This article is based on a very successful penetration test that Group-IB specialists carried out a couple of years ago: a story happened that could be filmed in Hollywood. Now, the reader's reaction is probably: "Well, here we go, another PR article, these people are scaring us about something again, telling us how great they are, and don't forget to buy a pentest." Well, on the one hand, yes. But there are several other reasons this article is being published. I wanted to show what exactly a pentester does, how interesting and far from simple this work is, what odd situations can arise on a project, and, most importantly, to show live material with real examples.
To restore the world's balance of modesty, a little later I will write about a pentest that did not go well. It will show how properly designed processes inside a company can protect against a whole class of attacks, even well-prepared ones, simply because those processes exist and actually work.
For the client in this article, everything was generally good, in our opinion, better than at least 95% of the Russian market, but there were many small nuances that formed a long chain of events, a long report on the work, and then this article.
So, grab your popcorn and welcome to a detective story. The floor goes to Pavel Suprunyuk, technical manager of the Audit and Consulting department at Group-IB.
Part 1. Doctor
2018. The client is a high-tech IT company that itself provides services to many customers. It wanted to know the answer to the question: "Is it possible, working over the Internet without any initial knowledge or access, to obtain Active Directory domain administrator privileges?" Social engineering was not of interest (
Let us call the client, including its main website, "Company".
I do network reconnaissance: I look up the addresses and domains registered to the client, draw a network diagram and find out how services are distributed across these addresses. The result: more than 4000 live IP addresses. I look at the domains of these networks. Fortunately, most of them are networks intended for the client's own customers, and formally we are not interested in those. The client thinks the same.
That leaves XNUMX network with 256 addresses. At this point the distribution of domains and subdomains per IP address is already understood and there is port-scan data, so I can look at the services on the interesting ports. In parallel, all kinds of scanners are launched against the reachable IP addresses and separately against the websites.
There were a lot of services. Normally that is a joy for a pentester: the more services, the wider the attack surface, the easier it is to find artifacts, and the higher the expectation of a win. A closer look at the websites showed that most of them were web interfaces of well-known products from large global vendors, and by all appearances not up to date. Some asked for a username and password, some asked for a XNUMXth factor, some demanded a TLS client certificate, and some redirected to Microsoft ADFS. Some were not reachable from the Internet at all. For some you clearly need a special paid client costing XNUMX salaries, or you need to know the exact URL to enter. I will skip the XNUMX weeks of gradually growing despair in the process of trying to break in through software versions with known vulnerabilities, searching for hidden content in web paths and for accounts leaked from third-party services such as LinkedIn, and trying to guess passwords with them, as well as digging for vulnerabilities in self-developed websites, which, by the way, according to statistics, is the most promising vector of external attacks today. I will come back to it in the sequel that comes out later.
So, out of hundreds of services, XNUMX sites stood out. These sites had XNUMX thing in common: if you do not do meticulous network reconnaissance by domain, but instead look for open ports head-on or point a vulnerability scanner at a known IP range, these sites escape scanning and would simply not be visible without knowing the DNS name. Perhaps that is why they had been overlooked before, at least until then. And even when pointed directly at these resources, our automated tools found no problems with them.
By the way, it is worth recalling what the scanners launched earlier had found in general, since for some people "penetration test" equals "automated scan". But the scanners said nothing on this project. Well, the maximum was medium-severity findings (3 out of 5 on the severity scale): some services had invalid TLS certificates or outdated cipher suites, and most sites were subject to clickjacking. But that will not get you to the goal. Perhaps scanners are more useful elsewhere, but remember: the client can buy such a program and test itself, and judging by the meagre results, it had already done so.
Let us return to the "anomalous" sites. The first is something like a local wiki on a non-standard address; in this article it will be wiki.company[.]ru. It immediately asked for a login and password, but via browser NTLM. For the user this looks like an ascetic window asking for a username and password. And that is bad practice.
