Lesi sihloko sabhalwa ngokususelwe kwi-pentest ephumelele kakhulu ochwepheshe beQembu-IB abayenza eminyakeni embalwa edlule: kwenzeka indaba engaguqulelwa ifilimu ku-Bollywood. Manje, cishe, ukusabela komfundi kuzolandela: “O, esinye isihloko se-PR, futhi lezi ziyavezwa, ukuthi zinhle kangakanani, ungakhohlwa ukuthenga ipentest.” Nokho, ngakolunye uhlangothi, kunjalo. Nokho, kunezinye izizathu eziningi ezenza lesi sihloko sivele. Bengifuna ukukhombisa ukuthi yini ngempela eyenziwa ama-pentesters, ukuthi lo msebenzi ungaba mnandi futhi ungeyona into encane kangakanani, yiziphi izimo ezihlekisayo ezingavela kumaphrojekthi, futhi okubaluleke kakhulu, ukukhombisa izinto ezibukhoma ezinezibonelo zangempela.
Ukubuyisela ibhalansi yesizotha emhlabeni, emva kwesikhashana sizobhala ngepentest engazange ihambe kahle. Sizobonisa ukuthi izinqubo eziklanywe kahle enkampanini zingavikela kanjani ekuhlaselweni okuhlukahlukene, ngisho nokulungiselelwe kahle, ngenxa nje yokuthi lezi zinqubo zikhona futhi ziyasebenza ngempela.
Ekhasimendeni kulesi sihloko, konke kwakukuhle kakhulu, okungenani kungcono kune-95% yemakethe e-Russian Federation, ngokusho kwemizwa yethu, kodwa kwakukhona ama-nuances ambalwa amancane akha uchungechunge olude lwezenzakalo, okuyinto yokuqala. kwaholela embikweni omude ngomsebenzi , kwase kuba kulesi sihloko.
Ngakho-ke, ake siqoqe ama-popcorn, futhi wamukelekile endabeni yabaseshi. Izwi - UPavel Suprunyuk, umphathi wezobuchwepheshe womnyango we-“Audit and Consulting” we-Group-IB.
Ingxenye 1. Udokotela we-Pochkin
2018 Kukhona ikhasimende - inkampani ye-IT yobuchwepheshe obuphezulu, yona ngokwayo ekhonza amaklayenti amaningi. Ufuna ukuthola impendulo yombuzo othi: kungenzeka, ngaphandle kolwazi lokuqala nokufinyelela, ukusebenza nge-Intanethi, ukuthola amalungelo omlawuli wesizinda se-Active Directory? Anginantshisekelo kunoma yimuphi ubunjiniyela bezenhlalo (), abahlosile ukuphazamisa umsebenzi ngenhloso, kodwa bangase ngephutha - balayishe kabusha iseva esebenza ngendlela exakile, isibonelo. Umgomo ongeziwe uwukuhlonza amanye ama-vector okuhlasela amaningi ngangokunokwenzeka ngokumelene ne-perimeter yangaphandle. Inkampani ihlale yenza izivivinyo ezinjalo, futhi manje umnqamulajuqu wokuhlola okusha usufikile. Izimo cishe zijwayelekile, zanele, ziyaqondakala. Ake siqale.
Kunegama lekhasimende - malibe “Inkampani”, newebhusayithi eyinhloko . Yiqiniso, ikhasimende libizwa ngokuhlukile, kodwa kulesi sihloko yonke into izobe ingenamuntu.
Ngenza uphenyo lwenethiwekhi - thola ukuthi yimaphi amakheli nezizinda ezibhaliswe nekhasimende, dweba umdwebo wenethiwekhi, ukuthi izinsizakalo zisakazwa kanjani kulawa makheli. Ngithola umphumela: amakheli e-IP abukhoma angaphezu kuka-4000. Ngibheka izizinda kulawa manethiwekhi: ngenhlanhla, iningi lingamanethiwekhi ahloselwe amakhasimende ekhasimende, futhi asinantshisekelo kuwo ngokusemthethweni. Ikhasimende licabanga okufanayo.
Kusele inethiwekhi eyodwa enamakheli angama-256, okuthi ngalo mzuzu sekuvele kuqondwe ukusatshalaliswa kwezizinda nezizinda ezingaphansi kwamakheli e-IP, kukhona ulwazi mayelana namachweba askeniwe, okusho ukuthi ungabheka izinsizakalo ezithokozisayo. Ngokuhambisanayo, zonke izinhlobo zezikena zethulwa kumakheli e-IP atholakalayo futhi ngokuhlukene kumawebhusayithi.
Ziningi izinkonzo. Ngokuvamile lokhu kuyinjabulo ye-pentester kanye nokulindela ukunqoba okusheshayo, njengoba kunezinsizakalo eziningi, insimu yokuhlasela inkulu futhi kulula ukuthola i-artifact. Ukubheka ngokushesha amawebhusayithi kubonise ukuthi iningi lawo liyisizindalwazi sewebhu semikhiqizo eyaziwayo yezinkampani ezinkulu zomhlaba, okuthi ngakho konke ukubonakala zikutshela ukuthi azamukelekile. Bacela igama lomsebenzisi nephasiwedi, banyakazise indawo yokufaka isici sesibili, bacele isitifiketi seklayenti le-TLS, noma basithumele ku-Microsoft ADFS. Ezinye azitholakali ku-inthanethi. Kwabanye, ngokusobala udinga ukuba neklayenti elikhokhelwayo elikhethekile ukuze uthole amaholo amathathu noma wazi i-URL eqondile ongayifaka. Ake seqe elinye isonto lokudangala kancane kancane ohlelweni lokuzama “ukugqobhoza” izinguqulo zesofthiwe ngobungozi obaziwayo, sicinga okuqukethwe okufihliwe emizileni yewebhu kanye nama-akhawunti aputshuziwe avela ezinsizeni zezinkampani zangaphandle ezifana ne-LinkedIn, sizama ukuqagela amagama ayimfihlo awasebenzisayo, futhi. njengokumba ubungozi kumawebhusayithi azibhale wona - ngendlela, ngokwezibalo, lena i-vector ethembisa kakhulu yokuhlasela kwangaphandle namuhla. Ngizoqaphela ngokushesha isibhamu sefilimu esadubula kamuva.
