基于USB网卡适配器劫持DHCP Server嗅探Windows NTLM Hash密码
catalogue
1. DHCP、WPAD工作过程 2. python Responder 3. USB host/client adapter(USB Armory): 包含DHCP Server 4. USB Ethernet Adapter(Ethernet Shield) 5. NTLM Authentication Protocol and Security Support Provider 6. 实验过程
1. DHCP、WPAD工作过程
WPAD 通过让浏览器自动发现代理服务器,使代理服务器对用户来说是透明的,进而轻松访问互联网。WPAD 可以借助 DNS 服务器或 DHCP 服务器来查询代理自动配置(PAC)文件的位置
0x1: 引言
代理服务器大多被用来连接 INTERNET(国际互联网)和 INTRANET(企业内部网)。在多个局域网中需设置不同的代理服务器参数来使浏览器访问网络。在微软 Internet Explorer ( IE )5.0 以上版本中的功能中已经具备了自动切换代理服务器的功能。网络管理员需要事先部署代理服务器配置文件,然而用户方的设置却很简单
在这一功能中使用了被称为"WPAD"(Web Proxy Auto-Discovery protocol)的协议
1. 浏览器具有读入并解析代理服务器的配置文件,并将其配置信息设置到浏览器中的功能。配置文件是使用 JavaScript 描述的,通常具有".js",".jvs",".pac"(proxy auto-configuration)等扩展名的文件 2. 自动代理检测由系统确定,Web代理服务器代表客户端发送请求(中间人) 3. 自动代理检测启用时,系统会尝试定位到代理发送请求后返回的代理配置文件位置。若查找到代理配置文件,那么再使用 Web 代理服务器实例得到代理信息、数据请求或响应信息时,在本地计算机上进行下载,编译并运行 4. 被部署的大多数配置文件的格式是 Proxy auto-config(PAC)。最初,PAC 是由 Netscape 在 1996 年为 Netscape Navigator 2.0 设计的。WPAD 协议草案由 Inktomi、微软、RealNetworks、Sun Microsystems 几个公司共同提出。WPAD 可支持所有主流浏览器,首次存在于 Internet Explorer 5.0 中 5. WPAD 对代理服务器的透明处理使得管理员不再需要去每台客户机上设置代理服务器参数了(只需要借助DHCP把所有机器都配置为同一个代理服务器)。自动检测受动态主机配置协议 (DHCP) 和域名系统 (DNS) 的支持,浏览器通过 DHCP 和 DNS 的查询来搜索 PAC 文件的位置
0x2: Proxy Auto-Config(PAC)文件
代理自动配置(PAC)文件定义了浏览器和其他用户代理如何自动选择适当的代理服务器来访问一个 URL。要使用 PAC,我们应当在一个网页服务器上发布一个 PAC 文件,并且通过在浏览器的代理链接设置页面输入这个 PAC 文件的 URL 或者通过使用 WPAD 协议告知用户代理去使用这个文件。
一个 PAC 文件是一个至少定义了一个 JavaScript 函数的文本文件(按照惯例,这个文件名字一般是 proxy.pac。 WPAD 标准使用 wpad.dat)。该函数 FindProxyForURL(url, host)有 2 个参数
url 是一个对象的 URL
host 是一个由这个 URL 所衍生的主机名
一个非常简单的 PAC 文件内容如下
function FindProxyForURL(url, host) { if (url== 'http://www.baidu.com/') return 'DIRECT'; if (host== 'twitter.com') return 'SOCKS 127.0.0.10:7070'; if (dnsResolve(host) == '10.0.0.100') return 'PROXY 127.0.0.1:8086;DIRECT'; return 'DIRECT'; }
0x3: DHCP的报文格式
1. OP: 消息操作代码 1) 引导请求(1=BOOTREQUEST) 2) 引导答复(2=BOOTREPLY) 2. Htype: 硬件地址类别 1) ethernet 为 1 3. Hlen: 硬件地址长度 1) ethernet 为 6 4. Hops 1) 若数据包需经过 router 传送,每站加 1 2) 若在同一网内,为 0 5. Transaction ID: 事务 ID,是个随机数,用于客户和服务器之间匹配请求和相应消息 6. Seconds: 由用户指定的时间,指开始地址获取和更新进行后的时间 7. Flags: 从 0-15bits 1) 最左 一 bit 为 1 时表示 server 将以广播方式传送封包给 client 2) 其余尚未使用 8. Ciaddr: 用户 IP 地址 9. Yiaddr: 服务器分配给客户的 IP 地址 10. Siaddr: 用于 bootstrap 过程中的 IP 地址(服务器的 IP 地址) 11. Giaddr: 转发代理(网关)IP 地址 12. Chaddr: 客户机的硬件地址 13. Sname: 可选 server 的名称,以 0x00 结尾 14. File: 启动文件名 15. Options: 厂商标识,可选的参数字段。此参数是 WPAD 实现过程中的关键参数,即相关了 PAC 文件的 URL
