Writing a Reverse SOCKS5 Proxy in PowerShell. Part 1

A story of research and development in three parts. Part 3 is the exploratory one.
Lots of words, but some benefit too.

Problem statement

During pentest and RedTeam campaigns, it is not always possible to use the Customer's standard tools, such as VPN, RDP, Citrix, etc., as a foothold for getting into the internal network. In some places the standard VPN works with MFA and a hardware token is used as the second factor; in others it is monitored so aggressively that our VPN login is noticed very quickly, as they say, with all the consequences; and in still others there are simply no such means at all.

In such situations we constantly have to build so-called "reverse tunnels": connections from the internal network to an external resource or server that we control. Inside such a tunnel we can already work with the Customer's internal resources.

There are several kinds of these reverse tunnels. The best known of them is, of course, Meterpreter. SSH tunnels with reverse port forwarding are also in high demand among the hacker masses. There are many ways to implement reverse tunneling, and most of them are well studied and documented.
Naturally, the developers of security products do not stand aside either and actively detect such activity.
For example, MSF sessions are successfully detected by modern IPS from Cisco or Positive Tech, and a reverse SSH tunnel can be spotted by almost any decent firewall.

Therefore, to stay unnoticed in a good RedTeam campaign, we need to build the reverse tunnel with non-standard means and adapt it as closely as possible to the network's actual mode of operation.

Let's try to find or create something along those lines.

Before building anything, we need to understand what result we want to get and what functions our development should perform. What requirements must the tunnel meet in order to operate in maximum stealth mode?

Obviously, in each specific case such requirements can vary a great deal, but based on practical experience the main ones can be identified:

  • work on Windows 7-10, since most corporate networks run Windows;
  • the client connects to the server over SSL, to prevent trivial eavesdropping with an IPS;
  • when connecting, the client must support working through a proxy server with authentication, because in many companies Internet access goes through a proxy. In fact, the client machine may not even know anything about it, and the proxy is used in transparent mode. But we must provide for this mode of operation;
  • the client part must be compact and portable;
    Obviously, to work inside the Customer's network you could install OpenVPN on the client machine and build a full tunnel to your own server (fortunately, OpenVPN clients can work through a proxy). But, first, this will not always work, since we may not be local admins there, and second, it will make so much noise that a decent SIEM or HIPS will "catch" us instantly. Ideally, our client should be a so-called inline command, the way many bash shells are implemented, and be launched from the command line, for example when executing commands from a Word macro.
  • our tunnel must be multithreaded and support many connections at the same time;
  • the client-server connection must have some kind of authentication, so that the tunnel is established only for our client and not for everyone who comes to our server at the given address and port. Ideally, "third-party visitors" should be shown a landing page with cats or with professional topics related to the original domain.
    For example, if the Customer is a medical organization, then an information security administrator who decides to check what resources a clinic employee accessed should see a page about pharmaceuticals, a Wikipedia article describing a diagnosis, Dr. Komarovsky's blog, or the like.

Analysis of existing tools

Before reinventing your own bicycle, you should analyze the existing bicycles and understand whether we really need one, and, probably, whether we are the only ones who have thought about the need for such a functional bicycle.

Googling the Internet (we seem to google normally), as well as searching GitHub for the keywords "reverse socks", did not yield many results. Basically, everything comes down to building SSH tunnels with reverse port forwarding and everything related to that. Besides SSH tunnels, there are a few solutions:

github.com/klsecservices/rpivot
A long-standing implementation of a reverse tunnel from the guys at Kaspersky Lab. The name makes it clear what this script is intended for. Implemented in Python 2.7; the tunnel works in cleartext (as it is fashionable to say now: hello RKN).

github.com/tonyseek/rsocks
Another implementation in Python, also in cleartext, but with somewhat more capabilities. Written as a module and has an API for integrating the solution into your own projects.

github.com/llkat/rsockstun
github.com/mis-team/rsockstun
The first link is the original version of a reverse socks implementation in Golang (no longer maintained by the developer).
The second link is our fork with additional features, also in Golang. In our version we implemented SSL, work through a proxy with NTLM authentication, client authentication, a landing page on a wrong password (or rather, a redirect to a landing page), multithreaded mode (i.e., several people can work with the tunnel at the same time), and a mechanism for pinging the client to determine whether it is alive or not.

github.com/jun7th/tsocks
A reverse socks implementation from our "Chinese friends" in Python. There, for the lazy and the "immortal", a ready-made binary (exe) is available, built by the Chinese and ready to use. Here only the Chinese god knows what else this binary might contain besides the main functionality, so use it at your own risk.

github.com/securesocketfunneling/ssf
A very interesting C++ project for implementing reverse socks and more. Besides the reverse tunnel, it can do port forwarding, create a command shell, etc.

MSF meterpreter
Here, as they say, no comment. Every more or less educated hacker is very familiar with this thing and understands how easily it is detected by security tools.

All the tools described above work on the same principle: a pre-prepared executable binary module is launched on a machine inside the network and establishes a connection to an external server. The server runs a SOCKS4/5 server that accepts connections and relays them to the client.

The drawback of all the tools above is that either Python or Golang must be installed on the client machine (have you often seen Python installed on the machine of, say, a company director or office staff?), or a pre-compiled binary (essentially Python and the script in one bottle) has to be dragged onto the machine and that binary launched. And downloading an exe and then launching it is itself a signature for the local antivirus or HIPS.

In general, the conclusion suggests itself: we need a PowerShell solution. Now the tomatoes will start flying at us: they say PowerShell is already hackneyed, monitored, blocked, and so on and so forth. Actually, not everywhere. We state this responsibly. By the way, there are many ways to bypass blocking (here again the fashionable phrase: hello RKN :)), starting from the trivial renaming of powershell.exe -> cmdd.exe and ending with powerdll, etc.

Let's start developing

Obviously, first we will look on Google and... find nothing on the subject (if someone has found something, post the links in the comments). There is only one implementation of Socks5 in PowerShell, but this is an ordinary "direct" socks, which has a number of its own drawbacks (we will talk about them later). You can, of course, with a slight movement of the hand, turn it into a reverse one, but it will still be a single-threaded socks, which is not quite what we need.

So, we have not found anything ready-made, and we will have to reinvent our own wheel. As the basis of our bicycle we will take our own reverse socks development in Golang, and implement its client in PowerShell.

RSocksTun
So how does rsockstun work?

The operation of RsocksTun (hereinafter rs) is based on two software components: Yamux and a Socks5 server. The Socks5 server is an ordinary local socks5 that runs on the client. Multiplexing of connections to it (remember multithreading?) is provided by yamux (yet another multiplexer). This scheme lets us launch several socks5 servers on the client and distribute external connections among them, forwarding them over a single TCP connection (almost like in meterpreter) from the client to the server, thereby implementing the multithreaded mode without which we would not be able to work fully in internal networks.

The essence of yamux is that it introduces an additional network layer of streams, implemented as a 12-byte header on every packet. (Here we deliberately use the word "stream" rather than "thread", so as not to confuse the reader with the program "thread" concept; we will also use this term throughout the article.) The yamux header contains the stream number, flags for setting up/stopping a stream, the number of bytes transferred, and the transfer window size.


Besides setting up/stopping a stream, yamux implements a keepalive mechanism that lets you monitor the health of the established communication channel. The keepalive messaging mechanism is configured when creating a Yamux session. In fact, there are only two parameters: enable/disable and the frequency of sending packets in seconds. Keepalive messages can be sent by either the yamux server or the yamux client. On receiving a keepalive message, the remote party must respond by sending back the same message identifier (actually a number) it received. In general, keepalive is the same old ping, only for yamux.

The entire operating technique of the multiplexer (packet types, connection setup and stop flags, and the data transfer mechanism) is described in detail in the yamux specification.

Conclusion of the first part

So, in the first part of the article we got acquainted with some tools for organizing reverse tunnels, looked at their advantages and disadvantages, studied how the Yamux multiplexer works, and described the requirements for the PowerShell module we are about to create. In the next part we will develop the module itself, practically from scratch. To be continued. Stay tuned :)
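To make the 12-byte header and the keepalive exchange from the two paragraphs above concrete, here is a small Go encoder/decoder for the yamux frame header plus the keepalive reply rule. This is an added example, not code from the article or from rsockstun; the field layout, type numbers and flag values are taken from the yamux spec as I know it (assumed, not quoted from the page), and the ping ID of 7 in the comments is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Yamux constants from the yamux spec (assumed here, not quoted from the page).
const (
	typeData = 0  // frame carries stream payload
	typePing = 2  // keepalive; the Length field holds the opaque ping ID
	flagSYN  = 1  // open a stream / request a ping
	flagACK  = 2  // accept a stream / answer a ping
	hdrSize  = 12 // header length in bytes
)

// Header is the 12-byte header yamux puts in front of every frame.
type Header struct {
	Version, Type uint8
	Flags         uint16
	StreamID      uint32
	Length        uint32 // payload bytes, or the ping ID for typePing
}

// Encode serialises the header in wire order (multi-byte fields big-endian).
func (h Header) Encode() []byte {
	b := make([]byte, hdrSize)
	b[0], b[1] = h.Version, h.Type
	binary.BigEndian.PutUint16(b[2:], h.Flags)
	binary.BigEndian.PutUint32(b[4:], h.StreamID)
	binary.BigEndian.PutUint32(b[8:], h.Length)
	return b
}

// Decode parses a header, rejecting truncated input and unknown versions.
func Decode(b []byte) (Header, error) {
	if len(b) < hdrSize || b[0] != 0 {
		return Header{}, errors.New("short header or unsupported yamux version")
	}
	return Header{Version: b[0], Type: b[1], Flags: binary.BigEndian.Uint16(b[2:]),
		StreamID: binary.BigEndian.Uint32(b[4:]), Length: binary.BigEndian.Uint32(b[8:])}, nil
}

// KeepaliveReply answers a keepalive (e.g. ping ID 7) with ACK and the same ID; anything else is rejected.
func KeepaliveReply(req Header) (Header, error) {
	if req.Type != typePing || req.Flags&flagSYN == 0 {
		return Header{}, errors.New("not a keepalive request")
	}
	return Header{Type: typePing, Flags: flagACK, Length: req.Length}, nil
}
```

A stream-open frame is simply a Data header with SYN set and a fresh StreamID; the peer must see the same ID in every later frame of that stream, which is how one TCP connection carries many socks5 sessions.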

Source: www.habr.com
