Sibhala rhoqo malunga nendlela abaduni bahlala bexhomekeke ekuxhaphazeni ukuphepha ukubhaqwa. Bona ngokoqobo , usebenzisa izixhobo ezisemgangathweni zeWindows, ngaloo ndlela idlula ii-antivirus kunye nezinye izinto eziluncedo zokubona umsebenzi ongalunganga. Thina, njengabakhuseli, ngoku siphoqeleka ukuba sijongane nemiphumo engathandekiyo yeendlela ezinjalo zobuqili: umqeshwa obekwe kakuhle unokusebenzisa indlela efanayo yokuba idatha ngokufihlakeleyo (ipropathi yengqondo yenkampani, iinombolo zekhadi letyala). Kwaye ukuba akangxamanga, kodwa usebenza kancinci kwaye ngokuzolileyo, kuya kuba nzima kakhulu - kodwa kunokwenzeka ukuba usebenzisa indlela elungileyo kunye nefanelekileyo. , - ukuchonga umsebenzi onjalo.
Kwelinye icala, andizukufuna ukwenza iidemon kubasebenzi kuba akukho mntu ufuna ukusebenza kwindawo yeshishini ngqo kwi-Orwell's 1984. Ngethamsanqa, kukho inani lamanyathelo asebenzayo kunye nee-hacks zobomi ezinokwenza ubomi bube nzima ngakumbi kubantu bangaphakathi. Siza kuqwalasela iindlela zokuhlasela ezifihlakeleyo, esetyenziswa ngabahlaseli ngabasebenzi abanemvelaphi ethile yobugcisa. Kwaye kancinci siza kuxubusha iinketho zokunciphisa imingcipheko enjalo - siya kufunda zombini iinketho zobugcisa kunye nombutho.
Yintoni engalunganga nge-PSExec?
U-Edward Snowden, ngokufanelekileyo okanye ngokungalunganga, uye wafana nokubiwa kwedatha yangaphakathi. Ngendlela, ungalibali ukujonga malunga nabanye abangaphakathi nabo bafanelwe yiwonga elithile lodumo. Inqaku elinye elibalulekileyo elifanele ukugxininiswa malunga neendlela ezisetyenziswa nguSnowden kukuba, ngokolwazi lwethu, yena ayifakelanga akukho software enobungozi yangaphandle!
Endaweni yoko, u-Snowden wasebenzisa ubunjineli bezentlalo kwaye wasebenzisa isikhundla sakhe njengomlawuli wenkqubo ukuqokelela amagama ayimfihlo kunye nokudala iziqinisekiso. Akukho nto inzima - akukho nanye , ukuhlaselwa okanye .
Abasebenzi bombutho abasoloko bekwisikhundla esikhethekileyo se-Snowden, kodwa kukho inani lezifundo ekufuneka zifundwe kwingqikelelo "yokusinda ngokutyisa" ukuba uqaphele - ukungazibandakanyi kuyo nayiphi na into engalunganga enokubonwa, kwaye ibe ngakumbi. qaphela ukusetyenziswa kweziqinisekiso. Khumbula le ngcamango.
nomzala wakhe bachukumise abantu abaninzi, abahlaseli, kunye neebhlogi ze-cybersecurity. Kwaye xa kudityaniswe ne-mimikatz, i-psexec ivumela abahlaseli ukuba bahambe ngaphakathi kwenethiwekhi ngaphandle kokufuna ukwazi igama eliyimfihlo eliyimfihlo.
I-Mimikatz ibamba i-NTLM hash kwinkqubo ye-LSASS kwaye emva koko igqithise uphawu okanye iziqinisekiso - ezibizwa ngokuba. "dlula i-hash" uhlaselo -kwi-psexec, ivumela umhlaseli ukuba angene kwenye iseva njenge yomnye umsebenzisi. Kwaye ngokuhamba okulandelayo okulandelayo kumncedisi omtsha, umhlaseli uqokelela iziqinisekiso ezongezelelweyo, ukwandisa uluhlu lwamakhono akhe ekufuneni umxholo okhoyo.