0x4: WPAD的原理
1. DHCP 的自动检测
通过 DHCP 服务器,管理员可以集中指定全局 TCP/IP 参数和子网特定的 TCP/IP 参数,并可使用保留地址定义客户端的参数。如果客户端计算机在子网之间发生了移动,则在启动该计算机时,会自动重新配置 TCP/IP。通过 DHCP 服务器部署 WPAD 的原理如下
1. 首先确保 DHCP 服务器有效,然后为每个包含客户的子网建立了作用域 2. DHCP 服务器中的 252 选项通常被当作查询或注册用的指针,我们可以通过 252 项发现打印机、时间服务器、WPAD 主机以及其他的网络服务器 3. 在 DHCP 服务器中添加一个用于查找 WPAD 主机的 252 项,252 项是一个字符串值,内容是部署在 WPAD 主机上 PAC 文件的 URL。为适当的作用域配置 252 项,就算只有一个作用域 4. 因此 DHCP 客户机便可获得 PAC 文件的 URL,当客户机需要对浏览器或防火墙客户端进行自动配置时,就可以下载该 PAC 文件并得到代理服务器的地址(这个下载过程请求包中会携带NTLM HASH)
用户访问 laptop01.us.division.company.com 时,web 浏览器发送 DHCP INFORM 包于 DHCP 服务器来请求配置文件的位置,DHCP ACK 为 DHCP 服务器返回的数据包,其中 252 选项即为代理自动配置文件的位置
2. DNS 的自动检测
DNS 是 TCP/IP 网络上的一组协议和服务,通过 DNS,用户可以使用分层的用户友好名称(主机)代替数字 IP 地址来搜索其他计算机。用 DNS 来实现 WPAD,原理如下
1. WPAD 工作原理是客户机向 DNS 服务器发起 WPAD+X 的查询,客户机向 DNS 发起的 WPAD 查询的后缀是根据 WPAD 主机所处的环境决定的 1) 如果客户机是在一个域环境下时,发起的查询便是一个"WPAD.所在域的域名"的标准域名查询,这种情况下配合 DNS 里添加 WPAD 主机的 A 或别名记录便可轻松在域环境中对 WPAD 主机的定位 2) 如果在工作组环境下时,客户机发起的查询可能是一个标准的域名查询(如果计算机名有加域名后缀)也可能只是个没有后缀的 WPAD 查询,这时就要通过创建 DNS 私有根域查询或是通过创建单标签域的方式进行 WPAD 主机查询 2. DNS 返回提供 WPAD 主机 IP 地址 3. 客户机通过该 IP 的 80 端口去 WPAD 主机下载 WPAD.DAT(浏览器配置用文件)和 WSPAD.DAT(防火墙配置用文件)两个文件以实现自动配置
从以上的原理分析,首先 WPAD 主机要在 80 端口提供 wpad.dat 和 wspad.dat,有了这两个文件,客户机上的浏览器或防火墙客户端才能实现自动配置。其次,DNS 服务器要创建相关记录,当客户机来查询时,将解析结果指向 WPAD 主机
0x5: WPAD 的实现
通过 DNS 服务器部署 WPAD 在域的环境下比较适宜,但在工作组环境下就需要做一些改变。通过 DHCP 服务器部署 WPAD 还是更加方便,既不限制端口,又不受客户机计算机名影响,无论是工作组还是域都能很好地工。之前的浏览器通常使用手动代理配置和代理自动配置等,而 WPAD 协议的出现更高级别地实现了自动化。使用 DHCP 来实现 WPAD 的思想较简单,是较好的解决方案
常规的DHCP服务器没有252这个配置选项,即WPAD url配置,我们需要自己实现一个DHCP服务器
Relevant Link:
http://blog.163.com/hlz_2599/blog/static/14237847420134139541993/ http://www.ibm.com/developerworks/cn/linux/1309_quwei_wpad/ http://yuelei.blog.51cto.com/202879/84047/ http://blog.csdn.net/swanabin/article/details/52065005
2. python Responder
0x1: Intro
Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool will only answer to File Server Service request, which is for SMB.
