Jufeng Laboratory · 2015/07/06 10:45

0x00 Background


A "broiler" (the Chinese slang for a zombie machine), also called a puppet machine, is a machine that a hacker controls remotely. Once a machine becomes a broiler, the attacker can use it at will: stealing data, launching further attacks, causing damage, and so on. Let's use Wireshark to study one example: an advertising spam site.

0x01 A Problem Is Found


During a security inspection of an enterprise server farm, one of the customer's servers (10.190.214.130) was found to behave abnormally. Judging by its communication behavior it should have been an idle server. After capturing and collecting packets for a period of time, protocol statistics on the data showed that the traffic was basically all SMTP.

SMTP is the mail transfer protocol. Under normal circumstances this protocol appears in two situations:

1. A user sends an email.
2. Mail servers communicate with each other normally.

The IP address belongs to a server, so this cannot be an individual user sending email from a PC.

So is this a mail server? If so, why is there only SMTP, and no POP3, HTTP, IMAP, and so on?

With this doubt in mind, we tallied the IP address and port information of the data:

The statistics show that all of the communication is SMTP traffic exchanged with 61.158.163.126 (Sanmenxia, Henan), and the server (10.190.214.130) has TCP port 25 open; it is indeed a mail server.

At this point, many security analysts and monitoring/analysis tools stop. The reasoning is that the IP address is reasonable, the logic is reasonable, and the SMTP protocol rarely carries attack behavior, so this is treated as normal mail communication. Unfortunately, you would then miss a real security threat.

My professional instinct told me this was not a legitimate mail server. At this point application-layer analysis is needed to look at its communication behavior. Let's continue with the data of the SMTP login process.

Click Follow TCP Stream to see the complete login exchange.

    334 VXNlcm5hbWU6                  // Base64-decoded: "Username:"
    YWRtaW4=                          // the username entered by the client, Base64-decoded: "admin"
    334 UGFzc3dvcmQ6                  // Base64-decoded: "Password:"
    YWRtaW4=                          // the password entered by the client, Base64-decoded: "admin"
    235 Authentication successful.
    MAIL FROM:<[email protected]>      // the email is sent from...

61.158.163.126 successfully logged in to the mail server 10.190.214.30 using the username admin and the password admin ([email protected], [email protected]).

From the username, password, and email address alone, you can already see the problem:

1. Generally, the admin account would not be managed through a login from the Internet.

2. A "stupid" administrator set the password of the admin account to "admin".

[email protected]

Clearly, this is a controlled mail server: a "broiler mail server."

0x02 Behavior Tracing


Having found the problem, the next step is to trace its behavior: what exactly is this broiler server doing? Follow TCP Stream: [email protected] [email protected]@[email protected] [email protected] [email protected]

To see the complete email content, click Save As, save the stream as an .eml file, and open it in Outlook or another email client.

One look at the email and everything becomes clear. The email is "Qiaohu" advertising spam: the server was taken over by the attacker and set up as a mail server used for sending spam. Using the same method, we restored some of the other messages:

The mail content is exactly the same in each of them. As the earlier figure shows, there were dozens of SMTP sessions during the short monitoring window, that is, dozens of emails were sent, involving hundreds of mailboxes. The link http://url7.me/HnhV1 in the email redirects to the advertising page for Qiaohu products.
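The login check above (Base64-decoding the AUTH LOGIN exchange and spotting admin/admin from an outside address) and the behavior tracing in this section (dozens of sessions, hundreds of recipients, identical bodies, one advertising link) can both be automated over exported streams. The following is an added example in Python, not code from the original article; it assumes each SMTP conversation has been saved as text the way Wireshark's Follow TCP Stream shows it, with client and server lines interleaved. The transcripts are constructed samples: only the client address 61.158.163.126 comes from the article, and all mailboxes, domains and the URL are placeholders.

```python
"""Triage SMTP "Follow TCP Stream" transcripts for signs of a hijacked relay.

Added example, not from the original article. Constructed sample data only:
the client address is the one named in the article, everything else is a
placeholder.
"""
import base64
import binascii
import hashlib
import ipaddress
import re
from collections import Counter


def build_stream(recipients, body, username="admin", password="admin"):
    """Build a constructed SMTP transcript that uses AUTH LOGIN (Base64 challenge/response)."""
    def b64(text):
        return base64.b64encode(text.encode()).decode()

    lines = [
        "220 mail.example.test ESMTP ready",
        "EHLO sender-pc", "250 OK",
        "AUTH LOGIN",
        "334 " + b64("Username:"), b64(username),   # 334 VXNlcm5hbWU6 / YWRtaW4=
        "334 " + b64("Password:"), b64(password),   # 334 UGFzc3dvcmQ6 / YWRtaW4=
        "235 Authentication successful.",
        f"MAIL FROM:<{username}@example.test>", "250 OK",
    ]
    for rcpt in recipients:
        lines += [f"RCPT TO:<{rcpt}>", "250 OK"]
    lines += ["DATA", "354 End data with <CR><LF>.<CR><LF>",
              *body.splitlines(), ".", "250 Queued", "QUIT", "221 Bye"]
    return "\r\n".join(lines) + "\r\n"


AD_BODY = "Subject: Qiaohu offer\r\n\r\nLimited-time discount: http://short.example/ad\r\n"

# Constructed sample: three sessions from the same external client, same body, different recipients.
SAMPLE_SESSIONS = [
    ("61.158.163.126", build_stream(["10001@qq.example", "10002@qq.example"], AD_BODY)),
    ("61.158.163.126", build_stream(["10003@qq.example", "10004@qq.example", "10005@qq.example"], AD_BODY)),
    ("61.158.163.126", build_stream(["10002@qq.example", "10006@qq.example"], AD_BODY)),
]

AUTH_PROMPTS = {"Username:": "username", "Password:": "password"}


def _b64text(token):
    """Decode one Base64 token; keep the raw text if it is not Base64 (e.g. "*" aborting AUTH)."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return token


def parse_session(client_ip, stream):
    """Walk one transcript: decode the AUTH LOGIN exchange, collect the envelope and the body."""
    info = {"client_ip": client_ip, "username": None, "password": None,
            "sender": None, "recipients": [], "body": None}
    expect = None      # which AUTH LOGIN field the next client line carries
    in_data = False    # True between the server's 354 reply and the client's lone "."
    body = []
    for line in stream.split("\r\n"):
        if in_data:
            if line == ".":
                in_data, info["body"] = False, "\n".join(body)
            else:
                body.append(line)
            continue
        if expect:
            info[expect] = _b64text(line)
            expect = None
            continue
        if line.startswith("334 "):
            expect = AUTH_PROMPTS.get(_b64text(line[4:]))
            continue
        if line.startswith("354"):
            in_data = True
            continue
        m = re.match(r"MAIL FROM:\s*<([^>]*)>", line, re.I)
        if m:
            info["sender"] = m.group(1)
            continue
        m = re.match(r"RCPT TO:\s*<([^>]*)>", line, re.I)
        if m:
            info["recipients"].append(m.group(1))
    return info


def session_findings(info):
    """Per-session red flags matching the article's two observations about the login."""
    findings = []
    if info["password"] is not None and info["password"] == info["username"]:
        findings.append("password equals username")
    if info["username"] == "admin" and not ipaddress.ip_address(info["client_ip"]).is_private:
        findings.append("admin login from a non-private address")
    return findings


def campaign_findings(infos, min_identical=3):
    """Cross-session view: session count, distinct recipients, repeated bodies, embedded URLs."""
    bodies = [i["body"] for i in infos if i["body"]]
    hashes = Counter(hashlib.sha256(b.encode()).hexdigest() for b in bodies)
    findings = []
    if hashes:
        _, top = hashes.most_common(1)[0]
        if top >= min_identical:
            findings.append(f"identical body in {top} of {len(infos)} sessions")
    return {
        "sessions": len(infos),
        "unique_recipients": len({r for i in infos for r in i["recipients"]}),
        "urls": sorted({u for b in bodies for u in re.findall(r"https?://\S+", b)}),
        "findings": findings,
    }


if __name__ == "__main__":
    parsed = [parse_session(ip, s) for ip, s in SAMPLE_SESSIONS]
    for p in parsed:
        print(p["client_ip"], p["username"], p["sender"], len(p["recipients"]), session_findings(p))
    print(campaign_findings(parsed))
```

The per-session checks reproduce the two observations from the login stream (password equal to username, and an admin login arriving from a public address), while `campaign_findings` turns the "dozens of sessions, identical content, one link" observation into numbers an analyst can threshold on; in a real investigation the transcripts would come from Wireshark's export rather than `build_stream`.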

0x03 Analysis Conclusion


1. A simple probe of the server shows a large number of high-risk ports open (TCP 25/110/445/135/3389/139), so being attacked and taken over was inevitable.

2. The server was taken over and set up as a WinWebMail server ([email protected]); from 61.158.163.126 (Sanmenxia city, Henan Province), [email protected] sends out spam through a mail client or dedicated software.

3. A simple Baidu search for [email protected] finally made its background clear.

4. The spam was not sent casually; it was highly targeted. Qiaohu is a product for children. Among the QQ numbers receiving the emails, we randomly picked 4 and looked up their information, and found that the recipients are probably young parents.

Disclaimer: the IP addresses, email addresses, and other information in this article are used only for security monitoring, attack prevention, learning, and exchange. Do not use them for any other purpose; if you do, you bear the responsibility.

0x04 Preliminary Plan for Subsequent Articles


The content of the following articles in the Wireshark hacker-discovery journey is preliminarily planned to include brute-force cracking, port scanning, web vulnerability scanning, web vulnerability exploitation, phishing logins, phishing emails, database attacks, mail system attacks, web-based intranet penetration, and so on. It may be adjusted slightly depending on time and on setting up the experimental environment. (By: Mr.Right, K0r4dji)