Sibhala rhoqo malunga nendlela abaduni bahlala bexhomekeke ekuxhaphazeni
Kwelinye icala, andizukufuna ukwenza iidemon kubasebenzi kuba akukho mntu ufuna ukusebenza kwindawo yeshishini ngqo kwi-Orwell's 1984. Ngethamsanqa, kukho inani lamanyathelo asebenzayo kunye nee-hacks zobomi ezinokwenza ubomi bube nzima ngakumbi kubantu bangaphakathi. Siza kuqwalasela iindlela zokuhlasela ezifihlakeleyo, esetyenziswa ngabahlaseli ngabasebenzi abanemvelaphi ethile yobugcisa. Kwaye kancinci siza kuxubusha iinketho zokunciphisa imingcipheko enjalo - siya kufunda zombini iinketho zobugcisa kunye nombutho.
Yintoni engalunganga nge-PSExec?
U-Edward Snowden, ngokufanelekileyo okanye ngokungalunganga, uye wafana nokubiwa kwedatha yangaphakathi. Ngendlela, ungalibali ukujonga
Endaweni yoko, u-Snowden wasebenzisa ubunjineli bezentlalo kwaye wasebenzisa isikhundla sakhe njengomlawuli wenkqubo ukuqokelela amagama ayimfihlo kunye nokudala iziqinisekiso. Akukho nto inzima - akukho nanye
Abasebenzi bombutho abasoloko bekwisikhundla esikhethekileyo se-Snowden, kodwa kukho inani lezifundo ekufuneka zifundwe kwingqikelelo "yokusinda ngokutyisa" ukuba uqaphele - ukungazibandakanyi kuyo nayiphi na into engalunganga enokubonwa, kwaye ibe ngakumbi. qaphela ukusetyenziswa kweziqinisekiso. Khumbula le ngcamango.
I-Mimikatz ibamba i-NTLM hash kwinkqubo ye-LSASS kwaye emva koko igqithise uphawu okanye iziqinisekiso - ezibizwa ngokuba. "dlula i-hash" uhlaselo -kwi-psexec, ivumela umhlaseli ukuba angene kwenye iseva njenge yomnye umsebenzisi. Kwaye ngokuhamba okulandelayo okulandelayo kumncedisi omtsha, umhlaseli uqokelela iziqinisekiso ezongezelelweyo, ukwandisa uluhlu lwamakhono akhe ekufuneni umxholo okhoyo.
Ukuqala kwam ukusebenza kunye ne-psexec kwabonakala kunomlingo kum - enkosi
Inyani yokuqala enomdla malunga nepsexec kukuba isebenzisa intsonkothe ββkakhulu Iprotocol yefayile yenethiwekhi ye-SMB evela kuMicrosoft. Ukusebenzisa i-SMB, i-psexec ihambisa encinci yokubini iifayile kwindlela ekujoliswe kuyo, ibeka kwi C:Windows ulawulo.
Okulandelayo, i-psexec yenza inkonzo ye-Windows isebenzisa i-binary ekhutshelweyo kwaye iqhube phantsi kwegama "elingalindelekanga" kakhulu elithi PSEXECSVC. Kwangaxeshanye, unokubona konke oku, njengoko ndenzayo, ngokujonga umatshini okude (jonga ngezantsi).
Ikhadi lokufowuna le-Psexec: "PSEXECSVC" inkonzo. Isebenzisa ifayile yokubini eyayibekwe nge-SMB kwi-C:ifolda yeWindows.
Njengenyathelo lokugqibela, ifayile yokubini ekhutshelweyo iyavula Uqhagamshelwano lweRPC kumncedisi ekujoliswe kuwo kwaye emva koko wamkela imiyalelo yolawulo (nge Windows cmd iqokobhe ngokungagqibekanga), indulule kwaye iqondise ngokutsha igalelo kunye nemveliso kumatshini wasekhaya womhlaseli. Kule meko, umhlaseli ubona umgca womyalelo osisiseko - kufana nokuba udibaniswe ngokuthe ngqo.
Amacandelo amaninzi kunye nenkqubo enengxolo kakhulu!