Ngakho-ke, sithole amasayithi amabili agqama kumakhulu ezinsizakalo. Lawa masayithi abenento eyodwa afana ngayo: uma ungazibandakanyi ekuhloleni kabusha kwenethiwekhi okucophelelayo ngesizinda, kodwa bheka ngqo izimbobo ezivulekile noma uqondise isithwebuli esisengozini usebenzisa uhla lwe-IP olwaziwayo, lawa masayithi azobalekela ukuskenwa futhi ngeke avele kubonakala ngaphandle kokwazi igama le-DNS. Mhlawumbe baphuthelwe ngaphambili, okungenani, futhi amathuluzi ethu azenzakalelayo awazange athole izinkinga ngawo, noma ngabe athunyelwe ngqo esisetshenziswa.
Ngendlela, mayelana nokuthi yini eyethulwe ngaphambilini izikena ezitholakala ngokujwayelekile. Ake ngikukhumbuze: kwabanye abantu, i-“pentest” ilingana “nokuskena okuzenzakalelayo”. Kodwa izithwebuli zalo msebenzi azishongo lutho. Nokho, umkhawulo uboniswe ukuba sengozini Okumaphakathi (oku-3 koku-5 ngokobukhulu): kwenye isevisi isitifiketi esibi se-TLS noma ama-algorithms wokubethela aphelelwe yisikhathi, kanye nakumasayithi amaningi oClickjacking. Kodwa lokhu ngeke kukufikise emgomweni wakho. Mhlawumbe izikena zingaba usizo kakhulu lapha, kodwa ake ngikukhumbuze: ikhasimende ngokwalo liyakwazi ukuthenga izinhlelo ezinjalo futhi lizihlole ngazo, futhi, ngokwahlulela ngemiphumela engathandeki, selivele lihlolile.
Masibuyele kumasayithi "angavamile". Eyokuqala into efana ne-Wiki yendawo ekhelini elingajwayelekile, kodwa kulesi sihloko mayibe i-wiki.company[.]ru. Uphinde wacela ngokushesha ukungena nephasiwedi, kodwa nge-NTLM esipheqululini. Kumsebenzisi, lokhu kubukeka njengewindi le-ascetic elicela ukufaka igama lomsebenzisi nephasiwedi. Futhi lokhu kuwumkhuba omubi.
Inothi elincane. I-NTLM kumawebhusayithi e-perimeter yimbi ngenxa yezizathu ezimbalwa. Isizathu sokuqala ukuthi igama lesizinda se-Active Directory lembulwa. Esibonelweni sethu, kuphinde kwavela inkampani.ru, njengegama le-DNS "langaphandle". Ukwazi lokhu, ungakwazi ukulungiselela ngokucophelela into enonya ukuze ibulawe kuphela emshinini wesizinda wenhlangano, hhayi kwelinye ibhokisi lesihlabathi. Okwesibili, ukufakazela ubuqiniso kungena ngokuqondile kusilawuli sesizinda nge-NTLM (ngokumangazayo, akunjalo?), nazo zonke izici zezinqubomgomo zenethiwekhi "zangaphakathi", okuhlanganisa ukuvimba ama-akhawunti ukuthi adlule inombolo yemizamo yokufaka iphasiwedi. Uma umhlaseli ethola ukungena ngemvume, uzozama amagama ayimfihlo kubo. Uma ulungiselelwe ukuvimba ama-akhawunti ukuthi angafaki amaphasiwedi angalungile, izosebenza futhi i-akhawunti izovinjwa. Okwesithathu, akunakwenzeka ukwengeza isici sesibili ekuqinisekiseni okunjalo. Uma omunye wabafundi esazi ukuthi kanjani, ngicela ungazise, kuyathakazelisa ngempela. Okwesine, ukuba sengozini yokuhlaselwa kwe-pass-the-hash. I-ADFS yasungulwa, phakathi kwezinye izinto, ukuvikela kukho konke lokhu.
Kunempahla eyodwa embi yemikhiqizo ye-Microsoft: ngisho noma ungazange uyishicilele ngokuqondile i-NTLM enjalo, izofakwa ngokuzenzakalelayo ku-OWA ne-Lync, okungenani.
Phela, umbhali walesi sihloko wake wavala ngephutha ama-akhawunti angaba ngu-1000 abasebenzi bebhange elilodwa elikhulu ngehora elilodwa nje esebenzisa indlela efanayo wabe esebukeka ephaphathekile. Izinsizakalo ze-IT zebhange nazo zaziphaphathekile, kodwa yonke into yaphela kahle futhi ngokwanele, saze sanconywa ngokuba ngabokuqala ukuthola le nkinga nokuvusa isixazululo esisheshayo nesiwujuqu.
Isiza sesibili sasinekheli “ngokusobala uhlobo oluthile lwesibongo.company.ru.” Ithole nge-Google, into efana nalena ekhasini le-10. Idizayini yayisuka ekuqaleni kweminyaka yawo-XNUMX, futhi umuntu ohloniphekile wayeyibuka ekhasini eliyinhloko, into efana nalena:
Lapha ngathatha okumile kusuka ku-"Inhliziyo Yenja", kodwa kholwa kimi, kwakufana ngokungafani, ngisho nomklamo wombala wawungamathoni afanayo. Makubizwe isiza preobrazhensky.company.ru.
Kwakuyiwebhusayithi yomuntu siqu... kadokotela womchamo. Ngazibuza ukuthi ngabe iwebhusayithi ye-urologist yenzani esizindeni senkampani yobuchwepheshe obuphezulu. Ukuhlola ngokushesha i-Google kubonise ukuthi lo dokotela wayengumsunguli wenye yezinkampani ezisemthethweni zekhasimende lethu futhi waze wanikela cishe ngama-ruble angu-1000 enhlokodolobha egunyaziwe. Isayithi cishe ladalwa eminyakeni eminingi edlule, futhi izinsiza zeseva yekhasimende zasetshenziswa njengokusingatha. Isiza sekuyisikhathi eside silahlekelwa ukuhambisana kwayo, kodwa ngesizathu esithile sishiywe sisebenza isikhathi eside.
Ngokuphathelene nokuba sengozini, iwebhusayithi ngokwayo ibivikelekile. Uma ngibheka phambili, ngizosho ukuthi kwakuyiqoqo lolwazi olungaguquki - amakhasi we-html alula anemifanekiso efakiwe ngesimo sezinso nesinye. Akusizi "ukuphula" indawo enjalo.