A short note. NTLM on perimeter websites is bad for several reasons. The XNUMXth reason is that the Active Directory domain name is disclosed. In this example it turned out to be company.ru, the same as the "external" DNS name. Knowing this, one can carefully prepare something malicious so that it runs only on the organisation's domain machines and not in a sandbox. Next, authentication goes via NTLM straight through the domain controller (surprise?), with all the features of the "internal" network policy, including lockout after the number of password attempts for an account is exceeded. If an attacker finds login names, they will try passwords. If accounts are configured to lock after wrong passwords are entered, this works and the accounts get locked. Third, it is impossible to add a XNUMXth factor to such authentication. If any reader still knows a way, please tell me, it would be very interesting. Number XNUMX is vulnerability to pass-the-hash attacks. ADFS was invented, among other things, to protect against all of this.
Microsoft products have XNUMX bad property: even if you did not specifically expose such NTLM, it ends up installed by default at least in OWA and Lync.
Incidentally, the author of this article once accidentally locked the accounts of about 1000 employees of a large bank in just XNUMX hours by the same trick, and it was a little scary at the time. The bank's IT service was alarmed too, but everything ended well and properly, and we were even praised for being the first to discover the problem and for a quick, decisive fix.
The 10th site's address was clearly some kind of "surname.company.ru". I found it via Google; on page XNUMX there was something like this. The design dated from the early XNUMXs, and from the main page a respectable man looked out at me, something like this:
Here there was a still from "Heart of a Dog", but believe me, it looked somewhat similar, even the colour scheme was in the same tones. Let us call the site preobrazhensky.company.ru.
This was the personal website of a urologist. I wondered what a urologist's site was doing on a subdomain of a high-tech company. Digging further into Google, I found that this doctor was a co-founder of the client's legal entity and had contributed about 1000 roubles to the authorised capital. The site had probably been created many years ago, using the client's server resources as hosting. It had long since lost any relevance, but for some reason kept running for a long time.
In terms of vulnerabilities, the website itself was safe. Looking ahead, I can say it was a set of static pages, plain HTML with inserted illustrations in the form of kidneys and bladders. It is pointless to "break" such a site.
ãããããã®äžã® Web ãµãŒããŒã¯ãã£ãšèå³æ·±ããã®ã§ããã HTTP Server ããããŒããå€æãããšãIIS 6.0 ãæèŒãããŠããããªãã¬ãŒãã£ã³ã° ã·ã¹ãã ãšã㊠Windows 2003 ã䜿çšããŠããããšãæå³ããŸãã ã¹ãã£ããŒã¯ããã®ç¹å®ã®æ³å°¿åšç§å»ã® Web ãµã€ãããåã Web ãµãŒããŒäžã®ä»ã®ä»®æ³ãã¹ããšã¯ç°ãªããPROPFIND ã³ãã³ãã«å¿çããWebDAV ãå®è¡ããŠããããšã以åã«ç¹å®ããŠããŸããã ã¡ãªã¿ã«ãã¹ãã£ãã¯ãã®æ å ±ã Info ãšããããŒã¯ã§è¿ããŸãã (ã¹ãã£ã ã¬ããŒãã®èšèã§èšãã°ãããã¯æãå±éºæ§ãäœãããšãæå³ããŸã)ãéåžžããã®ãããªæ å ±ã¯åçŽã«ã¹ããããããŸãã ãããçµã¿åããã£ãŠèå³æ·±ã圱é¿ãäžããŸãããããã㯠Google ã§å床調æ»ããåŸã«åããŠæããã«ãªããŸãããããã¯ãShadow Brokers ã»ããã«é¢é£ããçšãªãããã¡ ãªãŒããŒãããŒã®è匱æ§ãã€ãŸã CVE-2017-7269 ã§ããããã§ã«æ¢è£œã®ãšã¯ã¹ããã€ããååšããŠããŸããã ã€ãŸããWindows 2003 ã䜿çšããŠããŠãWebDAV ã IIS äžã§å®è¡ãããŠããå Žåãåé¡ãçºçããŸãã ãšã¯ããã2003 幎ã®éçšç°å¢ã§ Windows 2018 ãå®è¡ããããšèªäœãåé¡ã§ãã
This exploit eventually landed in Metasploit and was immediately tested with a payload that sends a DNS request to a controlled service; Burp Collaborator was traditionally used to catch the DNS request. To my surprise, it worked the first time: a DNS callback was received. Next I tried to create a back-connect over port 80 (i.e. a network connection from the server to the attacker giving access to cmd.exe on the victim host), but a fiasco followed: the connection was not established, and after the XNUMXth attempt to use the site, it vanished forever, together with all the interesting pictures.
