Indaba emayelana nocwaningo nentuthuko ezingxenyeni ezi-3. Ingxenye 1 iyahlola.
Kunezihlahla eziningi ze-beech - izinzuzo ezengeziwe.
Ukwakheka kwenkinga
Ngesikhathi se-pentest kanye nemikhankaso ye-RedTeam, akwenzeki ngaso sonke isikhathi ukusebenzisa amathuluzi ajwayelekile eKhasimende, njenge-VPN, i-RDP, i-Citrix, njll. njengehange lokungena kunethiwekhi yangaphakathi. Kwezinye izindawo, i-VPN ejwayelekile isebenza kusetshenziswa i-MFA futhi ithokheni ye-hardware isetshenziswa njengesici sesibili, kwezinye igadwa ngesihluku futhi ukungena kwethu kwe-VPN kubonakala ngokushesha, njengoba besho, nakho konke okukubandakanyayo, kodwa kwezinye kukhona. azikho nje izindlela ezinjalo.
Ezimweni ezinjalo, kufanele sihlale njalo senze lokho okubizwa ngokuthi βamathaneli ahlehlayoβ - ukuxhumana kusuka kunethiwekhi yangaphakathi kuya esisetshenziswa sangaphandle noma iseva esiyilawulayo. Ngaphakathi emhubheni onjalo, sesingakwazi kakade ukusebenzisana nezisetshenziswa zangaphakathi Zamakhasimende.
Kunezinhlobo eziningana zale mihubhe yokubuya. Okudume kakhulu kubo, yiqiniso, i-Meterpreter. Imigudu ye-SSH enokudluliselwa kwembobo ehlehlayo nayo idingeka kakhulu phakathi koquqaba lwabaduni. Ziningi kakhulu izindlela zokwenza ukuhlehla kwe-tunnel futhi eziningi zazo zifundwe kahle futhi zichazwe.
Vele, ngokwengxenye yabo, abathuthukisi bezixazululo zokuphepha abami eceleni futhi babone izenzo ezinjalo ngenkuthalo.
Isibonelo, izikhathi ze-MSF zitholwa ngempumelelo yi-IPS yesimanje kusuka ku-Cisco noma i-Positive Tech, futhi umhubhe we-SSH ohlehlayo ungatholwa cishe nganoma iyiphi i-firewall evamile.
Ngakho-ke, ukuze sihlale singanakiwe emkhankasweni omuhle we-RedTeam, sidinga ukwakha umhubhe obuyela emuva sisebenzisa izindlela ezingajwayelekile futhi sizivumelanise ngokuseduze ngangokunokwenzeka nemodi yokusebenza yangempela yenethiwekhi.
Ake sizame ukuthola noma ukusungula into efanayo.
Ngaphambi kokusungula noma yini, sidinga ukuqonda ukuthi yimuphi umphumela esifuna ukuwufinyelela, yimiphi imisebenzi okufanele yenziwe ukuthuthukiswa kwethu. Zizoba yini izidingo zomhubhe ukuze sikwazi ukusebenza ngemodi eyimfihlo kakhulu?