Ukuqala kwam ukusebenza kunye ne-psexec kwabonakala kunomlingo kum - enkosi , umphuhlisi oqaqambileyo wepsexec - kodwa ndiyazi malunga neyakhe ingxolo amacandelo. Akafihli!
Inyani yokuqala enomdla malunga nepsexec kukuba isebenzisa intsonkothe ββkakhulu Iprotocol yefayile yenethiwekhi ye-SMB evela kuMicrosoft. Ukusebenzisa i-SMB, i-psexec ihambisa encinci yokubini iifayile kwindlela ekujoliswe kuyo, ibeka kwi C:Windows ulawulo.
Okulandelayo, i-psexec yenza inkonzo ye-Windows isebenzisa i-binary ekhutshelweyo kwaye iqhube phantsi kwegama "elingalindelekanga" kakhulu elithi PSEXECSVC. Kwangaxeshanye, unokubona konke oku, njengoko ndenzayo, ngokujonga umatshini okude (jonga ngezantsi).
Ikhadi lokufowuna le-Psexec: "PSEXECSVC" inkonzo. Isebenzisa ifayile yokubini eyayibekwe nge-SMB kwi-C:ifolda yeWindows.
Njengenyathelo lokugqibela, ifayile yokubini ekhutshelweyo iyavula Uqhagamshelwano lweRPC kumncedisi ekujoliswe kuwo kwaye emva koko wamkela imiyalelo yolawulo (nge Windows cmd iqokobhe ngokungagqibekanga), indulule kwaye iqondise ngokutsha igalelo kunye nemveliso kumatshini wasekhaya womhlaseli. Kule meko, umhlaseli ubona umgca womyalelo osisiseko - kufana nokuba udibaniswe ngokuthe ngqo.
Amacandelo amaninzi kunye nenkqubo enengxolo kakhulu!
Abangaphakathi abantsonkothileyo be-psexec bachaza umyalezo owandixaka ngexesha lovavanyo lwam lokuqala kwiminyaka eliqela eyadlulayo: "Ukuqala i-PSEXECSVC ..." kulandelwa kukunqumamisa ngaphambi kokuba kuvele umyalelo womyalelo.
I-Psexec ye-Impacket ibonisa ukuba kuqhubeka ntoni phantsi kwe-hood.
Akumangalisi: i-psexec yenze umsebenzi omkhulu phantsi kwe-hood. Ukuba unomdla kwingcaciso engaphezulu, jonga apha inkcazo emangalisayo.
Ngokucacileyo, xa isetyenziswe njengesixhobo solawulo lwenkqubo, eyayikho injongo yokuqala psexec, akukho nto iphosakeleyo βngokubhadulaβ kwazo zonke ezi ndlela zeWindows. Kumhlaseli, nangona kunjalo, i-psexec iya kudala iingxaki, kwaye kumntu ongaphakathi olumkileyo kunye onobuqili njengo-Snowden, i-psexec okanye into efanayo iya kuba yingozi kakhulu.
Kwaye emva koko kuza iSmbexec
I-SMB yindlela ekrelekrele nefihlakeleyo yokudlulisa iifayile phakathi kweeseva, kwaye abahlaseli bebengena kwi-SMB ngokuthe ngqo kangangeenkulungwane. Ndicinga ukuba wonke umntu sele eyazi ukuba ayifanelekanga Izibuko ze-SMB 445 kunye ne-139 kwi-Intanethi, akunjalo?
KwiDefcon 2013, uEric Millman () inikezelwe , ukuze i-pentesters izame ukukhwabanisa kwe-SMB ngokufihlakeleyo. Andazi lonke ibali, kodwa ke Impacket iphuculwe ngakumbi smbexec. Ngapha koko, kuvavanyo lwam, ndikhuphele izikripthi kwi-Impacket kwiPython ukusuka .
Ngokungafaniyo ne-psexec, smbexec uyaphepha ukuhambisa ifayile yokubini enokubakho kumatshini ekujoliswe kuwo. Endaweni yoko, i-utility iphila ngokupheleleyo ukusuka edlelweni ukuya ekuqaleni yendawo Umgca womyalelo weWindows.
