A story of research and development in three parts. Part 1 is the exploratory one.
Lots of letters, but even more benefit.
Problem statement
During penetration tests and Red Team campaigns it is not always possible to use the customer's standard tools (VPN, RDP, Citrix and so on) as a foothold into the internal network. In some places the standard VPN works with MFA, with a hardware token as the second factor; in others the VPN is monitored closely and fully instrumented, so a VPN login becomes visible immediately. That route is therefore out.
In such cases you have to build a so-called reverse tunnel: a connection that is always initiated from inside the internal network out to an external resource, or to a server we control. Inside that tunnel we can then work with the customer's internal resources.
There are several kinds of reverse tunnels. The best known is, of course, Meterpreter. SSH tunnels with reverse port forwarding are also in great demand among hackers. There are a great many ways to implement reverse tunneling, and most of them are well researched and well described.
Of course, the developers of security products are not sitting idle either, and they actively detect such activity.
For example, an MSF session is reliably detected by current IPS products from Cisco or Positive Technologies, and a reverse SSH tunnel is caught by almost any ordinary firewall.
So, to stay unnoticed in a good Red Team campaign, the reverse tunnel has to be built with non-standard means and has to blend in with the network's real traffic patterns as closely as possible.
Let's try to find something like that, or invent it.
Before inventing anything we need to understand what result we want to achieve and what functions the thing we build must perform. What are the requirements for a tunnel that should operate as stealthily as possible?
Obviously these requirements can differ a lot from case to case, but based on our experience we can identify the main ones:
- It runs on Windows 7-10, because most corporate networks run Windows.
- The client connects to the server over SSL, so an IPS cannot trivially read the traffic.
- When connecting, the client must support working through a proxy server with authentication. In many companies Internet access goes through a proxy. The client machine may actually know nothing about it, because the proxy is used in transparent mode, but the functionality still has to be there.
- The client part must be compact and portable. Obviously, to work inside the customer's network we could install OpenVPN on the client machine and build a full-blown tunnel to the server (fortunately the OpenVPN client can work through a proxy). But, first, this will not always work because we may not be a local administrator, and second, it makes so much noise that any decent SIEM or HIPS will give us away immediately. Ideally the client should be a so-called inline command (a one-liner), the way many bash shells are implemented, so that it can be launched from the command line, for example from a Word macro.
- The tunnel must be multithreaded and support many simultaneous connections.
- The client-to-server connection needs some form of authentication, so that the tunnel is established only for our client and not for everyone who reaches the server at the given address and port. Ideally, third-party visitors should be shown a landing page with cats, or with professional content related to the customer's field.
For example, if the customer is a medical institution, then an information-security administrator who decides to check which resource the clinic's employees are visiting should see a page about medicines, a Wikipedia mirror with descriptions of diagnoses, the blog of some Dr. So-and-so, and so on.
Analysis of existing tools
Before reinventing our own bicycle we should look at the existing ones and understand whether it is really needed. We are surely not the only ones who have thought about needing a bicycle with such functionality.
Googling the Internet (yes, we google like everyone else) and searching GitHub for the keyword "reverse socks" did not give many results. Basically it all comes down to building an SSH tunnel with reverse port forwarding and everything that goes with it. Besides SSH tunnels, there are a few solutions:
A long-standing reverse tunnel implementation by Kaspersky Lab staff. The name makes the script's purpose clear. Implemented in Python 2.7, the tunnel works in cleartext (as is fashionable these days, hello RKN).
Another Python implementation. Also cleartext, but with more capabilities. It is written as a module and has an API for integrating the solution into your own projects.
The first link is the original version of a reverse socks implementation in Golang (no longer maintained by its developer).
The second link is a revision of it with additional features, also in Golang. Our version implements SSL, work through a proxy with NTLM authentication, client authentication, a landing page (or a redirect to a landing page) when the password is wrong, multithreaded mode (i.e. several people can work through the tunnel at the same time), and a ping mechanism for checking whether the client is still alive.
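The authentication and landing-page requirement from the list above, and the "landing page on wrong password" feature of the Golang revision, both come down to one decision taken on the first bytes of every inbound connection: is this our client or a bystander? The following is an added example written for this page, not code from rsockstun or from the original article. It is in Go, like rsockstun, and assumes (as constructed details) that the client sends a newline-terminated shared secret as its very first message, that the listener has already unwrapped TLS, and that the decoy is a medical reference page as suggested by the text.

```go
package main

import (
	"bufio"
	"crypto/subtle"
	"fmt"
	"io"
	"net"
	"strings"
	"time"
)

// Shared secret the tunnel client presents as its first line (constructed for this example).
const tunnelSecret = "correct-horse-battery-staple"

// Decoy page served to everyone else. A real deployment would match the
// target's field, as the article suggests; this one is a constructed medical page.
const landingPage = "<html><head><title>Clinical Reference</title></head>" +
	"<body><h1>Drug interaction tables</h1><p>The database is being updated.</p></body></html>"

// ClassifyAndAnswer reads the first line from a freshly accepted (already
// TLS-unwrapped) connection and decides whether the peer is our tunnel client
// or a bystander. The client gets an "OK" line and the buffered reader is handed
// back so the caller can start the multiplexed tunnel on it. Anyone else (a
// browser, a scanner, a wrong password) gets the same HTTP landing page, so a
// wrong secret is indistinguishable from "not a client at all".
func ClassifyAndAnswer(conn net.Conn, secret string) (tunnel bool, rd *bufio.Reader, err error) {
	// A peer that connects and says nothing must not hold the handler forever.
	_ = conn.SetReadDeadline(time.Now().Add(5 * time.Second))
	rd = bufio.NewReader(conn)
	line, err := rd.ReadString('\n')
	if err != nil && line == "" {
		return false, nil, err
	}
	_ = conn.SetReadDeadline(time.Time{})
	line = strings.TrimRight(line, "\r\n")

	// Constant-time comparison: response timing must not leak how much of the secret matched.
	if subtle.ConstantTimeCompare([]byte(line), []byte(secret)) == 1 {
		_, err = io.WriteString(conn, "OK\n")
		return err == nil, rd, err
	}

	resp := fmt.Sprintf("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"+
		"Content-Length: %d\r\nConnection: close\r\n\r\n%s", len(landingPage), landingPage)
	_, err = io.WriteString(conn, resp)
	return false, nil, err
}

// Simulate drives ClassifyAndAnswer over an in-memory connection with the given
// first bytes from the peer and returns the verdict plus everything the server
// sent back before closing.
func Simulate(firstBytes string) (tunnel bool, response string) {
	serverSide, peerSide := net.Pipe()
	verdict := make(chan bool, 1)
	go func() {
		t, _, _ := ClassifyAndAnswer(serverSide, tunnelSecret)
		serverSide.Close()
		verdict <- t
	}()
	_, _ = io.WriteString(peerSide, firstBytes)
	out, _ := io.ReadAll(peerSide)
	return <-verdict, string(out)
}

func main() {
	for _, probe := range []string{
		tunnelSecret + "\n",
		"GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n",
		"wrong-password\n",
	} {
		t, resp := Simulate(probe)
		fmt.Printf("peer sent %q -> tunnel=%v, first reply line %q\n",
			probe, t, strings.SplitN(resp, "\r\n", 2)[0])
	}
}
```

The point of the design is that the server never tells a probe what it expected: a scanner hitting the port and an operator with a mistyped password see byte-for-byte the same page, and the secret comparison runs in constant time so the response delay does not reveal how many characters matched.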
A reverse socks from our "Chinese friends", implemented in Python. For the lazy and the immortal there is a ready-made binary (exe) assembled by the Chinese, but what that binary contains besides the main functionality only the Chinese gods know, so use it at your own risk.
A very interesting C++ project that implements reverse socks and more. Besides the reverse tunnel it can do port forwarding and spawn a command shell.
MSF
圌ããèšãããã«ãããã§ã¯ã³ã¡ã³ãã¯ãããŸããã å€ããå°ãªããæè²ãåããããã«ãŒã¯çããã®åé¡ã«ç²ŸéããŠãããã»ãã¥ãªã㣠ããŒã«ã«ãã£ãŠãããããã«ç°¡åã«æ€åºãããããç解ããŠããŸãã
All the tools described above work on the same principle: a pre-built executable binary module is launched on a machine inside the network and establishes a connection to an external server. The server runs a SOCKS4/5 server that accepts connections and relays them to the client.
The drawback of all of them is that they require either Python or Golang installed on the client machine (how often do you see Python installed on a company director's or a clerk's machine?), or dragging a binary (in fact Python plus the script packed into one bundle) onto that machine and running it. And downloading and launching an exe is itself a signature for the local antivirus or HIPS.
In general, the conclusion suggests itself: we need a PowerShell solution. Now the tomatoes will fly: PowerShell was burned long ago, it is monitored and blocked everywhere, and so on. In reality, not everywhere. We state this responsibly. By the way, there are plenty of ways to get around the blocking (here the fashionable "hello RKN" phrase comes up again :)), from the silly rename powershell.exe -> cmdd.exe all the way to powerdll and the like.
Let's start inventing
First, a Google search... nothing on this topic turns up (if anyone finds something, post the links in the comments).
So, since nothing ready-made was found, we will have to reinvent the wheel after all. The basis of our bicycle will be
RsocksTun
So how does rsockstun work?
The operation of RsocksTun (rs from here on) is based on two software components: Yamux and a Socks5 server. The Socks5 server is an ordinary local Socks5 server that runs on the client, and the multiplexing of connections to it (remember the multithreading requirement?) is provided by yamux (Yet another Multiplexer).
The essence of yamux is that it introduces an additional network layer of streams, implemented as a 12-byte header prepended to every packet. (We deliberately use the word "stream" rather than "thread" here, so that the reader does not confuse it with program threads; the rest of the article sticks to that term.) The yamux header contains the stream number, flags for setting up and tearing down a stream, the number of bytes being transferred, and the size of the transfer window. Concretely, the 12 bytes are a version byte, a frame-type byte, two flag bytes, a 4-byte stream ID and a 4-byte length field whose meaning depends on the frame type: payload size for data, window delta for window updates, an opaque value for pings.
Besides setting up and tearing down streams, yamux implements a keepalive mechanism that lets it monitor the health of the established channel. The keepalive behaviour is configured when the Yamux session is created; in practice there are only two settings: enabled/disabled and the send interval in seconds. A keepalive message can be sent by either the yamux server or the yamux client. On receiving one, the remote side must reply with exactly the same message ID (in fact just a number). In short, a keepalive is the same old ping, only inside yamux.
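To make the header layout and the keepalive rule from the two paragraphs above concrete, here is an added example written for this page; it is not code from rsockstun, from the original article, or from the yamux library itself. It is in Go, like rsockstun, and assumes only the field order and constants of the public yamux specification (version 0, frame types 0-3, flag bits SYN/ACK/FIN/RST, big-endian encoding); the sample values in main are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Yamux frame header as defined by the yamux spec: 12 bytes, big-endian.
//   Version (1) | Type (1) | Flags (2) | StreamID (4) | Length (4)
const HeaderSize = 12

// Frame types. Length means something different for each of them.
const (
	TypeData         uint8 = 0x0 // Length = payload bytes that follow the header
	TypeWindowUpdate uint8 = 0x1 // Length = window delta granted to the peer
	TypePing         uint8 = 0x2 // Length = opaque ping value, echoed in the reply
	TypeGoAway       uint8 = 0x3 // Length = error code
)

// Flag bits, combined in the 16-bit Flags field.
const (
	FlagSYN uint16 = 0x1 // open a new stream, or a ping request
	FlagACK uint16 = 0x2 // accept a stream, or a ping reply
	FlagFIN uint16 = 0x4 // half-close a stream
	FlagRST uint16 = 0x8 // abort a stream
)

type Header struct {
	Version  uint8
	Type     uint8
	Flags    uint16
	StreamID uint32 // 0 is the session itself (ping, go-away); client streams are odd, server streams even
	Length   uint32
}

// Encode serialises the header exactly as it travels on the wire.
func (h Header) Encode() []byte {
	b := make([]byte, HeaderSize)
	b[0] = h.Version
	b[1] = h.Type
	binary.BigEndian.PutUint16(b[2:4], h.Flags)
	binary.BigEndian.PutUint32(b[4:8], h.StreamID)
	binary.BigEndian.PutUint32(b[8:12], h.Length)
	return b
}

// Decode parses the first 12 bytes of a frame and rejects anything a yamux peer
// would not produce, so a truncated or garbage frame cannot be mistaken for a
// stream open or a keepalive.
func Decode(b []byte) (Header, error) {
	if len(b) < HeaderSize {
		return Header{}, errors.New("yamux: header shorter than 12 bytes")
	}
	h := Header{
		Version:  b[0],
		Type:     b[1],
		Flags:    binary.BigEndian.Uint16(b[2:4]),
		StreamID: binary.BigEndian.Uint32(b[4:8]),
		Length:   binary.BigEndian.Uint32(b[8:12]),
	}
	if h.Version != 0 {
		return h, fmt.Errorf("yamux: unsupported version %d", h.Version)
	}
	if h.Type > TypeGoAway {
		return h, fmt.Errorf("yamux: unknown frame type %d", h.Type)
	}
	return h, nil
}

// OpenStream builds the frame that opens a stream: a window update carrying SYN
// with a zero delta, which is how yamux opens a stream when there is no data to
// piggy-back on the first frame.
func OpenStream(id uint32) Header {
	return Header{Type: TypeWindowUpdate, Flags: FlagSYN, StreamID: id, Length: 0}
}

// PingReply is the keepalive rule from the text: a Ping carrying SYN is answered
// by a Ping carrying ACK with the very same opaque value. Any other frame gets no
// reply (ok == false), including an already ACK'd ping, which must not be echoed
// back and forth forever.
func PingReply(req Header) (reply Header, ok bool) {
	if req.Type != TypePing || req.Flags&FlagSYN == 0 || req.Flags&FlagACK != 0 {
		return Header{}, false
	}
	return Header{Type: TypePing, Flags: FlagACK, StreamID: 0, Length: req.Length}, true
}

func main() {
	// Constructed exchange: the client opens stream 1, then the server probes
	// liveness with ping value 0x2a and the client echoes it back.
	fmt.Printf("open  % x\n", OpenStream(1).Encode())
	wire := Header{Type: TypePing, Flags: FlagSYN, Length: 0x2a}.Encode()
	req, _ := Decode(wire)
	if rep, ok := PingReply(req); ok {
		fmt.Printf("ping  % x\nreply % x\n", wire, rep.Encode())
	}
}
```

Two details matter when you later re-implement this in PowerShell: every multi-byte field is big-endian, so the byte order must be reversed on a little-endian host before converting, and the ping reply must copy the Length field verbatim, because the sender matches replies to requests by that value and drops the session when they stop coming back.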
The multiplexer's overall mechanics (packet types, the connection setup and teardown flags, the data transfer mechanism) are described in detail in the next part.
Conclusions of the first part
So, in the first part of the article we looked at several tools for building reverse tunnels, reviewed their advantages and drawbacks, studied how the Yamux multiplexer works, and laid out the basic requirements for the PowerShell module we are going to write. In the next part we will develop the module itself, essentially from scratch. To be continued. Stay tuned :)
Source: habr.com