Kuyacaca ukuthi esimweni ngasinye izidingo ezinjalo zingahluka kakhulu, kodwa ngokusekelwe ekuhlangenwe nakho komsebenzi, okuyinhloko kungabonakala:
- sebenza ku-Windows-7-10 OS. Njengoba amanethiwekhi amaningi ezinkampani asebenzisa iWindows;
- iklayenti lixhuma kuseva nge-SSL ukuze ligweme ukulalela okungenangqondo lisebenzisa i-ips;
- Lapho uxhuma, iklayenti kufanele lisekele umsebenzi ngeseva elibamba ngokugunyazwa, ngoba Ezinkampanini eziningi, ukufinyelela ku-inthanethi kwenzeka nge-proxy. Eqinisweni, umshini weklayenti kungenzeka ungazi lutho ngakho, futhi ummeleli usetshenziswa kwimodi esobala. Kodwa kufanele sinikeze ukusebenza okunjalo;
- ingxenye yeklayenti kufanele ibe mfushane futhi iphatheke;
Kuyacaca ukuthi ukuze usebenze ngaphakathi kwenethiwekhi yeKhasimende, ungafaka i-OpenVPN emshinini weklayenti futhi udale umhubhe ogcwele ngokugcwele kuseva yakho (ngenhlanhla, amaklayenti e-openvpn angasebenza ngommeleli). Kodwa, okokuqala, lokhu ngeke kusebenze njalo, njengoba singase singabi ngabaphathi bendawo, futhi okwesibili, kuzokwenza umsindo omkhulu kangangokuthi i-SIEM ehloniphekile noma i-HIPS "izosishutha" ngokushesha. Ngokufanelekile, iklayenti lethu kufanele kube lokho okubizwa ngokuthi umyalo ongaphakathi komugqa, njengesibonelo amagobolondo amaningi e-bash asetshenziswa, futhi aqaliswe ngomugqa womyalo, isibonelo, lapho ukhipha imiyalo evela egameni elithi macro. - Umhubhe wethu kufanele ube nemicu eminingi futhi usekele ukuxhumana okuningi ngesikhathi esisodwa;
- uxhumano lweklayenti-server kufanele kube uhlobo oluthile lokugunyazwa ukuze umhubhe usungulwe iklayenti lethu kuphela, hhayi wonke umuntu oza kuseva yethu ekhelini elishiwo kanye nechweba. Okufanelekile, ikhasi lokubikezela elinamakati noma izihloko ezichwepheshile ezihlobene nesizinda sokuqala kufanele livulelwe "abasebenzisi bezinkampani zangaphandle."
Isibonelo, uma iKhasimende liyinhlangano yezokwelapha, khona-ke kumqondisi wezokuphepha wolwazi onquma ukuhlola insiza isisebenzi sasemtholampilo esifinyelele kuyo, ikhasi elinemikhiqizo yemithi, i-Wikipedia enencazelo yokuxilongwa, noma ibhulogi kaDkt Komarovsky, njll. Kufanele uvule.
Ukuhlaziywa kwamathuluzi akhona
Ngaphambi kokuvuselela ibhayisikili lakho, udinga ukuhlaziya amabhayisikili akhona futhi uqonde ukuthi siyawadinga ngempela futhi, mhlawumbe, akuthina kuphela esiye sacabanga ngesidingo sebhayisikili elinjalo elisebenzayo.
I-Googling ku-inthanethi (kubonakala sengathi i-google ngokuvamile), kanye nokusesha ku-Github usebenzisa amagama angukhiye "amasokisi ahlehlayo" akunikanga imiphumela eminingi. Ngokuyisisekelo, konke kwehla ekwakheni imigudu ye-ssh enokudluliselwa kwembobo okubuyela emuva nakho konke okuxhumene nayo. Ngaphezu kwemigudu ye-SSH, kunezixazululo ezimbalwa:
Ukuqaliswa okunesikhathi eside komhubhe obuyela emuva ovela kubafana baseKaspersky Lab. Igama likwenza kucace ukuthi lesi script sihloselwe ini. Isetshenziswe ku-Python 2.7, umhubhe usebenza ngemodi yombhalo ocacile (njengoba kuyimfashini ukusho manje - sawubona RKN)
Okunye ukuqaliswa ku-Python, futhi kumbhalo ocacile, kodwa ngamathuba amaningi. Ibhalwe njengemojula futhi ine-API yokuhlanganisa isisombululo kumaphrojekthi akho.
Isixhumanisi sokuqala siyinguqulo yoqobo yokuqaliswa kwe-sox ehlanekezelwe ku-Golang (ayisekelwe unjiniyela).