The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.
0x2: Features
1. Built-in SMB Auth server(This functionality is enabled by default when the tool is launched) 1) Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. 2) Successfully tested from Windows 95 to Server 2012 RC, Samba and Mac OSX Lion. 3) Clear text password is supported for NT4 4) and LM hashing downgrade when the --lm option is set. 2. Built-in MSSQL Auth server. In order to redirect SQL Authentication to this tool, you will need to set the option -r (NBT-NS queries for SQL Server lookup are using the Workstation Service name suffix) for systems older than windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1, LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005 & 2008. 3. Built-in HTTP Auth server. In order to redirect HTTP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes and Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari. //Note: This module also works for WebDav NTLM authentication issued from Windows WebDav clients (WebClient). You can now send your custom files to a victim. 4. Built-in HTTPS Auth server. Same as above. The folder certs/ contains 2 default keys, including a dummy private key. This is intentional, the purpose is to have Responder working out of the box. A script was added in case you need to generate your own self signed key pair. 5. Built-in LDAP Auth server. In order to redirect LDAP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on Windows Support tool "ldp" and LdapAdmin. 6. Built-in FTP, POP3, IMAP, SMTP Auth servers. This modules will collect clear text credentials. 7. Built-in DNS server. This server will answer type A queries. This is really handy when it's combined with ARP spoofing. 8. Built-in WPAD Proxy Server. This module will capture all HTTP requests from anyone launching Internet Explorer on the network if they have "Auto-detect settings" enabled. This module is highly effective. You can configure your custom PAC script in Responder.conf and inject HTML into the server's responses. See Responder.conf. 9. Browser Listener This module allows to find the PDC in stealth mode. 10. Fingerprinting When the option -f is used, Responder will fingerprint every host who issued an LLMNR/NBT-NS query. All capture modules still work while in fingerprint mode. 11. Icmp Redirect python tools/Icmp-Redirect.py 12. Rogue DHCP python tools/DHCP.py //DHCP Inform Spoofing. Allows you to let the real DHCP Server issue IP addresses, and then send a DHCP Inform answer to set your IP address as a primary DNS server, and your own WPAD URL. 13. Analyze mode. This module allows you to see NBT-NS, BROWSER, LLMNR, DNS requests on the network without poisoning any responses. Also, you can map domains, MSSQL servers, workstations passively, see if ICMP Redirects attacks are plausible on your subnet.
0x3: Hashes
All hashes are printed to stdout and dumped in an unique file John Jumbo compliant, using this format:
(MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt
Log files are located in the "logs/" folder. Hashes will be logged and printed only once per user per hash type, unless you are using the Verbose mode (-v).
