Stealthy Password Hacking with Smbexec

We regularly write about how hackers rely on malware-free techniques to avoid detection. They "live off the land", using standard Windows tools, and in doing so slip past antivirus and other tools that look for malicious activity. As defenders we now have to face an unpleasant consequence of these clever techniques: a well-placed employee can use the very same approach to quietly steal data (company intellectual property, credit card numbers). And if he does not rush, but works slowly and quietly, spotting that activity will be extremely hard, though still possible with the right approach and the right tools.

On the other hand, I have no wish to demonize employees, because nobody wants to work in a business environment straight out of Orwell's 1984. Fortunately, there are a number of practical measures and life hacks that make life much harder for insiders. We will look at the stealthy attack techniques used by hackers and by employees with some technical background, and a little further on we will discuss ways to reduce these risks, both technical and organizational.

What's wrong with PsExec?

Edward Snowden, rightly or wrongly, has become synonymous with insider data theft. By the way, don't miss this post about other insiders who also deserve some notoriety. One important point to stress about the methods Snowden used is that, as far as we know, he installed no outside malicious software at all!

Instead, Snowden used a little social engineering and took advantage of his position as a system administrator to collect passwords and create credentials. Nothing complicated: no mimikatz, no man-in-the-middle attacks, no metasploit.

Corporate employees are not always in Snowden's unique position, but there are several lessons to draw from the "living off the land" idea: do nothing malicious that could be detected, and be especially careful with how credentials are used. Keep this idea in mind.

Psexec and its cousin crackmapexec have impressed countless pentesters, hackers and cybersecurity bloggers. Combined with mimikatz, psexec lets an attacker move laterally through a network without ever knowing the cleartext password.

Mimikatz grabs the NTLM hash from the LSASS process and then hands the token or credentials (the so-called pass-the-hash attack) to psexec, which lets the attacker log on to another server as a different user. With each hop to a new server the attacker harvests more credentials, widening the range of content he can reach.

When I first started working with psexec it seemed like magic to me (thanks to Mark Russinovich, the brilliant developer of psexec), but I also know about its noisy parts. It is anything but stealthy!

The first interesting fact about psexec is that it uses Microsoft's notoriously complex SMB network file protocol. Over SMB, psexec copies a small service binary to the target system through the ADMIN$ share, which lands it in the C:\Windows folder.

Next, psexec creates a Windows service from the copied binary and runs it under the not-at-all-conspicuous name PSEXESVC. You can actually watch all of this happen, as I did, on the remote machine (see below).

Psexec's calling card: the "PSEXESVC" service. It runs a binary dropped via SMB into the C:\Windows folder.

As a final step, the copied binary opens a control channel back to the attacker (named pipes carried over the same SMB connection) and accepts commands over it (through a Windows cmd shell by default), launches them, and redirects their input and output to the attacker's own machine. The attacker sees the familiar command prompt, just as if he were logged on directly.

Lots of moving parts, and a very noisy process!

The complicated internals of psexec explain the message that puzzled me during my first tests several years ago: "Starting PSEXESVC ..." followed by a pause before the command prompt appeared.

Impacket's psexec shows exactly what is going on under the hood.

No surprise: psexec does a great deal of work under the hood. If you want a more detailed explanation, see this excellent write-up.

Obviously, when psexec is used as a system administration tool, which was its original purpose, there is nothing wrong with all this Windows machinery whirring away. For an attacker, however, psexec creates complications, and for a careful and clever insider like Snowden, psexec or a similar tool would be far too risky.

And then along comes Smbexec

SMB is a clever and unobtrusive way to move files between servers, and hackers have been abusing SMB directly for ages. I think everyone already knows that it is a bad idea to expose SMB ports 445 and 139 to the Internet, right?

At Defcon 2013, Eric Millman (brav0hax) presented smbexec so that pentesters could try stealthy SMB hacking for themselves. I don't know the whole story, but Impacket later refined smbexec further. In fact, for my tests I downloaded the Python scripts from Impacket on Github.

Unlike psexec, smbexec avoids copying a potentially detectable binary to the target machine. Instead, the tool lives entirely off the land by driving the native Windows command line.

Here is what it does: it passes a command from the attacking machine over SMB into a special input file, then creates and runs a rather involved command line (as a Windows service) that will look familiar to Linux users. In short: it launches the native Windows cmd shell, redirects its output to a file, and then ships that file over SMB back to the attacker's machine.

The best way to understand this is to look at the command line itself, which I was able to pull from the event log (see below).

Isn't that the neatest way to redirect I/O? By the way, the service creation is recorded as Event ID 7045 in the System log.

Like psexec, it creates a service to do the work, but the service is removed afterwards: it is used once to run the command and then disappears! A security analyst watching the victim's machine will not find the obvious indicators of attack: no malicious file is launched, no persistent service is installed (the one-shot service does still leave the 7045 record behind, which is where the screenshot above came from), and there is no separate RPC traffic to spot, because the Service Control Manager calls ride over a named pipe inside the same SMB session, so SMB is the only transport on the wire. Brilliant!

From the attacker's side, the result is a "pseudo-shell" with a delay between sending a command and receiving its output. But that is plenty for an attacker, whether an insider or an external hacker who already has a foothold, to start hunting for interesting content.
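Both footprints described above, psexec's PSEXESVC service started from a binary dropped into C:\Windows and smbexec's one-shot service whose image path is a cmd.exe redirect, show up in the System log as Event ID 7045. The script below is an added example written for this post, not code from the original or from Impacket or Sysinternals; it runs a few detection rules over constructed 7045 records. The sample records, the BTOBTO service name and the exact smbexec command line are my reconstruction of Impacket's defaults at the time of writing (both are configurable) and should be treated as assumptions, as should the heuristics themselves.

```python
"""Flag psexec- and smbexec-style service installs in Event ID 7045 records.
Added example for this post; not Impacket's or Sysinternals' code."""
import re

# Constructed sample records in the shape of System-log Event ID 7045
# ("A service was installed in the system"). Not real captures.
SAMPLE_7045 = [
    # Sysinternals psexec: PSEXESVC binary dropped via ADMIN$ (C:\Windows).
    {"ServiceName": "PSEXESVC", "ImagePath": r"C:\Windows\PSEXESVC.exe",
     "AccountName": "LocalSystem"},
    # Impacket smbexec's default service name and cmd.exe-over-SMB image path
    # (assumed defaults at the time of writing; both are configurable).
    {"ServiceName": "BTOBTO",
     "ImagePath": (r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>&1 "
                   r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat "
                   r"& del %TEMP%\execute.bat"),
     "AccountName": "LocalSystem"},
    # Benign installs that must not fire.
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "sshd", "ImagePath": r"C:\Program Files\OpenSSH\sshd.exe",
     "AccountName": "LocalSystem"},
]

# Service "binary" is really a command interpreter (cmd.exe / %COMSPEC% / powershell).
INTERPRETER = re.compile(
    r'(?i)^\s*"?(?:%COMSPEC%|(?:[^\s"]*\\)?(?:cmd|powershell)(?:\.exe)?)"?(?=\s|$)')
# Output redirected to a UNC path: "> \\host\share\file" or the caret-escaped "^>".
UNC_REDIRECT = re.compile(r"(?i)\^?>\s*\\\\[^\\\s]+\\[^\\\s]+")
# One-shot batch file under %TEMP%.
TEMP_BATCH = re.compile(r"(?i)%TEMP%\\[^\s&]+\.bat")


def classify(event):
    """Return a human-readable reason if the 7045 record looks like a
    remote-execution tool, else None."""
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    if name.upper() == "PSEXESVC" or path.upper().endswith(r"\PSEXESVC.EXE"):
        return "psexec: PSEXESVC service installed from a binary dropped via ADMIN$"
    if INTERPRETER.search(path):
        reasons = ["service image is a command interpreter, not a program"]
        if UNC_REDIRECT.search(path):
            reasons.append("command output redirected to a UNC path (smbexec-style)")
        if TEMP_BATCH.search(path):
            reasons.append("one-shot batch file in %TEMP%")
        return "; ".join(reasons)
    return None


def scan(events):
    """Return [(ServiceName, reason)] for every suspicious record."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.get("ServiceName", "?"), reason))
    return hits


if __name__ == "__main__":
    for name, reason in scan(SAMPLE_7045):
        print(f"[!] 7045 {name}: {reason}")
```

The rule that catches smbexec deliberately ignores the service name, which an attacker can change; it keys on the shape of the image path (an interpreter as the service binary, output pushed to a UNC share). Security-log Event ID 4697 records the same service installation when the "Audit Security System Extension" subcategory is enabled, and the same rule applies to it.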

To pull data back from the target machine to the attacker's machine, smbclient is used. Yes, the same idea as the Samba utility, but rewritten as a Python script by Impacket. In effect, smbclient gives you quiet FTP-style transfers over SMB.

Let's step back and think about what this means for an employee. In my made-up scenario, say a blogger, a financial analyst or a highly paid security consultant is allowed to use a personal laptop for work. Through some magical process he becomes disgruntled with the company and "goes bad". Depending on the laptop's operating system, he can use either Impacket's Python version or the Windows .exe build of smbexec and smbclient.

Like Snowden, he learns another user's password by looking over a shoulder, or gets lucky and stumbles on a text file containing one. With those credentials he starts digging through the system at a new level of privilege.

Hacking DCC: we don't need no "stinking" mimikatz

In my earlier pentesting posts I used mimikatz a lot. It is a great tool for harvesting credentials: NTLM hashes and even cleartext passwords tucked away inside laptops, just waiting to be used.

Times have changed. Monitoring tools have become much better at detecting and blocking mimikatz. Security administrators also now have more options for reducing the risk of pass-the-hash (PtH) attacks.

So what is a smart employee to do when he wants more credentials without touching mimikatz?

Impacket's kit includes a utility called secretsdump, which extracts credentials from the Domain Cached Credentials store, or DCC for short. My understanding is that when a domain user logs on to a machine but the domain controller is unreachable, DCC lets the machine authenticate the user from the cached entry. Either way, secretsdump lets you dump all of these hashes if they are present; note that it needs local administrator rights on the host, since the cache lives in the SECURITY registry hive.

DCC hashes are not NTLM hashes and cannot be used in PtH attacks.

Well, you can try to crack them to recover the original password. However, Microsoft has gotten smarter with DCC, and DCC hashes have become very hard to crack: the current format (DCC2, introduced with Vista) wraps the hash in PBKDF2 with 10,240 iterations, so every guess costs thousands of times more than a guess against an NTLM hash. Yes, I have hashcat, "the world's fastest password guesser", but it needs a GPU to run effectively.

Instead, let's think like Snowden. An employee can do some social engineering and perhaps find out a little more about the person whose password he wants to crack. For example, check whether that person's online accounts have turned up in a breach and study the leaked cleartext passwords for patterns.

And that is the scenario I decided to go with. Suppose the insider has learned that his boss, Cruella, has been breached several times on various websites. After examining several of those passwords, he notices that Cruella likes the pattern of the baseball team name "Yankees" followed by the current year, for example "Yankees2015".

If you want to try this at home, you can download a small "C" program that implements the DCC hashing algorithm and compile it. John the Ripper, by the way, has added DCC support, so it can be used as well. Let's assume our insider can't be bothered to learn John the Ripper and prefers to run "gcc" on some legacy C code.

Playing the insider, I tried several combinations and eventually determined that Cruella's password was "Yankees2019" (see below). Mission accomplished!

A little social engineering, some educated guessing and a pinch of Maltego, and you are on your way to cracking the DCC hash.

I'll stop here. We will return to this topic in future posts and look at other slow and stealthy attack techniques, continuing to build on Impacket's excellent toolset.

Source: www.habr.com