Normally this is followed by a letter of the form "Dear customer, wake up, we have knocked everything over." But I was told that this site had nothing to do with business processes, was running there for no reason at all, like the whole server, and that I could use this resource as I pleased.
About 6.0 days later the site suddenly came back to life. Building a WebDAV test bench on IIS 30, I found that in the default configuration the IIS worker process is restarted every 30 hours. That is, when control left the shellcode, the IIS worker process terminated, restarted itself a few times, and then went idle for XNUMX hours.
Since the back-connect over TCP failed at first, I thought the problem was a closed port. That is, I assumed some kind of firewall that did not let outgoing connections out. I started running shellcode that went through many TCP and UDP ports, to no effect. Reverse-connect payloads over http(s) from Metasploit did not work either: meterpreter/reverse_http(s). Suddenly a connection to the same port 80 was established, and then immediately reset. I attributed this to the actions of a still imaginary IPS that did not like the meterpreter traffic. Given that a pure TCP connection to port 80 did not get through but an HTTP connection did, I concluded that an HTTP proxy was configured somewhere in the system.
I tried meterpreter over DNS (thank you!)
In practice it went like this: 4 to 5 attack attempts within 3 minutes, then a 30-hour wait, and so on for XNUMX weeks in a row. I set a reminder so as not to waste time. On top of that, there was a difference between the behaviour of the test and production environments: for this vulnerability there were XNUMX similar exploits, XNUMX from Metasploit and XNUMX from the Internet, converted from the Shadow Brokers version. So only Metasploit was tested in combat, and only the XNUMXth on the bench, which made debugging even harder and taxed the brain.
In the end, shellcode that downloaded an exe file from a specified server over HTTP and launched it on the target system proved effective. The shellcode was small enough, but at least it worked. Since the server did not like TCP traffic at all and the presence of meterpreter over HTTP was being inspected, I decided the fastest way was to download, through this shellcode, an exe file containing DNS meterpreter.
Here a problem arose: when downloading the exe file, judging by the attempts, the download started and was then interrupted. Again, some "security device" between my server and the urologist did not like HTTP traffic with an exe inside. The "quick" solution was to change the shellcode so that it obfuscated the HTTP traffic on the fly and transferred abstract binary data instead of an exe. In the end the attack succeeded, and control was received over a thin DNS channel.
It immediately became clear that I had the most basic IIS worker privileges, which did not let me do anything. In the Metasploit console it looked like this:
All penetration testing methodologies strongly suggest escalating privileges once access is obtained. I usually do not do this locally, because the first access is seen simply as a network entry point, and compromising another machine on the same network is usually easier and faster than escalating privileges on an existing host. But this did not apply here, because the DNS channel is very narrow and will not carry the traffic.
Assuming that the famous MS17-010 vulnerability on this Windows 2003 server had not been patched, I tunnelled traffic to port 445/TCP on localhost through the meterpreter DNS tunnel (yes, that is possible too) and tried to run the previously downloaded exe against the vulnerability. The attack worked and I received a XNUMXth connection, this time with the needed SYSTEM privileges.
Interestingly, they had still tried to protect the server from MS17-010: the vulnerable network service was disabled on the external interface. That protects against attacks over the network, but since SMB cannot be disabled on localhost, the attack from localhost worked.
Next, new interesting details came to light:
- With SYSTEM privileges, a back-connect over TCP is established easily. Evidently, the blocking of direct TCP is a problem strictly for the restricted IIS user. Spoiler: the IIS user's traffic was somehow wrapped into a local ISA proxy in both directions. I have not reproduced exactly how that works.
- I am in a certain "DMZ" (this is not an Active Directory domain but a WORKGROUP), which sounds logical. But instead of the expected private ("grey") IP address, I have a completely "white" IP address, exactly the same as the one attacked earlier. This means the company is so old in the world of IPv4 addressing that it can afford to keep a DMZ zone of 2005 white addresses without NAT, following the scheme described in the Cisco manuals of 128.
The server is old, so Mimikatz is guaranteed to work straight from memory.