Abangaphakathi abantsonkothileyo be-psexec bachaza umyalezo owandixaka ngexesha lovavanyo lwam lokuqala kwiminyaka eliqela eyadlulayo: "Ukuqala i-PSEXECSVC ..." kulandelwa kukunqumamisa ngaphambi kokuba kuvele umyalelo womyalelo.
I-Psexec ye-Impacket ibonisa ukuba kuqhubeka ntoni phantsi kwe-hood.
Akumangalisi: i-psexec yenze umsebenzi omkhulu phantsi kwe-hood. Ukuba unomdla kwingcaciso engaphezulu, jonga apha
Ngokucacileyo, xa isetyenziswe njengesixhobo solawulo lwenkqubo, eyayikho injongo yokuqala psexec, akukho nto iphosakeleyo βngokubhadulaβ kwazo zonke ezi ndlela zeWindows. Kumhlaseli, nangona kunjalo, i-psexec iya kudala iingxaki, kwaye kumntu ongaphakathi olumkileyo kunye onobuqili njengo-Snowden, i-psexec okanye into efanayo iya kuba yingozi kakhulu.
Kwaye emva koko kuza iSmbexec
I-SMB yindlela ekrelekrele nefihlakeleyo yokudlulisa iifayile phakathi kweeseva, kwaye abahlaseli bebengena kwi-SMB ngokuthe ngqo kangangeenkulungwane. Ndicinga ukuba wonke umntu sele eyazi ukuba ayifanelekanga
KwiDefcon 2013, uEric Millman (
Ngokungafaniyo ne-psexec, smbexec uyaphepha ukuhambisa ifayile yokubini enokubakho kumatshini ekujoliswe kuwo. Endaweni yoko, i-utility iphila ngokupheleleyo ukusuka edlelweni ukuya ekuqaleni yendawo Umgca womyalelo weWindows.
Nantsi into eyenzayo: igqithisa umyalelo osuka kumatshini ohlaselayo nge-SMB ukuya kwifayile ekhethekileyo yokufaka, kwaye emva koko idale kwaye iqhube umgca womyalelo onzima (njengenkonzo yeWindows) eya kubonakala iqhelekile kubasebenzisi beLinux. Ngokufutshane: isungula iqokobhe le-Windows cmd, iphinda ikhuphe imveliso kwenye ifayile, kwaye emva koko iyithumele nge-SMB kumatshini womhlaseli.
Eyona ndlela ingcono yokuqonda oku kukujonga kumgca womyalelo, endiye ndakwazi ukufumana izandla zam kwilog yesiganeko (jonga ngezantsi).
Ngaba ayisiyiyo le ndlela inkulu yokwalathisa kwakhona i-I/O? Ngendlela, ukudalwa kwenkonzo kunomcimbi we-ID 7045.
Njenge-psexec, ikwadala inkonzo eyenza wonke umsebenzi, kodwa inkonzo emva koko isuswe - isetyenziswa kube kanye kuphela ukwenza umyalelo emva koko inyamalale! Igosa lokhuseleko lolwazi elibeke esweni umatshini wexhoba aliyi kukwazi ukubona ngokucacileyo Izalathisi zohlaselo: Akukho fayile ikhohlakeleyo iqaliswayo, akukho nkonzo iqhubekayo ifakiweyo, kwaye akukho bungqina be-RPC esetyenziswayo kuba i-SMB kuphela kwendlela yokudlulisa idatha. Uqaqambileyo!
Ukusuka kwicala lomhlaseli, i-"pseudo-shell" ifumaneka ngokulibaziseka phakathi kokuthumela umyalelo kunye nokufumana impendulo. Kodwa oku kwanele ukuba umhlaseli - nokuba ngumntu wangaphakathi okanye i-hacker yangaphandle esele ine-foothold-ukuqala ukukhangela umxholo onomdla.
Ukubuyisela idatha kumatshini ekujoliswe kuwo kumatshini womhlaseli, isetyenziswa
Masikhe sibuye umva sicinge ukuba le nto ingamenzela ntoni umsebenzi. Kwimeko yam eyintsomi, masithi iblogger, umhlalutyi wezezimali okanye umcebisi wokhuseleko ohlawulwa kakhulu uvumelekile ukuba asebenzise ilaptop yomsebenzi. Njengomphumo wenkqubo ethile yomlingo, uyakhubeka kwinkampani kwaye "uhamba kakubi." Ngokuxhomekeke kwinkqubo yokusebenza yelaptop, mhlawumbi isebenzisa inguqulelo yePython evela kwiMpembelelo, okanye inguqulelo yeWindows ye-smbexec okanye i-smbclient njengefayile ye.exe.
