Writing a reverse socks5 proxy in PowerShell. Part 1

A story of research and development in three parts. This first part is the research one.
Lots of text, and even more value.

Problem statement

On pentests and RedTeam campaigns it is not always possible to use the customer's standard tools, such as VPN, RDP, Citrix and so on, as the anchor for getting into the internal network. In some places the standard VPN works with MFA and a hardware token is used as the second factor; in others it is monitored closely and our VPN login becomes visible immediately, as they say, with everything that entails; and in still others there are simply no such means at all.

In such cases we constantly have to build so-called "reverse tunnels": connections from the internal network to an external resource or a server under our control. Inside such a tunnel we can already work with the customer's internal resources.

There are several varieties of such reverse tunnels. The best known of them is, of course, Meterpreter. SSH tunnels with reverse port forwarding are also in great demand among the hacker crowd. There are quite a few ways to implement reverse tunnels, and many of them are well studied and described.
Of course, for their part, the developers of protective solutions do not stand aside and actively detect such activity.
For example, MSF sessions are reliably detected by modern IPS products from Cisco or Positive Tech, and an SSH reverse tunnel can be caught by almost any decent firewall.

Therefore, to stay unnoticed in a good RedTeam campaign, we need to build the reverse tunnel with non-standard means and adapt as closely as possible to the way the network actually operates.

Let's try to find or build something of the kind.

Before building anything, we need to understand what we want to achieve and what functions our development must perform. What are the requirements for the tunnel so that we can work as covertly as possible?

Obviously, in each specific case these requirements can differ greatly, but based on work experience the main ones can be singled out:

  • runs on Windows 7-10, since most corporate networks use Windows;
  • the client connects to the server over SSL to avoid trivial eavesdropping by an IPS;
  • when connecting, the client must support working through a proxy server with authentication, because in many companies internet access goes through a proxy. In fact, the client machine may know nothing about it and the proxy is applied transparently. Still, we must provide this functionality;
  • the client part must be concise and portable;
    Obviously, to work in the customer's network you could install OpenVPN on the client machine and build a full tunnel to your server (fortunately, openvpn clients can work through a proxy). But, firstly, this will not always work, since we may not be local administrators, and secondly, it will make so much noise that a decent SIEM or HIPS will "catch" us instantly. Ideally, our client should be a so-called inline command, the way many bash shells are implemented, launched from the command line, for example when commands are executed from a Word macro.
  • our tunnel must be multithreaded and support many connections at the same time;
  • the client-server connection must carry some kind of authorization, so that the tunnel is established for our client and not for everyone who comes to our server at the given address and port. Ideally, a landing page with kittens, or with technical topics related to the original domain, should open for "third-party users".
    For example, if the customer is a medical organization, then the information security administrator who decides to check the resource that a clinic employee accessed should see a page with medical products, a Wikipedia entry describing a diagnosis, Dr. Komarovsky's blog, and so on.

Analysis of existing tools

Before reinventing your own bicycle, you need to analyze the existing bicycles and understand whether we really need one, and whether, quite possibly, we are not the only ones who have thought about the need for such a functional bicycle.

Googling the internet (we do seem to know how to google), as well as searching GitHub with the keywords "reverse socks", did not yield many results. Basically everything comes down to building ssh tunnels with reverse port forwarding and everything related to that. Besides SSH, there are a few solutions:

github.com/klsecservices/rpivot
A long-standing implementation of a reverse tunnel from the guys at Kaspersky Lab. The name makes clear what this script is intended for. Implemented in Python 2.7, the tunnel works in plaintext (as is fashionable now; hello RKN).

github.com/tonyseek/rsocks
Another implementation in Python, also in plaintext, but with more capabilities. It is written as a module and has an API for integrating the solution into your own projects.

github.com/llkat/rsockstun
github.com/mis-team/rsockstun
The first link is the original version of a reverse socks implementation in Golang (not supported by the developer).
The second link is our fork with additional features, also in Golang. In our version we implemented SSL, working through a proxy with NTLM authorization, client authorization, a landing page on a wrong password (or rather, a redirect to a landing page), multithreaded mode (i.e. several people can work with the tunnel at the same time), and a client pinging system to determine whether it is alive or not.

github.com/jun7th/tsocks
An implementation of reverse socks from "our Chinese friends" in Python. There, for the lazy and the "immortal", a ready-made binary (exe) is available, compiled by the Chinese and ready to use. Here only the Chinese god knows what else this tool may contain besides its main functionality, so use it at your own peril and risk.

github.com/securesocketfunneling/ssf
A very interesting project in C++ for implementing reverse socks and more. Besides the reverse tunnel it can do port forwarding, create a command shell, and so on.

MSF Meterpreter
Here, as they say, no comments. Every more or less advanced hacker is well familiar with this thing and understands how easily it is detected by security tools.

All the tools described above work on a similar principle: a pre-prepared binary module is launched on a machine inside the network, and it establishes a connection to an external server. The server runs a SOCKS4/5 server that accepts connections and relays them to the client.

The drawback of all the tools above is that either Python or Golang must be installed on the client machine (do you often see Python installed on the machine of, say, a company director or office staff?), or a pre-compiled binary (essentially python and the script in one bottle) has to be dragged onto that machine and then run there. And downloading an exe and running it is yet another signature for the local antivirus or HIPS.

In general, the conclusion suggests itself: we need a powershell solution. Now the tomatoes will start flying at us: they say powershell is already hackneyed, monitored, blocked, and so on and so forth. In fact, not everywhere. We state this responsibly. By the way, there are quite a few ways to get around the blocking (there is a fashionable phrase about "hello RKN" here too 🙂), starting from the trivial rename powershell.exe -> cmdd.exe and ending with powerdll, and so on.

Let's start developing

Obviously, we will first look at Google and... find nothing on this topic (if someone has found something, post the links in the comments). There is only an implementation of Socks5 in powershell, but this is an ordinary "forward" socks, which has a number of drawbacks of its own (we will talk about them later). You could, of course, with a slight movement of the hand, turn it into a reverse one, but it would be single-threaded socks only, which is not what we need.

So, we found nothing ready-made, which means we will have to reinvent our wheel. As the basis for our bicycle we will take our own reverse socks development in Golang, and implement its client in powershell.

RSocksTun
So how does rsockstun work?

The operation of RsocksTun (hereafter rs) is based on two software components: Yamux and a Socks5 server. The Socks5 server is an ordinary local socks5; it runs on the client. Multiplexing of connections to it (remember multithreading?) is provided by yamux (yet another multiplexer). This scheme lets you launch several client socks5 servers and distribute external connections among them, forwarding them over a single TCP connection (almost like meterpreter) from the client to the server, thereby implementing multithreaded mode, without which we could not work fully in internal networks.

The essence of yamux is that it introduces an additional layer of streams, implemented as a 12-byte header on every packet. (Here we deliberately use the word "stream" and not thread, so as not to confuse the reader with a program "thread"; we will stick to this term throughout the article.) The yamux header contains the stream number, flags for opening/closing the stream, the number of bytes transferred, and the size of the send window.


Besides opening/closing streams, yamux uses a keepalive mechanism that lets you monitor the health of the communication channel. Keepalive behaviour is configured when the Yamux session is created. In fact, there are only two parameters in the settings: enable/disable and the sending interval in seconds. Keepalive messages can be sent by either the yamux server or the yamux client. On receiving a keepalive message, the remote side must respond by sending back the identifier of the message it received (in fact a random number). In general, keepalive is the same ping, only inside yamux.

The complete multiplexer operation: packet types, the connection handshake and termination flags, and the data exchange mechanism are described in detail in the yamux specification.
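To make the two preceding paragraphs concrete (the 12-byte stream header and the keepalive ping/reply), here is a small frame dissector of the kind a network analyst would write to inspect captured yamux traffic. It is an added example, not code from the article or from rsockstun. It follows the public hashicorp/yamux header layout (Version, Type, 16-bit Flags, 32-bit StreamID, 32-bit Length, all big-endian); the sample byte sequence in `SampleCapture` is constructed here, and the stream-tracking summary treats FIN or RST as closing a stream, which is a simplification of yamux's half-close semantics.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// HeaderSize is the fixed yamux frame header: Version(1) Type(1) Flags(2) StreamID(4) Length(4).
const HeaderSize = 12

// Frame types from the hashicorp/yamux spec.
const (
	TypeData         uint8 = 0x0
	TypeWindowUpdate uint8 = 0x1
	TypePing         uint8 = 0x2
	TypeGoAway       uint8 = 0x3
)

// Flags: SYN opens a stream, ACK acknowledges, FIN/RST close it.
const (
	FlagSYN uint16 = 0x1
	FlagACK uint16 = 0x2
	FlagFIN uint16 = 0x4
	FlagRST uint16 = 0x8
)

type Header struct {
	Version  uint8
	Type     uint8
	Flags    uint16
	StreamID uint32
	Length   uint32 // payload length (Data), window delta, ping id, or GoAway code
}

// Frame is a decoded header plus the payload that follows it (Data frames only).
type Frame struct {
	Header  Header
	Payload []byte
}

func Encode(h Header) []byte {
	b := make([]byte, HeaderSize)
	b[0], b[1] = h.Version, h.Type
	binary.BigEndian.PutUint16(b[2:4], h.Flags)
	binary.BigEndian.PutUint32(b[4:8], h.StreamID)
	binary.BigEndian.PutUint32(b[8:12], h.Length)
	return b
}

func Decode(b []byte) (Header, error) {
	if len(b) < HeaderSize {
		return Header{}, errors.New("short yamux header")
	}
	h := Header{Version: b[0], Type: b[1],
		Flags: binary.BigEndian.Uint16(b[2:4]), StreamID: binary.BigEndian.Uint32(b[4:8]),
		Length: binary.BigEndian.Uint32(b[8:12])}
	if h.Version != 0 {
		return h, fmt.Errorf("unsupported yamux version %d", h.Version)
	}
	if h.Type > TypeGoAway {
		return h, fmt.Errorf("unknown yamux frame type %d", h.Type)
	}
	return h, nil
}

// ParseFrames walks a buffer of concatenated frames. Only Data frames carry Length
// bytes of payload; for the other types Length is a value, not a byte count.
func ParseFrames(buf []byte) ([]Frame, error) {
	var frames []Frame
	for len(buf) > 0 {
		h, err := Decode(buf)
		if err != nil {
			return frames, err
		}
		buf = buf[HeaderSize:]
		f := Frame{Header: h}
		if h.Type == TypeData {
			if uint32(len(buf)) < h.Length {
				return frames, errors.New("truncated data frame")
			}
			f.Payload, buf = buf[:h.Length], buf[h.Length:]
		}
		frames = append(frames, f)
	}
	return frames, nil
}

// OpenStreams reports which streams were opened (SYN) and not yet closed (FIN/RST).
func OpenStreams(frames []Frame) map[uint32]bool {
	open := map[uint32]bool{}
	for _, f := range frames {
		h := f.Header
		if h.StreamID == 0 { // session-level frames (ping, go away) carry no stream
			continue
		}
		if h.Flags&FlagSYN != 0 {
			open[h.StreamID] = true
		}
		if h.Flags&(FlagFIN|FlagRST) != 0 {
			delete(open, h.StreamID)
		}
	}
	return open
}

// PingReply builds the keepalive answer: same opaque id, ACK instead of SYN.
func PingReply(req Header) (Header, error) {
	if req.Type != TypePing || req.Flags&FlagSYN == 0 {
		return Header{}, errors.New("not a keepalive request")
	}
	return Header{Type: TypePing, Flags: FlagACK, Length: req.Length}, nil
}

// SampleCapture is a constructed byte sequence: open stream 1, send "hello",
// a keepalive ping, open stream 3, then close stream 1.
func SampleCapture() []byte {
	var b []byte
	b = append(b, Encode(Header{Type: TypeWindowUpdate, Flags: FlagSYN, StreamID: 1})...)
	b = append(b, Encode(Header{Type: TypeData, StreamID: 1, Length: 5})...)
	b = append(b, []byte("hello")...)
	b = append(b, Encode(Header{Type: TypePing, Flags: FlagSYN, Length: 0xDEADBEEF})...)
	b = append(b, Encode(Header{Type: TypeWindowUpdate, Flags: FlagSYN, StreamID: 3})...)
	b = append(b, Encode(Header{Type: TypeData, Flags: FlagFIN, StreamID: 1})...)
	return b
}

func main() {
	frames, err := ParseFrames(SampleCapture())
	if err != nil {
		fmt.Println("parse error:", err)
	}
	for _, f := range frames {
		fmt.Printf("type=%d flags=%#x stream=%d length=%d payload=%q\n",
			f.Header.Type, f.Header.Flags, f.Header.StreamID, f.Header.Length, f.Payload)
	}
	fmt.Println("still open:", OpenStreams(frames))
}
```

The dissector refuses frames with a non-zero version or an unknown type and stops on a truncated Data payload, which is the behaviour you want when the parser is fed arbitrary captured bytes rather than a trusted session.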

Conclusion of the first part

So, in the first part of the article we got acquainted with some tools for building reverse tunnels, looked at their advantages and disadvantages, studied how the Yamux multiplexer works and described the basic requirements for the future powershell module. In the next part we will develop the module itself, practically from scratch. To be continued. Stay tuned :)

Source: www.habr.com