I get the local administrator's password, tunnel RDP traffic over TCP and log in to a comfortable desktop. Since I could do whatever I wanted with the server, I removed the antivirus and found that the server was reachable from the Internet only over TCP ports 80 and 443, and 443 was not in use. I set up an OpenVPN server on 443, added NAT for the VPN traffic and got direct, unrestricted access to the DMZ network through OpenVPN. It is worth noting that ISA had some IPS functions that were not disabled and blocked traffic during port scans, so it had to be replaced with the simpler and more accommodating RRAS. So pentesters still have to administer all sorts of things.
An attentive reader will ask: "What about the XNUMXth site, the wiki with NTLM authentication? So much was written about it." More on that later.
Part 2. Still not encrypting? Then we are already on our way to you
So, we have access to the DMZ network segment. We need to get to domain administrator. The first thing that comes to mind is to automatically check the security of the services inside the DMZ segment, especially since many more of them are now open for research. A typical picture in a penetration test: the external perimeter is better protected than the internal services, and once you gain access inside a large infrastructure, it is much easier to obtain extended rights in the domain, because protecting the domain itself is only just beginning, and in an infrastructure with thousands of hosts there are always several critical problems.
I charge up the scanners against the DMZ through the OpenVPN tunnel and wait. I open the report: nothing serious, apparently someone had gone through the same method before me. The next step is to examine how the hosts in the DMZ network communicate. To do this, I first start the usual Wireshark and listen for broadcast requests (mainly ARP). ARP packets were collected all XNUMX day. It turned out that several gateways are used in this segment. This will come in handy later. Combining ARP request and response data with port-scan data, I discovered the exit points of user traffic from the local network, in addition to previously known services like web mail.
Since at this point I had no access to other systems and not XNUMX account for corporate services, I decided to fish at least some accounts out of the traffic using ARP spoofing.
Cain&Abel was launched on the urologist's server. Taking the identified traffic flows into account, the most promising pairs for a man-in-the-middle attack were selected, and some network traffic was captured through short runs of 5 to 10 minutes, with a timer to reboot the server in case it froze. As in the joke, there were XNUMX pieces of news:
- The good: a lot of credentials were captured and the attack worked overall.
- The bad: all the credentials belonged to the client's own customers. While providing support services, customer specialists connected to customers' services that did not always have traffic encryption configured.
As a result, I obtained a lot of credentials that were useless in the context of the project but definitely interesting as a demonstration of how dangerous the attack is: border routers of large companies with Telnet, debug HTTP ports forwarded to internal CRMs with all their data, direct RDP access from Windows XP on the local network, and other hidden features.
I also found a funny opportunity, pulling letters out of the traffic, like this one. This is an example of a ready-made letter sent from a customer to the customer's SMTP port, again without encryption. A certain Andrey asks his namesake to resend a document, and that document is uploaded to a cloud disk with the login, password and link in XNUMX reply letters.
This is XNUMX more reminder to encrypt all services. It is unknown who exactly will read and use your data and when: the provider, a system administrator of another company, or a pentester like this one. I will keep quiet about the fact that many people can simply intercept unencrypted traffic.
At first glance it looked like success, but this did not bring us closer to the goal. Of course, one could sit for a long time and fish out valuable information, but there was no guarantee it would appear there, and the attack itself is very risky from the point of view of network integrity.
Digging deeper into the services, a more interesting idea came up. There is a utility called Responder (usage examples are easy to find by that name) which, by poisoning broadcast requests, provokes connections over various protocols such as SMB, HTTP, LDAP and so on. It then asks everyone who connects to authenticate, and is set up so that the victim authenticates transparently over NTLM. Most often an attacker collects NetNTLMv2 handshakes this way and quickly recovers users' domain passwords from them with a dictionary. Here I wanted something similar, but the users were sitting "behind a wall", that is, separated by a firewall and accessing the web through a Blue Coat proxy cluster.
Remember that I mentioned the Active Directory domain name matched the "external" domain, i.e. company.ru? So Windows, or more precisely Internet Explorer (as well as Edge and Chrome), lets the user authenticate transparently over HTTP via NTLM if it considers the site to be in the "intranet" zone. XNUMX of the signs of an "intranet" is access to a "grey" IP address or to a short DNS name without dots. Since I had a server with a "white" IP and the DNS name preobrazhensky.company.ru, and domain machines usually receive the Active Directory domain suffix via DHCP to simplify name entry, all I had to do was write the URL in the address bar.
The wonderful Intercepter-NG utility helped me (thank you!).