Njengo-Snowden, ufumanisa igama eliyimfihlo lomnye umsebenzisi ngokujonga egxalabeni lakhe, okanye uba nethamsanqa kwaye akhubeke kwifayile yokubhaliweyo enegama lokugqitha. Kwaye ngoncedo lwezi ziqinisekiso, uqala ukumba malunga nenkqubo kwinqanaba elitsha lamalungelo.
I-DCC yokuHacka: Asifuni nayiphi na iMimikatz "yobudenge".
Kwizithuba zam zangaphambili kwi-pentesting, bendisebenzisa i-mimikatz rhoqo. Esi sisixhobo esikhulu sokubamba iziqinisekiso-i-NTLM hashes kunye namagama agqithisiweyo acacileyo afihlwe ngaphakathi kweelaptops, alindele nje ukusetyenziswa.
Amaxesha atshintshile. Izixhobo zokubeka iliso ziye zaba ngcono ekubhaqeni nasekuvimbeni i-miikatz. Abalawuli bokhuseleko lolwazi nabo ngoku banokhetho oluninzi lokunciphisa imingcipheko ehambelana nokuhlaselwa kwe-hash (PtH).
Ke kufuneka umqeshwa okrelekrele enze ntoni ukuqokelela iziqinisekiso ezongezelelweyo ngaphandle kokusebenzisa imikatz?
Ikiti ye-Impacket iquka into eluncedo ebizwa
Iingxaki zeDCC zi hayi NTML hashes kunye nabo ayinakusetyenziselwa uhlaselo lwe-PtH.
Ewe, ungazama ukuziqhekeza ukuze ufumane igama eligqithisiweyo lokuqala. Nangona kunjalo, iMicrosoft iye yaqina ngakumbi nge-DCC kunye ne-DCC hashes kuye kwaba nzima kakhulu ukuqhekeka. Ewe ndinayo
Endaweni yoko, makhe sizame ukucinga njengo-Snowden. Umqeshwa angaqhuba ngobunjineli bobuso ngobuso kwaye afumane ulwazi malunga nomntu onegama eliyimfihlo afuna ukuliqhekeza. Umzekelo, fumanisa ukuba i-akhawunti yomntu ye-intanethi ikhe yaqhekezwa kwaye ujonge igama eliyimfihlo eliyimfihlo eliyimfihlo kuyo nayiphi na imikhondo.
Kwaye le yimeko endigqibe kwelokuba ndihambe nayo. Masicinge ukuba umntu ongaphakathi uye wafumanisa ukuba umphathi wakhe, uCruella, waye waqhekezwa amatyeli aliqela kwimithombo eyahlukeneyo yewebhu. Emva kokuhlalutya ezininzi zezi phasiwedi, uyaqonda ukuba i-Cruella ikhetha ukusebenzisa ifomathi yegama leqela le-baseball "Yankees" elandelwa ngunyaka wangoku - "Yankees2015".
Ukuba ngoku uzama ukuvelisa oku ekhaya, unokukhuphela encinci, "C"
Ndithatha indima yomntu wangaphakathi, ndiye ndazama indibaniselwano ezininzi ezahlukeneyo kwaye ekugqibeleni ndakwazi ukufumanisa ukuba igama eliyimfihlo likaCruella yayingu "Yankees2019" (jonga ngezantsi). Umsebenzi ugqityiwe!
Ubunjineli obuncinci bentlalontle, ithamsanqa lokuxela ithamsanqa kunye nentwana ye-Maltego kwaye usendleleni eya ekuqhekezeni i-DCC hash.
Ndicebisa ukuba siphele apha. Siza kubuyela kwesi sihloko kwezinye izithuba kwaye sijonge iindlela zokuhlasela ezicothayo nezingacacanga, siqhubeka nokwakha kwiseti ebalaseleyo ye-Impacket yezinto eziluncedo.
umthombo: www.habr.com