Ibali malunga nophando kunye nophuhliso kwiindawo ezi-3. Icandelo loku-1 liyaphonononga.
Mininzi imithi ye-beech- nangakumbi izibonelelo.
ΠΡ ΡΠ Β° Β°
Ngexesha le-pentest kunye ne-RedTeam imikhankaso, akusoloko kunokwenzeka ukusebenzisa izixhobo eziqhelekileyo zoMthengi, njenge-VPN, i-RDP, i-Citrix, njl. njengeankile yokungena kwinethiwekhi yangaphakathi. Kwezinye iindawo, i-VPN eqhelekileyo isebenza usebenzisa i-MFA kunye nethokheni ye-hardware isetyenziswe njengento yesibini, kwezinye ibekwe iliso elibukhali kwaye ukungena kwethu kwe-VPN ngokukhawuleza kubonakala, njengoko besithi, kunye nayo yonke into ebandakanya, kodwa kwezinye kukho. ngokulula akukho ndlela enjalo.
Kwiimeko ezinjalo, kufuneka sihlale sisenza oko kubizwa ngokuba "ziitonela ezibuyela umva" - uqhagamshelo olusuka kuthungelwano lwangaphakathi ukuya kwisixhobo sangaphandle okanye iseva esiyilawulayo. Ngaphakathi kwetonela enjalo, sinokusebenza kunye nezixhobo zangaphakathi zabaThengi.
Kukho iindidi ezininzi zala matonela abuyelayo. Eyona idumileyo kubo, kunjalo, i-Meterpreter. Iitonela ze-SSH ezinokuhanjiswa kwezibuko ezibuyela umva zikwafuneka kakhulu phakathi kweqela lehacker. Zininzi kakhulu iindlela zokusebenzisa ukubuyisela umva itonela kwaye uninzi lwazo zifundwe kakuhle kwaye zichazwe.
Ngokuqinisekileyo, ngenxa yecala labo, abaphuhlisi bezisombululo zokhuseleko abayimi bucala kwaye baqaphele izenzo ezinjalo.
Ngokomzekelo, iiseshini ze-MSF zifunyenwe ngempumelelo yi-IPS yanamhlanje evela kwi-Cisco okanye i-Positive Tech, kwaye itonela ye-SSH ebuyela umva inokubonwa phantse nayiphi na i-firewall eqhelekileyo.
Ngoko ke, ukuze sihlale singabonakali kwiphulo elihle le-RedTeam, kufuneka sakhe i-tunnel ye-reverse usebenzisa iindlela ezingezona eziqhelekileyo kwaye ulungelelanise ngokusondeleyo kwindlela yokusebenza yokwenene yenethiwekhi.
Masizame ukufumana okanye ukuyila into efanayo.
Ngaphambi kokuqamba nantoni na, kufuneka siqonde ukuba yeyiphi isiphumo esifuna ukuyifumana, yeyiphi imisebenzi ekufuneka yenziwe uphuhliso lwethu. Ziya kuba yintoni iimfuno zetonela ukuze sisebenze kwimowudi ephezulu efihlakeleyo?
