One day the boss raises the question: "Why do some people have remote access to a work computer without obtaining additional permission to use it?", and a task appears: close the loophole.
There are plenty of applications for remote control over the network: Chrome Remote Desktop, AmmyAdmin, LiteManager, TeamViewer, Anyplace Control, etc. Chrome Remote Desktop has an official guide on blocking access to the service; TeamViewer has license restrictions on session time and on requests from the network, so users, gritting their teeth, sooner or later "surface" at the admins; but the favourite of many for personal use, AnyDesk, still requires special attention, especially once the boss has said "No!".
If you know what blocking a network packet by its contents (DPI) is and that suits you, the rest of this material is not for you.
Going at it from the opposite direction, then. I once solved the problem of blocking Anyplace Control, which arrived with some dubious software; it was solved by blocking only a few IPs (and I backed the antivirus up). The AnyDesk problem, after I had manually collected more than a dozen IP addresses, prompted me to get away from routine manual labour.
It also turned out that C:\ProgramData\AnyDesk holds a number of files with settings etc., and that the file ad_svc.trace collects events about connections and failures.
1. Observation
Since blocking *.anydesk.com had no effect on the program, it was decided to analyse the program's behaviour under stress. TCPView from Sysinternals in hand, and off we go!
1.1. Several processes of interest can be seen "hanging", and only the one that talks to an outside address interests us. The ports it connects to vary; those I saw: 80, 443, 6568. 80 and 443 we definitely cannot block.
1.2. After the address is blocked on the router, another address is quietly chosen.
1.3. The console is our everything! We determine the PID; here I got a little lucky that AnyDesk was installed as a service, so the PID I am looking for is the only one (the service instance shows the session name "Services" in tasklist).
1.4. By the PID of the process we determine the IP address of the relay server it is connected to.
2. Preparation
Since the program for discovering IP addresses will probably only ever run on my PC, I have no restrictions on convenience and laziness, so C#.
2.1. All the methods for identifying the desired IP address are already known; it only remains to implement them.
using System.Diagnostics;
using System.Text;

// Find the PID of the AnyDesk service instance (the one whose session name is "Services")
string pid1_;
using (var p = new Process())
{
    p.StartInfo.FileName = "cmd.exe";
    p.StartInfo.Arguments = "/c tasklist.exe /fi \"imagename eq AnyDesk.exe\" /NH /FO CSV | findstr \"Services\"";
    p.StartInfo.UseShellExecute = false;
    p.StartInfo.RedirectStandardOutput = true;
    p.StartInfo.CreateNoWindow = true;
    p.StartInfo.StandardOutputEncoding = Encoding.GetEncoding("CP866"); // OEM console code page on Russian Windows
    p.Start();
    string output = p.StandardOutput.ReadToEnd();
    // The CSV line looks like "AnyDesk.exe","1234","Services","0","10,000 K": turn it into an array
    string[] pid1 = output.Split(',');
    pid1_ = pid1[1].Replace("\"", ""); // take the 2nd element (the PID) without the quotes
}
Similarly, we find the connection the service has established; I will give only the main line:
p.StartInfo.Arguments = "/c netstat -n -o | findstr /I " + pid1_ + " | findstr \"ESTABLISHED\"";
One caveat: findstr matches the PID as a substring anywhere on the line, so a PID like 123 also matches port 1234 or PID 1230; it is safer to check in code that the last column of the line is exactly our PID. The result is a netstat line of the form TCP <local address>:<port> <foreign address>:<port> ESTABLISHED <PID>.
From that line, as in the previous step, we extract the 3rd column (the foreign address) and strip everything from the ":" onward. The result is the IP we want.
2.2. IP blocking in Windows. Linux has blackhole routes and iptables; in Windows a one-line way of blocking an IP address without using the firewall turned out to be less obvious,
but it can be done with the tools at hand:
route add our_found_IP_address mask 255.255.255.255 10.113.113.113 if 1 -p
The key parameter is "if 1", which sends the route to the loopback interface, so packets to that address never leave the machine (the available interfaces are listed by running route print; check that index 1 really is loopback on your system). And IMPORTANT! From now on the program has to be run with administrator rights, because changing the routing table requires elevation.
2.3. Displaying and saving the identified IP addresses is a trivial task and needs no explanation. On reflection, one could also parse AnyDesk's own ad_svc.trace, but I did not think of it at once, and there may be restrictions on it.
2.4. The program's behaviour is oddly inconsistent: when the service process is killed with taskkill on Windows 10 it restarts automatically, while on Windows 8 it terminates, leaving only the console process and not reconnecting. All in all, illogical and untidy.
Killing the process that has connected to the server lets us "force" a reconnection to the next address. It is implemented in the same way as the previous commands, so I give only:
p.StartInfo.Arguments = "/c taskkill /PID " + pid1_ + " /F";
Additionally, we launch the AnyDesk program again.
using System.IO;

// Start the program located at path path_pro
if (File.Exists(path_pro))
{
    Process p1 = Process.Start(path_pro);
}
2.5. We check AnyDesk's state once a minute (or more often?), and if it is connected, i.e. there is an ESTABLISHED connection, we block that IP and start all over again: wait until it connects, block, wait.
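The whole procedure of section 2 as one script, added here as an example and not the article's own C# program: find the service instance of AnyDesk, read the established connection by owning PID, add the same loopback host route, kill the process so it reconnects, and repeat. Assumptions that are not from the article: the log file location, the AnyDesk install path, and the 60-second interval. As in the article, interface index 1 is assumed to be loopback and 10.113.113.113 an unreachable next hop. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not the article's C# tool): observe/block/kill loop for AnyDesk.
# Assumptions: log file path, AnyDesk.exe path and interval below; loopback is
# interface index 1 (check with `route print`) and 10.113.113.113 is unreachable.
param(
    [string]$LogFile          = "$env:ProgramData\anydesk_blocked.txt",        # assumption
    [string]$AnyDeskExe       = "C:\Program Files (x86)\AnyDesk\AnyDesk.exe",  # assumption
    [int]$IntervalSeconds     = 60                                             # assumption
)

# route add needs elevation (article, 2.2): fail early instead of silently doing nothing.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
            [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Changing the routing table requires elevation; run as administrator." }

function Get-AnyDeskServicePid {
    # The service instance runs in session 0; the user's console instance does not.
    $svc = Get-Process -Name AnyDesk -ErrorAction SilentlyContinue |
           Where-Object { $_.SessionId -eq 0 } | Select-Object -First 1
    if ($null -eq $svc) { return $null }
    return $svc.Id
}

function Get-RelayAddress([int]$OwningPid) {
    # Filter by owning PID as a field rather than as a substring of a netstat line,
    # so PID 123 cannot be confused with port 1234 or PID 1230. Only outside
    # addresses interest us, so loopback and RFC 1918 ranges are skipped.
    $conn = Get-NetTCPConnection -OwningProcess $OwningPid -State Established -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -notmatch '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' } |
            Select-Object -First 1
    if ($null -eq $conn) { return $null }
    return $conn.RemoteAddress
}

function Block-Address([string]$Ip) {
    # The article's persistent host route to loopback, no firewall involved.
    # route.exe's documented syntax places -p before the command.
    & route.exe -p add $Ip mask 255.255.255.255 10.113.113.113 if 1 | Out-Null
    Add-Content -Path $LogFile -Value $Ip
}

# Reload addresses blocked in earlier runs so they are not logged twice.
$blocked = @{}
if (Test-Path $LogFile) { Get-Content $LogFile | ForEach-Object { $blocked[$_] = $true } }

while ($true) {
    $svcPid = Get-AnyDeskServicePid
    if ($null -eq $svcPid) {
        # Windows 8 behaviour from 2.4: the killed service does not come back, so start AnyDesk again.
        if (Test-Path $AnyDeskExe) { Start-Process -FilePath $AnyDeskExe }
        Write-Host -NoNewline '.'
    }
    else {
        $ip = Get-RelayAddress -OwningPid $svcPid
        if ($ip -and -not $blocked.ContainsKey($ip)) {
            Block-Address -Ip $ip
            $blocked[$ip] = $true
            Write-Host -NoNewline '+'
            # Kill the connected process so the next start picks the next relay (2.4).
            Stop-Process -Id $svcPid -Force -ErrorAction SilentlyContinue
        }
        else {
            Write-Host -NoNewline '.'
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Get-NetTCPConnection replaces the netstat/findstr pair: it returns the connection objects of the given owning process directly, which avoids the substring matches findstr is prone to. The "+" and "." output mirrors the visualisation described in section 3.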
3. Attack
The code was "drafted", and it was decided to visualise the process: "+" marks a found and blocked IP, and "." a repeated check without a successful connection from AnyDesk.
As a result...
The program was run on several computers with different Windows versions, with AnyDesk versions 5 and 6. In about 500 iterations 80 addresses were collected; in 2500, 87; and so on...
Over time, the number of blocked IPs reached 100+.
Link to final text file with addresses:
It is done! The pool of IP addresses is added to the rules of the main router by a script, and AnyDesk simply cannot create an external connection.
There is one strange moment. From the initial logs it is clear that the address boot-01.net.anydesk.com takes part in the data transfer. We have of course blocked all *.net.anydesk.com hosts as a general rule, but that is not the oddity. Each time, a normal ping of this domain name from different computers gives a different IP. Checking on Linux:
host boot-01.net.anydesk.com
just like a DNS lookup, gives only one IP address, but that address varies. Reverse-resolving the addresses of the TCPView connections, on the other hand, gives PTR records of the form relay-*.net.anydesk.com.
Theoretically: since the pings sometimes go to an as yet unknown, unblocked address behind boot-01.net.anydesk.com, we can find those IPs and block them, and turn this into a regular script on Linux, where AnyDesk does not need to be installed at all. Analysis showed that these IPs often "intersect" with those already in our list. Perhaps this is just the host the program contacts before it starts going through the known relay IPs. I will probably supplement the article later with a second part on host searches, although at the moment the program itself cannot establish an outgoing connection at all.
I hope you did not see anything illegal in the above, and that the creators of AnyDesk will take my actions sportingly.
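The "regular script" idea from the paragraph above, as an added example that is not part of the article: poll the A record of boot-01.net.anydesk.com (the name is from the article), reverse-resolve every address that comes back, and record it with a tag saying whether the PTR confirms a *.net.anydesk.com host, as the article observed for the relays. It uses System.Net.Dns rather than Resolve-DnsName, so it runs on PowerShell 7 on Linux as well, with no AnyDesk installed. The output file name, number of rounds and interval are assumptions.

```powershell
# Added example (not from the article): collect the rotating A record of the
# AnyDesk bootstrap host and verify each address by its PTR record.
param(
    [string]$HostName        = 'boot-01.net.anydesk.com',   # host name observed in the article
    [string]$OutFile         = './anydesk_boot_ips.txt',    # assumption
    [int]$Rounds             = 30,                          # assumption
    [int]$IntervalSeconds    = 10                           # assumption
)

function Get-ARecords([string]$Name) {
    # Forward lookup through the OS resolver; only IPv4 answers are kept.
    try {
        return [System.Net.Dns]::GetHostAddresses($Name) |
               Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
               ForEach-Object { $_.IPAddressToString }
    } catch { return @() }
}

function Get-PtrName([string]$Ip) {
    # Reverse lookup; $null when the address has no PTR record.
    try { return [System.Net.Dns]::GetHostEntry($Ip).HostName } catch { return $null }
}

# Addresses recorded by earlier runs are read back so the file only grows with new ones.
$seen = @{}
if (Test-Path $OutFile) {
    Get-Content $OutFile | ForEach-Object { $seen[($_ -split "`t")[0]] = $true }
}

for ($i = 0; $i -lt $Rounds; $i++) {
    foreach ($ip in Get-ARecords $HostName) {
        if ($seen.ContainsKey($ip)) { continue }
        $seen[$ip] = $true
        $ptr = Get-PtrName $ip
        # Tag the address by its PTR: a resolver hijack or an unrelated CDN answer
        # would otherwise end up in the block list unnoticed.
        $tag = if ($ptr -match '\.net\.anydesk\.com$') { 'anydesk' } else { 'unverified' }
        "$ip`t$ptr`t$tag" | Add-Content -Path $OutFile
        Write-Host "$ip -> $ptr [$tag]"
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

One caveat: the OS resolver caches answers for the record's TTL, so consecutive rounds may repeat the same address until the cache expires; querying the authoritative server directly (for example with dig) shows the rotation sooner. The resulting file can be fed to the router rules the same way as the list from section 3, but only the lines tagged "anydesk" should go in without a second look.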
Source: habr.com