Mukan rubuta akai-akai game da yadda masu satar bayanai sukan dogara ga cin zarafi don gujewa ganowa. Suna zahiri , ta amfani da daidaitattun kayan aikin Windows, ta haka ketare riga-kafi da sauran abubuwan amfani don gano ayyukan mugunta. Mu, a matsayin masu karewa, yanzu an tilasta mana mu magance mummunan sakamako na irin wannan dabarar hacking: ma'aikaci mai kyau zai iya amfani da wannan hanya don satar bayanai a ɓoye (kayan basirar kamfani, lambobin katin kuɗi). Kuma idan bai yi gaggawa ba, amma yana aiki a hankali kuma a hankali, zai zama da wahala sosai - amma har yanzu yana yiwuwa idan ya yi amfani da hanyar da ta dace da kuma dacewa. , - don gane irin wannan aiki.
A gefe guda, ba zan so in lalata ma'aikata ba saboda babu wanda yake son yin aiki a cikin yanayin kasuwanci kai tsaye daga Orwell's 1984. Abin farin ciki, akwai matakai masu amfani da yawa da hacks na rayuwa waɗanda zasu iya sa rayuwa ta fi wahala ga masu ciki. Za mu yi la'akari hanyoyin kai hari a boye, masu hackers ke amfani da su ta hanyar ma'aikata tare da wasu bayanan fasaha. Kuma a ɗan gaba za mu tattauna zaɓuɓɓuka don rage irin wannan haɗari - za mu yi nazarin zaɓuɓɓukan fasaha da na ƙungiya.
Me ke damun PsExec?
Edward Snowden, daidai ne ko kuskure, ya zama daidai da satar bayanan sirri. Af, kar a manta a duba game da sauran 'yan ciki wadanda kuma sun cancanci wani matsayi mai suna. Wani muhimmin batu da ya dace a nanata game da hanyoyin da Snowden ya yi amfani da shi shine, a iyakar saninmu, shi bai shigar ba babu software na mugunta na waje!
Maimakon haka, Snowden ya yi amfani da ɗan aikin injiniya na zamantakewa kuma ya yi amfani da matsayinsa na mai kula da tsarin don tattara kalmomin shiga da ƙirƙirar takaddun shaida. Babu wani abu mai rikitarwa - babu , hare-hare ko .
Ma'aikatan kungiya ba koyaushe suke cikin matsayi na musamman na Snowden ba, amma akwai darussa da yawa da za a koya daga manufar "rayuwa ta hanyar kiwo" don a sani - kada su shiga cikin wani mummunan aiki da za a iya ganowa, kuma ya zama musamman. da hankali tare da yin amfani da takardun shaida. Tuna wannan tunanin.
da dan uwansa sun burge mutane masu yawa, masu satar bayanai, da masu rubutun ra'ayin yanar gizo. Kuma idan aka haɗe shi da mimikatz, psexec yana bawa maharan damar matsawa cikin hanyar sadarwa ba tare da buƙatar sanin kalmar sirrin rubutu ba.
Mimikatz ya katse NTLM hash daga tsarin LSASS sannan ya wuce alamar ko takaddun shaida - abin da ake kira. "wuce zanta" harin - a cikin psexec, ƙyale maharin ya shiga wani sabar kamar yadda wani mai amfani. Kuma tare da kowane motsi na gaba zuwa sabon uwar garken, maharin yana tattara ƙarin takaddun shaida, yana faɗaɗa kewayon damarsa don neman abun ciki mai samuwa.
Lokacin da na fara aiki tare da psexec ya zama kamar sihiri a gare ni - na gode , ƙwararren mai haɓaka psexec - amma kuma na san game da nasa m aka gyara. Ba ya asirce!
Gaskiya na farko mai ban sha'awa game da psexec shine cewa yana amfani da rikitarwa sosai SMB tsarin fayil na hanyar sadarwa daga Microsoft. Amfani da SMB, psexec yana canja wurin ƙananan binary fayiloli zuwa tsarin manufa, sanya su a cikin babban fayil C: Windows.
Bayan haka, psexec ya ƙirƙiri sabis na Windows ta amfani da kwafin binary kuma yana gudanar da shi a ƙarƙashin sunan "marasa tsammani" PSEXECSVC. A lokaci guda, za ku iya ganin duk wannan, kamar yadda na yi, ta kallon na'ura mai nisa (duba ƙasa).
Katin kira na Psexec: "PSEXECSVC" sabis. Yana gudanar da fayil ɗin binary wanda aka sanya ta hanyar SMB a cikin babban fayil C: Windows.
