Masu binciken ƙwayoyin cuta da masu binciken tsaro na kwamfuta suna yin tsere don tattara samfuran sabbin botnets da yawa kamar yadda zai yiwu. Suna amfani da sandunan zuma don dalilai na kansu ... Amma menene idan kuna son lura da malware a cikin yanayi na ainihi? Sanya uwar garken ku ko na'ura mai ba da hanya tsakanin hanyoyin sadarwa cikin haɗari? Idan babu na'urar da ta dace fa? Waɗannan tambayoyin ne suka sa ni ƙirƙirar bhunter, kayan aiki don samun damar shiga nodes na botnet.
Babban ra'ayi
Akwai hanyoyi da yawa don yada malware don faɗaɗa botnets: daga phishing zuwa yin amfani da raunin kwanaki 0. Amma hanyar da aka fi sani har yanzu ita ce ta tilastawa kalmomin shiga na SSH.
Tunanin yana da sauqi qwarai. Idan wasu kumburin botnet suna ƙoƙarin lalata kalmar sirri don uwar garken ku, to wataƙila wannan kumburin kanta an kama shi ta hanyar tursasa kalmomin sirri masu sauƙi. Wannan yana nufin cewa don samun damar yin amfani da shi, kawai kuna buƙatar ramawa.
Wannan shine ainihin yadda bhunter ke aiki. Yana sauraron tashar jiragen ruwa 22 (sabis na SSH) kuma yana tattara duk abubuwan shiga da kalmomin shiga waɗanda suke ƙoƙarin haɗawa da shi. Sannan, ta amfani da kalmomin shiga da aka tattara, yana ƙoƙarin haɗawa da nodes masu hari.
Algorithm aiki
Ana iya raba shirin zuwa manyan sassa 2, waɗanda ke aiki a cikin zaren daban-daban. Na farko shine tukunyar zuma. Yana aiwatar da yunƙurin shiga, yana tattara abubuwan shiga na musamman da kalmomin shiga (a wannan yanayin, ana ɗaukar login + kalmar sirri a matsayin gaba ɗaya), kuma yana ƙara adiresoshin IP waɗanda suka yi ƙoƙarin haɗawa da layin don ƙarin hari.
Kashi na biyu shine ke da alhakin kai harin. Haka kuma, ana kai harin ta hanyoyi guda biyu: BurstAttack (fashewa hari) - ƙwaƙƙwaran ƙarfi da kalmomin shiga daga jerin gabaɗaya da SingleShotAttack (harbin harbi ɗaya) - kalmomin sirrin ƙarfi waɗanda kumburin ya yi amfani da su, amma har yanzu ba a taɓa yin su ba. kara zuwa ga janar jerin.
Domin samun aƙalla wasu bayanan shiga da kalmomin shiga nan da nan bayan ƙaddamarwa, an fara bhunter tare da jeri daga fayil /etc/bhunter/defaultLoginPairs.
dubawa
Akwai hanyoyi da yawa don ƙaddamar da bhunter:
Kamar kungiya
sudo bhunterTare da wannan ƙaddamarwa, yana yiwuwa a sarrafa bhunter ta hanyar menu na rubutu: ƙara shiga da kalmomin shiga don kai hari, fitar da bayanan shiga da kalmomin shiga, ƙayyade maƙasudin hari. Ana iya ganin duk nodes ɗin da aka yi kutse a cikin fayil ɗin /var/log/bhunter/hacked.log
Yin amfani da tmux
sudo bhunter-ts # команда запуска bhunter через tmux
sudo tmux attach -t bhunter # подключаемся к сессии, в которой запущен bhunter
Tmux shine mahara multixer na tasha, kayan aiki mai dacewa sosai. Yana ba ku damar ƙirƙirar tagogi da yawa a cikin tashoshi ɗaya, kuma ku raba tagogin zuwa bangarori. Yin amfani da shi, zaku iya fita daga tashar sannan ku shiga ba tare da katse hanyoyin tafiyarwa ba.
Rubutun bhunter-ts yana ƙirƙira zaman tmux kuma ya raba taga zuwa bangarori uku. Na farko, mafi girma, ya ƙunshi menu na rubutu. Na sama na dama yana dauke da rajistan ayyukan gidan zuma, a nan zaka iya ganin sakonni game da yunkurin shiga cikin gidan zuma. Ƙarshen dama na dama yana nuna bayanai game da ci gaban harin akan nodes botnet da kuma game da hacks masu nasara.
