Bhunter - hacking botnet nodes

Antivirus and computer security researchers are busy collecting as many samples of new bots as possible. For this they use honeypots... But what if you want to see the malware in real conditions? Put your own server or router at risk? And what if there is no suitable device at hand? It was these questions that prompted me to create bhunter, a tool for gaining access to botnet nodes.


Main idea

There are many ways to spread malware in order to grow a botnet: from phishing to exploiting 0-day vulnerabilities. But the most common method is still brute-forcing SSH passwords.

The idea is very simple. If some botnet node is trying to brute-force the passwords of your server, then most likely this node was itself captured by brute-forcing simple passwords. This means that to gain access to it, you only need to return the favour.

This is how bhunter works. It listens on port 22 (the SSH service) and collects all the logins and passwords with which clients try to connect to it. Then, using the collected passwords, it tries to connect to the attacking node.

Operating algorithm

The program can be divided into 2 main parts, which run in separate threads. The first is the honeypot. It handles login attempts, collects unique logins and passwords (here a login + password pair is what counts as unique), and also adds the IP address that tried to connect to the queue for a later attack.

The second part is the attacking one. The attack is carried out in two ways: BurstAttack (a burst attack) - brute-forcing logins and passwords from the general list, and SingleShotAttack (a single-shot attack) - brute-forcing the passwords that the attacking node itself used but that have not yet been added to the general list.

So that there is at least some database of logins and passwords immediately after launch, bhunter is initialised with the list from the file /etc/bhunter/defaultLoginPairs.
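The honeypot half described above is, from a defender's point of view, ordinary brute-force telemetry: deduplicate the credential pairs that were tried, count attempts per source address, and flag the sources that cross a threshold. The following is an added example (not bhunter's own code); the log line format and the sample lines are constructed for the example, and the threshold of 3 attempts is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed honeypot log lines in a hypothetical format (not bhunter's own format).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth_fail src=203.0.113.5 user=root pass=123456
2024-03-01T10:00:02Z auth_fail src=203.0.113.5 user=root pass=admin
2024-03-01T10:00:03Z auth_fail src=203.0.113.5 user=admin pass=admin
2024-03-01T10:00:04Z auth_fail src=198.51.100.7 user=pi pass=raspberry
2024-03-01T10:00:05Z auth_fail src=203.0.113.5 user=root pass=123456
2024-03-01T10:00:06Z auth_fail src=198.51.100.7 user=root pass=toor
2024-03-01T10:00:07Z bind port=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth_fail src=(?P<src>\S+) user=(?P<user>\S*) pass=(?P<pw>.*)$"
)


def parse_attempts(text):
    """Yield (src_ip, user, password) for every authentication-attempt line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("pw")


def summarize(text, threshold=3):
    """Build the honeypot's view: unique (login, password) pairs, attempts per source,
    the pairs each source tried, and the sources that look like brute-forcers."""
    unique_pairs = set()
    per_ip = Counter()
    pairs_by_ip = defaultdict(set)
    for src, user, pw in parse_attempts(text):
        unique_pairs.add((user, pw))      # a login+password pair is the unit of uniqueness
        per_ip[src] += 1
        pairs_by_ip[src].add((user, pw))
    brute_forcers = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"unique_pairs": unique_pairs, "per_ip": per_ip,
            "pairs_by_ip": pairs_by_ip, "brute_forcers": brute_forcers}


def new_pairs(summary, known_pairs):
    """Pairs seen at the honeypot that are not yet in the general (known) list."""
    return summary["unique_pairs"] - set(known_pairs)
```

Running `summarize(SAMPLE_LOG)` on the constructed lines yields five unique pairs and flags 203.0.113.5, which made four attempts; `new_pairs` shows which of them a general list such as /etc/bhunter/defaultLoginPairs does not yet contain.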

Launching

There are several ways to launch bhunter:

As a regular program

sudo bhunter

When launched this way, bhunter can be controlled through its text menu: add logins and passwords for the attack, export the database of logins and passwords, specify a target for the attack. All hacked nodes can be seen in the file /var/log/bhunter/hacked.log

Using tmux

sudo bhunter-ts # command that starts bhunter inside tmux
sudo tmux attach -t bhunter # attach to the session in which bhunter is running

Tmux is a terminal multiplexer, a very convenient tool. It lets you create several windows inside one terminal and split windows into panes. With it, you can leave the terminal and come back to it later without interrupting the processes running inside.

The bhunter-ts script creates a tmux session and splits the window into three panes. The first, the largest, holds the text menu. The upper right one holds the honeypot logs; here you can see messages about login attempts against the honeypot. The lower right pane shows information about the progress of the attacks on botnet nodes and about successful hacks.

The advantage of this method over the first is that we can safely close the terminal and return to it later without bhunter stopping its work. For those unfamiliar with tmux, I recommend this cheat sheet.

As a service

systemctl enable bhunter
systemctl start bhunter

In this case, we enable bhunter to start automatically at system boot. With this method, no interaction with bhunter is provided, and the list of hacked nodes can be obtained from /var/log/bhunter/hacked.log

Results

While working on bhunter, I managed to find and gain access to completely different devices: raspberry pi, routers (mainly mikrotik), web servers, and once even a mining farm (unfortunately, access to it was brief, so there is no interesting story to tell). Here is a screenshot of the program showing the list of hacked nodes after several days of operation:

[Screenshot: Bhunter - hacking botnet nodes]

Unfortunately, the effectiveness of this tool did not live up to my expectations: bhunter can try passwords against nodes for several days without success, or it can hack several nodes within a few hours. But this is enough for a regular inflow of new botnet samples.

Effectiveness is influenced by parameters such as: the country where the server running bhunter is located, the hosting provider, and the range from which its IP address was allocated. In my experience, there was a case when I rented two virtual servers from the same hoster, and one of them was attacked by botnets 2 times more often.

Bugs I have not fixed yet

When attacking infected hosts, in some cases it is impossible to determine whether the password is correct or not. Such cases are written to the /var/log/debug.log file.

The Paramiko module, which is used to work with SSH, sometimes behaves incorrectly: it waits endlessly for a response from the host when trying to connect to it. I experimented with the timeout, but did not get the result I wanted.

What else needs work?

Service name

According to RFC-4253, the client and the server exchange the names of the services that use the SSH protocol before it is established. This name sits in the "SERVICE NAME" field, which is present both in the request from the client side and in the response from the server side. The field is a string, and its value can be obtained with wireshark or nmap. Here is an example for OpenSSH:

$ nmap -p 22 ***.**.***.** -sV
Starting Nmap ...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

However, in the case of Paramiko this field contains a string like "Paramiko Python sshd 2.4.2", which may scare off bots designed to "avoid" traps. Therefore, I think it is worth replacing this string with something less conspicuous.
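The value nmap prints in its VERSION column comes from the identification line each SSH peer sends before key exchange, which RFC 4253 section 4.2 defines as "SSH-protoversion-softwareversion SP comments CR LF". Below is an added example (not bhunter's or Paramiko's code) that parses that line and lets an operator read what their own honeypot or server actually advertises; the sample strings in the tests are constructed, and `read_ssh_ident` assumes a reachable host.

```python
import re
import socket

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
MAX_IDENT_LEN = 255  # RFC limit on the line including CR LF


def parse_ssh_ident(line):
    """Parse one identification string. Returns a dict, or None if the line is not one."""
    if len(line) > MAX_IDENT_LEN:
        return None
    line = line.rstrip("\r\n")
    m = IDENT_RE.match(line)
    if not m:
        return None
    return {"proto": m.group("proto"),
            "software": m.group("software"),
            "comments": m.group("comments")}


def first_ident(data):
    """A server may send other lines before its identification string (RFC 4253 allows it);
    return the first line that parses as one, or None."""
    for raw in data.split("\n"):
        parsed = parse_ssh_ident(raw)
        if parsed:
            return parsed
    return None


def read_ssh_ident(host, port=22, timeout=5.0):
    """Operator check: connect to your own host and report the identification it sends.
    Reads until an identification line arrives or a size limit is hit, then closes."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        while len(buf) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
            ident = first_ident(buf.decode("utf-8", "replace"))
            if ident:
                return ident
    return first_ident(buf.decode("utf-8", "replace"))
```

Compare the returned `software` value with the VERSION column nmap shows for the same host to confirm the honeypot presents the banner you intend.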

Other vectors

SSH is not the only remote management method. There are also telnet and rdp. It is worth taking a closer look at them.

Scaling

It would be good to have several traps in different countries and to collect the logins, passwords and hacked nodes from them centrally into a single database.

Where can I download it?

At the time of writing, only a test version is ready, which can be obtained from the repository on Github.

Source: www.habr.com