1. Responder will logs all its activity to Responder-Session.log 2. Analyze mode will be logged to Analyze-Session.log 3. Poisoning will be logged to Poisoners-Session.log
Additionally, all captured hashed are logged into an SQLite database which you can configure in Responder.conf
0x4: Considerations
1. This tool listens on several ports: 1) UDP 137 2) UDP 138 3) UDP 53 4) UDP/TCP 389 5) TCP 1433 6) TCP 80 7) TCP 139 8) TCP 445 9) TCP 21 10) TCP 3141 11) TCP 25 12) TCP 110 13) TCP 587 14) Multicast UDP 5553. 2. If you run Samba on your system, stop smbd and nmbd and all other services listening on these ports. 3. For Ubuntu users: Edit this file /etc/NetworkManager/NetworkManager.conf and comment the line: dns=dnsmasq. Then kill dnsmasq with this command (as root): killall dnsmasq -9 4. Any rogue server can be turned off in Responder.conf. 5. This tool is not meant to work on Windows. 6. For OSX, please note: Responder must be launched with an IP address for the -i flag (e.g. -i YOUR_IP_ADDR). There is no native support in OSX for custom interface binding. Using -i en1 will not work. Also to run Responder with the best experience, run the following as root: 1) launchctl unload /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist 2) launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist 3) launchctl unload /System/Library/LaunchDaemons/com.apple.smbd.plist 4) launchctl unload /System/Library/LaunchDaemons/com.apple.netbiosd.plist
0x5: Usage
Typical Usage Example:
./Responder.py -I eth0 -wrf
Options:
--version show program's version number and exit -h, --help show this help message and exit -A, --analyze Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests without responding. -I eth0, --interface=eth0 Network interface to use -b, --basic Return a Basic HTTP authentication. Default: NTLM -r, --wredir Enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network. Default: False -d, --NBTNSdomain Enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network. Default: False -f, --fingerprint This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query. -w, --wpad Start the WPAD rogue proxy server. Default value is False -u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY Upstream HTTP proxy used by the rogue WPAD Proxy for outgoing requests (format: host:port) -F, --ForceWpadAuth Force NTLM/Basic authentication on wpad.dat file retrieval. This may cause a login prompt. Default: False --lm Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False -v, --verbose Increase verbosity.
smbclient -L \\192.168.18.1\ipc$ -U zhenghan.zh
被攻击机器在发起IPC连接的时候,会带上NTLM HASH
Relevant Link:
https://github.com/Spiderlabs/Responder
3. USB host/client adapter(USB Armory): 包含DHCP Server
在巴黎举办的2014"天下无欺"国际安全大会(No Such Con)上,由意大利逆径安全咨询公司(Inverse Path)的首席安全工程师安德里亚·巴利桑尼(Andrea Barisani)带来的一款USB安全设备: USB军火库(USB Armory),这个小小的东西看起来就像一个U盘,但却集成了
1. 自加密数据存储 2. Tor路由器 3. 密码保险箱 4. 集成了microSD卡槽 5. 集成了i.MX53处理器 6. 集成了USB插头 7. 这个USB军火库却既不能连接显示屏,也不能连接键盘或电源,除了微处理器、内存和存储空空如也 8. 它依赖USB插头连接的主机为其供电和进行通讯,并从microSD卡上加载操作系统,使用的是Debian或Ubuntu系统 9. 它和其他USB微机的不同之处在于其选择的是包含有ARM's TrustZone可信执行环境技术的i.MX53处理器。该处理器具备包含安全启动在内的一系统安全特性 10. 该处理器还可以实现加密密钥的可信存储功能,这就让USB军火库变成了一支自加密的优盘,而且还可以实现在其插入未经授权电脑时清除加密密钥 11. 加密数据也无须存储在本地存储,完全可以通过USB连接,模拟网络设备(网卡适配器),实现与所有网盘一样的通讯 12. 网络模拟还包含其他一些安全应用程序,可以让不受信任的机器通过SSH或VPN安全地接入远程计算机,也可以通过Tor浏览器进行匿名浏览而不必在电脑上安装Tor客户端
The USB armory requires a microSD card with a valid operating system to boot.
0x1: Pre-imaged microSD card
https://dev.inversepath.com/download/usbarmory/
0x2: Preparing your own microSD card
1. microSD compatibility
https://github.com/inversepath/usbarmory/wiki/microSD-compatibility
The microSD card can be manually installed, on a computer using a microSD reader/write (with or without an adapter depending on the reader type), with either a pre-existing image or from scratch
2. Available images
The USB armory has been successfully tested with Debian and Ubuntu installations, using a standard Linux kernel and stock U-Boot (>= v2015.04).
In order to boot the USB armory it is possible to either use a pre-compiled disk image(已编译好的内核镜像) or manually prepare your own(自己裁剪编译内核镜像).
