Writing a Reverse SOCKS5 proxy in PowerShell. Part 1

A story of research and development in three parts. Part 1 is the exploratory one.
Lots of letters, lots of benefit.

Problem statement

During pentests and Red Team engagements, it is not always possible to use the customer's standard tools, such as VPN, RDP, Citrix, etc., as an anchor for getting into the internal network. In some places the standard VPN works with MFA and a hardware token as the second factor; in others it is monitored and our VPN login is noticed immediately, as they say, with all that follows; and in some places there is simply nothing of the kind.

In such cases we have to build so-called "reverse tunnels": connections from the internal network to an external resource or a server that we control. Inside such a tunnel we can then work with the customer's internal resources.

There are several different kinds of these reverse tunnels. The best known of them, of course, is Meterpreter. SSH tunnels with reverse port forwarding are also in great demand among the hacker crowd. There are many ways to implement a reverse tunnel, and many of them have been well studied and described.
Of course, the developers of security solutions do not stand still either, and actively detect such activity.
For example, MSF sessions are detected well by modern IPS from Cisco or Positive Technologies, and a reverse SSH tunnel can be detected by almost any normal firewall.

So, to stay undetected in a proper Red Team engagement, we need to build a reverse tunnel using non-standard methods, adapted as closely as possible to the network's real operating profile.

Let's try to find or build something like that.

Before building anything, we need to understand what result we want to achieve and what functions our development must have. What are the requirements for a tunnel that lets us operate in maximum stealth mode?

Clearly the requirements differ greatly from case to case, but based on practical experience the main ones can be identified:

  • it must work on Windows 7-10, since most corporate networks run Windows;
  • the client connects to the server over SSL, to avoid trivial eavesdropping by an IPS;
  • in addition, the client must support working through a proxy server with authorization, because in many companies Internet access goes through a proxy. In fact, the client machine may know nothing about it, with the proxy used in transparent mode. But we have to provide this functionality;
  • the client part should be compact and portable;
    Obviously, to work inside the Customer's network you could install OpenVPN on the client machine and build a full tunnel to your server (fortunately, OpenVPN clients can work through a proxy). But, first, this will not always work, since we may not be local administrators there, and second, it makes so much noise that a decent SIEM or HIPS will "catch" us immediately. Ideally, our client should be a so-called inline command, the way many bash one-liners are implemented, launched from the command line, for example when executing commands from a Word macro.
  • our tunnel must hold many connections at the same time;
  • the client connection must have some kind of authorization, so that the tunnel is established only for our client and not for everyone who comes to our server at the given address and port. Ideally, "third-party visitors" should be shown a landing page with cats, or with business topics relevant to the source domain.
    For example, if the Customer is a medical organization, then an information security administrator who decides to check the resource a medical employee visited should see a page with pharmaceutical products, a Wikipedia entry describing a diagnosis, Dr. Komarovsky's blog, etc.

Analysis of existing tools

Before reinventing your own bicycle, you need to survey the existing bicycles and understand whether we really need one and whether, probably, we are not the only ones who have thought about the need for such a functional bicycle.

Googling (we seem to be able to google normally), as well as searching GitHub for the keywords "reverse socks", did not give many results. Basically, everything comes down to building SSH tunnels with reverse port forwarding and everything related to it. Besides SSH tunnels, there are several solutions:

github.com/klsecservices/rpivot
A long-standing implementation of a reverse tunnel from the guys at Kaspersky Lab. The name makes the purpose of this script clear. Implemented in Python 2.7, the tunnel works in cleartext mode (as it is fashionable to say now: hello, RKN).

github.com/tonyseek/rsocks
Another implementation in Python, also in cleartext, but with more features. It is written as a module and has an API for integrating the solution into your own projects.

github.com/llkat/rsockstun
github.com/mis-team/rsockstun
The first link is the original version of a reverse socks implementation in Golang (no longer supported by its developer).
The second link is our fork with additional features, also in Golang. In our version we implemented SSL, operation through a proxy with NTLM authorization, client authorization, a landing page in case of a wrong password (or rather, a redirect to the landing page), multi-threaded mode (i.e. several people can work with the tunnel at the same time), and a client pinging system to determine whether it is alive or not.

github.com/jun7th/tsocks
An implementation of reverse socks from our "Chinese friends" in Python. There, for the lazy and the "immortal", a ready-made binary (exe) is available, assembled by the Chinese and ready for use. Here, only the Chinese god knows what else is inside this binary besides the main functionality, so use it at your own risk.

github.com/securesocketfunneling/ssf
A rather interesting project in C++ implementing reverse socks and more. Besides the reverse tunnel, it can do port forwarding, create a command shell, etc.

MSF meterpreter
Here, as they say, no comment. Every more or less educated hacker is very familiar with this thing and understands how easily it is detected by security tools.

All the tools described above work on a similar principle: a pre-built binary module is launched on a machine inside the network and establishes a connection to an external server. The server runs a SOCKS4/5 server that accepts connections and relays them to the client.

The drawback of all the tools above is that either Python or Golang must be installed on the client machine (how often have you seen Python installed on the machine of, say, a company director or an office worker?), or a pre-built binary (essentially Python plus the script in one bottle) must be dragged onto that machine and launched there. And downloading an exe and then launching it is itself a signature for the local antivirus or HIPS.

In general, the conclusion suggests itself: we need a PowerShell solution. Now the tomatoes will fly at us: they say PowerShell is already worn out, monitored, blocked, and so on and so forth. Actually, not everywhere. We state this responsibly. By the way, there are plenty of ways to bypass the blocking (here again a fashionable phrase about hello RKN 🙂), starting with the banal renaming of powershell.exe -> cmdd.exe and ending with powerdll, etc.

Let's start composing

Naturally, first we look at Google and... find nothing on this topic (if anyone does, post the links in the comments). There is only an implementation of Socks5 in PowerShell, but it is an ordinary "forward" socks with a number of drawbacks (we'll talk about them later). You can, of course, with a slight movement of the hand turn it into a reverse one, but it would still be a single-threaded socks, which is not what we need.

So, we found nothing ready-made and have to reinvent our own wheel. As the basis for our bicycle we take our own development, the reverse socks in Golang, and implement a client for it in PowerShell.

RSocksTun
So how does rsockstun work?

RsocksTun (hereinafter rs) is built on two software components: Yamux and a Socks5 server. The Socks5 server is an ordinary local socks5, and it runs on the client. Multiplexing of connections to it (remember the multithreading requirement?) is provided by yamux (yet another multiplexer). This scheme lets us launch several client-side socks5 servers and distribute external connections among them, forwarding them over a single TCP connection (almost like in meterpreter) from the client to the server, thereby implementing a multi-threaded mode, without which we simply cannot work fully inside internal networks.

The essence of yamux is that it introduces an additional network layer of streams, implemented as a 12-byte header on every packet. (Here we deliberately use the word "stream" rather than "thread", so as not to confuse the reader with a program flow of execution; we will use this term throughout the article.) The yamux header contains the stream number, flags for opening/closing the stream, the number of bytes transferred, and the size of the transfer window.


Besides opening/closing a stream, yamux implements a keepalive mechanism that lets you monitor the health of the established communication channel. Keepalive behaviour is configured when the Yamux session is created. In fact, there are only two settings: enable/disable and the sending interval in seconds. Keepalive messages can be sent by either the yamux server or the yamux client. On receiving a keepalive message, the remote side must respond by sending back the same message identifier (actually a number) that it received. In general, keepalive is the same old ping, only for yamux.
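To make the two paragraphs above concrete, here is an added example (not code from the article, rsockstun or the yamux library) that encodes and decodes the 12-byte yamux frame header and implements the responder side of the keepalive ping. Field offsets, frame types and flag values follow the published yamux specification; the sample stream number, payload and ping value are constructed for the example, and the function names (`Encode`, `Decode`, `HandleKeepalive`) are this example's own, not yamux API names.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame types and flags as defined in the yamux specification.
const (
	headerSize = 12

	typeData         byte = 0x0 // carries stream payload; Length = payload size
	typeWindowUpdate byte = 0x1 // Length = window delta
	typePing         byte = 0x2 // Length = opaque ping value, echoed back in the ACK
	typeGoAway       byte = 0x3 // session teardown

	flagSYN uint16 = 0x1 // open a stream / start a ping
	flagACK uint16 = 0x2 // acknowledge a stream open / answer a ping
	flagFIN uint16 = 0x4 // half-close a stream
	flagRST uint16 = 0x8 // abort a stream
)

// Header is the decoded 12-byte yamux header described in the article.
type Header struct {
	Version  byte
	Type     byte
	Flags    uint16
	StreamID uint32
	Length   uint32
}

// Encode serializes the header; every multi-byte field is big-endian on the wire.
func (h Header) Encode() []byte {
	buf := make([]byte, headerSize)
	buf[0] = h.Version
	buf[1] = h.Type
	binary.BigEndian.PutUint16(buf[2:4], h.Flags)
	binary.BigEndian.PutUint32(buf[4:8], h.StreamID)
	binary.BigEndian.PutUint32(buf[8:12], h.Length)
	return buf
}

// Decode parses a header and rejects short input, unknown versions and unknown types,
// which is what a strict parser (or a traffic inspector) has to check before trusting Length.
func Decode(b []byte) (Header, error) {
	if len(b) < headerSize {
		return Header{}, errors.New("yamux: short header")
	}
	h := Header{
		Version:  b[0],
		Type:     b[1],
		Flags:    binary.BigEndian.Uint16(b[2:4]),
		StreamID: binary.BigEndian.Uint32(b[4:8]),
		Length:   binary.BigEndian.Uint32(b[8:12]),
	}
	if h.Version != 0 {
		return Header{}, fmt.Errorf("yamux: unsupported version %d", h.Version)
	}
	if h.Type > typeGoAway {
		return Header{}, fmt.Errorf("yamux: unknown frame type %d", h.Type)
	}
	return h, nil
}

// HandleKeepalive is the responder side of the ping from the article: a Ping frame with SYN
// is answered by a Ping frame with ACK carrying the same opaque value. Other frames yield nil.
func HandleKeepalive(h Header) []byte {
	if h.Type != typePing || h.Flags&flagSYN == 0 {
		return nil
	}
	return Header{Type: typePing, Flags: flagACK, StreamID: 0, Length: h.Length}.Encode()
}

func main() {
	// Constructed sample: the client opens stream 1 (client-initiated streams use odd IDs)
	// and sends a 5-byte payload in the same frame.
	open := Header{Type: typeData, Flags: flagSYN, StreamID: 1, Length: 5}
	wire := append(open.Encode(), []byte("hello")...)
	h, _ := Decode(wire)
	fmt.Printf("stream %d type %d flags %#x len %d payload %q\n",
		h.StreamID, h.Type, h.Flags, h.Length, wire[headerSize:headerSize+h.Length])

	// Constructed keepalive exchange: ping value 42 in, ping ACK with value 42 out.
	ping := Header{Type: typePing, Flags: flagSYN, Length: 42}
	reply, _ := Decode(HandleKeepalive(ping))
	fmt.Printf("ping %d -> ack %d (flags %#x)\n", ping.Length, reply.Length, reply.Flags)
}
```

Note that the same `Length` field means three different things depending on `Type`: payload size for Data, window delta for Window Update, and the opaque value for Ping. A parser that reads `Length` bytes of payload after every header regardless of type will desynchronize on the first ping, which is worth remembering both when writing the PowerShell client and when writing detection logic for this protocol.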

The whole mechanism of the multiplexer (packet types, connection setup and termination flags, and the data transfer mechanism) is described in the yamux specification.

Conclusion of the first part

So, in the first part of the article we got acquainted with several tools for setting up reverse tunnels, looked at their advantages and disadvantages, studied how the Yamux multiplexer works, and described the basic requirements for the future PowerShell module. In the next part we will develop the module itself, practically from scratch. To be continued. Stay tuned :)

Source: www.habr.com