Kucacile ukuba kwimeko nganye iimfuno ezinjalo zinokwahluka kakhulu, kodwa ngokusekelwe kumava omsebenzi, ezona ziphambili zinokuchongwa:
- sebenza kwi-Windows-7-10 OS. Ekubeni uninzi lweenethiwekhi zisebenzisa iWindows;
- umxhasi uqhagamshela kumncedisi nge-SSL ukunqanda ukumamela kobudenge usebenzisa i-ips;
- Xa udibanisa, umxhasi kufuneka axhase umsebenzi ngomncedisi wommeleli ngokugunyaziswa, kuba Kwiinkampani ezininzi, ukufikelela kwi-Intanethi kwenzeka ngeproxy. Enyanisweni, umatshini womthengi usenokungazi nto malunga nayo, kwaye i-proxy isetyenziswe ngendlela ecacileyo. Kodwa kufuneka sinikezele ukusebenza okunjalo;
- inxalenye yomxhasi kufuneka ibe mfutshane kwaye iphatheke;
Kucacile ukuba ukusebenza ngaphakathi kwenethiwekhi yoMthengi, unokufaka i-OpenVPN kumatshini womthengi kwaye wenze itonela epheleleyo kwiseva yakho (ngethamsanqa, abathengi be-openvpn banokusebenza nge-proxy). Kodwa, okokuqala, oku akuyi kuhlala kusebenza, kuba sisenokungabi ngabalawuli basekhaya, kwaye okwesibini, kuya kwenza ingxolo enkulu kangangokuba i-SIEM okanye i-HIPS efanelekileyo iya "kusihlutha" ngokukhawuleza. Ngokufanelekileyo, umxhasi wethu kufuneka abe yinto ebizwa ngokuba ngumyalelo ongaphakathi, njengomzekelo amaninzi amaqokobhe e-bash aphunyeziweyo, kwaye aqaliswe ngelayini yomyalelo, umzekelo, xa uphumeza imiyalelo evela kwigama macro. - Itonela yethu kufuneka ibe nemisonto emininzi kwaye ixhase uqhagamshelo oluninzi ngaxeshanye;
- uxhulumaniso lomxhasi-umncedisi kufuneka lube nolunye uhlobo logunyaziso ukwenzela ukuba itonela isekwe kuphela kumxhasi wethu, kwaye kungekhona wonke umntu oza kumncedisi wethu kwidilesi echaziweyo kunye nezibuko. Ngokufanelekileyo, iphepha lokumisa elineekati okanye izihloko zobuchwephesha ezinxulumene nesizinda soqobo kufuneka livulelwe "abasebenzisi bomntu wesithathu."
Ngokomzekelo, ukuba uMthengi ngumbutho wezonyango, ngoko kumlawuli wokhuseleko lolwazi ogqiba ukukhangela isibonelelo esifunyenwe ngumqeshwa wekliniki, iphepha elinemveliso yamachiza, iWikipedia enenkcazo yokuxilongwa, okanye iblogi kaDkt Komarovsky, njl. kufuneka ivule.
Uhlalutyo lwezixhobo ezikhoyo
Ngaphambi kokuba ubuyisele ibhayisekile yakho, kufuneka wenze uhlalutyo lweebhayisikile ezikhoyo kwaye uqonde ukuba siyayifuna ngokwenene kwaye, mhlawumbi, akuthina kuphela abaye bacinga ngesidingo sebhayisekile esebenzayo.
I-Googling kwi-Intanethi (sibonakala ngathi si-google ngokuqhelekileyo), kunye nokukhangela kwi-Github usebenzisa amagama angundoqo "i-reverse socks" ayizange inike iziphumo ezininzi. Ngokusisiseko, yonke into yehla ekwakhiweni kweetonela ze-ssh ezinokugqithisela umva izibuko kunye nayo yonke into edityaniswe nayo. Ukongeza kwiitonela ze-SSH, kukho izisombululo ezininzi:
Ukuphunyezwa kwexesha elide letonela elibuyela umva ukusuka kubafana baseKaspersky Lab. Igama likwenza kucace ukuba esi script senzelwe ntoni. Iphunyezwe kwi-Python 2.7, itonela isebenza kwimodi ecacileyo (njengoko kuyimfashini ukuthetha ngoku - molo RKN)
Olunye ukuphunyezwa kwiPython, kwakhona kumbhalo ocacileyo, kodwa ngamathuba amaninzi. Ibhalwe njengemodyuli kwaye ine-API yokudibanisa isisombululo kwiiprojekthi zakho.
Ikhonkco lokuqala yinguqulo yokuqala yokuphunyezwa kwe-reverse sox kwi-Golang (engaxhaswanga ngumphuhlisi).
