Sibhala njalo ngokuthi abaduni bavame ukuthembela kanjani ekuxhashazweni ukugwema ukutholwa. Bona ngokoqobo , kusetshenziswa amathuluzi e-Windows ajwayelekile, ngaleyo ndlela yeqa ama-antivirus nezinye izinsiza zokuthola umsebenzi onobungozi. Thina, njengabavikeli, manje siphoqeleka ukuthi sibhekane nemiphumela engemihle yalezi zindlela zokugebenga ezihlakaniphile: isisebenzi esibekwe kahle singasebenzisa indlela efanayo ukuze sintshontshe idatha ngomshoshaphansi (impahla yenkampani yobuhlakani, izinombolo zekhadi lesikweletu). Futhi uma engajahi, kodwa esebenza kancane futhi ethule, kuzoba nzima kakhulu - kodwa kusengenzeka uma esebenzisa indlela efanele futhi efanele. , — ukuhlonza umsebenzi onjalo.
Ngakolunye uhlangothi, angifuni ukwenza amademoni abasebenzi ngoba akekho ofuna ukusebenza endaweni yebhizinisi kusukela ngo-1984 ka-Orwell. Ngenhlanhla, kunezinyathelo ezimbalwa ezisebenzayo nama-hacks wempilo angenza impilo ibe nzima kakhulu kwabangaphakathi. Sizocabangela izindlela zokuhlasela ezicashile, esetshenziswa abaduni ngabasebenzi abanesizinda esithile sobuchwepheshe. Futhi ngokuqhubekayo sizoxoxa ngezinketho zokunciphisa izingozi ezinjalo - sizofunda kokubili izinketho zobuchwepheshe kanye nenhlangano.
Yini engalungile nge-PsExec?
U-Edward Snowden, ngokufanelekile noma ngokungalungile, usefana nokwebiwa kwedatha yangaphakathi. Ngendlela, ungakhohlwa ukubheka mayelana nabanye abangaphakathi nabo abafanelwe isikhundla esithile sodumo. Iphuzu elilodwa elibalulekile okufanele ligcizelelwe mayelana nezindlela ezisetshenziswa ngu-Snowden ukuthi, ngokwazi kwethu, yena ayizange ifake ayikho isofthiwe yangaphandle enonya!
Esikhundleni salokho, u-Snowden wasebenzisa kancane ubunjiniyela bezenhlalo futhi wasebenzisa isikhundla sakhe njengomphathi wesistimu ukuqoqa amagama ayimfihlo futhi adale imininingwane. Akukho okuyinkimbinkimbi - akukho , ukuhlasela noma .
Izisebenzi zenhlangano azihlali zisesimweni esiyingqayizivele sika-Snowden, kodwa kunenqwaba yezifundo okufanele zifundwe emcabangweni "wokuphila ngokuklaba" okufanele wazi - ukungazibandakanyi kunoma yimuphi umsebenzi omubi ongabonwa, futhi ikakhulukazi. qaphela ngokusetshenziswa kwemininingwane. Khumbula lomcabango.
nomzala wakhe bahlabe umxhwele inqwaba yamapentester, abaduni, kanye nama-blogger okuphepha ku-inthanethi. Futhi uma kuhlanganiswe ne-mimikatz, i-psexec ivumela abahlaseli ukuthi bahambe ngaphakathi kwenethiwekhi ngaphandle kokudinga ukwazi igama eliyimfihlo eliyimfihlo.
I-Mimikatz ibamba i-NTLM hashi kusukela kunqubo ye-LSASS bese idlulisa ithokheni noma izifakazelo - okuthiwa. "dlulisa i-hashi" ukuhlasela - ku-psexec, okuvumela umhlaseli ukuthi angene kwenye iseva njenge womunye umsebenzisi. Futhi ngokuhambisa ngakunye okulandelayo kuseva entsha, umhlaseli uqoqa imininingwane eyengeziwe, enweba ububanzi bamakhono ayo ekufuneni okuqukethwe okutholakalayo.
