In Search of Unseen Attacks (まだ見ぬ攻撃を求めて)


7th Honeypotter Technical Exchange Meeting (ハニーポッター技術交流会), January 25, 2020
@morihi_soc #hanipo_tech
https://hanipo-tech.connpass.com/event/160302/


Kazuaki Morihisa

January 25, 2020

Transcript

  1. Slide 2: whoami
     - Kazuaki Morihisa (森久和昭), @morihi_soc, CISSP, SSCP
     - Day job: network security engineer / analyst
     - Hobby: a "honeypotter" who runs honeypots
     - Blog: https://www.morihi-soc.net (the separators were lost in extraction; reconstructed from the handle)
     - Organizer of the Honeypotter Technical Exchange Meeting, https://hanipo-tech.connpass.com
     - Events I have been involved with (partial list): ITKeys (now SecCap), Network Packet Reading Group (tentative), NISC Cyber Halloween, Internet Week, Hardening, ssmjp, AISec, StudyCode, tktk Security Study Group, So-Kansai Cyber Security LT Contest, OWASP Nagoya, IoTSecJP, Sumida Security Study Group, Cyber Security Study Group in Shiojiri
     - Books and technical zines I have written (covers shown on the slide)
  2. Slide 3: Agenda
     - Honeypotter motivation
     - How many honeypots are you running?
     - Exploit Treasure Hunt
     - Why do the logs keep growing?
     - An idea: Full HTTP Request Hash
     - Obvious questions and room for improvement
     - Summary
  3. Slide 5: How many honeypots are you running?
     - WOWHoneypot: a low-interaction, server-side honeypot specialised in Web
     - The main honeypot in my personal activity
     - It runs on few resources, so as far as my wallet allows I rent servers and run several instances
     - At one point up to [n] instances were running at the same time
     - [n] months x [n] USD x [n] instances... (the numbers were lost in extraction)
     - https://github.com/morihisa/WOWHoneypot
  4. Slide 7: Aside: customising WOWHoneypot for Citrix
     - Create a file named citrix.txt in the art directory with the content below (see the smb.conf reference *1).
     - Add the rule below to mrrules.xml in the art directory (adjust mrrid as appropriate).

     art/citrix.txt:

         [global]
         encrypt passwords = yes
         name resolve order = lmhosts bcast host

     Rule added to art/mrrules.xml:

         <mrr>
           <meta>
             <mrrid>1045</mrrid>
             <enable>True</enable>
             <note>Citrix exploit(CVE-2019-19781)</note>
           </meta>
           <trigger>
             <uri>pns/cfg/smb.conf</uri>
           </trigger>
           <response>
             <status>200</status>
             <body filename="citrix.txt"></body>
           </response>
         </mrr>

     *1 http://www.samba.gr.jp/project/translation/4.5/htmldocs/manpages/smb.conf.5.html
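As an added example (not WOWHoneypot's own code; the slides do not show how the honeypot evaluates mrrules.xml), here is a small Python matcher that loads the rule above and returns the status and body that a request for that URI would receive. It assumes that a rule fires when its `<uri>` text is a substring of the request path, and it stands in the content of art/citrix.txt with an inline string; `load_rules` and `respond` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# The rule from the slide, wrapped in a root element so that a file holding
# several <mrr> entries parses the same way.
MRR_RULES_XML = """<mrrs>
<mrr>
  <meta>
    <mrrid>1045</mrrid>
    <enable>True</enable>
    <note>Citrix exploit(CVE-2019-19781)</note>
  </meta>
  <trigger>
    <uri>pns/cfg/smb.conf</uri>
  </trigger>
  <response>
    <status>200</status>
    <body filename="citrix.txt"></body>
  </response>
</mrr>
</mrrs>"""

# Stand-in for the art/ directory: the citrix.txt content shown on the slide.
ART_FILES = {
    "citrix.txt": "[global]\n"
                  "encrypt passwords = yes\n"
                  "name resolve order = lmhosts bcast host\n",
}


def load_rules(xml_text):
    """Parse the enabled <mrr> rules into plain dicts (hypothetical helper)."""
    rules = []
    for mrr in ET.fromstring(xml_text).findall("mrr"):
        if (mrr.findtext("meta/enable") or "").strip() != "True":
            continue
        body = mrr.find("response/body")
        rules.append({
            "mrrid": int(mrr.findtext("meta/mrrid")),
            "note": mrr.findtext("meta/note") or "",
            "uri": mrr.findtext("trigger/uri") or "",
            "status": int(mrr.findtext("response/status") or 200),
            "body_file": body.get("filename") if body is not None else None,
        })
    return rules


def respond(rules, request_uri, art=ART_FILES):
    """Return (status, body, mrrid) for a request path.

    Assumption: a rule fires when its <uri> text occurs anywhere in the
    request URI. Without a match we fall back to an empty 200 and mrrid None;
    the honeypot's real default response is not described on the slides.
    """
    for rule in rules:
        if rule["uri"] and rule["uri"] in request_uri:
            return rule["status"], art.get(rule["body_file"], ""), rule["mrrid"]
    return 200, "", None


if __name__ == "__main__":
    rules = load_rules(MRR_RULES_XML)
    for path in ("/vpns/cfg/smb.conf", "/index.html"):
        status, body, mrrid = respond(rules, path)
        print(f"{path} -> {status} (rule {mrrid}) {body.splitlines()[:1]}")
```

Returning the mrrid alongside the response is what makes the rule useful for monitoring: counting how often rule 1045 fires per day tells you how much CVE-2019-19781 scanning reaches the honeypot, independently of the raw log volume discussed later in the talk.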
  5. Slide 8: Aside: customising WOWHoneypot for Citrix
     - Check the result with a CVE-2019-19781 scanner
     - Before adding the rule: judged "not a Citrix server (not vulnerable)"
     - After adding the rule: judged "a vulnerable Citrix server"
  6. Slide 9: Honeypot operating record for the year (the year digits were lost in extraction)
     - WOWHoneypot logs
     - Log volume per month
     - There is quite a lot of variation
     (Chart: monthly log volume in MB or GB; the figures did not survive extraction)
  7. Slide 11: The downside of running several honeypots
     - Attackers that scan public servers leave the same attack in the logs of several honeypots
     - What I want to analyse is only the logs of attacker 1 and attacker 2, one each
     (Diagram: attacker 1 and attacker 2 each hit honeypot 1, honeypot 2 and honeypot 3, leaving 6 logs in total)
  8. Slide 12: Reducing log volume (duplicates)
     - Remove duplicates using some criterion:
       - URI
       - attacker IP address
       - wget/curl download URL in the payload
       - IDS alerts
       - others
     - No need to settle on just one (use them in combination)
  9. Slide 13: The idea
     - Hash the HTTP request, but strip the value of the Host header (reason later)
     - Build a database of hash values
     - Treat an attack whose hash is not in the database as a new attack
     → Multiple communications from the same attacker could then be looked at just once
  10. Slide 15: Handling the Host header
      - In HTTP/1.1 the Host header is mandatory (per the RFC; the number was lost in extraction)
      - A hash has the property that if the original message differs by even one byte, the resulting hash differs too
      - If the honeypot's global IP address or domain name changes the hash, the same attack traffic ends up with different hashes
      → Only the value of the Host header needs to be removed
  11. Slide 16: Tried it on the year's logs
      (Table: month, original data, FHRH, reduction rate; unit: lines. Only the column headers survived extraction.)
  12. Slide 17: Processing time
      - Test environment: iMac, [n] GHz quad-core Intel Core i[n], [n] GB [n] MHz DDR memory, SSD (digits lost in extraction)
      - Program: Python
      - Measured with the time command
      - About a minute at most

      Jan: ./fhrh.py 5.32s user 0.21s system 97% cpu 5.675 total
      Feb: ./fhrh.py 62.29s user 1.39s system 98% cpu 1:04.59 total
      Mar: ./fhrh.py 22.76s user 1.01s system 98% cpu 24.101 total
      Apr: ./fhrh.py 17.83s user 0.84s system 97% cpu 19.100 total
      May: ./fhrh.py 10.17s user 0.60s system 97% cpu 11.018 total
      Jun: ./fhrh.py 8.22s user 0.42s system 98% cpu 8.803 total
      Jul: ./fhrh.py 10.09s user 0.47s system 98% cpu 10.739 total
      Aug: ./fhrh.py 7.01s user 0.37s system 98% cpu 7.516 total
      Sep: ./fhrh.py 5.66s user 0.33s system 98% cpu 6.097 total
      Oct: ./fhrh.py 5.25s user 0.35s system 98% cpu 5.713 total
      Nov: ./fhrh.py 12.61s user 0.62s system 98% cpu 13.424 total
      Dec: ./fhrh.py 6.36s user 0.39s system 97% cpu 6.893 total
  13. Slide 21: Combining with FHRH
      - Filter out what you have decided not to analyse
      - Examples:
        - Tired of seeing Tomcat brute force → filter "manager/html"
        - Crawling is not analysed → filter "robots.txt"
        - Command execution by the Neutrino bot needs no analysis → filter requests containing "die(@md5(" (the parentheses and digit were lost in extraction and are reconstructed)
      - Finding Neutrino: https://blog.ptsecurity.com/2019/08/finding-neutrino.html
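The FHRH idea from slides 13 and 15 (hash the request with the Host header removed, keep a database of hashes, treat an unseen hash as a new attack) combined with the prefilters from slide 21, as an added Python example. This is not the speaker's fhrh.py: the sample requests are constructed inline, SHA-256 is an assumption because the slides do not name the hash function, the Neutrino filter string is reconstructed as `die(@md5(`, and `strip_host`, `fhrh` and `triage` are hypothetical names.

```python
import hashlib

# Constructed sample requests in raw form, as a Web honeypot would log them
# (not real captures).
SAMPLE_REQUESTS = [
    # The same scanner probing honeypot 1 and honeypot 2: only Host differs.
    "GET /vpns/cfg/smb.conf HTTP/1.1\r\nHost: 198.51.100.10\r\n"
    "User-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n",
    "GET /vpns/cfg/smb.conf HTTP/1.1\r\nHost: honeypot-2.example.net\r\n"
    "User-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n",
    # Tomcat manager brute force and a crawler: dropped by the prefilter.
    "GET /manager/html HTTP/1.1\r\nHost: 198.51.100.10\r\nAccept: */*\r\n\r\n",
    "GET /robots.txt HTTP/1.1\r\nHost: 198.51.100.10\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    # A request seen for the first time: survives as "new".
    "POST /cgi-bin/test HTTP/1.1\r\nHost: 198.51.100.10\r\n"
    "Content-Length: 6\r\n\r\nx=1234",
]

# Substrings from slide 21. The Neutrino string is reconstructed as die(@md5(
# because characters were lost in extraction (assumption).
FILTERS = ("manager/html", "robots.txt", "die(@md5(")


def strip_host(raw):
    """Remove the Host header line, leaving everything else byte-for-byte."""
    head, sep, body = raw.partition("\r\n\r\n")
    kept = [line for line in head.split("\r\n")
            if not line.lower().startswith("host:")]
    return "\r\n".join(kept) + sep + body


def fhrh(raw):
    """Full HTTP Request Hash over the request minus its Host header.

    SHA-256 is an assumption; any collision-resistant hash works the same way.
    """
    data = strip_host(raw).encode("utf-8", "surrogateescape")
    return hashlib.sha256(data).hexdigest()


def is_filtered(raw):
    """Prefilter: true when the request matches something we chose not to analyse."""
    return any(pattern in raw for pattern in FILTERS)


def triage(requests, seen=None):
    """Apply the prefilter, then keep one representative per unseen hash.

    `seen` is the hash database carried over from earlier runs; it is updated
    in place, so a request that recurs tomorrow is reported as a duplicate.
    """
    seen = set() if seen is None else seen
    result = {"new": [], "filtered": 0, "duplicates": 0}
    for raw in requests:
        if is_filtered(raw):
            result["filtered"] += 1
            continue
        digest = fhrh(raw)
        if digest in seen:
            result["duplicates"] += 1
            continue
        seen.add(digest)
        result["new"].append(raw)
    return result


if __name__ == "__main__":
    db = set()
    summary = triage(SAMPLE_REQUESTS, db)
    print(f"new={len(summary['new'])} filtered={summary['filtered']} "
          f"duplicates={summary['duplicates']}")
    for raw in summary["new"]:
        print(" ", raw.split("\r\n", 1)[0], fhrh(raw)[:16])
```

Two design points follow from the slides. The prefilter runs before hashing, so Tomcat brute force and crawler noise never enter the hash database and cannot crowd out real variation. And `strip_host` is the single normalisation step: any other field that legitimately varies between honeypots or between runs (a timestamp, a nonce inside a payload, a Content-Length that changes with it) would split the same attack into several hashes exactly as the Host header does, so that function is where further normalisation belongs when the reduction rate looks lower than expected.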