A matsayin mataki na ƙarshe, fayil ɗin binary da aka kwafi yana buɗewa haɗin RPC zuwa uwar garken manufa sannan kuma ya karɓi umarnin sarrafawa (ta hanyar Windows cmd harsashi ta tsohuwa), ƙaddamar da su da tura shigarwa da fitarwa zuwa injin gida na maharin. A wannan yanayin, maharin yana ganin ainihin layin umarni - daidai da idan an haɗa shi kai tsaye.
Yawancin abubuwan haɗin gwiwa da tsari mai yawan hayaniya!
Rukunin ciki na psexec sun bayyana saƙon da ya dame ni yayin gwaje-gwajen farko da suka gabata shekaru da yawa da suka gabata: "Farawa PSEXECSVC..." sannan a dakata kafin umarnin umarni ya bayyana.
Impacket's Psexec a zahiri yana nuna abin da ke faruwa a ƙarƙashin hular.
Ba abin mamaki bane: psexec yayi babban adadin aiki a ƙarƙashin hular. Idan kuna sha'awar ƙarin bayani, duba nan ban mamaki bayanin.
Babu shakka, lokacin amfani da kayan aikin sarrafa tsarin, wanda ya kasance asali manufa psexec, babu wani laifi tare da "buzzing" na duk waɗannan hanyoyin Windows. Ga mai kai hari, duk da haka, psexec zai haifar da rikitarwa, kuma ga mai hankali da wayo kamar Snowden, psexec ko makamancin haka zai zama haɗari da yawa.
Sa'an nan kuma ya zo Smbexec
SMB wata hanya ce mai wayo da asirce don canja wurin fayiloli tsakanin sabobin, kuma masu kutse sun kasance suna kutsawa cikin SMB kai tsaye tsawon karnoni. Ina tsammanin kowa ya riga ya san cewa ba shi da daraja SMB tashar jiragen ruwa 445 da 139 zuwa Intanet, daidai?
A Defcon 2013, Eric Millman () gabatar , ta yadda masu laifi za su iya gwada satar bayanan SMB. Ban san cikakken labarin ba, amma sai Impacket ya kara inganta smbexec. A gaskiya ma, don gwaji na, na zazzage rubutun daga Impacket a Python daga .
Ba kamar psexec ba, smbexec kaucewa canja wurin fayil ɗin binary mai yuwuwar ganowa zuwa injin da aka yi niyya. Madadin haka, mai amfani yana rayuwa gaba ɗaya daga makiyaya har zuwa ƙaddamarwa na gida Layin umarnin Windows.
Ga abin da yake yi: yana ba da umarni daga na'ura mai kai hari ta hanyar SMB zuwa fayil ɗin shigarwa na musamman, sannan ya ƙirƙira da gudanar da wani hadadden layin umarni (kamar sabis na Windows) wanda zai zama sananne ga masu amfani da Linux. A takaice: yana ƙaddamar da harsashi na asali na Windows cmd, yana tura kayan aiki zuwa wani fayil, sannan ya aika ta hanyar SMB zuwa injin maharin.
Hanya mafi kyau don fahimtar wannan ita ce duba layin umarni, wanda na sami damar samun hannuna daga bayanan taron (duba ƙasa).
Shin wannan ba ita ce babbar hanyar da za a tura I/O ba? Af, ƙirƙirar sabis yana da ID na taron ID 7045.
Kamar psexec, shi ma yana haifar da sabis wanda ke yin duk aikin, amma sabis ɗin bayan haka cire - Ana amfani da shi sau ɗaya kawai don gudanar da umarni sannan ya ɓace! Jami'in tsaro na bayanai da ke sa ido kan injin wanda abin ya shafa ba zai iya ganowa ba bayyane Manufofin harin: Babu wani fayil ɗin ɓarna da ake ƙaddamarwa, babu sabis na ci gaba da ake shigar, kuma babu wata shaida ta amfani da RPC tunda SMB ita ce kawai hanyar canja wurin bayanai. M!
Daga gefen maharin, akwai "pseudo-shell" tare da jinkiri tsakanin aika umarni da karɓar amsa. Amma wannan ya isa ga maharin - ko dai mai ciki ko na waje wanda ya riga ya sami gindin zama - don fara neman abun ciki mai ban sha'awa.
Don fitar da bayanai daga na'urar da aka yi niyya zuwa na'urar maharin, ana amfani da ita . Eh, Samba daya ne , amma kawai an canza zuwa rubutun Python ta Impacket. A zahiri, smbclient yana ba ku damar ɗaukar nauyin canja wurin FTP a ɓoye akan SMB.