The Blue Coat proxy through which users accessed the global web periodically cached static content. Intercepting the traffic, it was clear that it worked XNUMX hours a day, endlessly requesting frequently used static content to speed up display during peak hours. In addition, BlueCoat had a specific user agent that clearly distinguished it from real users.
JavaScript was prepared, and using Intercepter-NG it was injected into every response with a JS file for Blue Coat, for XNUMX hours during the night. The script did the following:
- It identified the current browser by User-Agent. If it was Internet Explorer, Edge or Chrome, it kept working.
- It waited until the page DOM was formed.
- It inserted a hidden image into the DOM with a src attribute of the form preobrazhensky:8080/NNNNNNNN.png, where NNN is an arbitrary number so that BlueCoat does not cache it.
- It set a global flag variable to indicate that the injection was done and there was no need to insert the image again.
The browser tried to load this image, but on port 8080 of the compromised server a TCP tunnel to my laptop was waiting for it, where the same Responder was running, requiring the browser to log in via NTLM.
Judging by Responder's logs, people came to the office in the morning, turned on their workstations, and then, not forgetting to "submit" their NTLM handshakes, unwittingly began to access the urologist's server en masse. Handshakes poured in all day, and material for a successful password-recovery attack was clearly accumulating. Responder's logs looked like this:
Mass secret visits by users to the urologist's server
You have probably already noticed that this whole story is built on the principle "everything went well, then unfortunately..., then it was overcome, then everything succeeded". Well, here is the unfortunate part. Of the 2 unique handshakes, not XNUMX was cracked. And that is taking into account that, even on a laptop with a failing processor, these NTLMvXNUMX handshakes are processed at a rate of several hundred thousand attempts per XNUMX second.
I had to arm myself with password-mutation techniques, video cards and a fat dictionary, and wait. After a long time, several accounts with passwords of the form "Q11111111....1111111q" came to light, suggesting that all users had once been forced to come up with very long passwords with different upper- and lower-case letters, which were also supposed to be complex. But you cannot fool an experienced user; that is how he made it easier for himself to remember. In total about 5 accounts were compromised, and only XNUMX of them had valuable rights to services.
Part 3.
So, the first domain accounts were received. Those who have read this far and are not yet asleep will remember that I mentioned a service that does not require a XNUMXth authentication factor: the wiki with NTLM authentication. Of course, the first thing to do was to go there. Digging into the internal knowledge base quickly brought results:
- The company has a WiFi network with domain-account authentication that gives access to the local network. With the current data set this is already a valid attack vector, but you have to go to the office on foot and be somewhere on the premises of the client's office.
- I found instructions saying there is a service where a user, while on the local network, can independently register a "XNUMXth factor" authentication device if they confidently remember their domain login and password. In this case "inside" and "outside" were determined by whether the user could reach that service's port. The port was not reachable from the Internet, but was quite reachable via the DMZ.
Of course, a "XNUMXth factor" in the form of an application on my phone was immediately added to the compromised account. There was a program that could either loudly send a push request to the phone with "Approve"/"Reject" buttons for the action, or quietly show an OTP code on the screen for manual entry. Moreover, the instructions said the first method was the only correct one, but unlike the OTP method, it did not work.
With the "XNUMXth factor" broken, I got access to Outlook Web Access mail and to remote access via Citrix Netscaler Gateway. There was a surprise in the Outlook mail:
In this rare shot you can see how Roskomnadzor helps pentesters
These were the first months after the famous "fan" blocking of Telegram, when whole networks with thousands of addresses became mercilessly unreachable. It became clear why the push did not work right away, and why my "victim" did not raise the alarm over someone starting to use the account during business hours.
Anyone familiar with Citrix Netscaler can imagine that it is usually implemented so that only a picture of the interface is delivered to the user, with actions restricted in every way so that no tools are given to launch third-party applications or transfer data, even through a standard command shell. My "victim", by profession, had only 1C.
Walking around the 1C interface a bit, I found that it had external processing modules. They can be loaded from the interface and run on the client or the server, depending on rights and settings.
I asked my 1C programmer friends to create a processing module that takes a string and executes it. In the 1C language, starting a process looks like this (taken from the Internet). Would you agree that the syntax of the 1C language amazes Russian speakers with its spontaneity?
The processing module ran perfectly and turned out to be what pentesters call a "shell"; Internet Explorer was launched through it.
