T1505-003 - Web Shell - Behinder (冰蝎)
Description from ATT&CK
A web shell is a web script placed on a publicly accessible web server that allows an adversary to use the web server as a gateway into a network. A web shell may provide a range of functions such as a virtual terminal, file management and database connections. In addition to the server-side script, a web shell may also have a client-side interface program used to communicate with the managed web server (for example, China Chopper (中国菜刀), Cknife (C刀), AntSword (蚁剑) and Behinder (冰蝎)).
Test case
PHP site (PhpStudy + DVWA)
Behinder V1.0/V2.0 (client + bundled shell)
Wireshark (required)
Detection logs
HTTP traffic
Test reproduction
Exploit the relevant DVWA vulnerability to upload Behinder's default webshell, manage the webshell with the Behinder client, and capture the traffic between the Behinder client and the script on the web server.
Test artifacts
Behinder V1.0
1) Normal traffic
GET request
GET /1.php HTTP/1.1
Host: 192.168.66.136
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.66.136/
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
GET response
HTTP/1.1 200 OK
Date: Tue, 20 Aug 2019 02:50:43 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
X-Powered-By: PHP/5.4.45
Content-Length: 4
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
test
POST request
POST /DVWA/vulnerabilities/exec/ HTTP/1.1
Host: 192.168.66.136
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
DNT: 1
Connection: keep-alive
Referer: http://192.168.66.136/DVWA/vulnerabilities/exec/
Cookie: security=low; PHPSESSID=190krorgsuckk0elaa1tk0v891
Upgrade-Insecure-Requests: 1
ip=127.0.0.1+%26%26+whoami&Submit=Submit
POST response
HTTP/1.1 200 OK
Date: Tue, 20 Aug 2019 02:52:47 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
X-Powered-By: PHP/5.4.45
Expires: Tue, 23 Jun 2009 12:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 5161
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD (remaining content omitted here)
2) Behinder client-to-server traffic
GET request
GET /shell.php?pass=1 HTTP/1.1
User-Agent: Java/1.8.0_211
Host: 192.168.66.136
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
GET response
HTTP/1.1 200 OK
Date: Sun, 21 Jul 2019 02:51:55 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
X-Powered-By: PHP/5.4.45
Set-Cookie: PHPSESSID=6dclf3mic9i86q7r6snpk34ef1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 16
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
f52eb8c003a3991b
POST request
POST /shell.php HTTP/1.1
Content-Type: application/octet-stream
Cookie: null;PHPSESSID=6dclf3mic9i86q7r6snpk34ef1; path=/
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_211
Host: 192.168.66.136
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 1624
D3dH8lwIFCCGYS9Yca (encrypted content omitted here)
POST response
HTTP/1.1 200 OK
Date: Sun, 21 Jul 2019 02:51:55 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
1f4c0 (encrypted content omitted here)
3) Normal traffic vs. Behinder traffic
The comparison shows that Behinder V1.0 has fairly obvious features during its initial interaction: the User-Agent (Java/1.8.0_211) differs clearly from normal business traffic, so detection can be based on analysis of the User-Agent. Secondly, compared with normal traffic, the POST response carries an extra Transfer-Encoding: chunked header; Transfer-Encoding changes the message framing, and here it means the body is transmitted in chunks. You can detect on this feature, or use an even simpler method, such as matching URLs that contain .php?pass=.
Behinder V2.1
Starting with Behinder V1.1, random User-Agent support was added: each session randomly selects one of 17 common User-Agent strings. The latest Behinder version is V2.1; its client-server traffic can be captured and compared against normal traffic for analysis.
1) Normal traffic
GET request
Same as the Behinder V1.0 section
GET response
Same as the Behinder V1.0 section
POST request
Same as the Behinder V1.0 section
POST response
Same as the Behinder V1.0 section
2) Behinder client-to-server traffic
GET request
GET /DVWA/hackable/uploads/shell.php?pass=673 HTTP/1.1
Content-type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
Host: 192.168.66.136
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
GET response
HTTP/1.1 200 OK
Date: Mon, 19 Aug 2019 09:34:36 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
X-Powered-By: PHP/5.4.45
Set-Cookie: PHPSESSID=m0agat42tmo0i4srnda5ssfq94; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 16
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
03befc81cbefda94
POST request
POST /DVWA/hackable/uploads/shell.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=bv5lv0681hq09ggt8rfj1peio5; path=/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.66.136
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 2220
ltEi32XJreSl8Y5Hhzk08Wgjfe8bLPr3x8n4qlJ (encrypted content omitted here)
POST response
HTTP/1.1 200 OK
Date: Mon, 19 Aug 2019 09:34:36 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
21dc0gfUOcrBcH7jint5L0pmkDxT5ypIbjLnIsXnDxHGjofQk3g (encrypted content omitted here)
3) Normal traffic vs. Behinder traffic
The comparison shows that in Behinder V2.1's initial interaction the traffic carries an extra Transfer-Encoding: chunked header; Transfer-Encoding changes the message framing, and here it means the body is transmitted in chunks. You can detect on this feature, or use an even simpler method, such as matching URLs that contain .php?pass=.
Detection signatures / approach
Behinder V1.0
GET request signature: URL contains .php?pass=, User-Agent contains Java/*;
POST request signature: User-Agent contains Java/*, response contains Transfer-Encoding: chunked;
Behinder V2.1
GET request signature: URL contains .php?pass=; (if this conflicts with business traffic, the false-positive rate is high)
POST response signature: Transfer-Encoding: chunked;
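The V1.0 and V2.1 signatures above, applied to request/response header pairs, as an added example that is not part of the original page. The sample traffic is constructed from the page's captures (placeholder values, headers only), and the function and indicator names are my own.

```python
# Constructed sample traffic modelled on the page's captures (not real captures):
# name -> (request head, response head), headers only, CRLF-separated.
SAMPLES = {
    "v1_get": ("GET /shell.php?pass=1 HTTP/1.1\r\nUser-Agent: Java/1.8.0_211\r\nHost: 192.168.66.136",
               "HTTP/1.1 200 OK\r\nContent-Length: 16\r\nContent-Type: text/html"),
    "v1_post": ("POST /shell.php HTTP/1.1\r\nContent-Type: application/octet-stream\r\nUser-Agent: Java/1.8.0_211",
                "HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html"),
    "v21_post": ("POST /DVWA/hackable/uploads/shell.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0)",
                 "HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html"),
    "normal": ("POST /DVWA/vulnerabilities/exec/ HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Firefox/68.0",
               "HTTP/1.1 200 OK\r\nContent-Length: 5161\r\nContent-Type: text/html;charset=utf-8"),
}

def parse_head(raw):
    """Split an HTTP head into its start line and a lower-cased header dict."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ": " in line:
            key, value = line.split(": ", 1)
            headers[key.lower()] = value.strip()
    return lines[0], headers

def behinder_indicators(request, response):
    """Return the page's indicators matched by one request/response pair."""
    start, req_h = parse_head(request)
    _, resp_h = parse_head(response)
    method, path = start.split(" ", 2)[:2]
    hits = []
    if method == "GET" and ".php?pass=" in path.lower():
        hits.append("url_pass_param")          # V1.0 / V2.1 GET signature
    if req_h.get("user-agent", "").startswith("Java/"):
        hits.append("ua_java")                 # V1.0 only: fixed Java/* User-Agent
    if method == "POST" and resp_h.get("transfer-encoding", "").lower() == "chunked":
        hits.append("resp_chunked")            # V1.0 / V2.1 POST response signature
    return hits

def verdict(hits):
    """V1.0: Java UA plus a second indicator is high confidence.
    V2.1 randomises the UA, so only the URL/chunked indicators remain; both also
    occur in legitimate traffic, so they are flagged as 'suspect' for analyst review."""
    if "ua_java" in hits and len(hits) > 1:
        return "behinder_v1"
    if hits:
        return "suspect"
    return "clean"
```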
References
MITRE ATT&CK T1505.003
https://attack.mitre.org/techniques/T1505/003/
Behinder download link