Kodwa iseva yewebhu ngaphansi ibithakazelisa kakhulu. Uma sibheka isihloko se-HTTP Server, sasine-IIS 6.0, okusho ukuthi yayisetshenziswa Windows 2003 njengohlelo lokusebenza. Isikena sasihlonze ngaphambilini ukuthi le webhusayithi ethile ye-urologist, ngokungafani nabanye ababungazi bewebhu efanayo, iphendule umyalo we-PROPFIND, okusho ukuthi ibisebenzisa i-WebDAV. Ngendlela, isithwebuli sibuyise lolu lwazi ngophawu Ulwazi (ngolimi lwemibiko yesithwebuli, lena ingozi ephansi kakhulu) - izinto ezinjalo zivame ukweqiwa. Ngokuhlangene, lokhu kunikeze umphumela othokozisayo, ovezwe kuphela ngemuva kokunye ukumba ku-Google: ubungozi bokuchichima kwe-buffer obungavamile obuhlotshaniswa nesethi ye-Shadow Brokers, okuyi-CVE-2017-7269, eyayivele inokuxhashazwa okwenziwe ngomumo. Ngamanye amazwi, kuzoba nenkinga uma une-Windows 2003 futhi i-WebDAV isebenza ku-IIS. Nakuba isebenza Windows 2003 ekukhiqizeni ngo-2018 kuyinkinga ngokwayo.
Ukuxhashazwa kugcine ku-Metasploit futhi kwahlolwa ngokushesha ngomthwalo othumele isicelo se-DNS kusevisi elawulwayo - I-Burp Collaborator isetshenziswa ngokwesiko ukubamba izicelo ze-DNS. Okwangimangaza ukuthi kusebenze okokuqala ngqa: kwamukelwa i-DNS knockout. Okulandelayo, kube nomzamo wokwenza i-backconnect nge-port 80 (okungukuthi, uxhumano lwenethiwekhi olusuka kuseva ukuya kumhlaseli, ngokufinyelela ku-cmd.exe kumsingathi wesisulu), kodwa-ke kwenzeka i-fiasco. Ukuxhumeka akuzange kufike, futhi ngemva komzamo wesithathu wokusebenzisa isayithi, kanye nazo zonke izithombe ezithakazelisayo, zanyamalala unomphela.
Ngokuvamile lokhu kulandelwa uhlamvu olusesitayelani esithi “khasimende, vuka, silahle yonke into.” Kodwa satshelwa ukuthi isayithi alihlangene nezinqubo zebhizinisi futhi lisebenza lapho ngaphandle kwesizathu nhlobo, njengeseva yonke, nokuthi singasebenzisa le nsiza ngokuthanda kwethu.
Cishe ngemva kosuku isiza saqala ukusebenza ngokwaso. Ngemva kokwakha ibhentshi kusuka ku-WebDAV ku-IIS 6.0, ngithole ukuthi ukulungiselelwa okuzenzakalelayo ukuqala kabusha izinqubo zesisebenzi se-IIS njalo ngamahora angu-30. Okusho ukuthi, lapho isilawuli siphuma ku-shellcode, inqubo yesisebenzi se-IIS yaphela, yabe iziqalisa kabusha izikhathi ezimbalwa bese iphumuza amahora angu-30.
Njengoba i-backconnect ku-tcp ihlulekile okokuqala, ngibalele le nkinga embobeni evaliwe. Okusho ukuthi, ucabange ukuba khona kohlobo oluthile lwe-firewall olungavumeli ukuxhumana okuphumayo kudlule ngaphandle. Ngaqala ukusebenzisa ama-shellcodes asesha kumachweba amaningi we-tcp ne-udp, kwakungekho mphumela. Imithwalo yoxhumano ehlehliswayo nge-http(ama) esuka ku-Metasploit ayisebenzanga - meterpreter/reverse_http(ama). Kungazelelwe, kwaxhunywa echwebeni elifanayo 80, kodwa kwehla ngokushesha. Lokhu ngikubalele esenzweni se-IPS esekhona ecatshangelwayo, engazange iyithande ithrafikhi ye-meterpreter. Ngenxa yokuthi ukuxhumeka okuhlanzekile kwe-tcp ku-port 80 akuzange kudlule, kodwa uxhumano lwe-http luye lwadlula, ngiphethe ngokuthi ummeleli we-http wawulungiselelwe ngandlela thile ohlelweni.
Ngize ngazama i-meterpreter nge-DNS (ngiyabonga ngemizamo yakho, ilondoloze amaphrojekthi amaningi), ikhumbula impumelelo yokuqala, kodwa ayizange isebenze ngisho nesitendi - i-shellcode yayinamandla kakhulu kulokhu kuba sengozini.
Eqinisweni, bekubukeka kanje: 3-4 imizamo yokuhlasela kungakapheli imizuzu emi-5, bese ilinda amahora angama-30. Futhi kanjalo amasonto amathathu elandelana. Ngize ngisethe isikhumbuzi ukuze ngingachithi isikhathi. Ukwengeza, kube nomehluko ekuziphatheni kwezindawo zokuhlola nezokukhiqiza: kulobu bungozi kube nokuxhashazwa okubili okufanayo, okukodwa okuvela ku-Metasploit, okwesibili okuvela ku-inthanethi, okuguqulelwe kunguqulo ye-Shadow Brokers. Ngakho-ke, i-Metasploit kuphela eyahlolwa empini, futhi eyesibili kuphela eyahlolwa ebhentshini, okwenza ukulungisa iphutha kube nzima nakakhulu futhi kwakuphazamisa ubuchopho.
Ekugcineni, ikhodi yegobolondo elande ifayela le-exe kuseva enikeziwe nge-http futhi yalethula kusistimu eqondiwe ibonakale isebenza kahle. I-shellcode yayincane ngokwanele ukuba ingene, kodwa okungenani yasebenza. Njengoba iseva yayingathandi nhlobo ithrafikhi ye-TCP futhi ama-http(ama) ahlolelwa ukuba khona kwe-meterpreter, nginqume ukuthi indlela eshesha kakhulu kwakuwukulanda ifayela le-exe eliqukethe i-DNS-meterpreter ngale shellcode.