The following table summarizes the list of available pre-compiled images:
| OS | Author | Link |
|---|---|---|
| Debian Jessie | Inverse Path | USB armory base images |
| Linux kernel w/ INTERLOCK buildroot | Inverse Path | INTERLOCK releases |
| Arch Linux | Arch Linux ARM | Arch Linux ARM Installation |
| Void Linux | Juan RP et al. | Void Linux USB armory Installation |
| Kali Linux | Offensive Security | Kali Linux on USB armory |
| Gentoo Linux | sakaki | gentoo-on-armory |
3. Preparing a bootable microSD image
Alternatively the following instructions can be used to manually install a Linux distribution on the microSD from a Linux computer:
1. Prerequisites: 1) Recent Debian and Ubuntu (x86 or x86-64): sudo apt-get install parted debootstrap binfmt-support qemu-user-static u-boot-tools wget git xz-utils tar build-essential bc 2) Only on x86-64 Debian add: sudo dpkg --add-architecture i38、sudo apt-get update、sudo apt-get install zlib1g-dev:i386 libstdc++6:i386 3) Only on x86-64 Ubuntu add: sudo apt-get install lib32z1 lib32ncurses5 # on Ubuntu 12.04 install ia32-libs instead 2. Toolchain 1) On Debian 8 use the packaged one: sudo apt-get install gcc-arm-none-eabi、export CROSS_COMPILE=arm-none-eabi- 2) On Ubuntu (12.04 LTS, 14.04 LTS, 15.10, 16.04 LTS) use the packaged one: sudo apt-get install gcc-arm-linux-gnueabihf、export CROSS_COMPILE=arm-linux-gnueabihf- 3) On Debian 7 install the Linaro 4.9: export TOOLCHAIN_DIR=~ # set the directory where to install the toolchain wget http://releases.linaro.org/14.09/components/toolchain/binaries/gcc-linaro-arm-none-eabi-4.9-2014.09_linux.tar.xz tar xvf gcc-linaro-arm-none-eabi-4.9-2014.09_linux.tar.xz -C $TOOLCHAIN_DIR export CROSS_COMPILE=${TOOLCHAIN_DIR}/gcc-linaro-arm-none-eabi-4.9-2014.09_linux/bin/arm-none-eabi- 3. Root file system 1) Prepare the microSD: export TARGET_DEV=/dev/sdX # pick the appropriate device name for your microSD card (e.g. /dev/sdb) export TARGET_MNT=/mnt # set the microSD root file system mounting path sudo parted $TARGET_DEV --script mklabel msdos sudo parted $TARGET_DEV --script mkpart primary ext4 5M 100% sudo mkfs.ext4 ${TARGET_DEV}1 sudo mount ${TARGET_DEV}1 $TARGET_MNT 2) For Debian 8 (Jessie): sudo qemu-debootstrap --arch=armhf --include=ssh,sudo,ntpdate,fake-hwclock,openssl,vim,nano,cryptsetup,lvm2,locales,less,cpufrequtils,isc-dhcp-server,haveged,whois,iw,wpasupplicant,dbus jessie $TARGET_MNT http://ftp.debian.org/debian/ sudo wget https://raw.githubusercontent.com/inversepath/usbarmory/master/software/debian_conf/rc.local -O ${TARGET_MNT}/etc/rc.local sudo wget https://raw.githubusercontent.com/inversepath/usbarmory/master/software/debian_conf/sources.list -O ${TARGET_MNT}/etc/apt/sources.list sudo wget https://raw.githubusercontent.com/inversepath/usbarmory/master/software/debian_conf/dhcpd.conf -O ${TARGET_MNT}/etc/dhcp/dhcpd.conf sudo sed -i -e 's/INTERFACES=""/INTERFACES="usb0"/' ${TARGET_MNT}/etc/default/isc-dhcp-server echo "tmpfs /tmp tmpfs defaults 0 0" | sudo tee ${TARGET_MNT}/etc/fstab echo -e "\nUseDNS no" | sudo tee -a ${TARGET_MNT}/etc/ssh/sshd_config echo "nameserver 8.8.8.8" | sudo tee ${TARGET_MNT}/etc/resolv.conf sudo chroot $TARGET_MNT systemctl mask getty-static.service sudo chroot $TARGET_MNT systemctl mask isc-dhcp-server.service sudo chroot $TARGET_MNT systemctl mask display-manager.service sudo chroot $TARGET_MNT systemctl mask hwclock-save.service 3) For Ubuntu 15.10 (Wily Werewolf): wget