Shulou (Shulou.com) report, 06/01, updated 2025-03-29. Source: SLTechnology News&Howtos > Network Security
This article shows how Apache's mod_rewrite module, combined with HTTPS mutual (two-way) authentication, can be used to reproduce the traffic-distribution function of the CIA Hive tool: requests that carry a valid client certificate are sent on to a payload address, and everything else is kept away from it.
1. Background
The scenario reproduced here comes from the CIA Hive tool [1], part of the CIA cyber arsenal exposed by WikiLeaks in the Vault 8 release of November 2017. Hive's main job is to give other CIA malware a covert channel through which it can be controlled and run.
The overall structure of CIA Hive can be divided into four layers, as shown in figure 1.
Figure 1
For a detailed analysis of the role of each layer of CIA Hive see [2]. This reproduction focuses on the traffic-distribution function of the hidden server, the Blot server: Blot dispatches incoming requests to different back-end servers, prepared in advance, depending on where the request comes from. When the Blot server receives a request it decides on the basis of the client-certificate check performed during the TLS handshake. If the certificate is missing or invalid, the request is passed to a cover server that returns an ordinary web page. If the certificate is valid (only implanted hosts send traffic with a valid certificate), the request is forwarded to the Honeycomb server for covert communication and control.
Technically, this article uses Apache's mod_rewrite module to implement that distribution and so reproduce the function of Hive's Blot server.
2. Principles
2.1 The Apache mod_rewrite module
2.1.1 What is mod_rewrite?
mod_rewrite is an Apache module. It is shipped with a standard Apache installation but is usually not enabled by default and has to be switched on by hand. It is a rule-based engine that rewrites requested URLs on the fly; it can manipulate every part of a URL and works at both server level (httpd.conf, or apache2.conf on Debian and Ubuntu) and directory level (.htaccess).
2.1.2 Using mod_rewrite for traffic distribution
The idea is to enable the rewrite module, edit the Apache configuration file apache2.conf to allow directory-level .htaccess configuration (AllowOverride), and then write the distribution rules in an .htaccess file. Rule syntax and techniques are documented at https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritecond and https://bluescreenofjeff.com/tags.
2.2 X.509 certificate chain
2.2.1 Digital certificates
A digital certificate is an identity document for the network that also carries a public key. Its authenticity has to be verifiable, and the verifier has to accept the method of verification: in practice it trusts a set of issuers. An HTTPS site is bound to a certificate; the client decides whether to trust it by keeping a list of trusted root authorities, so whether a client trusts a site's certificate depends on whether the issuer's root certificate has been imported into the client's store. X.509, defined in the ITU-T X.509 standard, is the certificate format in general use today.
2.2.2 X.509 certificates
Three files are involved in obtaining and using an X.509 certificate:
Key file: the private key, which stays on the server. During the TLS handshake it proves that the server owns the public key in the certificate (by signing the handshake, or in RSA key exchange by decrypting the pre-master secret); the application data itself is encrypted with the symmetric session keys negotiated in the handshake, not with this key.
CSR file: a certificate signing request, submitted to a certificate authority (CA) so that it can sign the certificate.
CRT file: the certificate, signed by a CA or self-signed by the developer, containing the holder's details, the holder's public key and the issuer's signature.
Note: this article is a reproduction experiment and uses HTTPS two-way (mutual) authentication. Two-way authentication works like one-way authentication except that, in addition to the client verifying the server, the server also verifies the client's certificate. After checking the client certificate the server can serve different content depending on the result, for example only a client that passes the check is forwarded to a particular service. See https://blog.csdn.net/duanbokan/article/details/50847612 for details.
3. Reproduction steps
3.1 Installing and configuring the basic environment on Ubuntu
Minimum environment: one Windows 7 virtual machine (client, for authentication testing) and one Ubuntu virtual machine (the simulated Blot server).
Note: to avoid permission errors, run the steps below as root (or prefix them with sudo).
3.1.1 Install apache2 and openssl on Ubuntu 16.04
apt-get install apache2
apt-get install openssl
3.1.2 Enable the Apache SSL module
a2enmod ssl
3.1.3 Enable the Apache mod_rewrite module
a2enmod rewrite
3.1.4 Generating self-signed certificates
The certificates are generated with openssl; the generation process is explained in "forged HTTPS certificates" [3] and the Hetian online lab "HTTPS certificate forgery" [4]. Because the experiment uses HTTPS two-way authentication, two certificates with their key pairs are needed: one for server authentication and one for client authentication.
3.2 Configuring HTTPS two-way authentication in Apache
3.2.1 Certificate preparation (all generated with openssl on Ubuntu)
The commands below generate everything quickly; see [3] and [4] for an explanation of each step.
(1) Certificate for server authentication
Generate a 2048-bit RSA private key (.key):
openssl genrsa -out ciahive.com.key 2048
Generate a certificate signing request (.csr):
openssl req -new -key ciahive.com.key -out ciahive.com.csr
Note: answer the prompts in turn; the Common Name must be the domain name, ciahive.com.
Generate a self-signed certificate (.crt):
openssl x509 -req -days 36500 -in ciahive.com.csr -signkey ciahive.com.key -out ciahive.com.crt
(2) Certificate for client authentication
The steps are the same as in (1); the short form below does them without prompting and packs key and certificate into a PKCS#12 file for import on the client:
openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/C=CN/ST=Shanghai/L=Shanghai/O=11/OU=22/CN=client"
openssl x509 -req -days 365 -in client.csr -signkey client.key -out client.crt
openssl pkcs12 -export -inkey client.key -in client.crt -out client.p12
(3) the list of final standby certificates is shown in figure 2:
Figure 2
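The commands in 3.2.1 sign the server and the client certificate with their own keys, and Apache is then told to trust client.crt itself as the "CA", so exactly one certificate is accepted. The script below is an added example, not part of the original article: it builds a small lab CA as described in 2.2, issues the server and client certificates from it, exports the PKCS#12 bundle, and runs the same chain check Apache performs, so that a second certificate with the same CN but a different issuer can be seen to fail. The output directory, the CA name "ciahive-lab-ca", the PKCS#12 password "changeit" and the "rogue" certificate are assumptions made for the lab.

```shell
#!/bin/sh
# Added lab script, not from the original article. Assumptions: an output
# directory of your choice, the CA name "ciahive-lab-ca", the client CN
# "client", the PKCS#12 password "changeit", and a deliberately unrelated
# "rogue" certificate that reuses the CN to show the chain check at work.
set -eu

# make_pki DIR: issue CA, server and client certificates into DIR.
make_pki() {
    dir=$1
    mkdir -p "$dir"

    # 1. Lab CA: self-signed, CA:TRUE, long lived.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=ciahive-lab-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt"

    # 2. Server certificate for ciahive.com, signed by the CA. The SAN is
    #    what browsers match against the host name; the CN alone is ignored.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ciahive.com" -keyout "$dir/ciahive.com.key" -out "$dir/ciahive.com.csr"
    printf 'subjectAltName=DNS:ciahive.com\n' > "$dir/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/ciahive.com.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/ciahive.com.crt"

    # 3. Client certificate (the "infected host" identity) and its PKCS#12
    #    bundle for import on the Windows client.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=client" -keyout "$dir/client.key" -out "$dir/client.csr"
    openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.crt"
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
        -certfile "$dir/ca.crt" -passout pass:changeit -out "$dir/client.p12"

    # 4. Rogue certificate: same CN, but self-signed with its own key, so it
    #    does not chain to ca.crt and must be rejected.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=client" -keyout "$dir/rogue.key" -out "$dir/rogue.crt"
}

# verify_client CA CERT: the chain check Apache performs against
# SSLCACertificateFile; exit status 0 means the certificate is accepted.
verify_client() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: sh make_pki.sh /tmp/ciahive-pki
if [ "$#" -eq 1 ]; then
    make_pki "$1" >/dev/null 2>&1
    verify_client "$1/ca.crt" "$1/client.crt" && echo "client.crt: accepted"
    verify_client "$1/ca.crt" "$1/rogue.crt"  || echo "rogue.crt: rejected"
fi
```

With this layout ca.crt, rather than client.crt, goes into SSLCACertificateFile, and any number of implants can be issued from the same CA while a certificate that merely copies the subject is still refused. One practical caveat for the Windows 7 client used in the experiment: OpenSSL 3 exports PKCS#12 files with AES-256-CBC and a SHA-256 MAC, which old Windows versions cannot import; add -legacy to the pkcs12 command in that case.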
3.2.2 Configure HTTPS two-way authentication
(1) Confirm that the Apache SSL module is enabled:
a2enmod ssl
(2) Edit the SSL site configuration:
vim /etc/apache2/sites-enabled/default-ssl.conf
In the file, point Apache at the server's private key and certificate (server authentication):
SSLEngine on
SSLCertificateFile /xx/xx/xx/ciahive.com.crt
SSLCertificateKeyFile /xx/xx/xx/ciahive.com.key
Then turn on client authentication and tell Apache which certificate to trust as the issuer of client certificates (here the self-signed client.crt itself, so only that exact certificate is accepted):
SSLCACertificateFile /xx/xx/xx/client.crt
SSLVerifyClient require
SSLVerifyDepth 10
(3) Enable Apache's default SSL virtual host:
a2ensite default-ssl
(4) Restart the Apache service:
service apache2 restart
(5) Client configuration
1) Edit the client's hosts file
The experimental domain ciahive.com is not actually registered, so it has to be resolved through the local hosts file (on Windows: C:\Windows\System32\Drivers\etc\hosts). Add a line with the Apache server's IP address and the domain name ciahive.com (administrator rights are needed to edit the file). See figure 3.
Figure 3
2) Install the server's self-signed certificate ciahive.com.crt on the client as a trusted root certification authority. The result is shown in figure 4.
Figure 4
3) Import client.p12 on the client so that it can present the client certificate for the server to verify. The result is shown in figure 5.
Figure 5
3.2.3 Testing the HTTPS two-way authentication configuration
Verify the configuration by browsing to https://ciahive.com. A simple check:
(1) From client 1, which does not have ciahive.com.crt installed, the browser should block the connection as insecure (untrusted certificate). See figure 6.
Figure 6
(2) If a client has installed only ciahive.com.crt and lacks client.p12, the connection fails outright, because the server demands a client certificate during the handshake. See figure 7.
Figure 7
(3) From client 2, which has both certificates installed, the browser first prompts for the client certificate to use, as shown in figure 8.
Figure 8
(4) After confirming client.p12 as the client certificate, a secure connection to https://ciahive.com is established; the page is shown in figure 9.
Figure 9
(5) Reaching the secure page of figure 9 when visiting https://ciahive.com confirms that two-way authentication is configured correctly.
3.3 Configuring Apache mod_rewrite rules for traffic distribution
3.3.1 Enable mod_rewrite in Apache
(1) Enable the module:
a2enmod rewrite
(2) Edit /etc/apache2/apache2.conf so that .htaccess files (which will hold the forwarding rules) are honoured. Find the directory block:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
and change AllowOverride None to AllowOverride All.
(3) Create an .htaccess file in /var/www/html/ and write a test rule.
1) Test rule: rewrite 1.html to 2.html
RewriteEngine on
RewriteRule 1.html 2.html
2) Create an empty 1.html and put the following text in 2.html:
Test is successful!
(4) Restart Apache and request https://ciahive.com/1.html. If the page returned reads "Test is successful!", the rewrite works.
3.3.2 Writing the rules for traffic distribution
The rules can be adapted as needed; see [5] and [6] for .htaccess tips.
Note: the experimental environment is limited to two virtual machines, so the rules below only simulate the forwarding logic of CIA Hive.
The .htaccess rules that simulate the forwarding are:
RewriteEngine on
# A plain-HTTP request for 0.html is redirected to HTTPS, where the client
# certificate check applies (port 443 is the SSL virtual host).
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REQUEST_URI} ^/0\.html
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
# Because two-way authentication is configured, only the infected host
# (the one holding client.p12) gets this far over HTTPS. Its request for
# 0.html is redirected to the payload address (local or on another host),
# the analogue of Hive's Honeycomb server.
RewriteRule 0.html https://ciahive.com/.payload/remotepayload/payload1.html [L]
3.3.3 Test
(1) Simulated normal host (no certificates installed)
1) Every other page (all of ciahive.com and its directory listing except ciahive.com/0.html) is served normally. See figure 10.
Figure 10
2) Requesting ciahive.com/0.html forces HTTPS; without a valid client certificate the browser reports that the connection failed. See figure 11.
Figure 11
(2) Infected host (ciahive.com.crt and client.p12 installed)
1) Other pages behave exactly as for the normal host.
2) Requesting ciahive.com/0.html forces HTTPS, the browser asks which client certificate to use (in a real attack scenario this would be pre-selected, with no prompt), and the request is then redirected to https://ciahive.com/.payload/remotepayload/payload1.html, the simulated Honeycomb server. See figure 12.
Figure 12
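In the setup above an unauthenticated host never reaches mod_rewrite at all: SSLVerifyClient require makes the TLS handshake itself fail, which is the "connection failed" of figure 11, whereas Blot answers such a visitor with a cover page so that nothing looks unusual. The virtual host below is an added example, not the article's configuration, that reproduces Blot's behaviour more closely: the client certificate is requested but not required, and mod_rewrite branches on the outcome of its verification. The paths under /etc/ssl/ciahive and /var/www/cover, the CA file ca.crt as issuer of client.crt, the beacon URL 0.html and the payload path are assumptions for the lab.

```apache
# Added example, not the article's configuration. Assumed paths and names:
# /etc/ssl/ciahive/*, /var/www/cover, ca.crt as the issuer of client.crt.
<VirtualHost *:443>
    ServerName ciahive.com
    DocumentRoot /var/www/cover

    SSLEngine on
    SSLCertificateFile    /etc/ssl/ciahive/ciahive.com.crt
    SSLCertificateKeyFile /etc/ssl/ciahive/ciahive.com.key

    # Request a client certificate but complete the handshake with or without
    # one. SSL_CLIENT_VERIFY then reads NONE (no certificate), GENEROUS
    # (certificate presented but not issued by ca.crt) or SUCCESS.
    SSLCACertificateFile /etc/ssl/ciahive/ca.crt
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 2

    RewriteEngine on
    # Cover server: anything but a verified certificate gets the ordinary
    # page for the beacon URL, with a normal 200 status.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
    RewriteRule ^/0\.html$ /index.html [L]
    # Honeycomb: a verified certificate with the expected subject CN is
    # rewritten internally (no redirect, nothing new in the address bar)
    # to the payload path, the analogue of Hive's Honeycomb server.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} ^SUCCESS$
    RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ^client$
    RewriteRule ^/0\.html$ /.payload/remotepayload/payload1.html [L]

    # The payload directory is never served without a verified certificate,
    # even to someone who guesses its path directly.
    <Directory /var/www/cover/.payload>
        Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS'"
    </Directory>
</VirtualHost>

# Plain HTTP: move the beacon URL onto TLS so that the certificate check applies.
<VirtualHost *:80>
    ServerName ciahive.com
    RewriteEngine on
    RewriteRule ^/0\.html$ https://ciahive.com/0.html [R=302,L]
</VirtualHost>
```

Two points worth checking after deploying this: optional_no_ca (rather than optional) is what keeps a visitor with a wrong or forged certificate on the cover page instead of producing a handshake error, and the %{SSL:...} lookups in RewriteCond work without SSLOptions +StdEnvVars, so no SSL variables have to be exported into the CGI environment for the rules to run.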
4. Summary of the experiment
4.1 Key points of this reproduction
(1) Understand the X.509 certificate chain and HTTPS two-way authentication.
(2) Configure the Apache and mod_rewrite parameters correctly.
(3) Understand the CIA Hive forwarding process, in particular the role of the hidden server.
(4) Implement the forwarding rules in .htaccess.
4.2 Conclusions
(1) The reproduction is a great help in understanding the CIA Hive framework; the problems met while building the Apache + openssl environment, and solving them one by one, gave a clear picture of the whole process.
(2) The X.509 certificate chain and its principles deserve special attention. HTTPS two-way authentication, as used here, is not enabled on public websites, so it is a technique that few people pay attention to, which is what makes an attacker's use of it easy to overlook.
(3) This reproduction implements only the simplest function, as an aid to learning; both the .htaccess forwarding rules and the experimental design leave plenty of room for improvement.