Nalapha futhi inkinga yavela: lapho ulanda ifayela le-exe futhi, njengoba imizamo ibonisiwe, kungakhathaliseki ukuthi iyiphi, ukulanda kuphazamisekile. Futhi, enye idivayisi yokuphepha phakathi kweseva yami kanye ne-urologist ayizange ithande ithrafikhi ye-http ene-exe ngaphakathi. Isixazululo "esisheshayo" sibonakale siwukushintsha i-shellcode ukuze iphazamise ithrafikhi ye-http ngokuhamba kwesikhathi, ukuze idatha ye-abstract kanambambili idluliselwe esikhundleni se-exe. Ekugcineni, ukuhlasela kuphumelele, ukulawula kwatholwa ngesiteshi esincane se-DNS:
Ngokushesha kwacaca ukuthi nginamalungelo ayisisekelo e-IIS okuhamba komsebenzi, angivumela ukuthi ngingenzi lutho. Nakhu okwakubukeka ku-console ye-Metasploit:
Zonke izindlela zepentest ziphakamisa ngokuqinile ukuthi udinga ukwandisa amalungelo lapho uthola ukufinyelela. Ngokuvamile angikwenzi lokhu endaweni, njengoba ukufinyelela kokuqala kubonakala njengendawo yokungena yenethiwekhi, futhi ukubeka engcupheni omunye umshini kunethiwekhi efanayo ngokuvamile kulula futhi kuyashesha kunamalungelo akhulayo kumsingathi okhona. Kodwa lokhu akunjalo lapha, njengoba isiteshi se-DNS sincane kakhulu futhi ngeke sivumele ithrafikhi ukuthi ivuleke.
Uma sicabanga ukuthi lokhu Windows 2003 iseva ayilungiswanga sengozini edumile ye-MS17-010, ngidonsa ithrafikhi yokuya echwebeni elingu-445/TCP ngomhubhe we-DNS we-meterpreter ku-localhost (yebo, lokhu kuyenzeka futhi) bese uzama ukusebenzisa i-exe elandiwe ngaphambilini. ukuba sengozini. Ukuhlasela kuyasebenza, ngithola uxhumano lwesibili, kodwa ngamalungelo we-SYSTEM.
Kuyathakazelisa ukuthi basazama ukuvikela iseva ku-MS17-010 - yayinezinsizakalo zenethiwekhi ezisengozini zikhutshaziwe esibonakalayo sangaphandle. Lokhu kuvikela ekuhlaselweni kwenethiwekhi, kodwa ukuhlasela okuvela ngaphakathi ku-localhost kusebenzile, njengoba awukwazi ukuvele uvale ngokushesha i-SMB ku-localhost.
Okulandelayo, imininingwane emisha ethokozisayo iyembulwa:
- Ukuba namalungelo e-SYSTEM, ungakwazi ukusungula kalula ukuxhumana nge-TCP. Ngokusobala, ukukhubaza i-TCP eqondile kuyinkinga kumsebenzisi olinganiselwe we-IIS. I-Spoiler: ithrafikhi yabasebenzisi be-IIS ibigoqwe ngandlela thize kummeleli wendawo we-ISA kuzo zombili izinkomba. Ukuthi isebenza kanjani ngempela, angizange ngikhiqize kabusha.
- Ngiku-“DMZ” ethile (futhi lesi akusona isizinda se-Active Directory, kodwa i-WORKGROUP) - kuzwakala kunengqondo. Kodwa esikhundleni sekheli le-IP eliyimfihlo (“elimpunga”) elilindelwe, nginekheli le-IP “elimhlophe” ngokuphelele, elifana ncamashi naleli engilihlasele ngaphambili. Lokhu kusho ukuthi inkampani indala kakhulu emhlabeni we-IPv4 ekhuluma kangangokuthi ingakwazi ukugcina indawo ye-DMZ yamakheli “amhlophe” angu-128 ngaphandle kwe-NAT ngokohlelo, njengoba kuboniswe kumanuwali e-Cisco kusukela ngo-2005.
Njengoba iseva indala, i-Mimikatz iqinisekisiwe ukuthi izosebenza ngokuqondile ngenkumbulo:
Ngithola igama-mfihlo lomphathi wendawo, ithrafikhi ye-RDP yomhubhe phezu kwe-TCP futhi ngingena kudeskithophu ethokomele. Njengoba ngingenza noma yini engiyifunayo ngeseva, ngisuse i-antivirus futhi ngathola ukuthi iseva yayifinyeleleka ku-intanethi kuphela nge-TCP ports 80 no-443, futhi i-443 yayingekho matasa. Ngimise iseva ye-OpenVPN ku-443, ngengeza imisebenzi ye-NAT yethrafikhi yami ye-VPN futhi ngithole ukufinyelela okuqondile kunethiwekhi ye-DMZ ngendlela engenamkhawulo nge-OpenVPN yami. Kuyaphawuleka ukuthi i-ISA, enemisebenzi ethile ye-IPS engakhubazekile, ivimbe ithrafikhi yami ngokuskena kwechweba, okwadingeka ukuthi ithathelwe indawo nge-RRAS elula nethobela kakhudlwana. Ngakho-ke ama-pentester kwesinye isikhathi kusafanele aphathe zonke izinhlobo zezinto.
Umfundi olalelayo uzobuza: "Kuthiwani ngesiza sesibili - i-wiki enokuqinisekiswa kwe-NTLM, okubhalwe okuningi ngayo?" Okuningi ngalokhu kamuva.
Ingxenye 2. Namanje awubetheli? Bese siza kuwe kakade lapha
Ngakho-ke, kukhona ukufinyelela engxenyeni yenethiwekhi ye-DMZ. Udinga ukuya kumphathi wesizinda. Into yokuqala efika emqondweni ukuhlola ngokuzenzakalelayo ukuphepha kwezinsizakalo ngaphakathi kwengxenye ye-DMZ, ikakhulukazi njengoba eziningi zazo manje sezivulekele ucwaningo. Isithombe esijwayelekile ngesikhathi sokuhlolwa kokungena: i-perimeter yangaphandle ivikelwe kangcono kunezinsizakalo zangaphakathi, futhi lapho uthola noma yikuphi ukufinyelela ngaphakathi kwengqalasizinda enkulu, kulula kakhulu ukuthola amalungelo anwetshiwe esizindeni kuphela ngenxa yokuthi lesi sizinda siqala ukutholakala. kufinyeleleka kumathuluzi, futhi okwesibili, Kungqalasizinda enezinkulungwane ezimbalwa zabasingathi, kuyohlale kunezinkinga ezimbalwa ezibalulekile.
