Bhunter - hacking botnet nodes

Virus analysts and computer security researchers compete to collect as many samples of new botnets as possible, as quickly as possible. For their own purposes they use honeypots... But what if you want to observe malware in real conditions? Put your own server or router at risk? What if there are no suitable tools for this? These were the questions that led me to create bhunter, a tool for gaining access to botnet nodes.


The main idea

There are many ways to spread malware in order to grow a botnet, from phishing to exploiting 0-day vulnerabilities. But the most common method is still brute-forcing SSH passwords.

The idea is very simple. If some botnet node is brute-forcing passwords on your server, then most likely that node itself was captured by brute-forcing simple passwords. This means that to get into it, you only need to repeat the same thing.

This is exactly how bhunter works. It listens on port 22 (the SSH service) and records all the logins and passwords that are tried against it. Then, using the collected passwords, it tries to connect to the attacking nodes.

How it works

The program can be divided into two main parts, which run in separate threads. The first is the honeypot. It registers login attempts, collects the logins and passwords (a login + password pair is counted as a single unit), and also adds the IP addresses that tried to connect to a queue for a subsequent attack.

The second is responsible for the attack itself. The attack is carried out in two modes: BurstAttack brute-forces logins and passwords from the general list, and SingleShotAttack brute-forces only the passwords that the attacking node used but that have not yet been added to the general list.

So that there is at least some database of logins and passwords immediately after launch, bhunter is initialized with lists from the file /etc/bhunter/defaultLoginPairs.
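The two-thread design above, written out as an added example (this is not bhunter's own code and nothing here is taken from the project's repository): a credential store that the honeypot thread fills and the attack thread reads, with the two attack modes as separate plans. The "login:password" line format of the default-pairs file, the class and method names, and the honeypot observations in demo() are all assumptions constructed for the example.

```python
"""Credential store and attack-mode selection, modelled on the two-thread
design described above.  Added example, not bhunter's own code: the class,
method and file-format names are assumptions, and the default pairs and
honeypot observations are constructed inline."""
import threading
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

Pair = Tuple[str, str]  # a login + password pair is one unit, as in the article

# Constructed stand-in for /etc/bhunter/defaultLoginPairs; the "login:password"
# line format is an assumption, not taken from the project.
DEFAULT_LOGIN_PAIRS = """\
root:root
root:123456
admin:admin
pi:raspberry
"""


def parse_login_pairs(text: str) -> List[Pair]:
    """Parse login:password lines; only the first ':' splits, so passwords may contain ':'."""
    pairs: List[Pair] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        login, _, password = line.partition(":")
        pairs.append((login, password))
    return pairs


@dataclass
class CredentialStore:
    """State shared by the honeypot thread (writer) and the attack thread (reader)."""
    general: List[Pair] = field(default_factory=list)        # the general list, in order
    seen_by_ip: Dict[str, List[Pair]] = field(default_factory=dict)
    targets: Deque[str] = field(default_factory=deque)      # attacker IPs queued for attack
    lock: threading.Lock = field(default_factory=threading.Lock, repr=False, compare=False)

    def __post_init__(self) -> None:
        self._general_set: Set[Pair] = set(self.general)

    def record_attempt(self, ip: str, login: str, password: str) -> None:
        """Honeypot side: remember what this attacker tried and queue the attacker."""
        pair = (login, password)
        with self.lock:
            per_ip = self.seen_by_ip.setdefault(ip, [])
            if pair not in per_ip:
                per_ip.append(pair)
            if ip not in self.targets:
                self.targets.append(ip)

    def promote(self, pair: Pair) -> None:
        """Add a pair to the general list (e.g. once it has opened some node)."""
        with self.lock:
            if pair not in self._general_set:
                self._general_set.add(pair)
                self.general.append(pair)

    def single_shot_plan(self, ip: str) -> List[Pair]:
        """SingleShotAttack: only the pairs this attacker used that are not yet in the general list."""
        with self.lock:
            return [p for p in self.seen_by_ip.get(ip, []) if p not in self._general_set]

    def burst_plan(self) -> List[Pair]:
        """BurstAttack: the whole general list."""
        with self.lock:
            return list(self.general)

    def plan_attack(self, ip: str) -> List[Pair]:
        """Attack side: the attacker's own pairs first (the node was most likely
        taken with one of them), then the general list.  This ordering is an
        assumption about how the two modes would be combined."""
        return self.single_shot_plan(ip) + self.burst_plan()

    def next_target(self) -> str:
        """Pop the next attacker IP from the queue (raises IndexError when empty)."""
        with self.lock:
            return self.targets.popleft()


def demo() -> CredentialStore:
    """Constructed scenario: two attackers hit the honeypot with a few pairs each."""
    store = CredentialStore(general=parse_login_pairs(DEFAULT_LOGIN_PAIRS))
    store.record_attempt("203.0.113.5", "root", "123456")    # already in the general list
    store.record_attempt("203.0.113.5", "root", "Passw0rd!")  # new: SingleShot candidate
    store.record_attempt("203.0.113.5", "ubnt", "ubnt")       # new: SingleShot candidate
    store.record_attempt("198.51.100.7", "root", "root")      # nothing new from this one
    return store
```

The point of keeping the per-attacker pairs separate from the general list is that a SingleShot plan stays short and specific: for the first attacker in demo() it contains only the two pairs not already in the defaults, while the second attacker contributes nothing new and is attacked with the general list alone. Once a pair opens a node, promote() moves it into the general list so later BurstAttack runs pick it up.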

Interface

There are several ways to launch bhunter:

With a single command

sudo bhunter

When launched this way, bhunter can be controlled through its menu: add logins and passwords for the attack, export the login and password lists, specify a target to attack. All hacked nodes can be seen in the file /var/log/bhunter/hacked.log

Using tmux

sudo bhunter-ts # launch bhunter inside tmux
sudo tmux attach -t bhunter # attach to the session in which bhunter is running

Tmux is a terminal multiplexer, a very handy tool. It lets you create several windows in one terminal and split windows into panes. With it you can leave the terminal and come back later without interrupting the running processes.

The bhunter-ts script creates a tmux session and splits the window into three panes. The first, the largest, contains the menu. The top right pane holds the honeypot log, where you can see messages about attempts to log into the honeypot. The lower right pane shows the progress of the attacks on botnet nodes and reports successful hacks.

The advantage of this method over the first is that we can close the terminal and return to it later without bhunter stopping its work. For those who are not very familiar with tmux, I recommend this cheat sheet.

As a service

systemctl enable bhunter
systemctl start bhunter

In this case we enable bhunter to start automatically at system boot. In this mode no interaction with bhunter is provided, and the list of hacked nodes can be read from /var/log/bhunter/hacked.log

Effectiveness

While working on bhunter, I managed to find and gain access to completely different devices: Raspberry Pi boards, routers (especially MikroTik), web servers, and once a mining farm (unfortunately, I got into it during the daytime, so there is no exciting story). Here is a screenshot of the program showing the list of hacked nodes after a few days of work:

[Screenshot: Bhunter - hacking botnet nodes]

Unfortunately, the effectiveness of this tool did not live up to my expectations: bhunter can try passwords for a couple of days without success, and then hack several targets in a couple of hours. But this is enough for a steady influx of new botnet samples.

Effectiveness is affected by things like: the country where the server running bhunter is located, the hosting provider, and the IP address range it was assigned. In my experience, there was a case when I rented two virtual servers from the same host, and one of them was attacked by botnets twice as often.

Bugs I haven't fixed yet

When attacking infected hosts, in some situations it is impossible to determine whether the password is correct or not. Such situations are recorded in the file /var/log/debug.log.

The Paramiko module, which is used for working with SSH, sometimes behaves incorrectly: it does not always wait for a response from the host when trying to connect to it. I experimented with timers but did not get the desired result.
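One way to cope with both problems above (an attempt whose result cannot be classified, and a connect call that never returns) is to make every login attempt return one of three verdicts instead of two, and to bound the whole attempt with a watchdog thread rather than relying on the library's own timeouts. This is an added example, not bhunter's code and not the author's fix; the Outcome names, the connector interface and the fake connectors at the bottom are assumptions constructed so the logic runs without a network. The paramiko_connector() function uses real paramiko APIs but is only called when paramiko is installed.

```python
"""Three-valued login attempt with a hard deadline.  Added example, not
bhunter's code: it separates 'wrong password' from 'no verdict' and bounds
each attempt with a watchdog thread.  Names are assumptions; the fake
connectors at the bottom are constructed so the logic runs offline."""
import enum
import threading
from typing import Callable

try:  # classify with paramiko's real exception types when it is installed
    from paramiko.ssh_exception import AuthenticationException, SSHException
except ImportError:  # assumption: minimal stand-ins so the decision logic still runs
    class SSHException(Exception):
        pass

    class AuthenticationException(SSHException):
        pass


class Outcome(enum.Enum):
    SUCCESS = "success"  # the pair opened the host
    WRONG = "wrong"      # the server explicitly rejected the pair
    UNKNOWN = "unknown"  # no verdict: timeout, hang, reset, banner/KEX failure


# connect(host, login, password) returns normally on success and raises otherwise
Connector = Callable[[str, str, str], None]


def attempt_login(connect: Connector, host: str, login: str, password: str,
                  deadline: float = 15.0) -> Outcome:
    """Run connect() in a daemon thread and classify what happened.

    Only AuthenticationException means the pair is wrong.  Everything else,
    including the thread never returning by the deadline, is UNKNOWN, so the
    caller can re-queue the pair instead of discarding a possibly valid one.
    """
    result: dict = {}

    def worker() -> None:
        try:
            connect(host, login, password)
            result["ok"] = True
        except Exception as exc:  # classified below, not swallowed
            result["exc"] = exc

    # daemon=True: a thread stuck inside connect() cannot be killed in Python,
    # but at least it will not keep the process alive at exit.
    t = threading.Thread(target=worker, daemon=True)
    t.start()
    t.join(deadline)
    if t.is_alive():
        return Outcome.UNKNOWN  # connect() hung past the deadline
    if "ok" in result:
        return Outcome.SUCCESS
    exc = result["exc"]
    if isinstance(exc, AuthenticationException):
        return Outcome.WRONG
    if isinstance(exc, (SSHException, OSError, EOFError)):
        return Outcome.UNKNOWN  # network or protocol trouble, not a verdict
    raise exc  # programming error: surface it instead of mislabelling it


def paramiko_connector(timeout: float = 5.0) -> Connector:
    """The real connector (requires paramiko).  timeout, banner_timeout and
    auth_timeout are SSHClient.connect's own parameters (auth_timeout needs
    paramiko 2.6 or newer); attempt_login's watchdog covers the cases where
    they are not honoured."""
    import paramiko

    def connect(host: str, login: str, password: str) -> None:
        client = paramiko.SSHClient()
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        try:
            client.connect(host, username=login, password=password,
                           timeout=timeout, banner_timeout=timeout, auth_timeout=timeout,
                           allow_agent=False, look_for_keys=False)
        finally:
            client.close()

    return connect


# Constructed stand-ins for the behaviours an infected host can show.
def accepting_connector(host: str, login: str, password: str) -> None:
    return None  # the pair works


def rejecting_connector(host: str, login: str, password: str) -> None:
    raise AuthenticationException("Authentication failed.")


def resetting_connector(host: str, login: str, password: str) -> None:
    raise ConnectionResetError("peer reset the connection")


def hanging_connector(host: str, login: str, password: str) -> None:
    threading.Event().wait(60)  # never answers, like the behaviour described above
```

With this split, a pair that produced UNKNOWN goes back into the queue for a later retry, and only pairs that produced WRONG are struck off. The cost of the watchdog is that a hung worker thread stays around until the process exits, so the number of concurrent attempts per target should be bounded.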

What else needs work?

Identification string (the server banner)

According to RFC 4253 (section 4.2), the client and server each send an identification string before key exchange begins. It has the form "SSH-protoversion-softwareversion SP comments", and the softwareversion part names the implementation (this is not the "service name" such as ssh-userauth, which is requested later in the protocol). The string is plain text, and its value can be seen with wireshark or with nmap, which maps it to a product name. Here is an example for OpenSSH:

$ nmap -p 22 ***.**.***.** -sV
Starting Nmap ...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

However, in Paramiko's case the string is the library default, SSH-2.0-paramiko_<version>, which nmap reports as something like "Paramiko Python sshd 2.4.2". That can scare off botnets designed to avoid traps. So I think it is worth replacing this string with something more neutral.
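The identification string, handled end to end as an added example (not bhunter's code): build and validate one according to RFC 4253 section 4.2, parse one, check for the tell described above, and apply a neutral string to a Paramiko server Transport. The two strings compared are constructed from the nmap output above and Paramiko's default; the function and constant names are assumptions. Transport.local_version is the real paramiko attribute that carries the outgoing identification string.

```python
"""Identification strings as defined in RFC 4253, section 4.2: build and
validate one, parse one, and apply a neutral one to a Paramiko server
Transport.  Added example, not bhunter's code.  The two strings compared
here are constructed; the function and constant names are assumptions."""
import re
from typing import NamedTuple, Optional

# Wire format: SSH-protoversion-softwareversion SP comments CR LF
# softwareversion is printable US-ASCII with no whitespace and no '-';
# the whole line including CR LF is at most 255 bytes.
_SOFTWARE_RE = re.compile(r"[\x21-\x2c\x2e-\x7e]+")  # printable ASCII minus SP and '-'
_IDENT_RE = re.compile(r"^SSH-(\d+\.\d+)-([\x21-\x2c\x2e-\x7e]+)(?: (.*))?$")


class Identification(NamedTuple):
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def build_identification(softwareversion: str, comments: Optional[str] = None) -> bytes:
    """Return the CR LF terminated line a server sends first."""
    if not _SOFTWARE_RE.fullmatch(softwareversion):
        raise ValueError("softwareversion must be printable ASCII with no whitespace or '-'")
    if comments is not None and ("\r" in comments or "\n" in comments):
        raise ValueError("comments must not contain CR or LF")
    line = f"SSH-2.0-{softwareversion}" + (f" {comments}" if comments else "")
    wire = (line + "\r\n").encode("ascii")
    if len(wire) > 255:
        raise ValueError("identification string longer than 255 bytes")
    return wire


def parse_identification(wire: bytes) -> Identification:
    """Split a received line into its three parts; raises on anything else."""
    line = wire.decode("ascii", errors="strict").rstrip("\r\n")
    m = _IDENT_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Identification(m.group(1), m.group(2), m.group(3))


# Paramiko's default (nmap labels it "Paramiko Python sshd 2.4.2") versus
# the string behind the OpenSSH nmap output quoted above.
PARAMIKO_DEFAULT = b"SSH-2.0-paramiko_2.4.2\r\n"
OPENSSH_LIKE = build_identification("OpenSSH_7.9p1", "Debian-10+deb10u2")


def names_a_library(wire: bytes) -> bool:
    """The cheap check a trap-aware bot could make before spending an attempt."""
    return parse_identification(wire).softwareversion.lower().startswith("paramiko")


def honeypot_transport(sock, server_key, ident: bytes = OPENSSH_LIKE):
    """Attach the chosen string to a paramiko server Transport (requires paramiko).

    Transport.local_version is the attribute paramiko sends as its own
    identification string; it must be replaced before start_server() so the
    new value is what goes on the wire.
    """
    import paramiko

    t = paramiko.Transport(sock)
    t.local_version = ident.decode("ascii").rstrip("\r\n")
    t.add_server_key(server_key)
    return t  # the caller continues with t.start_server(server=<ServerInterface>)
```

The banner is only the first tell. The algorithm lists Paramiko offers in its KEXINIT and its host key are still not those of a real OpenSSH 7.9p1, so a careful bot could tell the two apart further into the handshake; a neutral banner only removes the cheapest check.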

Other vectors

SSH is not the only method of remote control. There are also telnet and RDP. They are worth looking at as well.

Scaling

It would be great to have many traps in different countries and to collect the logins, passwords and hacked nodes from all of them centrally, into a single storage.

Where can I download it?

At the time of writing, only a test version is ready, which can be downloaded from the repository on GitHub.

Source: www.hab.com