Lapho ngiqala ukusebenza ne-psexec kwakubonakala kuwumlingo kimi - ngiyabonga , umthuthukisi okhaliphile we-psexec - kodwa futhi ngiyazi ngeyakhe enomsindo izingxenye. Akalokothi afihle!
Iqiniso lokuqala elithokozisayo nge-psexec ukuthi isebenzisa inkimbinkimbi ngokwedlulele Iphrothokholi yefayela lenethiwekhi ye-SMB kusuka kuMicrosoft. Ngokusebenzisa i-SMB, i-psexec idlulisela kancane kanambambili amafayela ohlelweni oluqondiwe, ewabeka kufolda C:Windows.
Okulandelayo, i-psexec idala isevisi ye-Windows isebenzisa kanambambili ekopishiwe futhi iyisebenzise ngaphansi kwegama "elingalindelekile" kakhulu elithi PSEXECSVC. Ngesikhathi esifanayo, ungakwazi ngempela ukubona konke lokhu, njengoba ngenzile, ngokubuka umshini oqhelile (bheka ngezansi).
Ikhadi lokushaya le-Psexec: "PSEXECSVC" isevisi. Isebenzisa ifayela kanambambili elabekwa nge-SMB kufolda ethi C:Windows.
Njengesinyathelo sokugcina, ifayela kanambambili elikopishiwe liyavuleka Ukuxhumeka kwe-RPC kuseva eqondiwe bese yamukela imiyalo yokulawula (ngegobolondo le-Windows cmd ngokuzenzakalelayo), iyethule futhi iqondise kabusha okokufaka nokuphumayo emshinini wasekhaya womhlaseli. Kulesi simo, umhlaseli ubona umugqa womyalo oyisisekelo - kufana nokuthi uxhumeke ngokuqondile.
Izingxenye eziningi kanye nenqubo enomsindo kakhulu!
Abangaphakathi abayinkimbinkimbi be-psexec bachaza umlayezo owangidida phakathi novivinyo lwami lokuqala eminyakeni embalwa edlule: “Ukuqala i-PSEXECSVC...” kulandelwa isikhashana ngaphambi kokuthi kuvele umyalo.
I-Psexec ka-Impacket empeleni ibonisa ukuthi kwenzekani ngaphansi kwe-hood.
Akumangazi: i-psexec yenza umsebenzi omningi ngaphansi kwe-hood. Uma unentshisekelo encazelweni enemininingwane eyengeziwe, bheka lapha incazelo emangalisayo.
Ngokusobala, lapho isetshenziswa njengethuluzi lokuphatha uhlelo, okwakukhona inhloso yokuqala psexec, akukho lutho olungalungile “ngokubhuza” kwazo zonke lezi zindlela zeWindows. Kumhlaseli, nokho, i-psexec ingadala izinkinga, futhi kumuntu wangaphakathi oqaphile nonobuqili njengo-Snowden, i-psexec noma insiza efanayo ingaba yingozi enkulu kakhulu.
Bese kuza uSmbexec
I-SMB iyindlela ehlakaniphile neyimfihlo yokudlulisa amafayela phakathi kwamaseva, futhi abaduni bebelokhu bengena nge-SMB ngokuqondile amakhulu eminyaka. Ngicabanga ukuthi wonke umuntu uyazi ukuthi akufanelekile Izimbobo ze-SMB 445 kanye ne-139 ku-inthanethi, akunjalo?
Ku-Defcon 2013, u-Eric Millman () kwethulwe , ukuze ama-pentesters azame ukugebenga okuyimfihlo kwe-SMB. Angazi yonke indaba, kodwa ke Impacket eminye elicwengisiswe smbexec. Eqinisweni, ekuhlolweni kwami, ngilande imibhalo ku-Impacket kuPython kusuka .
Ngokungafani ne-psexec, smbexec uyagwema ukudlulisa ifayela kanambambili okungenzeka litholakale emshinini oqondiwe. Esikhundleni salokho, insiza iphila ngokuphelele kusukela emadlelweni kuze kube sekuqalisweni wendawo Umugqa womyalo weWindows.
