Tom Hunter's Diary: "The Hound of the Baskervilles"

Delays in signing are common at any large company. The agreement between Tom Hunter and a certain pet store for a thorough penetration test was no exception. We were to look at the website, the internal network, and even the Wi-Fi.

No wonder my hands were itching even before all the formalities were done. Well, just take a look at the site, only a little: it can't be that a well-known store like "The Hound of the Baskervilles" would have slipped up here. A few days later Tom was handed the initial contract, which he signed; by then, already past his third cup of coffee, Tom had looked through the store's internal CMS at what its warehouses held...


But it wasn't possible to browse the CMS for long: the website administrators blocked Tom Hunter's IP. Although it would have been possible to spend some time topping up the bonuses on a store card and feeding your beloved cat at a bargain price for many months... "Not this time, Darth Sidious," Tom thought with a smile. It would have been fun to pivot from the website into the customer's network, but apparently these segments were not connected to the customer's internal network. Still, that happens quite often in large companies.

After all the formalities, Tom Hunter set himself up with the VPN account he had been issued and went into the customer's network. The account was inside the Active Directory domain, so it was possible to dump AD without any special tricks: pulling everything that is openly available about users and workstations.

Tom launched the adfind utility and started sending LDAP queries to the domain controller, with a filter on the objectCategory class specifying person as the attribute. The response came back in this format:

dn:CN=Гость,CN=Users,DC=domain,DC=local
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: Гость
>description: Встроенная учетная запись для доступа гостей к компьютеру или домену
>distinguishedName: CN=Гость,CN=Users,DC=domain,DC=local
>instanceType: 4
>whenCreated: 20120228104456.0Z
>whenChanged: 20120228104456.0Z

Besides this there was a lot of other useful information, but the most interesting part was the >description: field. This is the comment on the account, essentially a convenient place for small notes. But the customer's administrators had decided that passwords could quietly live there too. Who, after all, would be interested in all these unnecessary notes? So one of the comments Tom received read (in Russian, "Created by Administrator", followed by the date and a password):

Создал Администратор, 2018.11.16 7po!*Vqn

You don't have to be a rocket scientist to understand why the combination at the end is useful. All that remained was to scan the big response file from the DC by the >description: field, and there they were: 20 login/password pairs. Moreover, about half of them had RDP access rights. Not a bad bridgehead; time to split the attacking forces.
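The same sweep is worth running from the defender's side, before a pentester does it. The script below is an added example, not code from the article or from Tom Hunter: it parses adfind-style output (the ">" attribute prefix seen above), pulls every description attribute and flags the ones that contain a password-like token (letters, digits and symbols together) or a password keyword. The accounts, descriptions and secrets in SAMPLE_OUTPUT are constructed for this example.

```python
import re

# Constructed sample in adfind's output format; every account, date and
# secret below is invented for this example.
SAMPLE_OUTPUT = """\
dn:CN=svc_backup,CN=Users,DC=domain,DC=local
>objectClass: user
>cn: svc_backup
>description: Created by Administrator, 2018.11.16 Zq7!kw#Lm
>distinguishedName: CN=svc_backup,CN=Users,DC=domain,DC=local

dn:CN=Guest,CN=Users,DC=domain,DC=local
>objectClass: user
>cn: Guest
>description: Built-in account for guest access to the computer or domain
>distinguishedName: CN=Guest,CN=Users,DC=domain,DC=local

dn:CN=printer01,CN=Users,DC=domain,DC=local
>objectClass: user
>cn: printer01
>description: 3rd floor printer, pass: Pr1nt#2019
>distinguishedName: CN=printer01,CN=Users,DC=domain,DC=local

dn:CN=intern03,CN=Users,DC=domain,DC=local
>objectClass: user
>cn: intern03
>description: Temporary, reset 2020-01-15
>distinguishedName: CN=intern03,CN=Users,DC=domain,DC=local
"""

# Words that usually precede a stored secret (Russian "пароль" = password).
KEYWORD = re.compile(r"\b(pass(word|wd)?|pwd|pw|secret|пароль)\b", re.IGNORECASE)


def parse_adfind(text):
    """Split adfind output into objects: {'dn': ..., 'attrs': {name: [values]}}."""
    objects, current = [], None
    for line in text.splitlines():
        if line.startswith("dn:"):
            current = {"dn": line[3:].strip(), "attrs": {}}
            objects.append(current)
        elif line.startswith(">") and current is not None:
            name, _, value = line[1:].partition(":")
            current["attrs"].setdefault(name.strip(), []).append(value.strip())
    return objects


def suspicious_tokens(description):
    """Tokens of 7+ chars mixing letters, digits and symbols: typical passwords.
    Surrounding punctuation is stripped so 'Administrator,' is not flagged."""
    found = []
    for raw in description.split():
        token = raw.strip(",.;:()[]\"'")
        if (len(token) >= 7
                and re.search(r"[A-Za-z]", token)
                and re.search(r"\d", token)
                and re.search(r"[^\w\s]", token)):
            found.append(token)
    return found


def audit(text):
    """Return (dn, description) for every account whose description looks like
    it carries a credential, either by token shape or by keyword."""
    findings = []
    for obj in parse_adfind(text):
        for desc in obj["attrs"].get("description", []):
            if suspicious_tokens(desc) or KEYWORD.search(desc):
                findings.append((obj["dn"], desc))
    return findings


if __name__ == "__main__":
    for dn, desc in audit(SAMPLE_OUTPUT):
        print(f"{dn}\n    {desc}")
```

Feed it the raw adfind dump (adfind -f "objectCategory=person" description, redirected to a file) and review every hit; the token rule misses purely alphanumeric passwords, which is why the keyword rule is kept alongside it, and any description that trips either rule should be cleared and the password rotated.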

Network

The Hound of the Baskervilles' network resembled a big city in all its chaos and unpredictability. With the user accounts and RDP, Tom Hunter was a penniless guy in this city, but even so he managed to see plenty through the gleaming security windows.

File server shares, accounting accounts, even the documents attached to them were in plain view. In the configuration of one of these documents, Tom found the MS SQL hash of one user. A little brute-force magic, and the user's hash turned into a password. Thanks to John The Ripper and Hashcat.


This key had to fit some chest. The chest was found, and, on top of that, ten other "chests" were linked to it. And inside six of them lay... superuser rights, nt authority\system! On two of them it was possible to run the xp_cmdshell stored procedure and send cmd commands to Windows. What more could you want?

Domain controllers

Tom Hunter prepared a second punch, for the domain controllers. There were three of them in the "Hound of the Baskervilles" network, judging by the number of remote servers. Every domain controller has a shared folder, like an open shop window in the store, outside which the same poor guy Tom was loitering.

And this time the guy got lucky again: someone had forgotten to remove a script from the shop window, and in it the password for a nearby server was hardcoded. So the way to the domain controller was open. Come in, Tom!

Here mimikatz was pulled out of the magic hat, and it collected its harvest from several domain administrators. Tom Hunter gained access to every machine on the local network, and his diabolical laughter scared the cat off the next chair. The path turned out shorter than expected.

Ransomware

The memory of WannaCry and Petya is still alive in a pentester's mind, but some admins seem to have forgotten about ransomware amid the flow of other evening news. Tom found three nodes vulnerable in the SMB protocol: CVE-2017-0144, or EternalBlue. This is the same vulnerability that was used to spread the WannaCry and Petya ransomware, a vulnerability that allows arbitrary code to be executed on the host. On one of the vulnerable hosts there was a domain admin session: "exploit and take it". What can you do; time hasn't taught everyone.


"The Hound of the Bastervilles"

The classics of information security like to repeat that the weakest link in any system is the human. Did you notice that the heading above doesn't match the store's name? Probably not everyone is that attentive.

In the best traditions of phishing, Tom Hunter registered a domain that differed by one letter from the "Hound of the Baskervilles" domain. The mail address on that domain imitated the address of the store's information security service. Over 4 days, from 16:00 to 17:00, the following letter was sent out in identical form from the fake address to 360 recipients:

Phishing e-mail

Perhaps only their own laziness saved the employees from a mass password leak. Of the 360 letters, only 61 were opened; the security service isn't very popular. But then things got easy.

Phishing page

46 people clicked the link, and about half of them, 21 employees, didn't look at the address and entered their usernames and passwords. Nice catch, Tom.


Wi-Fi network

Now there was no point in counting on the cat's help. Tom Hunter threw a few pieces of hardware into his old sedan and drove to the Hound of the Baskervilles' office. His visit was unannounced: Tom was testing the customer's Wi-Fi. In the parking lot of the business center there were several free spots that fell comfortably within the edge of the network of interest. Apparently no one had thought much about its coverage, as if the admins had simply added more access points at random in response to every complaint about weak Wi-Fi.

How does WPA/WPA2 PSK protection work? Encryption between the access point and its clients is provided by a per-session key, the Pairwise Transient Key (PTK). The PTK is derived from the Pre-Shared Key and five other parameters: the SSID, the Authenticator Nonce (ANonce), the Supplicant Nonce (SNonce), and the MAC addresses of the access point and the client. Tom captured all five parameters, and now only the Pre-Shared Key was missing.


The Hashcat utility recovered the missing link in about 50 minutes, and our hero ended up on the guest network. From there the working network was already visible; surprisingly, here Tom recovered the password in about nine minutes. And all of this without leaving the parking lot, without any VPN. The working network opened up opportunities for our hero to do very dangerous things, but... he didn't top up any bonuses on the loyalty cards.

Tom paused, glanced at his watch, tossed a few coins on the table, said goodbye and left the cafe. Maybe on another pentest, or maybe in the telegram channel, I decided to write...


Source: www.habr.com
