This article introduces the concept and use of the RPC Filter technique, demonstrates how RPC Filters can block lateral movement based on scheduled tasks, and provides a large set of RPC Filter references that can effectively counter the intranet lateral-movement techniques shipped with impacket.
Preface
What is WFP?
RPC Filter
Adding an RPC Filter rule with netsh to block Impacket atexec
Blocking NIC enumeration via the DCOM IOXIDResolver interface
Adding RPC Filter rules in bulk
Defending against the PetitPotam vulnerability
Summary
References
Most of the intranet lateral-movement techniques in the Impacket toolkit depend on the RPC protocol. Besides detection and identification on the network-traffic side, attacks over RPC can also be defended against with the Windows Filtering Platform (WFP) built into Windows.
As an aside, for how to analyze and defend against impacket lateral movement on the traffic side, see: https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/
1. impacket-atexec authenticates over SMB and registers a scheduled task through the MS-TSCH RPC service to move laterally.
2. impacket-psexec authenticates over SMB and registers a system service through the MS-SCMR RPC protocol to move laterally.
3. impacket-dcomexec authenticates over SMB and invokes COM components through the MS-DCOM RPC protocol to move laterally.
4. impacket-wmiexec authenticates over SMB and invokes COM components through the MS-DCOM RPC protocol to move laterally.
5. The well-known PetitPotam (CVE-2021-36942) uses the MS-EFSRPC protocol to make the server connect to an attacker-constructed address, enabling an NTLM redirection (relay) attack.
6. PrintNightmare, the Windows Print Spooler elevation-of-privilege vulnerability (CVE-2021-1675), abuses MS-RPRN for privilege escalation; its principle is likewise to call an RPC interface so that the server accesses a specific path.
7. Beyond these vulnerabilities, most of the "Potato" privilege-escalation family also use RPC interfaces to make a SYSTEM-privileged process connect to an attacker-created pipe, then perform token impersonation to steal the token and escalate privileges.
Windows Filtering Platform (WFP) is a network traffic processing platform designed to replace the Windows XP and Windows Server 2003 network traffic filtering interfaces. WFP consists of a set of hooks into the network stack and a filtering engine that coordinates network stack interactions.
As the name suggests, it is a network-traffic processing platform that replaces the traffic-filtering interfaces of Windows Server 2003 and Windows XP. WFP consists of a set of hooks into the network stack and a filtering engine that coordinates interactions with the network stack.
A quick look at the WFP APIs gives a rough idea of which versions support this technology; most of the APIs are highly backward-compatible, which means the technology has existed in Windows for a long time:
RPC Filter
RPC Filter is a filtering technique built on the RPC protocol that can filter along several dimensions; this article only covers filtering RPC interfaces by their UUID. RPC Filter is part of WFP. A filter rule is configured by filling in the FWPM_FILTER0 and FWPM_FILTER_CONDITION0 structures and then calling the corresponding API to register the filter.
Adding an RPC Filter rule with netsh to block Impacket atexec
Besides the API, we can also set filter rules directly with the built-in netsh command. For example, here I set up a rule that disallows remote MS-TSCH calls:
Environment:
1. Target: Windows Server 2008, IP: 192.168.31.134
2. Attacker: Linux
First, run atexec.py against the target normally once:
Here you can see the attack succeeds: the RPC call SchRpcRegisterTask succeeds. This API is in fact the same one used by the remote scheduled-task creation tool implemented earlier; the principle is identical.
On Windows Server 2008, open netsh and add the filter:
rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=86D35949-83C9-4044-B424-DB363231FD0C
add filter
The UUID 86D35949-83C9-4044-B424-DB363231FD0C identifies ITaskSchedulerService, which can be seen in the packet capture:
With the filter added, run the lateral-movement test again:
As shown, the scheduled task can no longer be registered and atexec fails. Note that RPC Filter has no direct relationship with the firewall: the Windows Server 2008 firewall was turned off throughout the test.
Besides scheduled tasks there are many more interfaces; here is a list:
1FF70682-0A51-30E8-076D-740BE8CEE98B  Scheduled Task (MS-TSCH) ATSvc
378E52B0-C0A9-11CF-822D-00AA0051E40F  Scheduled Task (MS-TSCH) SASec
86D35949-83C9-4044-B424-DB363231FD0C  Scheduled Task (MS-TSCH) ITaskSchedulerService
4FC742E0-4A10-11CF-8273-00AA004AE673  Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM)
e3514235-4b06-11d1-ab04-00c04fc2dcd2  Directory Replication Service (MS-DRSR)
a8e0653c-2744-4389-a61d-7373df8b2292  File Server Remote VSS Protocol (MS-FSRVP)
c681d488-d850-11d0-8c52-00c04fd90f7e  Encrypting File System Remote (EFSRPC) Protocol (MS-EFSR) (unauthenticated implementation)
df1941c5-fe89-4e79-bf10-463657acf44d  Encrypting File System Remote (EFSRPC) Protocol (MS-EFSR)
12345778-1234-ABCD-EF00-0123456789AB  Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD) / Local Security Authority (Translation Methods) Remote Protocol (MS-LSAT)
12345678-1234-ABCD-EF00-01234567CFFB  Netlogon Remote Protocol (NRPC)
12345678-1234-ABCD-EF00-0123456789AB  Print System Remote Protocol (MS-RPRN)
76F03F96-CDFD-44FC-A22C-64950A001209  Print System Asynchronous Remote Protocol (MS-PAR)
338CD001-2244-31F1-AAAA-900038001003  Remote Registry (MS-RRP)
12345778-1234-ABCD-EF00-0123456789AC  Security Account Manager (SAM) Remote Protocol (MS-SAMR)
367ABB81-9844-35F1-AD32-98F038001003  Service Control Manager Remote Protocol (MS-SCMR)
4b324fc8-1670-01d3-1278-5a47bf6ee188  Server Service Remote Protocol (MS-SRVS)
6BFFD098-A112-3610-9833-46C3F87E345A  Workstation Service Remote Protocol (MS-WKST)
...
I previously wrote an article, 《通过OXID解析器获取Windows远程主机上网卡地址》 (obtaining the network-adapter addresses of a remote Windows host through the OXID resolver). Afterwards most domestic red-team scanners integrated this capability: without authentication, access port 135 on a Windows system and obtain the IP addresses on its network adapters. It mainly uses the IOXIDResolver interface, as the packet capture shows:
The UUID for IOXIDResolver is 99fcfec4-5260-101b-bbcb-00aa0021347a, so we can likewise block this protocol with netsh.
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=99fcfec4-5260-101b-bbcb-00aa0021347a
add filter
Before adding the RPC Filter:
After adding the RPC Filter:
netsh can take a file as its command input, for example:
netsh -f <command file>
We can put multiple commands into a file and load it with this command:
Benjamin Delpy mentioned as early as last year that the PetitPotam vulnerability can be blocked with an RPC Filter:
rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter
quit
Here is a consolidated set of all the filter rules:
rpc
filter
# ----------------------------
# Block MS-EFSR (PetitPotam privilege escalation): Encrypting File System Remote (EFSRPC) Protocol (MS-EFSR)
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter

# ----------------------------
# Block remote service management: Service Control Manager Remote Protocol (MS-SCMR)
# (permit Domain Admins, block everyone else)
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=367ABB81-9844-35F1-AD32-98F038001003
add condition field=remote_user_token matchtype=equal data=D:(A;;KA;;;DA)
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=367ABB81-9844-35F1-AD32-98F038001003
add filter

# ----------------------------
# Block namespace management: Distributed File System (DFS) (MS-DFSNM)
# (permit only Kerberos, auth_type 16, at packet-privacy level, auth_level 6)
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=4FC742E0-4A10-11CF-8273-00AA004AE673
add condition field=auth_type matchtype=equal data=16
add condition field=auth_level matchtype=equal data=6
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=4FC742E0-4A10-11CF-8273-00AA004AE673
add filter

# ----------------------------
# Block DCSync attacks: Directory Replication Service (MS-DRSR)
# (permit Domain Controllers, block everyone else)
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=e3514235-4b06-11d1-ab04-00c04fc2dcd2
add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;DD)
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=e3514235-4b06-11d1-ab04-00c04fc2dcd2
add filter

# ----------------------------
# Block LLMNR/NBT-NS poisoning and SMB relay via MS-FSRVP
# (permit only Kerberos at packet-privacy level)
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=a8e0653c-2744-4389-a61d-7373df8b2292
add condition field=auth_type matchtype=equal data=16
add condition field=auth_level matchtype=equal data=6
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=a8e0653c-2744-4389-a61d-7373df8b2292
add filter

# ----------------------------
# Block remote user enumeration and user creation: MS-LSAD & MS-LSAT
# (permit Built-in Administrators, block everyone else)
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=12345778-1234-ABCD-EF00-0123456789AB
add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;BA)
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=12345778-1234-ABCD-EF00-0123456789AB
add filter

# ----------------------------
# Block the ZeroLogon vulnerability: Netlogon Remote Protocol (NRPC)
# (permit Domain Controllers and Authenticated Users, block everyone else)
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=12345678-1234-abcd-ef00-01234567cffb
add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;DC)
add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;AU)
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=12345678-1234-abcd-ef00-01234567cffb
add filter

# ----------------------------
# Block MS-RPRN & MS-PAR, see https://payloads.online/archivers/2022-03-04/1/
# (permit Domain Admins at packet-privacy level, block everyone else)
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=12345678-1234-ABCD-EF00-0123456789AB
add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;DA)
add condition field=auth_level matchtype=equal data=6
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=12345678-1234-ABCD-EF00-0123456789AB
add filter
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=76F03F96-CDFD-44FC-A22C-64950A001209
add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;DA)
add condition field=auth_level matchtype=equal data=6
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=76F03F96-CDFD-44FC-A22C-64950A001209
add filter

# ----------------------------
# Block remote registry management: Remote Registry (MS-RRP)
# (permit Domain Admins; the block rule targets the same MS-RRP interface)
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=338CD001-2244-31F1-AAAA-900038001003
add condition field=remote_user_token matchtype=equal data=D:(A;;KA;;;DA)
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=338CD001-2244-31F1-AAAA-900038001003
add filter

# ----------------------------
# Block remote domain-user enumeration: Security Account Manager (SAM) Remote Protocol (MS-SAMR)
# (permit Built-in Administrators; the block rule targets the same MS-SAMR interface)
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=12345778-1234-ABCD-EF00-0123456789AC
add condition field=remote_user_token matchtype=equal data=D:(A;;RC;;;BA)
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=12345778-1234-ABCD-EF00-0123456789AC
add filter

# ----------------------------
# Block NetSessionEnum session enumeration: Server Service Remote Protocol (MS-SRVS)
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=4b324fc8-1670-01d3-1278-5a47bf6ee188
add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;BA)
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=4b324fc8-1670-01d3-1278-5a47bf6ee188
add filter

# ----------------------------
# Block remote scheduled-task management: all three MS-TSCH interfaces
# (permit Domain Admins, block everyone else)
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=1FF70682-0A51-30E8-076D-740BE8CEE98B
add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;DA)
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=1FF70682-0A51-30E8-076D-740BE8CEE98B
add filter
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=378E52B0-C0A9-11CF-822D-00AA0051E40F
add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;DA)
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=378E52B0-C0A9-11CF-822D-00AA0051E40F
add filter
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=86D35949-83C9-4044-B424-DB363231FD0C
add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;DA)
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=86D35949-83C9-4044-B424-DB363231FD0C
add filter

quit
"#" is the comment character for netsh batch execution. Please test all of the filters above yourself.
We can set RPC Filters according to the needs of the scenario, which effectively reduces the risk posed by intranet lateral-movement techniques that rely on RPC interfaces.
This article introduced the concept and use of the RPC Filter technique, demonstrated how RPC Filters can block lateral movement based on scheduled tasks, and provided a large set of RPC Filter references that can effectively counter the intranet lateral-movement techniques shipped with impacket. The links in the references at the end are the material I consulted while writing this article, and they helped me a great deal. This article did not go deeply into configuring RPC Filters, and Microsoft's documentation is rather sparse; when time allows I will write a corresponding automated hardening tool, for example one that builds an RPC Filter tailored to a specific user on the system, or a solution for the problem of SERVICE-to-SYSTEM privilege escalation. The netsh commands may not offer this capability, but the WFP API does. If there are mistakes in this article, I hope readers will point them out in the comments.
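Because a long netsh batch file is easy to get wrong (a permit rule whose if_uuid is never paired with a block rule leaves that interface open to everyone, since RPC Filter permits calls that no filter blocks), here is a small consistency checker for such files. This is an added example, not code from the original post; the interface table is a subset of the one above and the sample file is constructed, with its block line deliberately naming the wrong interface.

```python
# Added example (not from the original post): a consistency checker for netsh
# "rpc filter" batch files such as those loaded with netsh -f <file>. It parses
# each add rule / add condition / add filter group and reports a permit rule
# whose if_uuid has no block rule at all (with no block the interface stays
# open to everyone, so the permit changes nothing) and UUIDs not in the table.
# The interface table subset and the sample file below are constructed.
import re

KNOWN = {  # UUID (lower-case) -> interface, taken from the table in the post
    "86d35949-83c9-4044-b424-db363231fd0c": "MS-TSCH ITaskSchedulerService",
    "338cd001-2244-31f1-aaaa-900038001003": "MS-RRP Remote Registry",
    "367abb81-9844-35f1-ad32-98f038001003": "MS-SCMR Service Control Manager",
}

def parse_filters(text):
    # One dict per committed filter: {"action": ..., "conditions": {field: [data]}}
    filters, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a netsh batch comment
        if m := re.match(r"add rule layer=\w+ actiontype=(\w+)", line):
            cur = {"action": m.group(1), "conditions": {}}
        elif (m := re.match(r"add condition field=(\w+) matchtype=\w+ data=(\S+)", line)) and cur:
            cur["conditions"].setdefault(m.group(1), []).append(m.group(2))
        elif line == "add filter" and cur:  # 'add filter' commits the rule built so far
            filters.append(cur)
            cur = None
    return filters

def find_issues(filters):
    # Permit rules with no block for the same interface, plus unknown UUIDs
    blocked = {u.lower() for f in filters if f["action"] == "block"
               for u in f["conditions"].get("if_uuid", [])}
    issues = []
    for f in filters:
        for uuid in (u.lower() for u in f["conditions"].get("if_uuid", [])):
            if f["action"] == "permit" and uuid not in blocked:
                issues.append(f"permit for {uuid} has no block rule")
            if uuid not in KNOWN:
                issues.append(f"unknown interface {uuid}")
    return issues

# Constructed sample: the block rule was meant for MS-RRP but names MS-SCMR,
# so remote registry access is still allowed for every caller.
SAMPLE = """add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=338CD001-2244-31F1-AAAA-900038001003
add condition field=remote_user_token matchtype=equal data=D:(A;;KA;;;DA)
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=367ABB81-9844-35F1-AD32-98F038001003
add filter
"""
```

Running find_issues(parse_filters(SAMPLE)) reports the unpaired permit for the MS-RRP UUID; once the block line names the same UUID the list is empty.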
https://github.com/akamai/akamai-security-research/tree/main/rpc-filters
https://github.com/jsecurity101/MSRPC-to-ATTACK/
https://www.tiraniddo.dev/2021/08/how-windows-firewall-rpc-filter-works.html
https://googleprojectzero.blogspot.com/2021/08/understanding-network-access-windows-app.html
https://crfilter.com/
https://learn.microsoft.com/en-us/windows/win32/api/fwpmtypes/ns-fwpmtypes-fwpm_filter_condition0
Author: 倾旋的博客
Original link: https://payloads.online/archivers/2022-10-23/1/
Copyright notice: copyright belongs to the author.
Originally published on the WeChat public account 开源聚合网络空间安全研究院: [Intranet Attacks] Using RPC Filters to Defend Against Intranet RPC Lateral Movement