http://cdimage.ubuntu.com/ubuntu-core/releases/15.10/release/ubuntu-core-15.10-core-armhf.tar.gz sudo tar xvf ubuntu-core-15.10-core-armhf.tar.gz -C $TARGET_MNT sudo wget https://raw.githubusercontent.com/inversepath/usbarmory/master/software/ubuntu_conf/ttymxc0.conf -O ${TARGET_MNT}/etc/init/ttymxc0.conf sudo cp /usr/bin/qemu-arm-static ${TARGET_MNT}/usr/bin/qemu-arm-static echo "nameserver 8.8.8.8" | sudo tee ${TARGET_MNT}/etc/resolv.conf sudo chroot $TARGET_MNT apt-get install -y sudo openssh-server whois ntpdate openssl vim nano less 4) Finalize and set the password: echo "ledtrig_heartbeat" | sudo tee -a ${TARGET_MNT}/etc/modules echo "ci_hdrc_imx" | sudo tee -a ${TARGET_MNT}/etc/modules echo "g_ether" | sudo tee -a ${TARGET_MNT}/etc/modules echo "options g_ether use_eem=0 dev_addr=1a:55:89:a2:69:41 host_addr=1a:55:89:a2:69:42" | sudo tee -a ${TARGET_MNT}/etc/modprobe.d/usbarmory.conf echo -e 'auto usb0\nallow-hotplug usb0\niface usb0 inet static\n address 10.0.0.1\n netmask 255.255.255.0\n gateway 10.0.0.2'| sudo tee -a ${TARGET_MNT}/etc/network/interfaces echo "usbarmory" | sudo tee ${TARGET_MNT}/etc/hostname echo "usbarmory ALL=(ALL) NOPASSWD: ALL" | sudo tee -a ${TARGET_MNT}/etc/sudoers echo -e "127.0.1.1\tusbarmory" | sudo tee -a ${TARGET_MNT}/etc/hosts sudo chroot $TARGET_MNT /usr/sbin/useradd -s /bin/bash -p `sudo chroot $TARGET_MNT mkpasswd -m sha-512 usbarmory` -m usbarmory sudo rm ${TARGET_MNT}/usr/bin/qemu-arm-static 4. Kernel: Linux 4.7.2 export ARCH=arm wget https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.7.2.tar.xz tar xvf linux-4.7.2.tar.xz && cd linux-4.7.2 wget https://raw.githubusercontent.com/inversepath/usbarmory/master/software/kernel_conf/usbarmory_linux-4.7.config -O .config wget https://raw.githubusercontent.com/inversepath/usbarmory/master/software/kernel_conf/imx53-usbarmory-common.dtsi -O arch/arm/boot/dts/imx53-usbarmory-common.dtsi wget https://raw.githubusercontent.com/inversepath/usbarmory/master/software/kernel_conf/imx53-usbarmory.dts -O arch/arm/boot/dts/imx53-usbarmory.dts wget https://raw.githubusercontent.com/inversepath/usbarmory/master/software/kernel_conf/imx53-usbarmory-host.dts -O arch/arm/boot/dts/imx53-usbarmory-host.dts wget https://raw.githubusercontent.com/inversepath/usbarmory/master/software/kernel_conf/imx53-usbarmory-gpio.dts -O arch/arm/boot/dts/imx53-usbarmory-gpio.dts wget https://raw.githubusercontent.com/inversepath/usbarmory/master/software/kernel_conf/imx53-usbarmory-spi.dts -O arch/arm/boot/dts/imx53-usbarmory-spi.dts wget https://raw.githubusercontent.com/inversepath/usbarmory/master/software/kernel_conf/imx53-usbarmory-i2c.dts -O arch/arm/boot/dts/imx53-usbarmory-i2c.dts make uImage LOADADDR=0x70008000 modules imx53-usbarmory.dtb imx53-usbarmory-host.dtb imx53-usbarmory-gpio.dtb imx53-usbarmory-spi.dtb imx53-usbarmory-i2c.dtb sudo cp arch/arm/boot/uImage ${TARGET_MNT}/boot/ sudo cp arch/arm/boot/dts/imx53-usbarmory*.dtb ${TARGET_MNT}/boot/ sudo make INSTALL_MOD_PATH=$TARGET_MNT ARCH=arm modules_install sudo umount $TARGET_MNT 5. Bootloader: U-Boot 2016.07 wget ftp://ftp.denx.de/pub/u-boot/u-boot-2016.07.tar.bz2 tar xvf u-boot-2016.07.tar.bz2 && cd u-boot-2016.07 make distclean make usbarmory_config make ARCH=arm sudo dd if=u-boot.imx of=$TARGET_DEV bs=512 seek=2 conv=fsync 6. Connecting After successful image preparation the CDC Ethernet section of Host communication can be followed for pointers on establishing SSH communication with its OpenSSH server.