Ngishaja izikena nge-DMZ ngomhubhe we-OpenVPN bese ngilinda. Ngivula umbiko - futhi akukho okungathí sina, ngokusobala kukhona owadlula ngendlela efanayo phambi kwami. Isinyathelo esilandelayo ukuhlola ukuthi ababungazi abangaphakathi kwenethiwekhi ye-DMZ baxhumana kanjani. Ukuze wenze lokhu, qala ngokuvula i-Wireshark evamile futhi ulalele izicelo zokusakaza, ikakhulukazi i-ARP. Amaphakethe e-ARP aqoqwe usuku lonke. Kuvela ukuthi amasango amaningana asetshenziswa kulesi sigaba. Lokhu kuzosebenza ngokuhamba kwesikhathi. Ngokuhlanganisa idatha yezicelo ze-ARP nezimpendulo kanye nedatha yokuskena kwembobo, ngithole izindawo zokuphuma zethrafikhi yomsebenzisi kusukela ngaphakathi kwenethiwekhi yendawo ngaphezu kwalezo zinsizakalo ezaziwa ngaphambilini, njengewebhu nemeyili.
Njengoba okwamanje bengingenakho ukufinyelela kwezinye izinhlelo futhi ngingenayo i-akhawunti eyodwa yezinkonzo zezinkampani, kunqunywe ukudoba okungenani i-akhawunti ethile kuthrafikhi kusetshenziswa i-ARP Spoofing.
U-Cain & Abel wethulwa kuseva kadokotela womchamo. Kucatshangelwa ukugeleza kwethrafikhi ekhonjiwe, amapheya athembisa kakhulu okuhlasela kwendoda emaphakathi akhethiwe, futhi enye ithrafikhi yenethiwekhi yatholwa ngokuqalisa isikhathi esifushane imizuzu emi-5-10, ngesibali sikhathi sokuqalisa kabusha iseva. uma kubanda. Njengasehlaya, kwakukhona izindaba ezimbili:
- Okuhle: kuqoqwe imininingwane eminingi futhi ukuhlasela sekukonke kwasebenza.
- Okubi: zonke iziqinisekiso bezivela kumakhasimende ekhasimende uqobo. Ngenkathi ihlinzeka ngamasevisi osekelo, ochwepheshe bamakhasimende baxhumeke kumasevisi amaklayenti angazange ahlale elungiselelwe ukubethela kwethrafikhi.
Ngenxa yalokho, ngathola iziqinisekiso eziningi ezazingenamsebenzi kumongo wephrojekthi, kodwa ngokuqinisekile ezithakazelisayo njengendlela yokubonisa ingozi yokuhlaselwa. Amarutha asemngceleni ezinkampani ezinkulu ezine-telnet, adlulisele amachweba okususa iphutha e-http ku-CRM yangaphakathi enayo yonke idatha, ukufinyelela okuqondile ku-RDP kusuka ku-Windows XP kunethiwekhi yendawo nokunye okungaqondakali. Kwaba kanje .
Ngithole nethuba elihlekisayo lokuqoqa izincwadi kuthrafikhi, into efana nale. Lesi isibonelo sencwadi esenziwe ngomumo eyasuka kukhasimende yethu yaya echwebeni le-SMTP leklayenti lalo, futhi, ngaphandle kokubethela. U-Andrey othile ucela igama lakhe ukuthi lithumele kabusha imibhalo, futhi ilayishwa kudiski yefu ngokungena ngemvume, iphasiwedi kanye nesixhumanisi encwadini eyodwa yokuphendula:
Lesi esinye isikhumbuzi sokubethela wonke amasevisi. Akwaziwa ukuthi ubani futhi nini ozofunda futhi asebenzise idatha yakho ngokuqondile - umhlinzeki, umlawuli wesistimu wenye inkampani, noma i-pentester enjalo. Ngithule mayelana neqiniso lokuthi abantu abaningi bangavele babambe ithrafikhi engabhaliwe.
Naphezu kokuphumelela okusobala, lokhu akuzange kusisondeze egoli. Kwakungenzeka, yiqiniso, ukuhlala isikhathi eside futhi udobe ulwazi olubalulekile, kodwa akulona iqiniso ukuthi lizovela lapho, futhi ukuhlasela ngokwako kuyingozi kakhulu mayelana nobuqotho benethiwekhi.
Ngemva kokunye ukumba ezinkonzweni, kwafika umqondo othakazelisayo engqondweni. Kukhona insiza ebizwa ngokuthi i-Responder (kulula ukuthola izibonelo zokusetshenziswa ngaleli gama), okuthi, ngokufaka “ubuthi” izicelo zokusakaza, ivuse ukuxhumana ngezinqubo ezahlukahlukene ezifana ne-SMB, HTTP, LDAP, njll. ngezindlela ezahlukene, bese icela wonke umuntu oxhumayo ukuthi aqinisekise futhi asethe ukuze ukuqinisekiswa kwenzeke nge-NTLM nangemodi esobala kumuntu ohlukunyeziwe. Imvamisa, umhlaseli uqoqa ukuxhawula kwe-NetNTLMv2 ngale ndlela futhi kubo, esebenzisa isichazamazwi, abuyisele ngokushesha amaphasiwedi wesizinda somsebenzisi. Lapha ngangifuna into efanayo, kodwa abasebenzisi bahlala "ngemuva kodonga", noma kunalokho, bahlukaniswa ngodonga lomlilo, futhi bafinyelela i-WEB ngokusebenzisa iqoqo lommeleli we-Blue Coat.
