用 SessionGopher 拉出機器上各種密碼與 Key

同事在 Slack 上提到 fireeye/SessionGopher 這個工具,可以從機器上拉出各種敏感資訊:

SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.

方法是掃 registry 或是硬碟:

SessionGopher works by querying the HKEY_USERS hive for all users who have logged onto a domain-joined box at some point. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. It automatically extracts and decrypts WinSCP, FileZilla, and SuperPuTTY saved passwords. When run in Thorough mode, it also searches all drives for PuTTY private key files (.ppk) and extracts all relevant private key information, including the key itself, as well as for Remote Desktop (.rdp) and RSA (.sdtid) files.

是個... 好玩... 的... 東西...

在 Cisco Router 上被植入的後門

FireEye 發表了一篇在 Cisco Router 上發現被植入的後門:「SYNful Knock - A Cisco router implant - Part I」。

發現這些被植入的 router 被散佈在四個地區:

Mandiant can confirm the existence of at least 14 such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India.

包括了這幾個型號:

  • Cisco 1841 router
  • Cisco 2811 router
  • Cisco 3825 router

後門的特性是使用特殊的封包啟動:

SYNful Knock is a stealthy modification of the router's firmware image that can be used to maintain persistence within a victim's network. It is customizable and modular in nature and thus can be updated once implanted. Even the presence of the backdoor can be difficult to detect as it uses non-standard packets as a form of pseudo-authentication.

最主要的重點是把記憶體保護機制關閉 (都變成 RW):

The malware forces all TLB Read and Write attributes to be Read-Write (RW). We believe this change is made to support the hooking of IOS functions by loaded modules.

文後也有提到 Cisco 的文章,如何 dump image 分析:「Offline Analysis of IOS Image Integrity」。