Earlier, the address of a system for ordering passes to the premises had been found in the mail. I ordered a pass in case I needed to use the WiFi attack vector.
The Internet says the client's office also had delicious free catering, but I still preferred to develop the attack remotely; it is calmer that way.
AppLocker was activated on the application server running Citrix, but it was bypassed. The same Meterpreter was loaded and launched over DNS, since the HTTP version did not want to connect, and at that point I did not yet know the internal proxy address. Incidentally, from this moment the external pentest effectively turned completely into an internal one.
Part 4. Are admin rights for users evil?
A pentester's first task on gaining control of a domain user session is to collect all information about rights in the domain. The BloodHound utility automatically downloads information about users, computers and security groups from the domain controller over LDAP, and over SMB information such as which users have recently logged in where and who is a local administrator.
The typical technique for seizing domain administrator rights boils down to a cycle of monotonous actions:
- Based on the domain accounts already obtained, go to the domain computers where they have local administrator rights.
- Launch Mimikatz and get the cached passwords, Kerberos tickets and NTLM hashes of the domain accounts that recently logged in to that system. Or take a memory image of the lsass.exe process and do the same on your side. This works well on Windows older than 2012R2/Windows 8.1 with default settings.
- Identify where the compromised accounts have local administrator rights. Repeat the first point. At some stage, get administrator rights for the whole domain.
"End of cycle", as 1C programmers would write here.
So, it turned out that our user was a local administrator on only XNUMX host running Windows 7, whose name contained the word "VDI", or "Virtual Desktop Infrastructure", a personal virtual machine. Probably the designer of the VDI service meant that VDI is the user's personal operating system, so the user can change the software environment as they like and the host can still be "reloaded". In general I think the idea is good, but I went to this personal VDI host and built a nest there:
- I installed an OpenVPN client there and created a tunnel to my server over the Internet. The client had to be forced through the same Blue Coat with domain authentication, but OpenVPN, as they say, "just worked".
- I installed OpenSSH on the VDI. Well, really, what is Windows 7 without SSH?
Live it looked like this. Let me remind you that all of this had to be done through Citrix and 1C:
XNUMX of the techniques for advancing access to neighbouring computers is to check whether the local administrator passwords match. Here luck awaited me immediately: the NTLM hash of the default local administrator (suddenly called Administrator) was taken to the hundreds of neighbouring VDI hosts via a pass-the-hash attack. Of course, the attack hit them immediately.
This is where the VDI administrators shot themselves in the foot XNUMX times:
- The XNUMXth time: the VDI machines were not placed under LAPS control, essentially keeping the same local administrator password from the image mass-deployed to the VDIs.
- The default administrator is the only local account vulnerable to pass-the-hash attacks. Even with the same password, the mass compromise could have been avoided by creating a XNUMXth local administrator account with a complex random password and blocking the default one.
Why an SSH service on this Windows? Very simple: the OpenSSH server not only provides a convenient interactive command shell without interfering with the user's work, but also a Socks5 proxy on the VDI. Through this socks I connected over SMB, collected cached accounts from all the hundreds of VDI machines, and used them in the BloodHound graph to look for a path to domain administrator. With hundreds of hosts at my disposal, the path was found quickly. Domain administrator rights were obtained.
Here is a picture from the Internet showing a similar search. The connections show where the administrators are and who is logged in where.
Incidentally, remember the condition from the start of the project: "do not use social engineering". So I suggest thinking about how much of this Hollywood with special effects could have been cut if banal phishing had still been possible. But personally, doing all of this was very interesting. I hope you enjoyed reading it. Of course, not every project looks this fascinating, but the work as a whole is very challenging and never gets boring.
Someone will probably ask: how do you protect yourself? Many techniques are described in this article, many of which Windows administrators do not even know about. However, I suggest looking at them from the point of view of well-worn principles and information security measures:
- Do not use outdated software (remember Windows 2003 at the beginning?)
- Do not leave unnecessary systems switched on (why was there a urologist's website?)
- Check the strength of user passwords yourself (otherwise the soldiers... the penetration testers will do it)
- Do not use the same password for different accounts (the VDI compromise)
- And one more thing
Of course, all this is very difficult to implement, but the next article will show in practice that it is quite possible.
Source: habr.com