Khumbula, ngicacisile ukuthi igama lesizinda se-Active Directory lihambisana nesizinda "sangaphandle", okungukuthi, bekuyinkampani.ru? Ngakho-ke, iWindows, enembe kakhulu i-Internet Explorer (kanye ne-Edge ne-Chrome), ivumela umsebenzisi ukuthi aqinisekise ngokusobala ku-HTTP nge-NTLM uma ebheka ukuthi isiza sitholakala “kwe-Intranet Zone” ethile. Olunye lwezimpawu ze-“Intranet” ukufinyelela ekhelini le-IP “elimpunga” noma igama elifushane le-DNS, okungukuthi, elingenawo amachashazi. Njengoba babeneseva ene-IP “emhlophe” negama le-DNS preobrazhensky.company.ru, futhi imishini yesizinda ivamise ukuthola isijobelelo sesizinda se-Active Directory nge-DHCP ukuze kufakwe igama elenziwe lula, bekufanele ibhale i-URL kubha yekheli kuphela. , ukuze bathole indlela efanele kuseva ye-urologist eyekethisiwe, bengakhohlwa ukuthi lokhu manje sekubizwa ngokuthi "Intranet". Okusho ukuthi, ngasikhathi sinye unginika ukuxhawula kwe-NTLM komsebenzisi ngaphandle kolwazi lwakhe. Okusele nje ukuphoqa iziphequluli zamaklayenti ukuthi zicabange ngesidingo esiphuthumayo sokuxhumana nale seva.
Uhlelo oluhle lwe-Intercepter-NG lwasiza (ngiyabonga ). Ikuvumele ukuthi uguqule ithrafikhi endizeni futhi yasebenza kahle ku-Windows 2003. Yaze yaba nomsebenzi ohlukene wokushintsha amafayela e-JavaScript kuphela ekuhambeni kwethrafikhi. Kwahlelwa uhlobo olukhulu lweCross-Site Scripting.
Amaphrokzi we-Blue Coat, abasebenzisi abafinyelele ngawo i-WEB yomhlaba wonke, bagcina okuqukethwe okumile ngezikhathi ezithile. Ngokuvimba ithrafikhi, kwaba sobala ukuthi basebenza ubusuku nemini, becela ngokungaguquki ukusetshenziswa okuqinile ukuze kusheshiswe ukuboniswa kokuqukethwe phakathi namahora aphakeme. Ngaphezu kwalokho, i-BlueCoat yayine-User-Agent ethile, eyayihlukanisa ngokucacile nomsebenzisi wangempela.
I-Javascript yalungiswa, okwathi, kusetshenziswa i-Intercepter-NG, yasetshenziswa ihora ebusuku ngempendulo ngayinye enamafayela e-JS e-Blue Coat. Iskripthi senze lokhu okulandelayo:
- Kunqunywe isiphequluli samanje nge-User-Agent. Uma bekuyi-Internet Explorer, i-Edge noma i-Chrome, yaqhubeka nokusebenza.
- Ngilinde kuze kwakhiwe i-DOM yekhasi.
- Kufakwe isithombe esingabonakali ku-DOM ngesibaluli se-src sefomu :8080/NNNNNNN.png, lapho i-NNN kuyizinombolo ezingafanele ukuze i-BlueCoat ingayigcini inqolobane.
- Setha ukuhluka kwefulegi lomhlaba wonke ukuze ubonise ukuthi umjovo uqediwe futhi asikho isidingo sokufaka izithombe.
Isiphequluli sizame ukulayisha lesi sithombe; ku-port 8080 yeseva eyonakele, umhubhe we-TCP ubuwulindile kukhompuyutha yami ephathekayo, lapho uMphenduli ofanayo wayesebenza khona, edinga ukuthi isiphequluli singene nge-NTLM.
Ukwahlulela ngezingodo ze-Responder, abantu beza emsebenzini ekuseni, bavula izindawo zabo zokusebenza, bese bebaningi futhi benganakekile baqala ukuvakashela iseva ye-urologist, bengakhohlwa "ukukhipha" ukuxhawula izandla kwe-NTLM. Ukuxhawula izandla kwana usuku lonke futhi kwanqwabelana ngokusobala okokusebenza ukuze kube nokuhlasela okuphumelele ngokusobala ukuze kubuyiselwe amaphasiwedi. Lena indlela amalogi Ophendulayo ayebukeka ngayo:
Ukuvakashelwa okuyimfihlo okukhulu kuseva ye-urologist ngabasebenzisi
Cishe usubonile ukuthi yonke le ndaba yakhelwe esimisweni esithi "konke kwakuhamba kahle, kepha kwase kuba khona ukuqhuma, bese kuba nokunqoba, bese konke kwaphumelela." Ngakho-ke, kwakukhona i-bummer lapha. Ekuxhawulaneni okungamashumi amahlanu okuyingqayizivele, akukho neyodwa eyembulwa. Futhi lokhu kucabangela iqiniso lokuthi ngisho naku-laptop ene-processor efile, lokhu kuxhawula kwe-NTLMv2 kusetshenzwa ngesivinini semizamo eyizigidi ezingamakhulu ambalwa ngomzuzwana.
Kwadingeka ngizihlomise ngamasu okuguqula iphasiwedi, ikhadi levidiyo, isichazamazwi esikhudlwana bese ngilinda. Ngemva kwesikhathi eside, kwavezwa ama-akhawunti amaningana anamagama ayimfihlo efomu elithi “Q11111111....1111111q”, okubonisa ukuthi bonke abasebenzisi bake baphoqeleka ukuba beze nephasiwedi ende enezinhlamvu ezihlukene, okwakufanele futhi kube yinkimbinkimbi. Kodwa awukwazi ukukhohlisa umsebenzisi ongumakadebona, futhi yile ndlela akwenze ngayo kwaba lula ngaye ukuzikhumbula. Sekukonke, cishe ama-akhawunti angu-5 aye afakwa engozini, futhi eyodwa kuphela yawo eyayinamalungelo abalulekile ezinsizeni.
Ingxenye 3. I-Roskomnadzor iphindisela emuva
Ngakho, ama-akhawunti wesizinda sokuqala atholiwe. Uma ungazange ulale ngaleli phuzu kusukela ekufundeni isikhathi eside, cishe uzokhumbula ukuthi ngikhulume ngesevisi engadingi isici sesibili sokuqinisekisa: i-wiki enobuqiniso be-NTLM. Yebo, into yokuqala okufanele yenziwe kwakuwukungena lapho. Ukumba esisekelweni solwazi lwangaphakathi ngokushesha kulethe imiphumela:
- Inkampani inenethiwekhi ye-WiFi enokuqinisekisa isebenzisa ama-akhawunti wesizinda anokufinyelela kunethiwekhi yendawo. Ngesethi yamanje yedatha, lokhu sekuvele kuyi-vector yokuhlasela esebenzayo, kodwa udinga ukuya ehhovisi ngezinyawo zakho futhi utholakale endaweni ethile endaweni yehhovisi lekhasimende.
