability": {"name":"SMTP用户枚举漏洞","risk":"中危","info":"VRFY命令可验证有效用户"}}\n\n```bash-[目标系统->192.168.204.137->25端口]\nsmtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 192.168.204.137\n```\n\n```bash-[目标系统->192.168.204.137->25端口]\nnc -nv 192.168.204.137 25 << EOF\nEXPN root\nMAIL FROM: attacker@example.com\nRCPT TO: external@example.com\nDATA\nTest open relay\n.\nQUIT\nEOF\n```'}
|
|
|
|
|
'''
|
|
|
|
|
strjson = json.loads(strconent)
|
|
|
|
|
node_cmds,commands = TM.CCM.LLM.fetch_instruction(strjson["content"])
|
|
|
|
|
TM.CCM.tree_manager(node_cmds)
|
|
|
|
|
|
|
|
|
|
# 更新tree
|
|
|
|
|
bok, new_commands = TM.CCM.tree_manager(node_cmds, node, commands, TM.DBM)
|
|
|
|
|
# 分析指令入对应节点
|
|
|
|
|
if bok: # 节点指令若存在错误,测试指令都不处理,需要LLM重新生成
|
|
|
|
|
node_list = TM.CCM.instr_in_node(new_commands, node)
|
|
|
|
|
|
|
|
|
|
#报不保存待定--
|
|
|
|
|
with open("attack_tree", 'wb') as f:
|
|
|
|
|
pickle.dump(TM.CCM.attack_tree, f)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
else:
|
|
|
|
|
#完整过程测试---要设定终止条件
|
|
|
|
|
pass
|