Nantsi into eyenzayo: igqithisa umyalelo osuka kumatshini ohlaselayo nge-SMB ukuya kwifayile ekhethekileyo yokufaka, kwaye emva koko idale kwaye iqhube umgca womyalelo onzima (njengenkonzo yeWindows) eya kubonakala iqhelekile kubasebenzisi beLinux. Ngokufutshane: isungula iqokobhe le-Windows cmd, iphinda ikhuphe imveliso kwenye ifayile, kwaye emva koko iyithumele nge-SMB kumatshini womhlaseli.
Eyona ndlela ingcono yokuqonda oku kukujonga kumgca womyalelo, endiye ndakwazi ukufumana izandla zam kwilog yesiganeko (jonga ngezantsi).
Ngaba ayisiyiyo le ndlela inkulu yokwalathisa kwakhona i-I/O? Ngendlela, ukudalwa kwenkonzo kunomcimbi we-ID 7045.
Njenge-psexec, ikwadala inkonzo eyenza wonke umsebenzi, kodwa inkonzo emva koko isuswe - isetyenziswa kube kanye kuphela ukwenza umyalelo emva koko inyamalale! Igosa lokhuseleko lolwazi elibeke esweni umatshini wexhoba aliyi kukwazi ukubona ngokucacileyo Izalathisi zohlaselo: Akukho fayile ikhohlakeleyo iqaliswayo, akukho nkonzo iqhubekayo ifakiweyo, kwaye akukho bungqina be-RPC esetyenziswayo kuba i-SMB kuphela kwendlela yokudlulisa idatha. Uqaqambileyo!
Ukusuka kwicala lomhlaseli, i-"pseudo-shell" ifumaneka ngokulibaziseka phakathi kokuthumela umyalelo kunye nokufumana impendulo. Kodwa oku kwanele ukuba umhlaseli - nokuba ngumntu wangaphakathi okanye i-hacker yangaphandle esele ine-foothold-ukuqala ukukhangela umxholo onomdla.
Ukubuyisela idatha kumatshini ekujoliswe kuwo kumatshini womhlaseli, isetyenziswa . Ewe, ikwayiSamba enye , kodwa iguqulelwe kuphela kwiscript sePython yi-Impacket. Ngapha koko, i-smbclient ikuvumela ukuba ubambe ngokufihlakeleyo udluliselo lwe-FTP ngaphezulu kwe-SMB.
Masikhe sibuye umva sicinge ukuba le nto ingamenzela ntoni umsebenzi. Kwimeko yam eyintsomi, masithi iblogger, umhlalutyi wezezimali okanye umcebisi wokhuseleko ohlawulwa kakhulu uvumelekile ukuba asebenzise ilaptop yomsebenzi. Njengomphumo wenkqubo ethile yomlingo, uyakhubeka kwinkampani kwaye "uhamba kakubi." Ngokuxhomekeke kwinkqubo yokusebenza yelaptop, mhlawumbi isebenzisa inguqulelo yePython evela kwiMpembelelo, okanye inguqulelo yeWindows ye-smbexec okanye i-smbclient njengefayile ye.exe.
Njengo-Snowden, ufumanisa igama eliyimfihlo lomnye umsebenzisi ngokujonga egxalabeni lakhe, okanye uba nethamsanqa kwaye akhubeke kwifayile yokubhaliweyo enegama lokugqitha. Kwaye ngoncedo lwezi ziqinisekiso, uqala ukumba malunga nenkqubo kwinqanaba elitsha lamalungelo.
I-DCC yokuHacka: Asifuni nayiphi na iMimikatz "yobudenge".
Kwizithuba zam zangaphambili kwi-pentesting, bendisebenzisa i-mimikatz rhoqo. Esi sisixhobo esikhulu sokubamba iziqinisekiso-i-NTLM hashes kunye namagama agqithisiweyo acacileyo afihlwe ngaphakathi kweelaptops, alindele nje ukusetyenziswa.