Isixhumanisi sesibili yisibuyekezo sethu esinezici ezengeziwe, futhi ngesi-Golang. Enguqulweni yethu, sisebenzise i-SSL, sisebenzisa ummeleli ogunyazwe i-NTLM, ukugunyazwa kuklayenti, ikhasi lokufika uma kunephasiwedi engalungile (noma kunalokho, ukuqondisa kabusha ekhasini lokufika), imodi enezintambo eziningi (okungukuthi abantu abambalwa ingasebenza nomhubhe ngesikhathi esifanayo) , uhlelo lokuphonsela iklayenti ukuze linqume ukuthi liyaphila noma cha.
Ukusetshenziswa kwe-reverse sox evela "kubangane bethu baseShayina" ePython. Lapho, kumavila kanye "nokungafi", kukhona kanambambili esenziwe ngomumo (exe), eqoqwe amaShayina futhi elungele ukusetshenziswa. Lapha, uNkulunkulu wamaShayina kuphela owaziyo ukuthi yini enye lena kanambambili engase ibe nayo ngaphandle kokusebenza okuyinhloko, ngakho-ke sebenzisa ngokuzifaka engozini nangengozi yakho.
Iphrojekthi ethokozisayo ku-C++ yokusebenzisa i-reverse sox nokuningi. Ngokungeziwe emhubheni obuyela emuva, ingakwazi ukudlulisa imbobo, idale igobolondo lomyalo, njll.
I-MSF meterpreter
Lapha, njengoba besho, akukho ukuphawula. Bonke abagebengu abangafundile ngisho nangaphezulu bajwayelene kakhulu nale nto futhi bayaqonda ukuthi ingatholwa kalula kanjani ngamathuluzi okuvikela.
Wonke amathuluzi achazwe ngenhla asebenza esebenzisa ubuchwepheshe obufanayo: imojuli kanambambili esebenzisekayo elungiselelwe ngaphambilini yethulwa emshinini ongaphakathi kwenethiwekhi, esungula uxhumano neseva yangaphandle. Iseva isebenzisa iseva ye-SOCKS4/5 eyamukela ukuxhumana futhi ikudlulisele kuklayenti.
Ububi bawo wonke amathuluzi angenhla ukuthi i-Python noma i-Golang kufanele ifakwe emshinini weklayenti (ingabe uvame ukubona iPython ifakwe emishinini, isibonelo, yomqondisi wenkampani noma abasebenzi basehhovisi?), noma ehlanganiswe ngaphambili kanambambili (empeleni i-python) kufanele ihudulelwe kulo mshini kanye nesikripthi ebhodleleni elilodwa) bese uqhuba le kanambambili kakade lapho. Futhi ukulanda i-exe bese uyethula futhi kuyisignesha ye-antivirus yendawo noma i-HIPS.
Ngokuvamile, isiphetho siyaziphakamisa - sidinga isisombululo se-powershell. Manje utamatisi uzondiza kithi - bathi i-powershell isivele i-hackneyed, igadiwe, ivinjiwe, njll. njalo njalo. Eqinisweni, akukhona yonke indawo. Simemezela ngokuzibophezela. Ngendlela, kunezindlela eziningi zokudlula ukuvinjwa (lapha futhi kukhona isisho semfashini mayelana ne-sawubona RKN π), kusukela ekuqanjweni kabusha oyisiphukuphuku kwe-powershell.exe -> cmdd.exe futhi igcine ngokuthi powerdll, njll.
Ake siqale ukusungula
Kuyacaca ukuthi okokuqala sizobheka ku-Google futhi... ngeke sithole lutho ngalesi sihloko (uma othile esitholile, thumela izixhumanisi kumazwana). Kukhona kuphela Amasokisi5 ku-powershell, kodwa lena i-sox evamile "eqondile", enenqwaba yezinkinga zayo (sizokhuluma ngazo kamuva). Yebo, ungakwazi, ngokunyakazisa kancane isandla sakho, usiguqule sibe yi-reverse, kodwa lokhu kuzoba i-single-threaded sox, okungeyona into esiyidingayo kithi.