Ikhonkco lesibini luhlaziyo lwethu oluneempawu ezongezelelweyo, nakwiGolang. Kwinguqulo yethu, siphumeze i-SSL, sisebenze nge-proxy enesigunyaziso se-NTLM, isigunyaziso kumxhasi, iphepha lokufika kwimeko yegama eliyimfihlo (okanye kunoko, ukuqondisa kwakhona kwiphepha lokufika), imodi enemisonto emininzi (oko kukuthi abantu abaninzi. inokusebenza kunye netonela ngaxeshanye) , inkqubo yokukhangela umxhasi ukugqiba ukuba uyaphila okanye hayi.
Ukuphunyezwa kwe-reverse sox evela "kubahlobo bethu baseTshayina" kwiPython. Kulapho, kwivila kunye "nokungafi", kukho ibhinari esele ilungile (exe), ehlanganiswe ngamaTshayina kwaye ilungele ukusetyenziswa. Apha, nguThixo waseTshayina kuphela owaziyo ukuba yintoni enye into enokuthi iqulathwe yile bhinari ngaphandle kowona msebenzi uphambili, ke sebenzisa ngengozi yakho kunye nomngcipheko.
Iprojekthi enomdla kakhulu kwi-C ++ yokuphumeza i-reverse sox kunye nokunye. Ukongeza kwitonela ebuyela umva, inokwenza ukuhanjiswa kwezibuko, ukwenza iqokobhe lomyalelo, njl.
imitha ye-MSF
Apha, njengoko besithi, akukho zimvo. Bonke abahlaseli abaninzi nangaphantsi abafundileyo baqhelene kakhulu nale nto kwaye bayayiqonda indlela enokubonwa ngokulula ngayo ngezixhobo zokhuseleko.
Zonke izixhobo ezichazwe ngasentla zisebenza ngokusebenzisa iteknoloji efanayo: imodyuli yebhinari elungiselelwe kwangaphambili ephunyeziweyo iqaliswe kumatshini ngaphakathi kwinethiwekhi, eyenza uxhulumaniso kunye nomncedisi wangaphandle. Umncedisi uqhuba i-SOCKS4/5 iseva eyamkela imidibaniso kwaye izidlulisele kumxhasi.
Ukungalungi kwazo zonke ezi zixhobo zingentla kukuba mhlawumbi iPython okanye iGolang kufuneka ifakwe kumatshini womthengi (ingaba ukhe wayibona iPython ifakwe koomatshini, umzekelo, umlawuli wenkampani okanye abasebenzi baseofisini?), okanye udityaniswe kwangaphambili. yokubini (eneneni ipithon) mayitsalelwe kulo matshini kunye nescript kwibhotile enye) kwaye sebenzisa oku kubini sele kukho. Kwaye ukukhuphela i-exe kwaye emva koko ukuyindulula ikwayisignisha ye-antivirus yasekhaya okanye i-HIPS.
Ngokubanzi, isiphelo sizicebisa - sifuna isisombululo se-powershell. Ngoku iitumato ziya kubhabha kuthi - bathi i-powershell sele ifakiwe, ibekwe iliso, ivaliwe, njl. kwaye nangokunjalo. Enyanisweni, kungekhona kuyo yonke indawo. Sibhengeza ngokufanelekileyo. Ngendlela, kukho iindlela ezininzi zokudlula ukubhloka (apha kwakhona kukho ibinzana elifake imfashini malunga ne-Molo RKN π), ukuqala kwi-renaming yobudenge be-powershell.exe -> cmdd.exe kwaye iphele nge-powerdll, njl.
Masiqale ukuqamba
Kucacile ukuba okokuqala siza kujonga kwiGoogle kwaye ... asiyi kufumana nantoni na kwesi sihloko (ukuba umntu ufumene, thumela izixhumanisi kwizimvo). Kukho kuphela Iisokisi5 kwi-powershell, kodwa le yi-sox eqhelekileyo "ethe ngqo", enenani lezinto ezingalunganga (siya kuthetha ngazo kamva). Unako, ewe, ngokushukuma kancinci kwesandla sakho, uyiguqule ibe ngasemva, kodwa le iya kuba yi-sox enemisonto enye, engeyiyo le nto siyidingayo kuthi.