0x3: JTAG
The USB armory exposes the i.MX53 JTAG interface using 7 test pads plus the ground pin of the pin header. The following picture identifies the relevant pads.
The following schematic (PDF) illustrates connection between the pads and a standard ARM JTAG 20-pin connector.
Relevant Link:
http://sec.chinabyte.com/442/13162442.shtml https://item.taobao.com/item.htm?spm=a1z0k.7385993.1997994373.d4919381.kd2wNT&id=535868992169&_u=82fmi7ab735&qq-pf-to=pcqq.group&wwlight=cntaobaokoneor-%7B535868992169%7D https://inversepath.com/usbarmory.html#ordering https://github.com/inversepath/usbarmory/wiki/Available-images https://github.com/inversepath/usbarmory/wiki/Preparing-a-bootable-microSD-image https://github.com/inversepath/usbarmory/wiki/Starting#preparing-your-own-microsd-card https://github.com/inversepath/usbarmory/wiki https://inversepath.com/usbarmory https://github.com/inversepath/usbarmory/wiki/Internal-Boot-ROM https://github.com/inversepath/usbarmory/wiki/Enclosures https://github.com/inversepath/usbarmory/wiki/JTAG https://github.com/inversepath/usbarmory/wiki/Hardware-security-features https://github.com/inversepath/interlock
4. USB Ethernet Adapter(Ethernet Shield)
0x1: Introduction
Your Ethernet Shield gets a total renewal now! This shield provides you instant Internet connectivity with a high spec Ethernet controller, W5200, with twice the buffer size of v1.0 and support for up to eight simultaneous TCP/UDP connections. An included SD slot enables applications that require storing large amounts of data, like IoT data logging. Thanks to a lowered RJ45 pot, you can flexibly add most of shields on top of this Ethernet Shield. 
0x2: Features
1. High speed Ethernet controller W5200 2. SPI interface 3. 32 Kbytes inner buffer 4. Minimal RJ45 Ethernet port 5. Support up to eight simultaneous TCP/UDP connections 6. Handy SD card function 7. Grove ports for I2C and UART preformed
0x3: Interface
1. Hardware Configuration
RJ45: Ethernet Port; IC HX1198: 10/100BASE-T signal port; IC W5200: a hardwired TCP/IP Ethernet Controller; U3: IC CJ117, low dropout linear regulator; U6: IC 74VHC125PW, quad buffer; Reset KEY: Reset Ethernet shield and Arduino when pressed; SD card: support Micro SD card in FAT16 or FAT32; maximum storage is 2GB.
2. Pins usage on Arduino
D4: SD card chip select D10: W5200 Chip Select D11: SPI MOSI D12: SPI MISO D13: SPI SCK
Both W5200 and SD card communicate with Arduino via SPI bus. Pin 10 and pin 4 are chip select pins for W5200 and SD slot. They cannot be used as general I/O.
Relevant Link:
http://www.maplin.co.uk/p/gigabit-usb-20-to-ethernet-adapter-n56hn http://www.electronicsspecialist.co.uk/networking/usb-2-0-to-ethernet-adapter.asp http://www.maplin.co.uk/p/arduino-ethernet-shield-v20-n54ec
5. NTLM Authentication Protocol and Security Support Provider
0x1: What is NTLM
NTLM is a suite of authentication and session security protocols used in various Microsoft network protocol implementations and supported by the NTLM Security Support Provider ("NTLMSSP").
1. Originally used for authentication and negotiation of secure DCE/RPC 2. NTLM is also used throughout Microsoft's systems as an integrated single sign-on mechanism. 3. It is probably best recognized as part of the "Integrated Windows Authentication" stack for HTTP authentication(例如WPAD) 4. however, it is also used in Microsoft implementations of SMTP, POP3, IMAP (all part of Exchange), CIFS/SMB, Telnet, SIP, and possibly others.
