Stealthy Insider Threats: Password Hacking with Smbexec

We regularly write about how attackers increasingly rely on attack techniques that involve no malicious code, precisely to avoid detection. They "live off the land", using standard Windows tools, and in doing so slip past antivirus and other malware-detection products. We, as defenders, now have to deal with the unfortunate consequence of these clever evasion techniques: a well-placed employee can use the same approach to exfiltrate data covertly (company intellectual property, credit card numbers). And if that insider is in no hurry, working slowly and quietly, it becomes extremely difficult (though still possible, given the right approach and the right tools) to detect such activity.

On the other hand, I have no wish to demonize employees, because nobody wants to work in a business environment straight out of Orwell's 1984. Fortunately, there are a number of practical measures and tricks that can make life much harder for insiders. We will look at the covert attack methods used by hackers and by employees with some technical background. And a little later we will discuss ways to reduce these risks, covering both the technical and the organizational side.

What's wrong with PsExec?

Edward Snowden, rightly or wrongly, has become synonymous with insider data theft. By the way, don't forget to read this post about other insiders who also deserve some notoriety. One important point worth stressing about the methods Snowden used is that, as far as we know, he did not install any outside malware at all!

Instead, Snowden used a bit of social engineering and took advantage of his position as a system administrator to collect passwords and create credentials. Nothing complicated: no mimikatz, no man-in-the-middle attacks, no metasploit.

Enterprise employees are not always in Snowden's unique position, but there are several lessons to take from the "living off the land" concept: do not engage in any malicious activity that could be detected, and be especially careful with the use of credentials. Keep this thought in mind.

Psexec and its cousin crackmapexec have impressed countless pentesters, hackers and cybersecurity bloggers. And when combined with mimikatz, psexec lets attackers move laterally across a network without needing to know the cleartext password.

Mimikatz intercepts the NTLM hash from the LSASS process and then passes the token or credentials (the so-called "pass the hash" attack) to psexec, allowing the attacker to log in to another server as a different user. And with each subsequent hop to a new server, the attacker collects additional credentials, expanding their ability to hunt for available content.

When I first started working with psexec it seemed like magic to me (thanks to Mark Russinovich, psexec's brilliant developer), but I also know about its noisy components. It is anything but stealthy!

The first interesting fact about psexec is that it uses Microsoft's extremely complex SMB network file protocol. Over SMB, psexec transfers a small binary to the target system, placing it in the C:\Windows folder.

Next, psexec creates a Windows service from the copied binary and runs it under the highly "unexpected" name PSEXECSVC. You can watch all of this happen, as I did, by observing the remote machine (see below).

Figure: Psexec's calling card, the "PSEXECSVC" service. It runs a binary that was dropped via SMB into the C:\Windows folder.

As the final step, the copied binary opens an RPC connection to the target server, accepts control commands (via the Windows cmd shell by default), runs them, and redirects input and output to the attacker's home machine. The attacker ends up with a basic command line, exactly as if connected directly.

A lot of components and a very noisy process!

Psexec's complicated internals explain the message that puzzled me during my first tests several years ago: "Starting PSEXECSVC ..." followed by a pause before the command prompt appears.

Figure: Impacket's psexec actually shows what is happening under the hood.

Not surprising: psexec was doing a great deal of work under the hood. If you want a more detailed account, see this excellent explanation.

Of course, when used as a system administration tool, which was psexec's original purpose, there is nothing wrong with all of this Windows machinery "buzzing". For an attacker, however, psexec creates complications, and for a careful and cunning insider like Snowden, psexec or a similar utility would be far too risky.

Then along comes Smbexec

SMB is a clever and discreet way to transfer files between servers, and hackers have been breaking directly into SMB for many years. I think everyone already knows that SMB ports 445 and 139 should never be exposed to the Internet, right?

At Defcon 2013, Eric Millman (brav0hax) presented smbexec so that pentesters could try stealthy SMB hacking. I don't know the whole story, but Impacket later reworked smbexec. In fact, for my testing I downloaded the Python scripts from Impacket on Github.

Unlike psexec, smbexec avoids transferring a potentially detectable binary to the target machine. Instead, the utility lives entirely off the land by launching the local Windows command line.

Here is what it does: it passes a command from the attacking machine over SMB into a special input file, then creates and runs (as a Windows service) an elaborate command line that will look familiar to Linux users. In short: it launches the native Windows cmd shell, redirects its output to another file, and then sends that file back over SMB to the attacker's machine.

The best way to understand this is to look at the command line itself, which I was able to pull from the event log (see below).

Figure: Isn't this the best way to redirect I/O? By the way, the service creation is recorded under event ID 7045.

Like psexec, it also creates a service that does all the work, but the service is then removed: it is used once to run the command and then vanishes! An infosec officer monitoring the victim's machine will not be able to spot the obvious indicators of attack: no malicious file is launched, no persistent service is installed, and there is no evidence of RPC being used, since SMB is the only means of transferring data. Brilliant!
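The service-installation event does still survive, though, and that is where a defender can look. As an added example (not code from the post or from Impacket), the Python scanner below runs over constructed event ID 7045 records and flags the two tells described above: a psexec-style service whose binary was dropped into C:\Windows, and a smbexec-style service whose "image path" is really a cmd.exe one-liner that echoes a command into a batch file and redirects its output to an admin share. The service name BTOBTO and the exact one-liner are constructed to mirror that pattern; the benign Spooler record is there as a control.

```python
import re

# Constructed sample records modelled on Windows System log event ID 7045
# (a new service was installed). Not real captured events.
SAMPLE_7045 = [
    {"EventID": 7045, "ServiceName": "PSEXECSVC",
     "ImagePath": r"C:\Windows\PSEXECSVC.exe"},
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo dir C:\Finance ^> \\127.0.0.1\C$\__output "
                  r"2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat "
                  r"& del %TEMP%\execute.bat"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

# A service whose "binary" is a cmd shell one-liner that echoes a command into a
# batch file and redirects output to an admin share is the smbexec tell.
CMD_SHELL_RE = re.compile(r"(?i)(%COMSPEC%|\bcmd(\.exe)?)\s+/Q\s+/c\s+echo\b")
ADMIN_SHARE_RE = re.compile(r"\\\\[^\\\s]+\\(C\$|ADMIN\$)", re.IGNORECASE)
# The post names the service PSEXECSVC; Sysinternals' own tool uses PSEXESVC.
PSEXEC_NAMES = {"PSEXECSVC", "PSEXESVC"}


def classify_service_install(event):
    """Return 'psexec', 'smbexec' or None for one 7045 record."""
    if event.get("EventID") != 7045:
        return None
    name, path = event["ServiceName"].upper(), event["ImagePath"]
    if name in PSEXEC_NAMES or re.search(r"(?i)\\psexec?svc\.exe$", path):
        return "psexec"
    if CMD_SHELL_RE.search(path) and ADMIN_SHARE_RE.search(path):
        return "smbexec"
    return None


def scan(events):
    """Map each flagged service name to the tool pattern it matched."""
    hits = {}
    for ev in events:
        verdict = classify_service_install(ev)
        if verdict:
            hits[ev["ServiceName"]] = verdict
    return hits


if __name__ == "__main__":
    for svc, tool in scan(SAMPLE_7045).items():
        print(f"ALERT: 7045 service {svc!r} matches the {tool} pattern")
```

Because smbexec deletes the service immediately, the 7045 record (and the matching 7036 stop event) is often the only trace left on the host, so forward these events to a collector rather than relying on a later look at the local log.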

From the attacker's side, a "pseudo-shell" is available, with a delay between sending a command and receiving the response. But that is quite enough for an attacker, whether an insider or an external hacker who already has a foothold, to start looking for interesting content.


To exfiltrate data from the target machine to the attacker's machine, smbclient is used. Yes, it is the same Samba utility, only converted into a Python script by Impacket. In effect, smbclient lets you covertly perform FTP-style transfers over SMB.

Let's step back and think about what this could do for an employee. In my fictional scenario, suppose a blogger, financial analyst or highly paid security consultant is allowed to use a personal laptop for work. Through some magical process, they become disgruntled with the company and "go bad". Depending on the laptop's operating system, they use either the Python version from Impacket, or the Windows version of smbexec or smbclient as an .exe file.

Like Snowden, they learn another user's password by looking over their shoulder, or they get lucky and stumble across a text file containing a password. And with these credentials, they start digging around the system at a new level of privilege.

Cracking DCC: we don't need any "silly" Mimikatz

In my previous posts on pentesting I used mimikatz very often. It is a great tool for intercepting credentials: NTLM hashes and even cleartext passwords hidden inside laptops, just waiting to be used. Times have changed. Monitoring tools have become better at detecting and blocking mimikatz. Infosec administrators also have more options now to reduce the risks associated with pass-the-hash (PtH) attacks. So what should a clever employee do to collect additional credentials without using mimikatz?

Impacket's toolkit includes a utility called secretsdump, which extracts credentials from the Domain Credential Cache, or DCC for short. My understanding is that if a domain user logs in to a server while the domain controller is unreachable, DCC allows the server to authenticate the user. In any case, secretsdump lets you dump all of those hashes if they are present.

DCC hashes are not NTLM hashes and cannot be used for a PtH attack.

Well, you could try to crack them to recover the original password. However, Microsoft got smarter with DCC, and DCC hashes have become extremely hard to crack. Yes, there is hashcat, "the world's fastest password cracker", but it needs a GPU to work effectively.

Instead, let's try thinking like Snowden. An employee can do some face-to-face reconnaissance and learn more about the person whose password they want to crack. For example, they can check whether that person's online accounts have ever been breached and examine those leaked passwords for clues.

And that is the scenario I decided to go with. Let's assume the insider learned that their boss, Cruella, has been breached several times on various websites. After analyzing several of those passwords, they noticed that Cruella likes to use the name of the baseball team "Yankees" followed by the current year, as in "Yankees2015".

If you want to reproduce this at home, you can download a small piece of C code that implements the DCC hashing algorithm and compile it. John the Ripper, by the way, has added DCC support, so it could be used as well. Let's assume our insider doesn't want to bother learning John the Ripper and prefers running "gcc" on some legacy C code.

Playing the role of the insider, I tried several combinations and eventually found that Cruella's password was "Yankees2019" (see below). Mission accomplished!

Figure: A little social engineering, a bit of fortune-telling and a pinch of Maltego, and you are well on your way to cracking a DCC hash.

I suggest we stop here. We will return to this topic in later posts and look at even slower and more covert attack methods, continuing to build on Impacket's excellent set of utilities.

Source: www.habr.com