Ke, asifumananga nto sele ilungile, ke kuya kufuneka siphinde siyiqale kwakhona ivili lethu. Siza kuthatha njengesiseko sebhayisekile yethu reverse sox e Golang, kwaye siphumeza umxhasi kuyo kwi-powershell.
RSocksTun
Ngoko ke isebenza njani i-rsockstun?
Ukusebenza kwe-RsocksTun (emva koku kubhekiselwa kuyo njenge-rs) kusekwe kumacandelo amabini esoftware - iYamux kunye neseva yeSocks5. Iseva yeSocks5 yindawo eqhelekileyo yeekawusi5, isebenza kumxhasi. Kwaye ukuphindaphinda koqhagamshelo kuyo (uyakhumbula malunga nokuphindaphinda imisonto emininzi?) kubonelelwe kusetyenziswa iyamux (). Esi sikimu sikuvumela ukuba uqalise iiseva ezininzi zabathengi beesokisi5 kwaye usasaze uqhagamshelo lwangaphandle kubo, uzithumele ngoqhagamshelo olunye lwe-TCP (phantse lufana ne-meterpreter) ukusuka kumxhasi ukuya kumncedisi, ngaloo ndlela sisebenzisa indlela enemisonto emininzi, ngaphandle kwayo asiyi kuba nayo. iyakwazi ukusebenza ngokupheleleyo kuthungelwano lwangaphakathi.
Undoqo wendlela i-yamux esebenza ngayo kukuba yazisa i-network layer eyongezelelweyo yemijelo, iphunyezwe ngendlela ye-header ye-12-byte kwipakethi nganye. (Apha sisebenzisa ngamabomu igama elithi "umsinga" kunokuba sidibanise, ukuze singabhidanisi umfundi "umsonto" weprogram - siya kusebenzisa le ngcamango kweli nqaku). Iheader yeyamux iqulethe inombolo yomsinga, iiflegi zokuhlohla/ukuphelisa umsinga, inani leebhayithi ezigqithiselweyo, kunye nobungakanani befestile yogqithiselo.
Ukongeza kokufaka / ukuphelisa umlambo, i-yamux isebenzisa indlela yokugcina yokuphila evumela ukuba ubeke iliso ekusebenzeni kwejelo lonxibelelwano olusekiweyo. Umsebenzi womyalezo we-keeplive uqwalaselwe xa kuyilwa iseshoni yeYamux. Ngokwenyani, kuseto kukho iiparamitha ezimbini kuphela: vumela / khubaza kunye nezihlandlo zokuthumela iipakethi ngemizuzwana. Imiyalezo yeKeepalive inokuthunyelwa ngumncedisi weyamux okanye umxhasi weyamux. Xa ifumana umyalezo owugcinayo, iqela elikude kufuneka liwuphendule ngokuthumela umyalezo ofanayo wokuchonga (enyanisweni inani) eliwufumeneyo. Ngokubanzi, i-keepalive ifana ne-ping, yeyamux kuphela.
Ubuchule bokusebenza bubonke be-multiplexer: iintlobo zepakethi, ukuseta uqhagamshelo kunye neeflegi zokuphelisa, kunye nendlela yokudlulisa idatha ichazwe ngokweenkcukacha kwi yamx.
Ukuqukumbela inxalenye yokuqala
Ngoko ke, kwinxalenye yokuqala yenqaku, siye saqhelana nezixhobo ezithile zokulungelelanisa iitonela ezibuyela umva, sajonga izinto eziluncedo kunye nezingeloncedo, safunda indlela yokusebenza kweYamux multiplexer kwaye sachaza iimfuno ezisisiseko zemodyuli entsha eyenziwe yamandla. Kwicandelo elilandelayo siza kuphuhlisa imodyuli ngokwayo, ngokwenyani ukusuka ekuqaleni. Iza kuqhubeka. Musa ukutshintsha :)
umthombo: www.habr.com