The NTLM Security Support Provider provides authentication, integrity, and confidentiality services within the Window Security Support Provider Interface (SSPI) framework(SSPI是一个接口规范,具体的实现由上层实现决定). SSPI specifies a core set of security functionality that is implemented by supporting providers;
the NTLMSSP is such a provider. The SSPI specifies, and the NTLMSSP implements, the following core operations:
1. Authentication: NTLM provides a challenge-response authentication mechanism, in which clients are able to prove their identities without sending a password to the server. 2. Signing: The NTLMSSP provides a means of applying a digital "signature" to a message. This ensures that the signed message has not been modified (either accidentally or intentionally) and that that signing party has knowledge of a shared secret. NTLM implements a symmetric signature scheme (Message Authentication Code, or MAC); that is, a valid signature can only be generated and verified by parties that possess the common shared key. 3. Sealing: The NTLMSSP implements a symmetric-key encryption mechanism, which provides message confidentiality. In the case of NTLM, sealing also implies signing (a signed message is not necessarily sealed, but all sealed messages are signed).
尽管现在有各种各样的应用层、传输层加密、认证协议,但是NTLM作为windows原生的统一底层接入认证机制,在windows机器之间进行统一认证认证,仍然发挥着重大作用
NTLM has been largely supplanted by Kerberos as the authentication protocol of choice for domain-based scenarios. However, Kerberos is a trusted-third-party scheme, and cannot be used in situations where no trusted third party exists; for example, member servers (servers that are not part of a domain), local accounts, and authentication to resources in an untrusted domain. In such scenarios, NTLM continues to be the primary authentication mechanism (and likely will be for a long time).
0x2: NTLM Terminology
NTLM authentication is a challenge-response scheme, consisting of three messages, commonly referred to as Type 1 (negotiation), Type 2 (challenge) and Type 3 (authentication). It basically works like this
1. (negotiation): The client sends a Type 1 message to the server. This primarily contains a list of features supported by the client and requested of the server. 2. (challenge): The server responds with a Type 2 message. This contains a list of features supported and agreed upon by the server. Most importantly, however, it contains a challenge generated by the server. 3. (authentication): The client replies to the challenge with a Type 3 message. This contains several pieces of information about the client, including the domain and username of the client user. It also contains one or more responses to the Type 2 challenge //The responses in the Type 3 message are the most critical piece, as they prove to the server that the client user has knowledge of the account password.
The process of authentication establishes a shared context between the two involved parties; this includes a shared session key, used for subsequent signing and sealing operations.
0x3: The NTLM Message Header Layout
6. 实验过程
1. USB Armory本身作为一个网卡适配器(相当于一个linux系统路由器),当插入到被攻击PC后,被攻击PC会有限选择该高速网卡适配器,进行网络通信,windows虽然对plug-and-play即插即用设备的安装有白名单限制,但是显然网卡适配器是在白名单之内的,即允许自动安装usb网卡适配器驱动
2. USB Armory作为一个微型linux操作系统(主要功能是网卡),除了搭载了网卡适配器外,还具备DHCP Server、NTLM HASH Responser的功能
3. 平时我们在linux配置例如eth0网卡的网关、DHCP信息后,网卡就会按照配置进行DHCP请求、NetBios请求等,我们定制的USB Armory适配器系统有自己的网卡配置,DHCP IP配置,我们认为将DHCP IP配置为USB网卡适配器自身,从而可以通过控制DHCP Answer来控制WPAD
4. WPAD相当于一个exploit,用来触发被攻击PC发送NTLM HASH,被攻击的client在获取WPAD Proxy时会向外发送的NTLM Hash
5. 被攻击PC发送的数据(包含NTLM HASH)会通过USB Armory(网卡适配器)进行发送,被py responser截获后、py responser将自己伪装成"Auth Server",在正确响应后,记录NTLM HASH数据
Relevant Link:
http://www.codesec.net/view/467035.html http://mp.weixin.qq.com/s?__biz=MzI4MjA1MzkyNA==&mid=2655294326&idx=3&sn=c015cb5e94042b5f03cf954ff0910e0b&chksm=f02fef3dc758662b66f61985efaeba17426ae041db4c68a2cc3f0fe70a0780f7ff333bc32a10&scene=1&srcid=0908FQe55ZAHAhzgD1CvbVA6#rd
Copyright (c) 2016 LittleHann All rights reserved