Amaxesha atshintshile. Izixhobo zokubeka iliso ziye zaba ngcono ekubhaqeni nasekuvimbeni i-miikatz. Abalawuli bokhuseleko lolwazi nabo ngoku banokhetho oluninzi lokunciphisa imingcipheko ehambelana nokuhlaselwa kwe-hash (PtH).
Ke kufuneka umqeshwa okrelekrele enze ntoni ukuqokelela iziqinisekiso ezongezelelweyo ngaphandle kokusebenzisa imikatz?
Ikiti ye-Impacket iquka into eluncedo ebizwa , efumana iziqinisekiso ezivela kwi-Domain Credential Cache, okanye iDCC ngokufutshane. Ukuqonda kwam kukuba ukuba umsebenzisi wesizinda ungena kwi-server kodwa umlawuli wesizinda akafumaneki, i-DCC ivumela umncedisi ukuba aqinisekise umsebenzisi. Ngapha koko, i-secretdump ikuvumela ukuba ulahle zonke ezi hashes ukuba ziyafumaneka.
Iingxaki zeDCC zi hayi NTML hashes kunye nabo ayinakusetyenziselwa uhlaselo lwe-PtH.
Ewe, ungazama ukuziqhekeza ukuze ufumane igama eligqithisiweyo lokuqala. Nangona kunjalo, iMicrosoft iye yaqina ngakumbi nge-DCC kunye ne-DCC hashes kuye kwaba nzima kakhulu ukuqhekeka. Ewe ndinayo , "eyona nto ikhawulezayo yokuqikelela igama lokugqitha ehlabathini," kodwa ifuna i-GPU ukuze isebenze ngokufanelekileyo.
Endaweni yoko, makhe sizame ukucinga njengo-Snowden. Umqeshwa angaqhuba ngobunjineli bobuso ngobuso kwaye afumane ulwazi malunga nomntu onegama eliyimfihlo afuna ukuliqhekeza. Umzekelo, fumanisa ukuba i-akhawunti yomntu ye-intanethi ikhe yaqhekezwa kwaye ujonge igama eliyimfihlo eliyimfihlo eliyimfihlo kuyo nayiphi na imikhondo.
Kwaye le yimeko endigqibe kwelokuba ndihambe nayo. Masicinge ukuba umntu ongaphakathi uye wafumanisa ukuba umphathi wakhe, uCruella, waye waqhekezwa amatyeli aliqela kwimithombo eyahlukeneyo yewebhu. Emva kokuhlalutya ezininzi zezi phasiwedi, uyaqonda ukuba i-Cruella ikhetha ukusebenzisa ifomathi yegama leqela le-baseball "Yankees" elandelwa ngunyaka wangoku - "Yankees2015".
Ukuba ngoku uzama ukuvelisa oku ekhaya, unokukhuphela encinci, "C" , eyenza i-DCC hashing algorithm, kwaye uyihlanganise. , ngendlela, inkxaso eyongeziweyo ye-DCC, ngoko inokusetyenziswa kwakhona. Masicinge ukuba umntu wangaphakathi akafuni kuzikhathaza ngokufunda uJohn uMkhumbuzi kwaye uthanda ukuqhuba "gcc" kwikhowudi ye-C yelifa.
Ndithatha indima yomntu wangaphakathi, ndiye ndazama indibaniselwano ezininzi ezahlukeneyo kwaye ekugqibeleni ndakwazi ukufumanisa ukuba igama eliyimfihlo likaCruella yayingu "Yankees2019" (jonga ngezantsi). Umsebenzi ugqityiwe!
Ubunjineli obuncinci bentlalontle, ithamsanqa lokuxela ithamsanqa kunye nentwana ye-Maltego kwaye usendleleni eya ekuqhekezeni i-DCC hash.
Ndicebisa ukuba siphele apha. Siza kubuyela kwesi sihloko kwezinye izithuba kwaye sijonge iindlela zokuhlasela ezicothayo nezingacacanga, siqhubeka nokwakha kwiseti ebalaseleyo ye-Impacket yezinto eziluncedo.
umthombo: www.habr.com