- Ngithole umyalo ngokuya ngokuthi kwakukhona isevisi evumela... ukubhalisa ngokuzimela idivayisi yokuqinisekisa "isici sesibili" uma umsebenzisi engaphakathi kwenethiwekhi yendawo futhi ekhumbula ngokuzethemba ukungena kwakhe kwesizinda nephasiwedi. Kulokhu, "ngaphakathi" kanye "nangaphandle" kunqunywe ukufinyeleleka kwechweba lale sevisi kumsebenzisi. Ichweba belingafinyeleleki ku-inthanethi, kodwa belitholakala nge-DMZ.
Yebo, "isici sesibili" sengezwe ngokushesha ku-akhawunti esengozini ngendlela yohlelo lokusebenza ocingweni lwami. Kube khona uhlelo olungathumela ngokuzwakalayo isicelo sokusunduza ocingweni ngezinkinobho "vuma"/"phika" isenzo, noma lubonise buthule ikhodi ye-OTP esikrinini ukuze ungene ngokuzimele. Ngaphezu kwalokho, indlela yokuqala kwakufanele ngemiyalo kube yiyona kuphela elungile, kodwa ayizange isebenze, ngokungafani nendlela ye-OTP.
Njengoba “isici sesibili” siphukile, ngikwazile ukufinyelela i-Outlook Web Access mail kanye nokufinyelela kude ku-Citrix Netscaler Gateway. Kube khona isimanga kumeyili ku-Outlook:
Kulesi sithombe esingavamile ungabona ukuthi i-Roskomnadzor isiza kanjani ama-pentester
Lezi kwakuyizinyanga zokuqala ngemuva kokuvinjwa "komlandeli" odumile weTelegram, lapho wonke amanethiwekhi anezinkulungwane zamakheli enyamalala ngokungenakuvinjelwa ekufinyeleleni. Kwaba sobala ukuthi kungani ukucindezela kungazange kusebenze ngokushesha nokuthi kungani “isisulu” sami singazange sikhale i-alamu ngoba saqala ukusebenzisa i-akhawunti yaso ngesikhathi sokuvula.
Noma ubani ojwayelene ne-Citrix Netscaler ucabanga ukuthi ngokuvamile isetshenziswa ngendlela yokuthi kuphela isithombe esibonakalayo esingadluliselwa kumsebenzisi, sizama ukungamniki amathuluzi okuqalisa izinhlelo zokusebenza zezinkampani zangaphandle kanye nokudlulisa idatha, kukhawulelwe ngazo zonke izindlela ezingase zibe khona. ngokusebenzisa amagobolondo okulawula ajwayelekile. “Isisulu” sami, ngenxa yomsebenzi waso, sathola i-1C kuphela:
Ngemva kokuzungeza isixhumi esibonakalayo se-1C kancane, ngathola ukuthi kukhona amamojula okucubungula angaphandle lapho. Angalayishwa kusuka kusixhumi esibonakalayo, futhi azokwenziwa kuklayenti noma kuseva, kuye ngamalungelo nezilungiselelo.
Ngicele abangani bami bohlelo lwe-1C ukuthi badale ukucutshungulwa okungamukela iyunithi yezinhlamvu futhi kukwenze. Ngolimi lwe-1C, ukuqala inqubo kubukeka kanje (kuthathwe ku-inthanethi). Ingabe uyavuma ukuthi i-syntax yolimi lwe-1C iyabamangaza abantu abakhuluma isiRashiya ngokuzenzakalelayo?
Ukucutshungulwa kwenziwa kahle kakhulu; kwaba yilokho ama-pentesters akubiza ngokuthi “igobolondo” - i-Internet Explorer yethulwa ngayo.
Ngaphambilini, ikheli lesistimu elikuvumela ukuthi u-ode amapasi endaweni lalitholwe ngeposi. Ngi-ode ukudlula uma kufanele ngisebenzise i-vector yokuhlasela ye-WiFi.
Kunenkulumo ku-inthanethi yokuthi bekusenokudla kwamahhala okumnandi ehhovisi lekhasimende, kodwa ngisancamela ukuthuthukisa ukuhlasela ngikude, kuzolile.
I-AppLocker yenziwe yasebenza kuseva yohlelo lokusebenza esebenzisa i-Citrix, kodwa yeqiwe. I-Meterpreter efanayo yalayishwa futhi yethulwa nge-DNS, njengoba izinguqulo ze-http(ama) bezingafuni ukuxhuma, futhi bengingalazi ikheli lommeleli wangaphakathi ngaleso sikhathi. Ngendlela, kusukela kulo mzuzu kuqhubeke, i-pentest yangaphandle empeleni yaphenduka yangaphakathi.
Ingxenye 4. Amalungelo okuphatha kubasebenzisi mabi, kulungile?
Umsebenzi wokuqala we-pentester lapho uthola ukulawula isikhathi somsebenzisi wesizinda ukuqoqa lonke ulwazi mayelana namalungelo esizindeni. Kukhona insiza ye-BloodHound ekuvumela ngokuzenzakalelayo ukuthi udawunilode ulwazi olumayelana nabasebenzisi, amakhompyutha, amaqembu okuvikela usebenzisa iphrothokholi ye-LDAP kusuka kusilawuli sesizinda, futhi nge-SMB - ulwazi mayelana nokuthi yimuphi umsebenzisi osanda kungena ngemvume kuphi futhi ngubani umlawuli wendawo.
Indlela ejwayelekile yokuthatha amalungelo omlawuli wesizinda ibonakala yenziwe lula njengomjikelezo wezenzo eziyisidina:
- Siya kumakhompuyutha wesizinda lapho kunamalungelo omlawuli wendawo, ngokusekelwe kuma-akhawunti esizinda asevele athunjiwe.