Bari mu sake komawa baya mu yi tunanin abin da wannan zai iya yi wa ma'aikaci. A cikin labari na tatsuniya, bari mu ce mai rubutun ra'ayin kanka a yanar gizo, manazarcin kudi ko kuma mai ba da shawara kan tsaro da ake biya sosai an yarda ya yi amfani da kwamfutar tafi-da-gidanka na sirri don aiki. Sakamakon wani tsari na sihiri, ta yi fushi a kamfanin kuma "ya tafi duka." Dangane da tsarin aikin kwamfutar tafi-da-gidanka, ko dai yana amfani da nau'in Python daga Impact, ko kuma nau'in Windows na smbexec ko smbclient azaman fayil .exe.
Kamar Snowden, ta gano kalmar sirrin wani mai amfani ko dai ta hanyar duba kafadarta, ko kuma ta yi sa'a kuma ta ci karo da fayil ɗin rubutu tare da kalmar sirri. Kuma tare da taimakon waɗannan takaddun shaida, ta fara tono tsarin a wani sabon matakin gata.
Hacking DCC: Ba ma buƙatar kowane "wawa" Mimikatz
A cikin rubutuna na baya akan pentesting, na yi amfani da mimikatz sau da yawa. Wannan babban kayan aiki ne don kutse bayanan sirri - NTLM hashes har ma da bayyanannen kalmomin sirri da ke ɓoye a cikin kwamfyutocin, kawai ana jira a yi amfani da su.
Lokaci ya canza. Kayan aikin sa ido sun yi kyau wajen ganowa da toshe mimikatz. Masu kula da tsaro na bayanai kuma yanzu suna da ƙarin zaɓuɓɓuka don rage haɗarin da ke tattare da wuce hare-haren zanta (PtH).
Don haka menene ma'aikaci mai hankali ya yi don tattara ƙarin takaddun shaida ba tare da amfani da mimikatz ba?
Kit ɗin Impacket ya haɗa da abin amfani da ake kira , wanda ke dawo da takaddun shaida daga Domain Credential Cache, ko DCC a takaice. Abinda na fahimta shine idan mai amfani da yanki ya shiga cikin uwar garken amma babu mai sarrafa yankin, DCC tana bawa uwar garken damar tantance mai amfani. Ko ta yaya, secretsdump yana ba ku damar zubar da duk waɗannan hashes idan akwai.
DCC hashes ne ba NTML hashes da su ba za a iya amfani da shi don harin PtH ba.
To, kuna iya ƙoƙarin yin hacking ɗin su don samun ainihin kalmar sirri. Koyaya, Microsoft ya sami wayo tare da DCC kuma hashes na DCC sun zama masu wahala sosai. Ee, ina da , "Mafi saurin zato kalmar sirri a duniya," amma yana buƙatar GPU don aiki yadda ya kamata.
Maimakon haka, bari mu yi ƙoƙari mu yi tunani kamar Snowden. Ma'aikaci na iya gudanar da aikin injiniya ta fuskar fuska da fuska kuma zai yiwu ta gano wasu bayanai game da mutumin da take son fasa kalmar sirrinsa. Misali, gano idan an taɓa yin kutse a cikin asusun mutumin na kan layi kuma bincika kalmar sirrin su ta bayyananniyar kowane mahimmin bayani.
Kuma wannan shine yanayin da na yanke shawarar tafiya dashi. Bari mu ɗauka cewa wani mai ciki ya sami labarin cewa an yi wa ubangidansa, Cruella, kutse sau da yawa akan albarkatun yanar gizo daban-daban. Bayan nazarin da yawa daga cikin waɗannan kalmomin shiga, ya gane cewa Cruella ya fi son yin amfani da tsarin sunan ƙungiyar ƙwallon kwando "Yankees" wanda shekara ta yanzu - "Yankees2015".
Idan yanzu kuna ƙoƙarin sake haifuwa wannan a gida, to zaku iya zazzage ƙaramin, "C" , wanda ke aiwatar da DCC hashing algorithm, da kuma tattara shi. , Af, ƙarin tallafi ga DCC, don haka ana iya amfani da shi. Bari mu ɗauka cewa mai ciki baya so ya damu da koyo John the Ripper kuma yana son yin "gcc" akan lambar C na gado.
Da yake nuna matsayin mai ciki, na gwada haɗuwa daban-daban kuma a ƙarshe na sami damar gano kalmar sirrin Cruella shine "Yankees2019" (duba ƙasa). An Kammala Ofishin Jakadancin!
Ƙwararrun injiniyan zamantakewa, ɗimbin saɓo da ɗan ɗanɗano na Maltego kuma kuna kan hanyar ku don fasa zaren DCC.
Ina ba da shawarar mu ƙare a nan. Za mu koma kan wannan batu a cikin wasu posts kuma mu duba ma fi jinkiri da hanyoyin kai hari, ci gaba da ginawa kan ingantattun kayan aikin Impacket.
source: www.habr.com