Amfanin wannan hanyar akan na farko shine cewa zamu iya rufe tashar lafiya mu koma cikinta daga baya, ba tare da bhunter ya dakatar da aikinsa ba. Ga waɗanda ba su da masaniya da tmux, ina ba da shawara .
A matsayin sabis
systemctl enable bhunter
systemctl start bhunterA wannan yanayin, muna kunna bhunter autostart a farawa tsarin. A cikin wannan hanyar, ba a samar da hulɗa tare da bhunter ba, kuma ana iya samun jerin sunayen nodes ɗin da aka yi kutse daga /var/log/bhunter/hacked.log
Amfani
Yayin da nake aiki a kan bhunter, na sami damar samun dama ga na'urori daban-daban: rasberi pi, masu ba da hanya (musamman mikrotik), sabar yanar gizo, kuma sau ɗaya a gonar ma'adinai (abin takaici, samun damar yin amfani da shi a lokacin rana, don haka babu wani ban sha'awa). labari). Anan ga hoton shirin, wanda ke nuna jerin kuɗaɗen kutse bayan kwanaki da yawa na aiki:
Abin takaici, tasirin wannan kayan aiki bai kai ga tsammanina ba: bhunter na iya gwada kalmomin shiga zuwa nodes na kwanaki da yawa ba tare da nasara ba, kuma yana iya hacking da dama hari cikin sa'o'i biyu. Amma wannan ya isa don kwararar sabbin samfuran botnet na yau da kullun.
Irin waɗannan sigogi suna tasiri tasirin tasiri kamar: ƙasar da ke cikin uwar garken tare da bhunter, hosting, da kewayon da aka ware adireshin IP. A cikin kwarewata, akwai wani shari'ar lokacin da na yi hayar sabar sabar guda biyu daga mai masaukin baki ɗaya, kuma ɗayan botnets ya kai hari sau 2 sau da yawa.
Kwarorin da ban gyara ba tukuna
Lokacin kai hari ga majiyoyi masu kamuwa da cuta, a wasu yanayi ba zai yiwu a tantance ko kalmar sirri daidai ba ce ko a'a. Ana shigar da irin waɗannan lokuta a cikin /var/log/debug.log fayil.
Tsarin Paramiko, wanda ake amfani da shi don aiki tare da SSH, wani lokacin yana yin kuskure: ba ya ƙarewa yana jiran amsa daga mai watsa shiri lokacin da yake ƙoƙarin haɗa shi. Na gwada da masu ƙidayar lokaci, amma ban sami sakamakon da ake so ba
Me kuma ya kamata a yi aiki akai?
Sunan sabis
Dangane da RFC-4253, abokin ciniki da uwar garken suna musayar sunaye na sabis waɗanda ke aiwatar da ka'idar SSH kafin shigarwa. Wannan suna yana ƙunshe a cikin filin "SERVICE NAME", wanda ya ƙunshi duka a cikin buƙatun daga ɓangaren abokin ciniki da kuma a cikin martani daga ɓangaren uwar garke. Filin kirtani ne, kuma ana iya samun ƙimarsa ta amfani da wayashark ko nmap. Ga misali ga OpenSSH:
$ nmap -p 22 ***.**.***.** -sV
Starting Nmap ...
PORT STATE SERVICE VERSION
22/tcp open ssh <b>OpenSSH 7.9p1 Debian 10+deb10u2</b> (protocol 2.0)
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
Duk da haka, a cikin yanayin Paramiko, wannan filin yana ƙunshe da kirtani kamar "Paramiko Python sshd 2.4.2", wanda zai iya tsoratar da botnets waɗanda aka tsara don "guje wa" tarko. Saboda haka, ina ganin ya zama dole a maye gurbin wannan layin da wani abu mafi tsaka tsaki.
Sauran vectors
SSH ba shine kawai hanyar sarrafa nesa ba. Akwai kuma telnet, rdp. Yana da kyau a duba su da kyau.
tsawo
Zai yi kyau a sami tarkuna da yawa a cikin ƙasashe daban-daban kuma a tsakiyar tattara bayanan shiga, kalmomin shiga da kuɗaɗen kutse daga gare su zuwa cikin bayanan gama gari.
A ina zan iya saukewa?
A lokacin rubutawa, nau'in gwaji kawai yana shirye, wanda za'a iya saukewa daga .
source: www.habr.com