- Sethula i-Mimikatz futhi sithola amaphasiwedi enqolobane, amathikithi e-Kerberos kanye nama-hashes e-NTLM wama-akhawunti wesizinda asanda kungena kule sistimu. Noma sisusa isithombe senkumbulo senqubo ye-lsass.exe futhi senze okufanayo ngasohlangothini lwethu. Lokhu kusebenza kahle nge-Windows encane kuno-2012R2/Windows 8.1 enezilungiselelo ezizenzakalelayo.
- Sinquma ukuthi ama-akhawunti onakalisiwe anamalungelo omlawuli wendawo. Siphinda iphuzu lokuqala. Kwesinye isikhathi sithola amalungelo omlawuli aso sonke isizinda.
“Ukuphela Komjikelezo;”, njengoba abahleli bohlelo be-1C bengabhala lapha.
Ngakho-ke, umsebenzisi wethu uvele waba umlawuli wendawo kumsingathi oyedwa one-Windows 7, igama layo elihlanganisa igama elithi "VDI", noma "Ingqalasizinda yedeskithophu ebonakalayo", imishini yomuntu siqu. Mhlawumbe, umklami wesevisi ye-VDI wayesho ukuthi njengoba i-VDI iyisistimu yokusebenza yomuntu siqu yomsebenzisi, ngisho noma umsebenzisi eshintsha imvelo yesofthiwe ngendlela athanda ngayo, umsingathi usengakwazi "ukulayishwa kabusha". Ngiphinde ngacabanga ukuthi ngokujwayelekile umqondo wawumuhle, ngaya kulo msingathi we-VDI ngenza isidleke lapho:
- Ngifake iklayenti le-OpenVPN lapho, elenze umhubhe nge-inthanethi kuseva yami. Iklayenti bekufanele liphoqeleke ukuthi lidlule ku-Blue Coat efanayo nokuqinisekiswa kwesizinda, kodwa i-OpenVPN ikwenzile, njengoba besho, "ngaphandle kwebhokisi."
- Kufakwe i-OpenSSH ku-VDI. Yebo, empeleni, yini iWindows 7 ngaphandle kwe-SSH?
Lokhu bekubukeka bukhoma. Ake ngikukhumbuze ukuthi konke lokhu kufanele kwenziwe nge-Citrix no-1C:
Enye indlela yokuthuthukisa ukufinyelela kumakhompuyutha angomakhelwane iwukuhlola amaphasiwedi omlawuli wendawo ukuze uthole okufanayo. Nansi inhlanhla ilindelwe ngokushesha: i-NTLM hashi yomphathi wendawo ozenzakalelayo (owavele wabizwa ngokuthi u-Administrator) wasondezwa ngokuhlaselwa kwe-pass-the-hash kubasingathi be-VDI abangomakhelwane, ababengamakhulu ambalwa. Yebo, ukuhlasela kwabashaya ngokushesha.
Kulapho abaphathi be-VDI bezidubula khona kabili ezinyaweni:
- Okokuqala kwaba lapho imishini ye-VDI ingafakwanga ngaphansi kwe-LAPS, empeleni igcina igama eliyimfihlo lomlawuli wendawo elisuka esithombeni esasetshenziswa kakhulu ku-VDI.
- Umlawuli ozenzakalelayo ukuphela kwe-akhawunti yendawo esengozini yokuhlaselwa kwe-pass-the-hash. Ngisho nephasiwedi efanayo, kungakwazi ukugwema ukuyekethisa okukhulu ngokwakha i-akhawunti yesibili yomphathi wendawo enephasiwedi eyinkimbinkimbi engahleliwe futhi uvimbele ezenzakalelayo.
Kungani kunesevisi ye-SSH kuleyo Windows? Kulula kakhulu: manje iseva ye-OpenSSH ayizange inikeze kuphela igobolondo lomyalo osebenzisanayo olulula ngaphandle kokuphazamisa umsebenzi womsebenzisi, kodwa futhi nommeleli we-socks5 ku-VDI. Ngala masokisi, ngixhume nge-SMB futhi ngaqoqa ama-akhawunti agcinwe kunqolobane kuwo wonke lawa makhulu emishini ye-VDI, ngase ngibheka indlela eya kumphathi wesizinda ngiyisebenzisa kumagrafu e-BloodHound. Njengoba nginamakhulu ababungazi, ngathola le ndlela ngokushesha okukhulu. Amalungelo omlawuli wesizinda atholiwe.
Nasi isithombe esivela ku-inthanethi esibonisa ukusesha okufanayo. Ukuxhumana kubonisa ukuthi ubani lapho umlawuli ekhona nokuthi ubani ongene lapho.
Phela, khumbula isimo kusukela ekuqaleni kwephrojekthi - "ungasebenzisi ubunjiniyela bezenhlalakahle." Ngakho-ke, ngiphakamisa ukucabanga ngokuthi ingakanani yonke le-Bollywood enemiphumela ekhethekile izonqanyulwa uma kusengenzeka ukusebenzisa ubugebengu bokweba imininingwane ebucayi. Kodwa ngokwami, kwakuthakazelisa kakhulu kimi ukwenza konke lokhu. Ngethemba ukuthi ukujabulele ukufunda lokhu. Vele, akuwona wonke amaphrojekthi abukeka ethakazelisa kakhulu, kepha umsebenzi usuwonke unenselele enkulu futhi awukuvumeli ukuthi umile.
Mhlawumbe othile uzoba nombuzo: indlela yokuzivikela? Ngisho lesi sihloko sichaza amasu amaningi, amaningi awo abaphathi beWindows abawazi ngisho nawo. Kodwa-ke, ngiphakamisa ukuthi ngizibheke ngokombono wezimiso zokugetshengwa kanye nezinyathelo zokuphepha zolwazi:
- ungasebenzisi isoftware ephelelwe yisikhathi (khumbula iWindows 2003 ekuqaleni?)
- ungagcini izinhlelo ezingadingekile zivuliwe (kungani bekunewebhusayithi ye-urologist?)
- hlola amaphasiwedi omsebenzisi ukuze uthole amandla ngokwakho (ngaphandle kwalokho amasosha... ama-pentester azokwenza lokhu)
- abanawo amagama ayimfihlo afanayo ama-akhawunti ahlukene (i-VDI compromise)
- nokunye
Yiqiniso, lokhu kunzima kakhulu ukukusebenzisa, kodwa esihlokweni esilandelayo sizobonisa ngokusebenza ukuthi kungenzeka.
Source: www.habr.com