Ngakho-ke, asikatholi lutho oselulungile, ngakho-ke kusazodingeka sisungule kabusha isondo lethu. Sizothatha njengesisekelo sebhayisikili lethu i-reverse sox ku-Golang, futhi sisebenzisa iklayenti layo ku-powershell.
RSocksTun
Ngakho-ke i-rsockstun isebenza kanjani?
Ukusebenza kwe-RsocksTun (ngemuva kwalokhu ebizwa ngokuthi rs) kusekelwe ezingxenyeni ezimbili zesofthiwe - iseva ye-Yamux ne-Socks5. Iseva ye-Socks5 iyisokisi elivamile lasendaweni5, ligijima kuklayenti. Futhi ukuphindaphinda kokuxhuma kuyo (ukhumbula mayelana ne-multithreading?) kunikezwa kusetshenziswa i-yamux (). Lolu hlelo lukuvumela ukuthi uqalise amaseva amaklayenti ama-socks5 amaningana futhi usabalalise ukuxhumana kwangaphandle kuwo, uwathumele ngoxhumano olulodwa lwe-TCP (cishe njenge-meterpreter) ukusuka kuklayenti kuye kuseva, ngaleyo ndlela sisebenzisa imodi enemicu eminingi, ngaphandle kwalokho ngeke sivele ekwazi ukusebenza ngokugcwele kumanethiwekhi angaphakathi.
Ingqikithi yokuthi i-yamux isebenza kanjani ukuthi yethula isendlalelo senethiwekhi eyengeziwe yokusakaza, iyisebenzise ngendlela yesihloko esingamabhayithi angu-12 ephaketheni ngalinye. (Lapha sisebenzisa ngamabomu igama elithi βukusakazwaβ esikhundleni somucu, ukuze singaphambanisi umfundi ngohlelo βuchungechungeβ lohlelo - sizosebenzisa lo mqondo kulesi sihloko). Unhlokweni we-yamux uqukethe inombolo yokusakaza, amafulegi okufakwa/okuqeda ukusakaza, inani lamabhayithi adlulisiwe, kanye nosayizi wewindi lokudlulisa.
Ngaphezu kokufaka/ukumisa umfudlana, i-yamux isebenzisa indlela yokugcina yokuphila ekuvumela ukuthi uqaphe ukusebenza kwesiteshi sokuxhumana esimisiwe. Ukusebenza komshini we-keeplive umyalezo kuyalungiswa lapho kwakhiwa iseshini ye-Yamux. Empeleni, kuzilungiselelo kukhona amapharamitha amabili kuphela: vumela/khubaza kanye nemvamisa yokuthumela amaphakethe ngemizuzwana. Imilayezo ye-Keepalive ingathunyelwa iseva ye-yamux noma iklayenti le-yamux. Lapho ithola umlayezo wokugcina, iqembu elikude kufanele liwuphendule ngokuthumela isihlonzi somlayezo esifanayo ncamashi (eqinisweni inombolo) esiyitholile. Ngokuvamile, i-keepalive i-ping efanayo, ye-yamux kuphela.
Yonke inqubo yokusebenza ye-multiplexer: izinhlobo zephakethe, ukusethwa koxhumano namafulegi okunqanyulwa, kanye nendlela yokudlulisa idatha kuchazwe ngokuningiliziwe ku- kwe yamx.
Isiphetho sengxenye yokuqala
Ngakho-ke, engxenyeni yokuqala ye-athikili, sajwayelana namathuluzi athile wokuhlela imigudu ehlehlayo, sabheka izinzuzo nezinkinga zabo, safunda indlela yokusebenza kwe-multiplexer ye-Yamux futhi sachaza izidingo eziyisisekelo zemojula ye-powershell esanda kwakhiwa. Engxenyeni elandelayo sizothuthukisa imojuli ngokwayo, cishe kusukela ekuqaleni. Kuzoqhutshwa. Ungashintshi :)
Source: www.habr.com