Nakhu ekwenzayo: idlulisa umyalo osuka emshinini ohlaselayo nge-SMB iye efayeleni elikhethekile lokufaka, bese idala futhi isebenzise umugqa womyalo oyinkimbinkimbi (njengesevisi yeWindows) ozobonakala ujwayelekile kubasebenzisi beLinux. Ngamafuphi: yethula igobolondo le-Windows cmd, iqondise kabusha okukhiphayo kwelinye ifayela, bese ithumela nge-SMB emuva emshinini womhlaseli.
Indlela engcono kakhulu yokuqonda lokhu ukubuka umugqa womyalo, engikwazile ukuwuthola kulogi lomcimbi (bheka ngezansi).
Ingabe lena akuyona indlela enhle kakhulu yokuqondisa kabusha i-I/O? Phela, ukudalwa kwesevisi kunomcimbi we-ID 7045.
Njenge-psexec, iphinda idale isevisi eyenza wonke umsebenzi, kodwa isevisi ngemva kwalokho kususiwe - isetshenziswa kanye kuphela ukusebenzisa umyalo bese iyanyamalala! Unogada wolwazi oqaphe umshini wezisulu ngeke akwazi ukubona sobala Izinkomba zokuhlasela: Alikho ifayela elinonya elethulwayo, ayikho isevisi eqhubekayo efakiwe, futhi abukho ubufakazi bokuthi i-RPC iyasetshenziswa njengoba i-SMB kuwukuphela kwendlela yokudlulisa idatha. Kuyakhanya!
Kusukela ohlangothini lomhlaseli, i-"pseudo-shell" iyatholakala ngokubambezeleka phakathi kokuthumela umyalo nokuthola impendulo. Kodwa lokhu kwanele kumhlaseli - kungaba umuntu wangaphakathi noma isigebengu sangaphandle esesivele sinendawo - aqale ukufuna okuqukethwe okuthakazelisayo.
Ukukhipha idatha emuva isuka emshinini oqondiwe iye emshinini womhlaseli, iyasetshenziswa . Yebo, yiSamba efanayo , kodwa iguqulelwe kuphela kumbhalo wePython yi-Impacket. Eqinisweni, i-smbclient ikuvumela ukuthi uphathe ngokuyimfihlo ukudluliselwa kwe-FTP nge-SMB.
Ake sibuyele emuva sicabange ukuthi lokhu kungamenzelani umsebenzi. Esimeni sami esiqanjiwe, ake sithi i-blogger, umhlaziyi wezezimali noma umeluleki wezokuphepha okhokhelwa kakhulu uvunyelwe ukusebenzisa ikhompuyutha ephathekayo yomuntu siqu emsebenzini. Ngenxa yenqubo ethile yemilingo, uyayicasukela inkampani futhi “ihamba kabi.” Ngokuya ngohlelo olusebenzayo lwekhompuyutha ephathekayo, isebenzisa inguqulo ye-Python evela ku-Impact, noma inguqulo ye-Windows ye-smbexec noma i-smbclient njengefayela le-.exe.
Njengo-Snowden, uthola igama-mfihlo lomunye umsebenzisi ngokubheka ehlombe lakhe, noma uba nenhlanhla azitholele ifayela lombhalo elinephasiwedi. Futhi ngosizo lwalezi ziqinisekiso, uqala ukumba ezungeze uhlelo ezingeni elisha lamalungelo.
I-DCC yokugebenga: Asiyidingi i-Mimikatz "eyisiphukuphuku".
Ekubhaleni kwami okudlule kokungena ngemvume, ngangisebenzisa i-mimikatz kaningi. Leli ithuluzi elihle lokuthola imininingwane - i-NTLM hashes kanye namagama ayimfihlo ayimfihlo afihliwe ngaphakathi kwamakhompyutha aphathekayo, alinde ukusetshenziswa.
