Once Upon a Time on a Pentest, or How to Break Everything with the Help of a Urologist and Roskomnadzor

This article is based on a very successful pentest carried out by Group-IB specialists a couple of years ago: a story happened that could be adapted into a Bollywood film. Now the reader's reaction will probably follow: "Oh, another PR article, once again these guys are being shown off, how good they are, don't forget to buy a pentest." Well, on the one hand, it is that. However, there are several other reasons why this article appeared. I wanted to show exactly what pentesters do, how interesting and non-trivial this work can be, what funny circumstances can arise in projects, and most importantly, to show live material with real examples.

To restore the balance of modesty in the world, a little later we will write about a pentest that did not go well. We will show how well-designed processes in a company can protect against a whole range of attacks, even well-prepared ones, simply because those processes exist and actually work.

For the customer in this article, everything was also generally excellent, at least better than 95% of the market in the Russian Federation by our impression, but there were several small nuances that formed a long chain of events, which first led to a long report on the work, and then to this article.

So, let's grab some popcorn and get to the detective story. The floor goes to Pavel Suprunyuk, technical manager of the "Audit and Consulting" department at Group-IB.

Part 1. Doctor Pochkin

2018. There is a customer: a high-tech IT company that itself serves many clients. It wants an answer to the question: is it possible, without any prior knowledge or access, working over the Internet, to obtain Active Directory domain administrator rights? No social engineering (oh, but without that), no intentional disruption of operations, but accidental disruption is allowed: rebooting a strangely behaving server, for example. An additional goal is to identify as many attack vectors against the external perimeter as possible. The company conducts such tests regularly, and now the time has come for another one. The conditions are practically typical, adequate and understandable. Let's begin.

The customer has a name; let it be "Company", with the main website www.company.ru. Of course, the customer is called something different, but in this article everything will be impersonal.
I carry out network reconnaissance: find out which addresses and domains are registered to the customer, draw a network diagram, and work out how services are distributed across those addresses. I get the result: more than 4000 live IP addresses. I look at the domains in those networks: fortunately, the vast majority of the networks are intended for the customer's clients, and we are formally not interested in them. The customer thinks the same.

One network of 256 addresses remains, for which by this point there is already an understanding of how domains and subdomains are distributed across IP addresses, and there is information about the scanned ports, which means one can look at the services for anything interesting. In parallel, all kinds of scanners are launched against the available IP addresses and separately against the websites.

There are many services. Usually this is a joy for a pentester and the anticipation of a quick victory, since the more services there are, the larger the attack surface and the easier it is to find an artifact. A quick look at the websites showed that most of them were web interfaces of well-known products from large global companies, which by their whole appearance tell you that you are not welcome. They ask for a username and password, shake out a second-factor field, ask for a TLS client certificate, or send you to Microsoft ADFS. Some are simply unreachable from the Internet. For others, you obviously need a special paid client costing three salaries, or you need to know the exact URL to enter. Let's skip another week of gradual despondency in attempts to "break" software versions with known vulnerabilities, searching for hidden content in web paths and leaked accounts from third-party services like LinkedIn, trying to guess passwords with them, and also digging into vulnerabilities in self-written websites; by the way, statistically, this is the most promising external attack vector today. I will immediately note the movie gun that later fired.

So, we found two sites that stood out from the hundreds of services. These sites had one thing in common: if you do not carry out meticulous network reconnaissance by domain, but instead look "head-on" for open ports or point a vulnerability scanner at a known IP range, then these sites slip past the scan and are simply not visible without knowing the DNS name. Perhaps they had been missed before, at least our automated tools did not find any problems with them, even when pointed directly at the resource.

By the way, about what the previously launched scanners found in general. Let me remind you: for some people, a "pentest" is equivalent to an "automated scan". But the scanners on this project said nothing at all. Well, the maximum shown was Medium severity (3 out of 5): on some service a bad TLS certificate or outdated encryption algorithms, and on most sites, Clickjacking. But this will not get you to the goal. Perhaps scanners would have been more useful here, but let me remind you: the customer can buy such programs himself and test himself with them, and, judging by the depressing results, had already checked.

Let's get back to the "anomalous" sites. The first was something like a local Wiki at a non-standard address, but in this article let it be wiki.company[.]ru. It also immediately asked for a login and password, but via NTLM in the browser. For the user, this looks like an ascetic window asking to enter a username and password. And this is a bad practice.

A small note. NTLM on perimeter websites is bad for several reasons. The first reason is that the Active Directory domain name is disclosed. In our example, it also turned out to be company.ru, like the "external" DNS name. Knowing this, you can carefully prepare something malicious so that it executes only on an organization's machine, and not in some sandbox. Second, authentication goes directly through the domain controller via NTLM (surprise, right?), with all the features of the "internal" network policies, including locking out accounts after exceeding the number of password entry attempts. If an attacker finds out the logins, he will try passwords against them. If you are configured to lock accounts after wrong passwords, it will work and the accounts will be locked. Third, it is impossible to add a second factor to such authentication. If any of the readers still knows how, please let me know, it is really interesting. Fourth, vulnerability to pass-the-hash attacks. ADFS was invented, among other things, to protect against all of this.

There is one bad property of Microsoft products: even if you did not specifically publish such NTLM, it will be present by default in OWA and Lync, at the very least.
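As an added illustration of the first point in the note above (this is not code from the article or from Group-IB), the following Python decodes what an NTLM challenge from a web server discloses to a client that has not authenticated yet. The sample challenge is constructed inline from the article's placeholder names (company.ru, wiki) and is not captured traffic.

```python
import base64
import struct

# AV_PAIR ids from MS-NLMP 2.2.2.1 that carry names
AV_NAMES = {
    1: "NetBIOS computer name",
    2: "NetBIOS domain name",
    3: "DNS computer name",
    4: "DNS domain name",
    5: "DNS tree name",
}

# NegotiateFlags bits used below (MS-NLMP 2.2.2.5)
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM = 0x00000200
TARGET_TYPE_DOMAIN = 0x00010000
NEGOTIATE_TARGET_INFO = 0x00800000

# Constructed sample: what a server in the article's situation would send.
# The names are the article's placeholders, not a real capture.
SAMPLE_TARGET = "COMPANY"
SAMPLE_AV_PAIRS = [
    (2, "COMPANY"),           # NetBIOS domain
    (1, "WIKI"),              # NetBIOS computer (assumed host name)
    (4, "company.ru"),        # DNS domain: the AD domain name leaks here
    (3, "wiki.company.ru"),   # DNS computer
    (5, "company.ru"),        # DNS tree (forest root)
]


def build_sample_challenge_header(target=SAMPLE_TARGET, av_pairs=SAMPLE_AV_PAIRS):
    """Build a 'WWW-Authenticate: NTLM <b64>' value carrying a CHALLENGE_MESSAGE (type 2)."""
    enc = "utf-16-le"
    target_b = target.encode(enc)
    info = b""
    for av_id, value in av_pairs:
        value_b = value.encode(enc)
        info += struct.pack("<HH", av_id, len(value_b)) + value_b
    info += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM | TARGET_TYPE_DOMAIN | NEGOTIATE_TARGET_INFO
    header_len = 56  # fixed part, including the 8-byte Version field
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target_b), len(target_b), header_len)          # TargetNameFields
    msg += struct.pack("<I", flags)
    msg += bytes.fromhex("0123456789abcdef")  # ServerChallenge (constructed, fixed for the sample)
    msg += b"\x00" * 8                        # Reserved
    msg += struct.pack("<HHI", len(info), len(info), header_len + len(target_b))  # TargetInfoFields
    msg += b"\x00" * 8                        # Version (zero, NEGOTIATE_VERSION not set)
    msg += target_b + info
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def parse_challenge(header_value):
    """Decode what an NTLM CHALLENGE_MESSAGE discloses before any credential is sent."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not b64:
        raise ValueError("not an NTLM WWW-Authenticate value")
    msg = base64.b64decode(b64)
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE (type 2)")
    t_len, _, t_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    i_len, _, i_off = struct.unpack_from("<HHI", msg, 40)
    if t_off + t_len > len(msg) or i_off + i_len > len(msg):
        raise ValueError("field offsets point outside the message")
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    disclosed = {"target_name": msg[t_off:t_off + t_len].decode(enc), "flags": flags}
    pos, end = i_off, i_off + i_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL
            break
        value = msg[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:
            disclosed[AV_NAMES[av_id]] = value.decode("utf-16-le")  # AV_PAIR strings are always Unicode
    return disclosed


if __name__ == "__main__":
    for name, value in parse_challenge(build_sample_challenge_header()).items():
        print(f"{name}: {value}")
```

A defender auditing their own perimeter can feed parse_challenge the WWW-Authenticate value a host returns to an NTLM negotiate message and see exactly which internal names it hands out.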

By the way, the author of this article once accidentally locked about a hundred accounts of employees of one large bank within an hour using the same method and then looked a little pale. The bank's IT services were also pale, but everything ended well and adequately; we were even praised for being the first to find this problem and prompting a quick and decisive fix.

The second site had an address of the form "obviously-some-surname.company.ru". I found it through Google, somewhere around page 10. The design was from the early-to-mid XNUMXs, and a respectable person looked out from the main page, something like this:

Here I took a still from "Heart of a Dog", but believe me, it was vaguely similar; even the color scheme was in similar tones. Let the site be called preobrazhensky.company.ru.

It was a personal website ... of a urologist. I wondered what a urologist's website was doing on a subdomain of a high-tech company. A quick dig in Google showed that this doctor was a co-founder of one of our customer's legal entities and had even contributed about 1000 rubles to its authorized capital. The site was probably created many years ago, and the customer's server resources were used as hosting. The site had long lost its relevance, but for some reason was left running for a long time.

In terms of vulnerabilities, the website itself was secure. Looking ahead, I will say that it was a set of static information: simple html pages with inserted illustrations in the form of kidneys and bladders. It is useless to "break" such a site.

But the web server underneath was more interesting. Judging by the HTTP Server header, it ran IIS 6.0, which means Windows 2003 was used as the operating system. The scanner had earlier noted that this urologist's website, unlike other virtual hosts on the same web server, responded to the PROPFIND command, meaning it was running WebDAV. By the way, the scanner returned this information with the Info marker (in the language of scanner reports, this is the lowest severity); such things are usually just skipped. Combined, this gave an interesting effect, which was revealed only after another dig on Google: a rare buffer overflow vulnerability connected with the Shadow Brokers set, namely CVE-2017-7269, which already had a ready-made exploit. In other words, there will be trouble if you have Windows 2003 and WebDAV running on IIS. Although running Windows 2003 in production in 2018 is a problem in itself.

The exploit ended up in Metasploit and was immediately tested with a payload that sent a DNS request to a controlled service; Burp Collaborator is usually used to catch DNS requests. To my surprise, it worked the first time: a DNS knock was received. Next, there was an attempt to create a backconnect via port 80 (that is, a network connection from the server to the attacker, with access to cmd.exe on the victim), but then a fiasco occurred. The connection did not come, and after the third attempt at exploitation, the site, together with all its entertaining pictures, disappeared for good.

Usually this is followed by a letter in the style of "customer, wake up, we dropped everything." But we were told that the site has nothing to do with business processes and runs there for no reason at all, like the whole server, and that we may use this resource as we wish.
About a day later the site suddenly started working again by itself. Having built a test bench from WebDAV on IIS 6.0, I found that the default setting is to restart the IIS worker processes every 30 hours. That is, when control passed to the shellcode, the IIS worker process terminated, then restarted itself a couple of times and then went to rest for 30 hours.

Since the backconnect over tcp failed the first time, I attributed this problem to a closed port. That is, I assumed the presence of some kind of firewall that did not let outgoing connections through to the outside. I began running shellcodes that searched through many tcp and udp ports; there was no effect. Reverse connection payloads via http(s) from Metasploit did not work either: meterpreter/reverse_http(s). Suddenly, a connection to the same port 80 was established, but immediately dropped. I attributed this to the work of a still-imaginary IPS that did not like meterpreter traffic. Considering that a clean tcp connection to port 80 did not get through but an http connection did, I concluded that an http proxy was somehow configured in the system.

I even tried meterpreter via DNS (thanks d00kie for your efforts, it saved many projects), remembering the very first success, but it did not even work on the bench: the shellcode was too bulky for this vulnerability.

In reality it looked like this: 3-4 attack attempts within 5 minutes, then waiting for 30 hours. And so on for three weeks in a row. I even set a reminder so as not to waste time. In addition, there was a difference in the behavior of the test and production environments: for this vulnerability there were two similar exploits, one from Metasploit, the second from the Internet, converted from the Shadow Brokers version. So, only the Metasploit one was tested in combat, and only the second one on the bench, which made debugging even more difficult and was brain-breaking.

In the end, a shellcode that downloaded an exe file from a given server via http and launched it on the target system proved to work. The shellcode was just small enough to fit, but at least it worked. Since the server did not like TCP traffic at all and http(s) was inspected for the presence of meterpreter, I decided that the fastest way was to download an exe file containing DNS-meterpreter through this shellcode.

Here again a problem arose: when downloading an exe file and, as attempts showed, no matter which one, the download was interrupted. Again, some security device between my server and the urologist did not like http traffic with an exe inside. The "quick" solution seemed to be to change the shellcode so that it obfuscated the http traffic on the fly, so that abstract binary data was transmitted instead of an exe. Finally, the attack succeeded, and control was received through the thin DNS channel:

It immediately turned out that I had IIS worker process rights, which allow me to do practically nothing. This is what it looked like in the Metasploit console:

All pentest methodologies strongly recommend that you escalate privileges when you gain access. I usually do not do this locally, since the very first access is seen only as a network entry point, and compromising another machine on the same network is usually easier and faster than escalating privileges on the existing host. But this is not the case here, since the DNS channel is very narrow and will not let traffic through freely.

Assuming that this Windows 2003 server had not been patched for the famous MS17-010 vulnerability, I tunnel traffic to port 445/TCP through the meterpreter DNS tunnel to localhost (yes, this is also possible) and try to run the previously downloaded exe through the vulnerability. The attack works, I receive a second connection, but with SYSTEM rights.


It is interesting that they still tried to protect the server from MS17-010: the vulnerable network services were disabled on the external interface. This protects against attacks over the network, but the attack from inside via localhost worked, since you cannot just quickly disable SMB on localhost.

Then new interesting details are revealed:

  1. Having SYSTEM rights, you can easily establish a backconnect via TCP. Obviously, the block on direct TCP is a problem strictly for the low-privileged IIS user. Spoiler: the IIS user's traffic was somehow wrapped in the local ISA Proxy in both directions. How exactly this works, I did not reproduce.
  2. I am in a certain "DMZ" (and this is not the Active Directory domain, but WORKGROUP), which sounds logical. But instead of the expected private ("grey") IP address, I have a "white" IP address, exactly the same as the one I attacked at the start. This means the company is so old in the world of IPv4 addressing that it can afford to keep a DMZ zone of 128 "white" addresses without NAT, according to the scheme shown in Cisco manuals from 2005.

Since the server is old, Mimikatz is guaranteed to work directly from memory:

I get the local administrator's password, tunnel RDP traffic over TCP and log in to a cozy desktop. Since I could do whatever I wanted with the server, I removed the antivirus and found that the server was reachable from the Internet only via TCP ports 80 and 443, and 443 was not in use. I set up an OpenVPN server on 443, add NAT functions for my VPN traffic and get direct access to the DMZ network in unrestricted form through my OpenVPN. It is noteworthy that ISA, having some IPS functions that had not been disabled, blocked my traffic as port scanning, for which it had to be replaced with the simpler and more compliant RRAS. So pentesters still sometimes have to administer all sorts of things.

An attentive reader will ask: "What about the second site, the wiki with NTLM authentication, about which so much was written?" More about this later.

Part 2. Still not encrypting? Then we are already coming to you

So, there is access to the DMZ network segment. You need to get to domain administrator. The first thing that comes to mind is to automatically check the security of the services inside the DMZ segment, especially since many more of them are now open for research. A typical picture during a penetration test: the external perimeter is better protected than the internal services, and once you get any access inside a large infrastructure, obtaining elevated rights in the domain is much easier simply because, first, the domain becomes reachable by tools, and second, in infrastructures with several thousand hosts there will always be a couple of critical problems.

I load the scanners into the DMZ through the OpenVPN tunnel and wait. I open the report: again nothing serious, apparently someone walked the same path before me. The next step is to examine how hosts inside the DMZ network communicate. To do this, first launch the usual Wireshark and listen for broadcast requests, primarily ARP. ARP packets were collected all day. It turns out that several gateways are used in this segment. This will come in handy later. By combining data on ARP requests and responses with port scan data, I found the exit points of user traffic from inside the local network in addition to those services that were previously known, such as web and mail.

Since at that moment I had no access to other systems and not a single account for corporate services, it was decided to fish out at least one account from the traffic using ARP Spoofing.

Cain &amp; Abel was launched on the urologist's server. Taking into account the identified traffic flows, the most promising pairs for a man-in-the-middle attack were selected, and then some network traffic was received by switching it on for short 5-10 minute periods, with a timer to reboot the server in case it froze. As in the joke, there were two pieces of news:

  1. Good: a lot of credentials were caught and the attack as a whole worked.
  2. Bad: all the credentials were from the customer's own clients. While providing support services, the customer's specialists connected to client services that did not always have traffic encryption configured.

As a result, I obtained a lot of credentials that were useless in the context of the project, but certainly interesting as a demonstration of the attack's danger. Border routers of large companies with telnet, debug http ports forwarded to an internal CRM with all its data, direct access to RDP from Windows XP on the local network, and other obscurantism. It turned out to be a Supply Chain Compromise according to the MITRE matrix.

I also found an amusing opportunity to collect letters from the traffic, something like this. This is an example of a ready-made letter going from our customer to the SMTP port of his client, again without encryption. A certain Andrey is asked by name to resend the documents, and they are uploaded to a cloud drive with login, password and link in one reply letter:

This is another reminder to encrypt all services. It is unknown who will read and use your data directly, and when: the provider, the system administrator of another company, or a pentester like this. I will stay quiet about the fact that many people can simply intercept unencrypted traffic.

Despite the apparent success, this did not bring us closer to the goal. It was possible, of course, to sit for a long time and fish out valuable information, but it is not a given that it would appear there, and the attack itself is very risky in terms of network integrity.

After another dig into the services, an interesting idea came to mind. There is a utility called Responder (it is easy to find usage examples by this name) which, by "poisoning" broadcast requests, provokes connections over various protocols such as SMB, HTTP, LDAP, etc. in different ways, then asks everyone who connects to authenticate and arranges things so that authentication takes place via NTLM and in a mode transparent to the victim. Most often, an attacker collects NetNTLMv2 handshakes this way and from them, using a dictionary, quickly recovers domain user passwords. Here I wanted something similar, but the users sat "behind a wall", or rather, they were separated by a firewall and accessed the WEB through a Blue Coat proxy cluster.

Remember, I specified that the Active Directory domain name coincided with the "external" domain, that is, it was company.ru? So, Windows, more precisely Internet Explorer (and Edge, and Chrome), allow the user to transparently authenticate in HTTP via NTLM if they consider the site to be in some "Intranet Zone". One of the signs of an "Intranet" is access to a "grey" IP address or a short DNS name, that is, one without dots. Since they had a server with a "white" IP and the DNS name preobrazhensky.company.ru, and domain machines usually receive the Active Directory domain suffix via DHCP for name completion, they only had to type the URL preobrazhensky in the address bar for them to find the right path to the compromised urologist's server, not forgetting that this is now called "Intranet". That is, at the same time giving me the user's NTLM handshake without his knowledge. All that remained was to force the client browsers to think about the urgent need to contact this server.

The wonderful Intercepter-NG utility came to the rescue (thanks Intercepter). It allowed changing traffic on the fly and worked great on Windows 2003. It even had separate functionality for modifying only JavaScript files in the traffic flow. A kind of mass Cross-Site Scripting was planned.

The Blue Coat proxies, through which users accessed the global WEB, periodically cached static content. By intercepting the traffic, it was clear that they worked around the clock, endlessly requesting frequently used statics to speed up the display of content during peak hours. In addition, BlueCoat had a specific User-Agent, which clearly distinguished it from a real user.

JavaScript was prepared, which, using Intercepter-NG, was injected for an hour at night into every response with JS files for Blue Coat. The script did the following:

  • Determined the current browser by User-Agent. If it was Internet Explorer, Edge or Chrome, it continued working.
  • Waited until the page DOM was formed.
  • Inserted an invisible image into the DOM with a src attribute of the form preobrazhensky:8080/NNNNNNN.png, where NNN are random numbers so that BlueCoat would not cache it.
  • Set a global flag indicating that the injection was complete and there was no longer any need to insert images.

The browser tried to load this image; on port 8080 of the compromised server, a TCP tunnel to my laptop was waiting for it, where the same Responder was running, requiring the browser to log in via NTLM.

Judging by the Responder logs, people came to work in the morning, turned on their workstations, then en masse and unnoticed began visiting the urologist's server, not forgetting to "drain" NTLM handshakes. Handshakes rained down all day and clearly accumulated material for a successful password recovery attack. This is what the Responder logs looked like:

Mass hidden visits to the urologist's server by users

You may have already noticed that this whole story is built on the principle "everything was fine, but then there was a bummer, then there was an overcoming, and everything came to success." So, there was a bummer here. Of the fifty unique handshakes, not a single one was cracked. And this despite the fact that even on a laptop with a dead processor, these NTLMv2 handshakes are processed at a speed of several hundred million attempts per second.

I had to arm myself with password mutation techniques, a video card, a thicker dictionary and wait. After a long time, several accounts with passwords of the form "Q11111111....1111111q" were revealed, which suggests that all users were once forced to come up with a very long password with different character cases, which also had to be complex. But you cannot fool an experienced user, and this is how he made it easier for himself to remember. In total, about 5 accounts were compromised, and only one of them had any significant rights to services.
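As an added defender-side check (not from the article or from Group-IB), the following Python flags the failure mode described above: a password that satisfies a length and character-class policy but is built from one repeated character. The thresholds are assumed values, not the customer's policy, and the sample passwords are constructed.

```python
import string

# Assumed policy thresholds for the illustration; the article only says the
# real policy demanded a long password with mixed case.
MIN_LENGTH = 12
MIN_CLASSES = 3           # of lowercase / uppercase / digits / punctuation
MAX_RUN = 3               # longest allowed run of one repeated character
MIN_DISTINCT_RATIO = 0.5  # distinct characters divided by length

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def char_classes(pw):
    """Count how many of the four character classes the password uses."""
    return sum(1 for cls in CLASSES if any(c in cls for c in pw))


def longest_run(pw):
    """Length of the longest run of the same character, e.g. 17 for 'Q' + '1'*17 + 'q'."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def audit_password(pw):
    """Return the formal policy verdict plus why a compliant password may still be degenerate."""
    classes = char_classes(pw)
    meets_policy = len(pw) >= MIN_LENGTH and classes >= MIN_CLASSES
    run = longest_run(pw)
    distinct = len(set(pw))
    distinct_ratio = distinct / len(pw) if pw else 0.0
    reasons = []
    if run > MAX_RUN:
        reasons.append(f"run of {run} identical characters")
    if distinct_ratio < MIN_DISTINCT_RATIO:
        reasons.append(f"only {distinct} distinct characters in {len(pw)}")
    return {
        "meets_policy": meets_policy,
        "classes": classes,
        "longest_run": run,
        "distinct_ratio": round(distinct_ratio, 2),
        "degenerate": bool(reasons),
        "reasons": reasons,
        "accept": meets_policy and not reasons,
    }


# Constructed samples: the article's pattern, a short one, and a sound one.
SAMPLES = {
    "article_pattern": "Q" + "1" * 17 + "q",
    "too_short": "Password1!",
    "sound": "Mw7#kTq2$vLp9z",
}

if __name__ == "__main__":
    for label, pw in SAMPLES.items():
        result = audit_password(pw)
        verdict = "accept" if result["accept"] else "reject"
        print(f"{label:16} {verdict:7} policy={result['meets_policy']} {'; '.join(result['reasons'])}")
```

The point is that a length-and-classes filter alone accepts the article's pattern; only the run and distinct-character checks reject it, and the same logic can sit in a password filter or a periodic audit of cracked-hash results.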

Part 3. Roskomnadzor strikes back

So, the first domain accounts were obtained. If you have not fallen asleep by now from the long read, you probably remember that I mentioned a service that did not require a second authentication factor: the wiki with NTLM authentication. Of course, the first thing to do was to log in there. Digging into the internal knowledge base quickly brought results:

  • The company has a WiFi network with authentication using domain accounts and access to the local network. With the current set of data, this is already a working attack vector, but you need to go to the office on foot and be somewhere on the territory of the customer's office.
  • I found an instruction according to which there was a service that allowed ... independently registering a "second factor" authentication device if the user is inside the local network and confidently remembers his domain login and password. In this case, "inside" and "outside" were determined by whether this service's port was reachable by the user. The port was not accessible from the Internet, but was quite accessible through the DMZ.

Of course, a "second factor" was immediately added to the compromised account in the form of an application on my phone. There was an application that could either loudly push a request to the phone with "approve"/"reject" buttons for the action, or silently display an OTP code on the screen for manual entry. Moreover, the first method was supposed, according to the instructions, to be the only correct one, but it did not work, unlike the OTP method.

With the "second factor" broken, I was able to access Outlook Web Access mail and remote access in Citrix Netscaler Gateway. There was a surprise in the mail in Outlook:

In this rare shot you can see how Roskomnadzor helps pentesters

This was the first month after the famous "fan" blocking of Telegram, when entire networks with thousands of addresses irrevocably disappeared from access. It became clear why the push did not work at that time and why my "victim" did not raise the alarm when his account began to be used at that time.

Anyone familiar with Citrix Netscaler knows that it is usually implemented so that only a picture of the interface is delivered to the user, trying not to give him the means to launch third-party applications and transfer data, restricting in every way actions via the standard control shells. My "victim", due to his job function, only got 1C:

After wandering around the 1C interface a little, I found that there are external processing modules there. They can be loaded from the interface, and they will be executed on the client or the server, depending on rights and settings.

I asked my 1C programmer friends to make a processing module that would accept a string and execute it. In the 1C language, launching a process looks something like this (taken from the Internet). Do you agree that the syntax of the 1C language stuns Russian speakers with its directness?


The processing module worked properly; it turned out to be what pentesters call a "shell": Internet Explorer was launched through it.

By the way, the address of a system that allows ordering passes to the premises was found in the mail. I ordered a pass in case I had to use the WiFi attack vector.

Rumor has it on the Internet that there was also tasty free food in the customer's office, but I still preferred to develop the remote, quieter attack.

AppLocker was enabled on the application server running Citrix, but it was bypassed. The same Meterpreter was loaded and launched via DNS, since the http(s) versions did not want to connect, and I did not know the internal proxy address at that time. By the way, from this point on, the external pentest completely turned into an internal one.

Part 4. Admin rights for users: bad, right?

The first task of a pentester when gaining control of a domain user session is to collect all the information about rights in the domain. There is the BloodHound utility, which allows you to download information about users, computers and security groups via the LDAP protocol from a domain controller, and via SMB, information about which user recently logged in where and who is the local administrator.

A typical technique for seizing domain administrator rights looks, simplified, like a cycle of monotonous actions:

  • Go to the domain computers where there are local administrator rights, based on already captured domain accounts.
  • Launch Mimikatz and get cached passwords, Kerberos tickets and NTLM hashes of domain accounts that have recently logged in to this system. Or dump the memory of the lsass.exe process and do the same on our side. This works well with Windows older than 2012R2/Windows 8.1 with default settings.
  • Determine where the compromised accounts have local administrator rights. Repeat the first point. At some stage we obtain administrator rights for the entire domain.

"End of the Cycle;", sezvo 1C programmers vaizonyora pano.

So, our user turned out to be a local administrator on only one host, running Windows 7, whose name contained the word "VDI", or "Virtual Desktop Infrastructure": personal virtual machines. Presumably the designer of the VDI service reasoned that since a VDI is the user's personal operating system, even if the user changes the software environment however they like, the host can always be "re-imaged". I also thought the idea was generally sound, went to that personal VDI host and built a nest there:

  • Installed an OpenVPN client there, which built a tunnel over the Internet to my server. The client had to pass through the same Blue Coat with domain authentication, but OpenVPN managed that, as they say, "out of the box".
  • Installed OpenSSH on the VDI. Really now, what is Windows 7 without SSH?

This is what it looked like live. Let me remind you that all of this had to be done through Citrix and 1C:

[screenshot]
One way of extending access to neighbouring computers is to check whether local administrator passwords match. Here luck was waiting right away: the NTLM hash of the default local administrator (who happened to be named Administrator) worked via a pass-the-hash attack against the neighbouring VDI hosts, of which there were several hundred. Naturally, the attack immediately rolled over all of them.

Here the VDI administrators shot themselves in the foot twice:

  • The first time was when the VDI machines were not enrolled in LAPS, so they kept essentially the same local administrator password from the image that had been mass-deployed to the VDI.
  • The default Administrator is the only local account vulnerable to pass-the-hash attacks: with default settings, UAC remote restrictions strip the administrative token from any other local account logging on over the network, so only the built-in RID 500 account is usable this way unless LocalAccountTokenFilterPolicy has been set to 1. Even with an identical password, mass compromise could have been avoided by creating a second local administrator account with a complex random password and disabling the default one.

So why an SSH service on that Windows? Very simple: now the OpenSSH server not only provided a convenient interactive command shell without interfering with the user's work, but also a socks5 proxy on the VDI. Through that socks I connected over SMB and collected cached accounts from all the hundreds of VDI machines, then searched them for a path to domain administrator using BloodHound graphs. With hundreds of hosts at my disposal, I found that path fairly quickly. Domain administrator rights obtained.

Here is a picture from the Internet showing a similar search. The connections show who is an admin where and who logs on where.

[image: BloodHound graph]
Incidentally, remember the condition from the start of the project: "no social engineering". So I suggest thinking about how much this whole Bollywood production with special effects would have been cut short had it still been possible to use banal phishing. For me personally, doing all this was very interesting. I hope you enjoyed reading it. Of course, not every project looks this exciting, but the work overall is quite demanding and does not let you stagnate.

Someone will probably ask: how do you defend against this? Even this article describes many techniques that many Windows administrators do not even suspect exist. Still, I suggest looking at them from the standpoint of the well-worn principles and measures of information security:

  • do not use outdated software (remember Windows 2003 at the start?)
  • do not keep unnecessary systems switched on (why was there a urologist's website?)
  • check your users' passwords for strength yourself (otherwise the soldiers... pentesters will do it)
  • do not have identical passwords for different accounts (the VDI compromise)
  • and so on

Of course, this is very difficult to implement, but in the next article we will show in practice that it is quite feasible.

Source: www.habr.com
