2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article shows how to use Sumap network mapping to detect and analyze remote-control (C2) infrastructure. The content is concise and easy to follow, and I hope the detailed introduction below gives you something useful.
0x00 Threat Analysis from the Perspective of Network Surveying and Mapping
In the increasingly fierce network confrontation, as penetration techniques evolve, remote-control (C2) frameworks have developed to meet those needs, and there are many of them, such as Cobalt Strike, Metasploit Framework, Empire, PoshC2, Pupy and so on.
Among the common C2 frameworks, Cobalt Strike is a well-known penetration testing tool that is powerful and extensible: from payload generation, decoy bundling and phishing attacks to persistent control and the post-exploitation phase after a payload has been successfully implanted, it covers almost every stage of the attack chain. It supports a variety of callback methods, and its rich configuration options can achieve very good concealment. The CS teamserver lets many CS clients connect to it for team collaboration. Metasploit Framework provides a large number of exploits. Both frameworks are powerful and easy to use, so they are essential weapons for most red teamers.
As the infrastructure of red teams worldwide, C2 servers have long been deployed in every corner of the world, so detecting C2 servers has become a problem. Traditional traffic rules can only identify a small range of C2 facilities, which has its limitations. For network-wide asset identification, would scanning for and identifying C2 through network mapping be more comprehensive?
0x01 cyberspace surveying and mapping
Today, with the rapid development of the Internet, most traditional network security is oriented to local security and does not consider security across the whole network environment, which is why network-wide attacks have become frequent in recent years and security problems in hundreds of millions of Internet of Things devices have been exposed on a large scale. Network-wide attacks include traditional ones such as web attacks, buffer overflow attacks and database attacks, while attacks on new types of Internet of Things and industrial control devices are becoming more and more frequent. Sumap cyberspace mapping provides rapid asset detection, asset monitoring and asset vulnerability management, forming an overall security solution based on global cyberspace asset security.
0x02 Concrete Analysis
Metasploit
1. A brief introduction to the Metasploit Framework
In daily penetration testing, Metasploit is a commonly used vulnerability exploitation tool. It ships the latest public exploits and post-exploitation modules, integrates the common vulnerabilities of each platform, has shellcode for a variety of operating systems, and can maintain access to the target as a C2. Meterpreter is an extension module of the Metasploit Framework that is used as the attack payload after a successful exploit: once the exploit succeeds, the payload returns a control channel through which we obtain a meterpreter shell on the target system. As a post-exploitation module, the meterpreter shell has many useful functions, such as adding a user, hiding things, opening a shell, obtaining user passwords, uploading and downloading files on the remote host, running cmd.exe, capturing the screen, taking remote control, capturing keystrokes, clearing applications, displaying the remote host's system information, displaying the remote machine's network interfaces and IP addresses, and so on.
2. msf feature analysis
Start with the analysis of msf's reverse_http handler, in metasploit-framework/lib/msf/core/handler/reverse_http.rb around line 83:

```ruby
OptString.new('HttpUnknownRequestResponse',
  [
    false,
    'The returned HTML response body when the handler receives a request that is not from a payload',
    '<html><body><h1>It works!</h1></body></html>'   # default: a copy of the Apache default index page
  ])
```
Through the analysis of the features, it is found that the initial page of apache is imitated.
https://raw.githubusercontent.com/apache/httpd/5f32ea94af5f1e7ea68d6fca58f0ac2478cc18c5/docs/docroot/index.html
However, in an actual test, the response for the apache initial page is:
< HTTP/1.1 200 OK
< Connection: keep-alive
< Content-Length: 45

while msf's apache page is:

< HTTP/1.1 200 OK
< Connection: keep-alive
< Content-Length: 44

Comparing the two, the Content-Length is not the same: the original apache page is one byte longer, a trailing \n.

On the sumap platform you can search directly for tags:"MSF http"

Global distribution: as of publication, 682 msf reverse_http(s) hosts were detected across the whole network. Sumap also supports querying reverse_tcp connections.

Search directly for tags:"Metasploit Rex httpd" and 8,048 hosts are detected across the whole network.

Cobalt Strike
1. Cobalt Strike Payload Staging
In the Cobalt Strike attack framework, the payload is the content that carries out the attack, and it is split into the payload stage and the payload stager. The stager is a small program, usually hand-optimized assembly instructions, that downloads the stage and injects it into memory to run. The stage is the code block containing many functions; it receives and executes the tasks from our controller and returns the results. The stager downloads the stage by various means (such as http, dns, tcp and so on) and injects it into memory; this process is called Payload Staging. Cobalt Strike also provides the traditional method: package a complete exe or dll, upload and run it, and it calls back to the teamserver. This is Payload Stageless, and a Stageless client can be generated under Attack -> Packages -> Windows Executable (S).
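Going back to the msf reverse_http fingerprint above, here is an added example (my code, not the article's and not Metasploit's) that turns the observation into a check a scanner or log pipeline can run: parse a captured HTTP response, verify the body length matches Content-Length, and compare the body against Apache's default index.html (45 bytes, taken from the apache repo URL the article cites) and the newline-less 44-byte copy the handler serves. The sample responses are constructed to match the shape the article captured.

```python
"""Fingerprint the page a Metasploit reverse_http(s) handler returns for non-payload requests.

Added example, not code from the article or from Metasploit. It encodes the article's
observation: the handler's HttpUnknownRequestResponse copies Apache's default index.html
but is one byte shorter (Content-Length 44 vs 45) because the real Apache file ends in "\n".
"""

# Body of Apache's default docroot/index.html (45 bytes) and the newline-less copy (44 bytes).
APACHE_DEFAULT_BODY = b"<html><body><h1>It works!</h1></body></html>\n"
MSF_DEFAULT_BODY = APACHE_DEFAULT_BODY.rstrip(b"\n")


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii", "replace").lower()] = value.strip().decode("ascii", "replace")
    return status, headers, body


def classify_default_page(raw: bytes) -> str:
    """Return 'apache-default', 'msf-reverse_http' or 'other' for one captured response."""
    status, headers, body = parse_http_response(raw)
    if not status.startswith("HTTP/1.") or " 200" not in status:
        return "other"
    try:
        declared = int(headers.get("content-length", ""))
    except ValueError:
        return "other"
    if declared != len(body):
        return "other"   # truncated or chunked capture: do not guess from a partial body
    if body == APACHE_DEFAULT_BODY:
        return "apache-default"
    if body == MSF_DEFAULT_BODY:
        return "msf-reverse_http"
    return "other"


def build_response(body: bytes) -> bytes:
    """Constructed response in the shape the article captured: 200, keep-alive, Content-Length."""
    return (b"HTTP/1.1 200 OK\r\nConnection: keep-alive\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples for the two cases in the article.
APACHE_SAMPLE = build_response(APACHE_DEFAULT_BODY)
MSF_SAMPLE = build_response(MSF_DEFAULT_BODY)

if __name__ == "__main__":
    for label, raw in (("apache", APACHE_SAMPLE), ("msf", MSF_SAMPLE)):
        print(label, "->", classify_default_page(raw))
```

Two caveats when using this as a mapping rule: the check only catches the handler's default, since HttpUnknownRequestResponse is an operator-settable option, and a 44-byte body is an indicator to correlate with the other tags the article mentions rather than proof on its own.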
According to the official documentation, if staging is enabled (staged payloads), anyone can connect to your server, request a payload and analyze its contents, and thereby obtain information from your payload configuration.
So by constructing a URI that meets the check, the CS beacon stage can be downloaded.
The URI check rules can be seen in `src/main/java/cloudstrike/WebServer.java`.
So one only needs to construct a 4-character combination of digits and upper- and lower-case letters whose byte sum modulo 256 equals 92 (or 93).
```python
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"


def generate_checksum(target):
    """Draw random 4-character strings until the sum of their character codes mod 256 equals target."""
    trial = ""
    total = 0
    while total != target:
        total = 0
        trial = ''.join(random.sample(ALPHABET, 4))
        for i in range(4):
            total = (total + ord(trial[i:i + 1])) % 256
    return trial


if __name__ == '__main__':
    uri_x86 = generate_checksum(92)
    uri_x64 = generate_checksum(93)
    print(uri_x64)
    print(uri_x86)
```
The logic here: a direct request for the stage file returns 404 Not Found, but a request whose URI carries a qualifying checksum downloads the beacon directly.
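The same checksum rule can be turned around for the defender. The following is an added example (my code, not the article's and not Cobalt Strike's) that scans web-server access logs for requests whose path is exactly four alphanumerics with a checksum8 of 92 or 93, the rule the article describes for the staging URI. The log lines are constructed; the 4-character restriction and the two checksum values come from the article.

```python
import re

# The two checksum values the article names for Cobalt Strike staging URIs.
STAGER_CHECKSUMS = {92: "x86", 93: "x64"}

# Common-log-format line: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed access-log lines (not real traffic): "/Mz3b" sums to 92 and "/uV9Y" to 93,
# "/abcd" sums to 138, and "/Mz3b/" is not a bare 4-character path.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Mar/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 45
203.0.113.7 - - [24/Mar/2020:10:00:02 +0000] "GET /Mz3b HTTP/1.1" 200 261120
203.0.113.7 - - [24/Mar/2020:10:00:03 +0000] "GET /abcd HTTP/1.1" 404 0
203.0.113.9 - - [24/Mar/2020:10:00:04 +0000] "GET /uV9Y HTTP/1.1" 200 295936
203.0.113.9 - - [24/Mar/2020:10:00:05 +0000] "GET /Mz3b/ HTTP/1.1" 404 0
"""


def checksum8(text: str) -> int:
    """Sum of the character codes modulo 256, the check the article describes."""
    return sum(ord(c) for c in text) % 256


def stager_arch(path: str):
    """Return 'x86' or 'x64' if the path matches the article's staging rule
    (leading slash, exactly four alphanumerics, checksum8 of 92 or 93), else None."""
    m = re.fullmatch(r"/([A-Za-z0-9]{4})", path.split("?", 1)[0])
    if not m:
        return None
    return STAGER_CHECKSUMS.get(checksum8(m.group(1)))


def find_stager_requests(log_text: str):
    """Return one dict per log line whose path looks like a staging URI."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        arch = stager_arch(m["path"])
        if arch:
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"]), "arch": arch})
    return hits


if __name__ == "__main__":
    for hit in find_stager_requests(SAMPLE_LOG):
        print(hit)
```

Any random 4-character path satisfies one of the two checksums with probability of roughly 2/256, so treat a hit as an indicator to correlate with the behaviour the article describes (a 200 with a large body from a host that otherwise answers 404) rather than as a verdict on its own.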
After obtaining the stage file, it needs to be XOR-decrypted. Here I rewrote the script in python3 with reference to https://sysopfb.github.io/malware,/cobaltstrike/2020/03/24/beacon-in-azure.html.
```python
import sys
import struct

# Read the downloaded stage file given on the command line.
filename = sys.argv[1]
data = open(filename, 'rb').read()
# Skip the 0x45-byte prefix in front of the XOR-encoded part.
t = bytearray(data[0x45:])
# Unpack the first two little-endian 32-bit values.
(a, b) = struct.unpack_from('<II', t)
```
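The XOR decoding the article starts to show, carried through as an added example. This is my code, not the article's and not the referenced writeup's. It assumes the stage layout I take from that writeup: a 4-byte little-endian key, the 4-byte size XORed with the key, then dwords each XORed with a running key that is replaced by the ciphertext dword just processed. The rolling rule, the constructed sample and `encode_stage` (which exists only to produce test input) are assumptions; the 0x45-byte offset belongs to the file the article captured, so the decoder below is handed the blob starting at its header.

```python
import struct

# Constructed sample plaintext (40 bytes, a multiple of 4); not a real beacon.
SAMPLE_PLAIN = b"constructed sample stage, not a beacon!!"
SAMPLE_KEY = 0x7A3B1C5D   # constructed key


def encode_stage(plain: bytes, key: int) -> bytes:
    """Build test input in the assumed layout: key, size^key, then each dword
    XORed with the running key, which is replaced by the ciphertext dword just
    emitted. Exists only so the decoder can be exercised offline."""
    if len(plain) % 4:
        plain += b"\x00" * (4 - len(plain) % 4)
    out = bytearray(struct.pack("<II", key, len(plain) ^ key))
    for (pt,) in struct.iter_unpack("<I", plain):
        ct = pt ^ key
        out += struct.pack("<I", ct)
        key = ct
    return bytes(out)


def decode_stage(blob: bytes):
    """Reverse encode_stage. Returns (declared size, plaintext) or raises ValueError
    when the header disagrees with the data, which is what a truncated download
    or a wrong start offset looks like."""
    if len(blob) < 8:
        raise ValueError("blob shorter than the 8-byte key/size header")
    key, enc_size = struct.unpack_from("<II", blob)
    size = enc_size ^ key
    body = blob[8:]
    if size % 4 or size > len(body):
        raise ValueError("declared size %d inconsistent with %d payload bytes" % (size, len(body)))
    out = bytearray()
    for off in range(0, size, 4):
        (ct,) = struct.unpack_from("<I", body, off)
        out += struct.pack("<I", ct ^ key)
        key = ct
    return size, bytes(out)


def is_well_formed(blob: bytes) -> bool:
    """True when the header and payload length agree and decoding succeeds."""
    try:
        decode_stage(blob)
        return True
    except ValueError:
        return False


def roundtrip() -> bool:
    """Encode the constructed sample, decode it and compare."""
    return decode_stage(encode_stage(SAMPLE_PLAIN, SAMPLE_KEY)) == (len(SAMPLE_PLAIN), SAMPLE_PLAIN)


if __name__ == "__main__":
    import sys
    # With a file argument, decode it the way the article's script does (skipping the
    # 0x45-byte prefix it observed); without one, run the constructed round trip.
    if len(sys.argv) > 1:
        size, plain = decode_stage(open(sys.argv[1], "rb").read()[0x45:])
        sys.stdout.buffer.write(plain)
    else:
        print("round trip ok:", roundtrip())
```

The size check is the useful part for analysis: because the size field is XORed with the key, starting at the wrong offset produces a nonsense size that the decoder rejects instead of silently emitting garbage.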