Izikhathi zishintshile. Amathuluzi okuqapha abe ngcono ekutholeni nasekuvimbeni i-mimikatz. Abaphathi bezokuphepha bolwazi nabo manje banezinketho eziningi zokunciphisa izingozi ezihlobene nokuhlasela kwe-hash (PtH).
Ngakho-ke yini umsebenzi ohlakaniphile okufanele ayenze ukuze aqoqe imininingwane eyengeziwe ngaphandle kokusebenzisa i-mimikatz?
Ikhithi ye-Impacket ihlanganisa insiza ebizwa ngokuthi , ebuyisela izifakazelo kunqolobane yokuqinisekisa yesizinda, noma i-DCC ngamafuphi. Ukuqonda kwami ukuthi uma umsebenzisi wesizinda engena kuseva kodwa isilawuli sesizinda singatholakali, i-DCC ivumela iseva ukuthi iqinisekise umsebenzisi. Noma kunjalo, i-secretdump ikuvumela ukuthi ulahle wonke lawa ma hashi uma etholakala.
DCC hashes kukhona hhayi i-NTML hashes kanye nabo ayikwazi ukusetshenziselwa ukuhlasela kwe-PtH.
Awu, ungazama Hack kubo ukuze uthole iphasiwedi yasekuqaleni. Kodwa-ke, iMicrosoft isihlakaniphe ngokwengeziwe nge-DCC futhi ama-DCC hashes abe nzima kakhulu ukuwaqhekeza. Yebo, nginayo , "isiqageli sephasiwedi esishesha kakhulu emhlabeni," kodwa sidinga i-GPU ukuze sisebenze ngempumelelo.
Kunalokho, ake sizame ukucabanga njengo-Snowden. Isisebenzi singakwazi ukwenza ubunjiniyela bezenhlalo ubuso nobuso futhi mhlawumbe sithole ulwazi oluthile mayelana nomuntu ofuna ukudalula igama-mfihlo lakhe. Isibonelo, thola ukuthi ingabe i-akhawunti yomuntu eku-inthanethi yake yagetshengwa futhi uhlole iphasiwedi yakhe yombhalo ocacile ukuze uthole noma yiziphi izinkomba.
Futhi lesi yisimo enganquma ukuhamba naso. Ake sicabange ukuthi umuntu wangaphakathi uthole ukuthi umphathi wakhe, u-Cruella, wayegetshengiwe izikhathi ezimbalwa ezinsizeni ezihlukene zewebhu. Ngemva kokuhlaziya amaningana alawa maphasiwedi, uyaqaphela ukuthi u-Cruella ukhetha ukusebenzisa ifomethi yegama leqembu le-baseball elithi "Yankees" elilandelwa unyaka wamanje - "Yankees2015".
Uma manje uzama ukukhiqiza kabusha lokhu ekhaya, ungalanda u-"C" omncane. , esebenzisa i-DCC hashing algorithm, futhi iyihlanganise. , ngendlela, ukwesekwa okwengeziwe kwe-DCC, ngakho-ke ingasetshenziswa. Ake sicabange ukuthi umuntu wangaphakathi akafuni ukuzihlupha ngokufunda uJohn the Ripper futhi uthanda ukusebenzisa okuthi "gcc" kukhodi C yefa.
Ngithatha indima yomuntu ongaphakathi, ngizame inhlanganisela eminingana futhi ekugcineni ngakwazi ukuthola ukuthi igama-mfihlo lika-Cruella lalithi "Yankees2019" (bona ngezansi). Umgomo Uqediwe!
Ubunjiniyela bomphakathi obuncane, inhlanhla yokubikezela kanye nengcosana ye-Maltego futhi usendleleni eya ekuqedeni i-DCC hash.
Ngiphakamisa ukuthi sigcine lapha. Sizobuyela kulesi sihloko kokunye okuthunyelwe futhi sibheke izindlela zokuhlasela ezihamba kancane futhi ezicashile, siqhubeka nokwakhela phezu kwesethi yezinsiza ezinhle kakhulu ze-Impacket.
Source: www.habr.com